Glossary

Last updated: 2026-05-28 15:47:49

Security group

The Security Group is a stateful packet-filtering virtual firewall that controls network access for one or more CVM instances. You can add CVM instances in the same region that share the same network security isolation requirements to the same Security Group. By configuring the Security Group's inbound and outbound rules, you can filter the network traffic (including public and private network traffic) of the associated instances.

Enterprise Security Group

The Enterprise Security Group is an advanced form of security group that offers more powerful management capabilities and more granular access control. It allows administrators to centrally define a unified security policy template at the VPC level and supports batch management and synchronization of policies across instances, subnets, and even AZs. The Enterprise Security Group simplifies the configuration and maintenance of security policies for large-scale instances.

Internet Boundary

The Internet Boundary is the point where a VPC or CVM instance connects directly to the public Internet. At this boundary, internal resources are typically exposed for public network access through public network gateways, EIPs, CLBs, and other means, or are allowed to actively access the public network. Security policies implemented at this boundary are primarily used to protect north-south traffic to and from the public network.

NAT Boundary

The NAT Boundary is the location of a Network Address Translation (NAT) device, typically the point connecting a VPC subnet to the public network. At this boundary, the NAT Gateway translates the private IP addresses of instances in the private subnet into public IP addresses for outbound access, and it can also forward public network traffic to designated private instances. Security policies can be applied at this boundary to traffic that has undergone NAT translation.

VPC Boundary

The VPC Boundary is the boundary for network communication between different subnets within a Tencent Cloud VPC. By configuring network ACLs or routing policies within the VPC, you can implement network access control at the VPC Boundary, manage east-west traffic between different subnets, and achieve subnet-level isolation and access policies.
