Virtual Private Cloud:Access control

Last Updated:Aug 04, 2025

Alibaba Cloud provides two access control mechanisms for network isolation within a virtual private cloud (VPC), one at the instance level and one at the vSwitch level: security groups and network ACLs.

  • Security group: A security group is a virtual firewall that controls the inbound and outbound traffic of Elastic Compute Service (ECS) instances within a VPC. Deploy ECS instances with the same security needs into a security group to create security domains and protect your cloud resources.

  • Network ACL: A network ACL controls the inbound and outbound traffic of vSwitches. Attach a network ACL to multiple vSwitches to centrally control their traffic.

| Item | Security groups | Network ACLs |
| --- | --- | --- |
| Illustration | (image not reproduced) | (image not reproduced) |
| Applicable scope | Instance level. Attach a security group to one or more ECS instances. | vSwitch level. Attach a network ACL to one or more vSwitches. |
| Working mode | Stateful: return packets are allowed automatically. For example, to allow inbound traffic on port 80, add an inbound rule for the request; no outbound rule is needed because the corresponding response traffic is allowed automatically. | Stateless: return packets must be explicitly allowed. For example, to allow inbound traffic on port 80, you must add an inbound rule for the request and an outbound rule for the response. |
| Intra-group control policy | Basic security group: choose whether to allow or deny traffic between instances in the group. Enterprise security group: internal isolation is enabled by default. | Network ACLs do not control traffic between ECS instances that are in the same vSwitch. |
| Application scenarios | Control access between instances and allow public inbound traffic on a port. | Isolate at the vSwitch level and enforce access policies across vSwitches. |
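The stateful-versus-stateless distinction in the working-mode row is where most misconfigurations happen, so the following added example (not Alibaba Cloud's code, and not part of the original page) models both behaviours in Python and runs them over a constructed HTTP request/response pair. The `Packet` and `Rule` shapes, the first-match evaluation order and the default-deny result when nothing matches are assumptions made for the demonstration; the real products' default policies and rule-priority handling are not modelled.

```python
"""Model of stateful (security group) vs stateless (network ACL) filtering.

Added illustration, not Alibaba Cloud code. Rule/packet shapes, first-match
evaluation and default-deny are simplifications assumed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The packet flowing the other way on the same connection."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str                # "in" (inbound) or "out" (outbound)
    proto: str                    # "tcp", "udp" or "all"
    port_range: Tuple[int, int]   # destination port range the rule covers
    cidr: str                     # remote network: source for "in", destination for "out"
    policy: str = "accept"        # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src_ip if self.direction == "in" else pkt.dst_ip
        lo, hi = self.port_range
        return (self.proto in ("all", pkt.proto)
                and lo <= pkt.dst_port <= hi
                and ip_address(remote) in ip_network(self.cidr))


def first_match(rules: List[Rule], pkt: Packet, direction: str) -> str:
    """Rules are evaluated in list order; the first match decides. No match drops."""
    for rule in rules:
        if rule.direction == direction and rule.matches(pkt):
            return rule.policy
    return "drop"


class NetworkAclModel:
    """Stateless: every packet, including a reply, needs its own matching rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def allow(self, pkt: Packet, direction: str) -> bool:
        return first_match(self.rules, pkt, direction) == "accept"


class SecurityGroupModel:
    """Stateful: once a packet is accepted, replies on that connection pass."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.tracked: Set[Packet] = set()   # accepted flows (connection tracking)

    def allow(self, pkt: Packet, direction: str) -> bool:
        if pkt.reverse() in self.tracked:    # reply to an accepted packet
            return True
        accepted = first_match(self.rules, pkt, direction) == "accept"
        if accepted:
            self.tracked.add(pkt)
        return accepted


# Constructed sample traffic: an internet client opens TCP/80 to an ECS instance.
CLIENT, SERVER = "203.0.113.7", "10.0.1.5"
REQUEST = Packet(CLIENT, 51234, SERVER, 80)
RESPONSE = REQUEST.reverse()

ALLOW_HTTP_IN = Rule("in", "tcp", (80, 80), "0.0.0.0/0")
# Stateless reply path: the client's source port is ephemeral, so the outbound
# rule must cover the ephemeral range, not port 80.
ALLOW_EPHEMERAL_OUT = Rule("out", "tcp", (1024, 65535), "0.0.0.0/0")


def http_exchange(filt) -> Tuple[bool, bool]:
    """Return (request_allowed, response_allowed) for one request/response pair."""
    req_ok = filt.allow(REQUEST, "in")
    resp_ok = req_ok and filt.allow(RESPONSE, "out")
    return req_ok, resp_ok


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Same single inbound rule on both filter types, plus the ACL fix."""
    return {
        "security_group_one_rule": http_exchange(SecurityGroupModel([ALLOW_HTTP_IN])),
        "network_acl_inbound_only": http_exchange(NetworkAclModel([ALLOW_HTTP_IN])),
        "network_acl_both_rules": http_exchange(
            NetworkAclModel([ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT])),
    }


if __name__ == "__main__":
    for name, (req, resp) in demo().items():
        print(f"{name:26s} request={'pass' if req else 'drop'} "
              f"response={'pass' if resp else 'drop'}")
```

Running the script shows the security group passing both directions with a single inbound rule, the network ACL with only an inbound rule dropping the reply, and the ACL passing once an outbound rule exists. Note that the outbound rule has to cover the client's ephemeral source-port range rather than port 80, which is why return-traffic rules on stateless filters are usually written against a high port range; keeping that range as narrow as the clients' operating systems allow limits what else the rule lets out.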