forked from docs/virtual-private-cloud
For deta Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com> Co-authored-by: proposalbot <proposalbot@otc-service.com> Co-committed-by: proposalbot <proposalbot@otc-service.com>
- original_name
en-us_topic_0052003963.html
Differences Between Security Groups and Firewalls
You can configure security groups and firewalls to increase the security of ECSs in your VPC.
- Security groups operate at the ECS level.
- Firewalls protect associated subnets and all the resources in those subnets.
For details, see Figure 1.

Table 1 describes the differences between security groups and firewalls.
| Category | Security Group | Firewall |
|---|---|---|
| Targets | Operates at the ECS level. | Operates at the subnet level. |
| Rules | Does not support Allow or Deny rules. | Supports both Allow and Deny rules. |
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable the firewall. The firewall then takes effect for the associated subnets and the ECSs in those subnets. |
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
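The following is an added example, not part of this documentation, that models the evaluation semantics in the table: a security group merges allow-only 3-tuple rules, while a firewall evaluates 5-tuple Allow/Deny rules by priority. The rule and packet names, the sample policy, the "lower number first" priority ordering and the default deny when nothing matches are assumptions of this model.

```python
import ipaddress
from collections import namedtuple

# Packet 5-tuple plus protocol; security group rules only see (protocol, port, peer IP).
Packet = namedtuple("Packet", "protocol src_ip src_port dst_ip dst_port")
# Security group rule: 3-tuple, allow only. port=None matches any port.
SGRule = namedtuple("SGRule", "protocol port peer_cidr")
# Firewall rule: 5-tuple with an explicit Allow/Deny action and a priority
# (lower number evaluated first, an assumption of this model).
FWRule = namedtuple("FWRule", "priority action protocol src_cidr src_port dst_cidr dst_port")

def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def sg_allows_inbound(rules: list[SGRule], pkt: Packet) -> bool:
    """Rules from all groups are merged: any match admits the packet, otherwise
    it is dropped (assumed default). There is no Deny rule, so exceptions
    cannot be expressed."""
    return any(r.protocol == pkt.protocol and r.port in (None, pkt.dst_port)
               and in_cidr(pkt.src_ip, r.peer_cidr) for r in rules)

def fw_allows_inbound(rules: list[FWRule], pkt: Packet) -> bool:
    """The highest-priority matching rule decides; no match denies (assumed default)."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (r.protocol == pkt.protocol
                and in_cidr(pkt.src_ip, r.src_cidr) and in_cidr(pkt.dst_ip, r.dst_cidr)
                and r.src_port in (None, pkt.src_port) and r.dst_port in (None, pkt.dst_port)):
            return r.action == "allow"
    return False

# Constructed policy: SSH to subnet 10.0.1.0/24 is open to everyone, except that
# 203.0.113.0/24 must be blocked. Only the firewall can express the exception.
SG_RULES = [SGRule("tcp", 22, "0.0.0.0/0")]
FW_RULES = [FWRule(1, "deny", "tcp", "203.0.113.0/24", None, "10.0.1.0/24", 22),
            FWRule(2, "allow", "tcp", "0.0.0.0/0", None, "10.0.1.0/24", 22)]
SSH_FROM_BLOCKED = Packet("tcp", "203.0.113.5", 51000, "10.0.1.10", 22)
SSH_FROM_OTHER = Packet("tcp", "198.51.100.7", 51001, "10.0.1.10", 22)
HTTPS = Packet("tcp", "198.51.100.7", 51002, "10.0.1.10", 443)

if __name__ == "__main__":
    for name, pkt in (("blocked range", SSH_FROM_BLOCKED), ("other", SSH_FROM_OTHER)):
        print(f"{name}: security group={sg_allows_inbound(SG_RULES, pkt)}, "
              f"firewall={fw_allows_inbound(FW_RULES, pkt)}")
```

Running it shows the practical consequence of the Rules and Priority rows: the security group admits SSH from the blocked range because it can only add Allow rules, while the firewall's higher-priority Deny rule takes effect before the broad Allow.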