Virtual private clouds (VPCs) can implement access control not only through network access control lists (ACLs) but also by leveraging the access control capabilities of cloud resources. For example, Elastic Compute Service (ECS) uses security groups, whereas Server Load Balancer (SLB) and ApsaraDB RDS employ whitelists for access control. This topic describes various ways to achieve access control.
Access control within a VPC can be implemented using the following methods:
Network ACL: A network ACL is a VPC feature that provides network access control at the subnet level. You create network ACL rules and associate the network ACL with a vSwitch; the rules then filter the inbound and outbound traffic of all ECS instances connected to that vSwitch.
Security group: A security group is a virtual firewall that provides stateful packet inspection and packet filtering, and that you use to divide the cloud into security domains. You configure security group rules to control the inbound and outbound traffic of one or more ECS instances that belong to the group.
RDS whitelist: To access an ApsaraDB RDS instance in a VPC, you must add the IP address (or CIDR block) of the ECS instance to the whitelist of the RDS instance. Only whitelisted addresses can connect to the RDS instance; connections from any other IP address are rejected.
SLB whitelist: SLB distributes inbound traffic across multiple backend ECS instances according to forwarding rules. You can configure a whitelist on an SLB listener so that only requests from specific IP addresses are forwarded to your application. This applies to scenarios in which you want to restrict access by permitting requests only from designated IP addresses.
Network ACLs filter traffic at the vSwitch they are associated with, whereas security groups filter traffic at the ECS instances that belong to them. The following table compares network ACLs and security groups:
Item | Network ACL | Security group |
Application scope | vSwitches | ECS instances |
Return traffic | Stateless: return traffic must be explicitly allowed by a rule. | Stateful: return traffic of an allowed connection is automatically allowed, regardless of the rules. |
Rule evaluation | First match: rules are evaluated in order of priority and evaluation stops at the first matching rule, so not all rules are evaluated. | All rules are evaluated before the action is decided. |
Number of associations | A vSwitch can be associated with only one network ACL. | An ECS instance can be associated with multiple security groups. |
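The two rows that matter most in practice are the return-traffic row and the rule-evaluation row. The following Python model is an added example, not Alibaba Cloud code or documentation: it implements a stateless, first-match ACL and a stateful security group that consults every rule, then runs one SSH round trip through each. The addresses (a client in 10.0.0.0/8, an ECS instance at 192.168.1.10), the default drop policy, the rule-tuple layout and the "drop wins on equal priority" tie-break are assumptions of the model, not product behavior taken from the page.

```python
"""Constructed model of stateless first-match vs stateful all-rules filtering.
Added example, not Alibaba Cloud code; defaults and tie-break are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The response packet of this flow: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out"
    policy: str         # "accept" or "drop"
    proto: str          # "tcp", "udp" or "all"
    cidr: str           # peer CIDR: source for "in", destination for "out"
    ports: tuple        # inclusive destination-port range; (1, 65535) = any
    priority: int = 1   # smaller number = higher priority

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src if self.direction == "in" else pkt.dst
        return (ip_address(peer) in ip_network(self.cidr)
                and self.proto in ("all", pkt.proto)
                and self.ports[0] <= pkt.dport <= self.ports[1])


class NetworkAcl:
    """Stateless, first match: walk rules in priority order, stop at the first
    hit, fall through to the default. A reply needs its own matching rule."""

    def __init__(self, rules, default="drop"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.direction == direction and rule.matches(pkt):
                return rule.policy
        return self.default


class SecurityGroup:
    """Stateful, all rules consulted: the highest-priority match decides and,
    on a tie, drop beats accept (assumed tie-break). Replies to an already
    accepted flow are allowed without consulting the rules at all."""

    def __init__(self, rules, default="drop"):
        self.rules = list(rules)
        self.default = default
        self.flows = set()  # initiating packets of accepted flows

    def decide(self, pkt: Packet, direction: str) -> str:
        if pkt.reply() in self.flows:      # pkt answers a tracked flow
            return "accept"
        hits = [r for r in self.rules
                if r.direction == direction and r.matches(pkt)]
        if not hits:
            return self.default
        best = min(r.priority for r in hits)
        if any(r.policy == "drop" and r.priority == best for r in hits):
            return "drop"
        self.flows.add(pkt)
        return "accept"


# Constructed scenario: a client in 10.0.0.0/8 opens SSH to an ECS instance.
SYN = Packet("10.0.0.5", 51234, "192.168.1.10", 22)
ALLOW_SSH_IN = Rule("in", "accept", "tcp", "10.0.0.0/8", (22, 22))
ALLOW_EPHEMERAL_OUT = Rule("out", "accept", "tcp", "10.0.0.0/8", (1024, 65535))


def ssh_round_trip(filt) -> tuple:
    """Verdicts for the inbound SYN and for the instance's reply."""
    return filt.decide(SYN, "in"), filt.decide(SYN.reply(), "out")


def acl_without_return_rule():
    return ssh_round_trip(NetworkAcl([ALLOW_SSH_IN]))        # reply dropped


def acl_with_return_rule():
    return ssh_round_trip(NetworkAcl([ALLOW_SSH_IN, ALLOW_EPHEMERAL_OUT]))


def security_group_inbound_only():
    return ssh_round_trip(SecurityGroup([ALLOW_SSH_IN]))     # reply allowed


def same_priority_conflict():
    """All rules evaluated: accept and drop at equal priority -> drop."""
    sg = SecurityGroup([
        Rule("in", "accept", "tcp", "0.0.0.0/0", (22, 22), 1),
        Rule("in", "drop", "tcp", "10.0.0.0/8", (22, 22), 1),
    ])
    return sg.decide(SYN, "in")


if __name__ == "__main__":
    print("ACL, inbound rule only:      ", acl_without_return_rule())
    print("ACL, plus ephemeral egress:  ", acl_with_return_rule())
    print("Security group, inbound only:", security_group_inbound_only())
    print("SG same-priority conflict:   ", same_priority_conflict())
```

The first case is the classic network ACL mistake: an inbound accept on port 22 with no outbound rule for the ephemeral port range lets the SYN in but drops the server's reply, so the connection never completes. The security group needs only the inbound rule because the reply belongs to a tracked flow. The last case shows why "all rules are evaluated" matters: a broad accept does not hide a more specific drop at the same priority, whereas a first-match ACL would simply take whichever rule sorts first.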
The following diagram illustrates how network ACLs and security groups are applied to ensure network security: