Configuring Network Access Control List (NACL) on Alibaba Cloud
By Pradeep Guda, Solutions Architect at Alibaba Cloud
Recently I encountered some questions related to Network Access Control Lists (NACLs) on Alibaba Cloud. One of the questions I noticed was “Why is Network ACL not available in Alibaba Cloud?”
In this article, I hope to clear up some confusion regarding this topic and provide you with additional insight into server security on Alibaba Cloud Elastic Compute Service (ECS).
What Is Network ACL?
By definition, a network access control list (NACL) is a table, or list, of rules that specifies which traffic is allowed into and out of a network. It is the first line of defense, blocking traffic at the subnet level, and it is stateless. This means that you need to open both inbound and outbound ports explicitly to allow traffic based on your needs. For example, you can allow inbound SSH traffic from your home network’s public IPv4 address range by whitelisting 192.0.2.0/24.
What Is a Security Group?
Similarly, a security group is a virtual firewall and is the last line of defense, blocking traffic to your instances. It is stateful, which means that the outbound port is opened automatically based on your inbound port: return traffic for an allowed inbound connection does not need a rule of its own. For example, you may open port 22 on an ECS instance to allow SSH traffic to and from that particular instance.
Difference between Network ACL and Security Groups
| Network ACL | Security Groups |
| --- | --- |
| Associated with Subnet | Associated with Instance |
| First line of defense | Last line of defense |
| By default, custom NACL blocks all the traffic | By default, blocks all the traffic |
| Stateless | Stateful |
| Inbound and outbound rules should be created explicitly | Only Inbound rule should be created explicitly and outbound traffic will be allowed automatically based on the inbound state. |
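The stateless/stateful distinction compared above, as an added example (not from the original article and not Alibaba Cloud or AWS code): a small Python model of one SSH request and its reply passing a stateless rule list and a stateful one. The instance address 10.0.1.5, the client port 50000, the ephemeral port range and all class and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample flow: SSH from the article's example range to an instance.
CLIENT, SERVER = "192.0.2.10", "10.0.1.5"  # SERVER address is an assumption
REQUEST = {"src": CLIENT, "sport": 50000, "dst": SERVER, "dport": 22}
REPLY = {"src": SERVER, "sport": 22, "dst": CLIENT, "dport": 50000}

SSH_IN = {"cidr": "192.0.2.0/24", "ports": (22, 22)}
REPLY_OUT = {"cidr": "192.0.2.0/24", "ports": (1024, 65535)}  # ephemeral ports

def rule_matches(rule, remote_ip, port):
    lo, hi = rule["ports"]
    net = ipaddress.ip_network(rule["cidr"])
    return ipaddress.ip_address(remote_ip) in net and lo <= port <= hi

class StatelessAcl:
    """NACL-style: each packet is judged alone, per direction; default deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, pkt, direction):
        if direction == "in":
            return any(rule_matches(r, pkt["src"], pkt["dport"]) for r in self.inbound)
        return any(rule_matches(r, pkt["dst"], pkt["dport"]) for r in self.outbound)

class StatefulGroup:
    """Security-group-style: an allowed inbound flow is tracked, and its
    reply is let out without an outbound rule. Simplification: connections
    initiated by the instance itself are not modelled."""
    def __init__(self, inbound):
        self.inbound, self.tracked = inbound, set()

    def allows(self, pkt, direction):
        if direction == "in":
            ok = any(rule_matches(r, pkt["src"], pkt["dport"]) for r in self.inbound)
            if ok:
                self.tracked.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return ok
        # Outbound: allowed only as the mirror image of a tracked inbound flow.
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.tracked

def ssh_round_trip(firewall):
    """Return (request_allowed_in, reply_allowed_out) for the sample flow."""
    return firewall.allows(REQUEST, "in"), firewall.allows(REPLY, "out")

if __name__ == "__main__":
    print("stateless, inbound rule only:", ssh_round_trip(StatelessAcl([SSH_IN], [])))
    print("stateless, both rules:       ", ssh_round_trip(StatelessAcl([SSH_IN], [REPLY_OUT])))
    print("stateful, inbound rule only: ", ssh_round_trip(StatefulGroup([SSH_IN])))
```

With only the inbound rule, the stateless list accepts the request but drops the reply, which is the usual symptom of a NACL missing its outbound ephemeral-port rule.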
How Network ACL Is Incorporated in AWS and Alibaba Cloud
AWS
In AWS, we can create instances without attaching a security group to them. However, such an instance is unsafe and this is typically not recommended, so Network ACL comes into the picture to protect that instance. A Network ACL is created by default when a subnet is created (a system NACL allows all traffic by default; a custom NACL denies all traffic by default). A custom Network ACL blocks all traffic, and you are required to open the inbound and outbound ports accordingly to allow traffic through the Network ACL to your instance.
Alibaba Cloud
In Alibaba Cloud, we cannot create an instance without binding it to a security group. This means that all instances come with security features by default, and as a result, there is no need for an additional layer of security in the form of Network ACL.
Alibaba Cloud Security Groups provide the same functionality as AWS Security Groups and Network ACL combined, at the instance level.
Is It Mandatory to Use Network ACL?
No. AWS Network ACL is a completely optional security feature, and almost all of its use cases can be achieved with Alibaba Cloud security groups because of their tightly coupled and simplified design. The AWS combination of Network ACL and security groups is based on a more loosely coupled design, which provides more flexibility to control traffic at different layers but with extra overhead in maintaining it.
So is AWS or Alibaba Cloud’s approach more secure? The answer is, they are the same. Both Alibaba Cloud and AWS provide the same level of security but through different means, which is determined by their respective designs.
However, the team at Alibaba Cloud may consider supporting Network ACL as a separate service for specific use cases in the future to help AWS users migrate seamlessly to Alibaba Cloud.