doc-exports/docs/vpc/umn/en-us_topic_0052003963.html

<a name="en-us_topic_0052003963"></a><a name="en-us_topic_0052003963"></a>

<h1 class="topictitle1">Differences Between Security Groups and <span id="text6704561594">Firewall</span><span id="text6926153553015"></span>s</h1>
<div id="body1529924412665"><p id="en-us_topic_0052003963__p161575913361">You can configure <span id="en-us_topic_0052003963__text597033182618">firewall</span><span id="en-us_topic_0052003963__text159701372612"></span> and security group rules to protect the instances in your VPC, such as ECSs and databases.</p>
<ul id="en-us_topic_0052003963__ul17890193716374"><li id="en-us_topic_0052003963__li889053713375">A security group protects the instances in it.</li><li id="en-us_topic_0052003963__li188901937183713">A <span id="en-us_topic_0052003963__text41892023193317">firewall</span><span id="en-us_topic_0052003963__text11189182343314"></span> protects associated subnets and all the resources in the subnets.</li></ul>
<p id="en-us_topic_0052003963__p21001022202617">For details, see <a href="#en-us_topic_0052003963__fig9582182315479">Figure 1</a>.</p>
<div class="fignone" id="en-us_topic_0052003963__fig9582182315479"><a name="en-us_topic_0052003963__fig9582182315479"></a><a name="fig9582182315479"></a><span class="figcap"><b>Figure 1 </b>Security groups and firewalls</span><br><span><img class="eddx" id="en-us_topic_0052003963__image048361820309" src="en-us_image_0000001818982946.png"></span></div>
<div class="p" id="en-us_topic_0052003963__p93313117488"><a href="#en-us_topic_0052003963__table53053071174845">Table 1</a> describes the differences between security groups and <span id="en-us_topic_0052003963__text830016416344">firewall</span><span id="en-us_topic_0052003963__text1730044153414"></span>s.
<div class="tablenoborder"><a name="en-us_topic_0052003963__table53053071174845"></a><a name="table53053071174845"></a><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0052003963__table53053071174845" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Differences between security groups and <span id="en-us_topic_0052003963__text2012614012485">firewall</span><span id="en-us_topic_0052003963__text91261940194812"></span>s</caption><thead align="left"><tr id="en-us_topic_0052003963__row63488302174845"><th align="left" class="cellrowborder" valign="top" width="14.469999999999999%" id="mcps1.3.5.4.2.4.1.1"><p id="en-us_topic_0052003963__p16252192132814">Category</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="39.77%" id="mcps1.3.5.4.2.4.1.2"><p id="en-us_topic_0052003963__p44965011174845">Security Group</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="45.76%" id="mcps1.3.5.4.2.4.1.3"><p id="en-us_topic_0052003963__p18287275174845"><span id="en-us_topic_0052003963__text2322183011215">Firewall</span><span id="en-us_topic_0052003963__text232233013213"></span></p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0052003963__row30367752174845"><td class="cellrowborder" valign="top" width="14.469999999999999%" headers="mcps1.3.5.4.2.4.1.1 "><p id="en-us_topic_0052003963__p425252102818">Protection Scope</p>
</td>
<td class="cellrowborder" valign="top" width="39.77%" headers="mcps1.3.5.4.2.4.1.2 "><p id="en-us_topic_0052003963__p1354652013301">Protects instances in a security group, such as ECSs and databases.</p>
</td>
<td class="cellrowborder" valign="top" width="45.76%" headers="mcps1.3.5.4.2.4.1.3 "><p id="en-us_topic_0052003963__p63718581174845">Protects subnets and all the instances in the subnets.</p>
</td>
</tr>
<tr id="en-us_topic_0052003963__row1150541071110"><td class="cellrowborder" valign="top" width="14.469999999999999%" headers="mcps1.3.5.4.2.4.1.1 "><p id="en-us_topic_0052003963__p19505171001110">Rules</p>
