Differences Between Security Groups and Firewalls
You can configure security groups and firewalls to increase the security of ECSs in your VPC.
Security groups operate at the ECS level.
Firewalls protect associated subnets and all the resources in the subnets.
For details, see Figure 1.
Table 1 describes the differences between security groups and firewalls.
Category | Security Group | Firewall |
---|---|---|
Scope | Operates at the ECS level. | Operates at the subnet level. |
Rules | Supports only Allow rules. Traffic that matches no rule is denied by default. | Supports both Allow and Deny rules. |
Priority | Allow rules cannot conflict. All rules in the security group are combined, and traffic is allowed if it matches any one of them. | If rules conflict, the rule with the highest priority takes effect: rules are matched in priority order and the first match decides. |
Usage | Automatically applies to the ECSs in the security group selected during ECS creation. You must select a security group when creating an ECS. | Applies to all ECSs in the subnets associated with the firewall. A firewall cannot be selected when you create a subnet. Instead, you create a firewall, associate subnets with it, add inbound and outbound rules, and enable it. The firewall then takes effect for the associated subnets and the ECSs in them. |
Packets | Filters packets on the 3-tuple only: protocol, port, and peer IP address. | Filters packets on the 5-tuple: protocol, source port, destination port, source IP address, and destination IP address. |
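The Rules, Priority and Packets rows describe two different decision models, and the practical consequence is easiest to see by running them side by side. The following is an added example written for this page, not Huawei Cloud's implementation or API: a toy evaluator in which a security group is a union of 3-tuple Allow rules with an implicit deny, and a firewall is an ordered list of 5-tuple Allow/Deny rules where the first match in priority order decides. The rule field names, the convention that a lower priority number means higher priority, and the default Deny for unmatched firewall traffic are assumptions made for the example; the sample policy and packets are constructed.

```python
"""Toy evaluator contrasting security group and firewall filtering semantics.

Constructed illustration, not Huawei Cloud's implementation: the rule fields,
the priority ordering (lower number = higher priority) and the default Deny
for unmatched firewall traffic are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class SgRule:
    """Inbound security group rule: 3-tuple (protocol, port, peer CIDR), Allow only."""
    protocol: str          # "tcp", "udp", "icmp" or "any"
    port: Optional[int]    # destination port on the ECS; None = any port
    peer: str              # remote (source) address range, CIDR


@dataclass(frozen=True)
class FwRule:
    """Inbound firewall rule: 5-tuple plus an explicit Allow/Deny action and a priority."""
    priority: int          # assumption: lower number = higher priority
    action: str            # "allow" or "deny"
    protocol: str
    src: str               # source CIDR
    dst: str               # destination CIDR
    src_port: Optional[int]  # None = any port
    dst_port: Optional[int]  # None = any port


def _proto_ok(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or rule_proto == pkt_proto


def _port_ok(rule_port: Optional[int], pkt_port: int) -> bool:
    return rule_port is None or rule_port == pkt_port


def _in_cidr(cidr: str, ip: str) -> bool:
    return ip_address(ip) in ip_network(cidr, strict=False)


def sg_inbound_allows(rules: Iterable[SgRule], pkt: Packet) -> bool:
    """Security group semantics: every rule is an Allow, so rules cannot conflict.
    The effective policy is the union of all rules; anything unmatched is denied."""
    return any(
        _proto_ok(r.protocol, pkt.protocol)
        and _port_ok(r.port, pkt.dst_port)
        and _in_cidr(r.peer, pkt.src_ip)
        for r in rules
    )


def fw_inbound_decision(rules: Iterable[FwRule], pkt: Packet) -> str:
    """Firewall semantics: rules are checked in priority order and the first
    matching rule decides, so a narrow Deny can override a broader Allow.
    Traffic that matches no rule falls through to the default Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (
            _proto_ok(r.protocol, pkt.protocol)
            and _in_cidr(r.src, pkt.src_ip)
            and _in_cidr(r.dst, pkt.dst_ip)
            and _port_ok(r.src_port, pkt.src_port)
            and _port_ok(r.dst_port, pkt.dst_port)
        ):
            return r.action
    return "deny"


def reaches_ecs(fw_rules: Iterable[FwRule], sg_rules: Iterable[SgRule], pkt: Packet) -> bool:
    """Both layers apply: the subnet firewall is evaluated, then the ECS's security group."""
    return fw_inbound_decision(fw_rules, pkt) == "allow" and sg_inbound_allows(sg_rules, pkt)


# Constructed sample policy: SSH from the 10.0.0.0/24 management range and HTTPS
# from anywhere, but one host in the management range (10.0.0.66) must be blocked.
SG_RULES = [
    SgRule("tcp", 22, "10.0.0.0/24"),
    SgRule("tcp", 443, "0.0.0.0/0"),
]
FW_RULES = [
    FwRule(1, "deny", "tcp", "10.0.0.66/32", "0.0.0.0/0", None, 22),  # narrow exclusion
    FwRule(2, "allow", "tcp", "10.0.0.0/24", "0.0.0.0/0", None, 22),  # broader Allow
    FwRule(3, "allow", "tcp", "0.0.0.0/0", "0.0.0.0/0", None, 443),
]

# Constructed sample packets arriving at an ECS with address 192.168.1.10.
SSH_FROM_BLOCKED_HOST = Packet("tcp", "10.0.0.66", "192.168.1.10", 51234, 22)
SSH_FROM_ADMIN = Packet("tcp", "10.0.0.5", "192.168.1.10", 51234, 22)
UNLISTED_PORT = Packet("tcp", "10.0.0.5", "192.168.1.10", 51234, 8080)

if __name__ == "__main__":
    # The security group alone cannot express "all of 10.0.0.0/24 except .66";
    # the firewall's higher-priority Deny can.
    print(sg_inbound_allows(SG_RULES, SSH_FROM_BLOCKED_HOST))      # True
    print(fw_inbound_decision(FW_RULES, SSH_FROM_BLOCKED_HOST))    # deny
    print(reaches_ecs(FW_RULES, SG_RULES, SSH_FROM_BLOCKED_HOST))  # False
    print(reaches_ecs(FW_RULES, SG_RULES, SSH_FROM_ADMIN))         # True
    print(reaches_ecs(FW_RULES, SG_RULES, UNLISTED_PORT))          # False
```

The point to take from the run is the Priority row in action: the security group admits the blocked host because it matches the broad Allow and has no way to say Deny, while the firewall rejects it because the Deny carries the higher priority. Swapping the two priorities would make the Allow match first and let the host through, which is why the order of conflicting firewall rules has to be reviewed, not just their presence.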