You can configure security groups and firewalls to increase the security of ECSs in your VPC.
For details, see Figure 1.
Table 1 describes the differences between security groups and firewalls.
| Category | Security Group | Firewall |
|---|---|---|
| Targets | Operates at the ECS level. | Operates at the subnet level. |
| Rules | Supports both Allow and Deny rules. | Supports both Allow and Deny rules. |
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable the firewall. The firewall then takes effect for the associated subnets and the ECSs in those subnets. |
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
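The following is an added illustrative model, not the cloud platform's own evaluation code, of how the two filters in the table treat the same inbound packet: the security group matches on the 3-tuple and combines all matching rules (assumed here: a matching Deny outweighs a matching Allow, and nothing matching means deny), while the firewall matches on the 5-tuple and lets the highest-priority matching rule decide (assumed: a lower number means higher priority, default deny). All rules, addresses and packets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    protocol: str = "any"
    src_ip: str = "any"             # peer IP for inbound traffic
    dst_ip: str = "any"             # not part of the security-group 3-tuple
    src_port: Optional[int] = None  # None matches any port; not part of the 3-tuple
    dst_port: Optional[int] = None
    priority: int = 100             # firewall only (assumption: lower number = higher priority)

def _match(rule_val, pkt_val):
    return rule_val in ("any", None) or rule_val == pkt_val

def sg_matches(rule, pkt):
    # Security group: 3-tuple = protocol, port, peer IP
    return (_match(rule.protocol, pkt.protocol) and _match(rule.dst_port, pkt.dst_port)
            and _match(rule.src_ip, pkt.src_ip))

def fw_matches(rule, pkt):
    # Firewall: 5-tuple, so destination IP and source port also have to match
    return (_match(rule.protocol, pkt.protocol) and _match(rule.src_ip, pkt.src_ip)
            and _match(rule.dst_ip, pkt.dst_ip) and _match(rule.src_port, pkt.src_port)
            and _match(rule.dst_port, pkt.dst_port))

def security_group_decision(rules, pkt):
    # All matching rules are combined; assumption: any matching Deny wins, default deny
    matched = [r for r in rules if sg_matches(r, pkt)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if matched else "deny"

def firewall_decision(rules, pkt):
    # Highest-priority matching rule decides; assumption: default deny when nothing matches
    for rule in sorted(rules, key=lambda r: r.priority):
        if fw_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed sample data (RFC 5737 documentation addresses)
SG_RULES = [Rule("allow", "tcp", dst_port=22), Rule("deny", "tcp", src_ip="198.51.100.7", dst_port=22)]
FW_RULES = [Rule("allow", "tcp", dst_port=22, priority=20),
            Rule("deny", "tcp", src_ip="198.51.100.7", dst_port=22, priority=10),
            Rule("allow", "tcp", src_ip="198.51.100.7", src_port=40000, dst_port=22, priority=5)]
SSH_FROM_BLOCKED = Packet("tcp", "198.51.100.7", "10.0.0.5", 51515, 22)  # SG: deny, FW: deny
SSH_FROM_OTHER = Packet("tcp", "198.51.100.9", "10.0.0.5", 51515, 22)    # SG: allow, FW: allow
```

The third firewall rule shows what the 5-tuple adds: the same peer is permitted only when its source port is 40000, a distinction the 3-tuple security group cannot express.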