</td>
<td class="cellrowborder" valign="top" width="39.77%" headers="mcps1.3.5.4.2.4.1.2 "><p id="en-us_topic_0052003963__p250531081116">Does not support <strong id="en-us_topic_0052003963__b16641857152318">Allow</strong> or <strong id="en-us_topic_0052003963__b166418573236">Deny</strong> rules.</p>
</td>
<td class="cellrowborder" valign="top" width="45.76%" headers="mcps1.3.5.4.2.4.1.3 "><p id="en-us_topic_0052003963__p95051710131117">Supports both <strong id="en-us_topic_0052003963__b189381121122411">Allow</strong> and <strong id="en-us_topic_0052003963__b494418218248">Deny</strong> rules.</p>
</td>
</tr>
<tr id="en-us_topic_0052003963__row3518463174845"><td class="cellrowborder" valign="top" width="14.469999999999999%" headers="mcps1.3.5.4.2.4.1.1 "><p id="en-us_topic_0052003963__p3252321102813">Matching Order</p>
</td>
<td class="cellrowborder" valign="top" width="39.77%" headers="mcps1.3.5.4.2.4.1.2 "><p id="en-us_topic_0052003963__p16560083174845">If there are conflicting rules, they are combined and applied together.</p>
</td>
<td class="cellrowborder" valign="top" width="45.76%" headers="mcps1.3.5.4.2.4.1.3 "><p id="en-us_topic_0052003963__p66298376174845">If rules conflict, the rule with the highest priority takes effect.</p>
</td>
</tr>
<tr id="en-us_topic_0052003963__row59814478174845"><td class="cellrowborder" valign="top" width="14.469999999999999%" headers="mcps1.3.5.4.2.4.1.1 "><p id="en-us_topic_0052003963__p14252172117284">Usage</p>
</td>
<td class="cellrowborder" valign="top" width="39.77%" headers="mcps1.3.5.4.2.4.1.2 "><ul id="en-us_topic_0052003963__ul17357145118514"><li id="en-us_topic_0052003963__li635718511758">When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, a default security group will be created for you.</li><li id="en-us_topic_0052003963__li214615315514">After creating an instance, you can:<ul id="en-us_topic_0052003963__ul07117181112"><li id="en-us_topic_0052003963__li470218471516">Add or remove the instance to or from the security group on the security group console.</li><li id="en-us_topic_0052003963__li18711718815">Associate or disassociate a security group with or from the instance on the instance console.</li></ul>
</li></ul>
</td>
<td class="cellrowborder" valign="top" width="45.76%" headers="mcps1.3.5.4.2.4.1.3 "><p id="en-us_topic_0052003963__p57268308174845">Selecting a <span id="en-us_topic_0052003963__text1913894613819">firewall</span><span id="en-us_topic_0052003963__text1113984616816"></span> is not allowed when you create a subnet. You must create a <span id="en-us_topic_0052003963__text52991717151012">firewall</span><span id="en-us_topic_0052003963__text430251711107"></span>, add inbound and outbound rules, associate subnets with it, and enable <span id="en-us_topic_0052003963__text47554811381">firewall</span><span id="en-us_topic_0052003963__text6758486380"></span>. The <span id="en-us_topic_0052003963__text4241745161110">firewall</span><span id="en-us_topic_0052003963__text026194551113"></span> then protects the associated subnets and instances in the subnets.</p>
</td>
</tr>
<tr id="en-us_topic_0052003963__row3289418310534"><td class="cellrowborder" valign="top" width="14.469999999999999%" headers="mcps1.3.5.4.2.4.1.1 "><p id="en-us_topic_0052003963__p82520212284">Packets</p>
</td>
<td class="cellrowborder" valign="top" width="39.77%" headers="mcps1.3.5.4.2.4.1.2 "><p id="en-us_topic_0052003963__p4718316010534">Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported.</p>
</td>
<td class="cellrowborder" valign="top" width="45.76%" headers="mcps1.3.5.4.2.4.1.3 "><p id="en-us_topic_0052003963__p6373958110534">Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="vpc_SecurityGroup_0000.html">Access Control</a></div>
</div>
</div>