Network Access Control Lists vs. Security Groups

  Amazon Web Services (AWS), Networking, VPC

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/2801642?start=0

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

Security Group vs. Network ACL

  Scope
    Security Group: operates at the instance level (first layer of defense)
    Network ACL:    operates at the subnet level (second layer of defense)

  Rule types
    Security Group: supports allow rules only
    Network ACL:    supports allow rules and deny rules

  State
    Security Group: stateful; return traffic is automatically allowed, regardless of any rules
    Network ACL:    stateless; return traffic must be explicitly allowed by rules

  Evaluation
    Security Group: all rules are evaluated before deciding whether to allow traffic
    Network ACL:    rules are processed in number order, and the first matching rule decides

  How it is applied
    Security Group: applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance later on
    Network ACL:    automatically applies to all instances in the subnets it is associated with (a backup layer of defense, so you don't have to rely on someone specifying the security group)

  • Network ACL (Access Control List)
    • The default ACL allows all inbound and outbound traffic by default.
    • A custom ACL blocks all traffic by default until you add rules.

Exam Tips

  • Your VPC automatically comes with a default network ACL, and by default it allows all inbound and outbound traffic.
  • You can create a custom network ACL.  By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
  • Each subnet in your VPC must be associated with a network ACL.
    • If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  • You can associate a network ACL with multiple subnets; however, a subnet can only be associated with one ACL at a time.
    • When you associate a subnet with a new ACL, the previous association is removed.
  • An ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.  The first rule that matches the traffic decides; if nothing matches, the implicit final rule (*) denies it.
  • ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • Network ACLs are stateless.  Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).  In practice this means the outbound rules must also allow the ephemeral port range that clients use for replies, or connections that the inbound rules admit will silently fail.
  • Blocking specific IPs or ranges of IPs requires a network ACL deny rule, numbered lower than any allow rule that would otherwise match.  You cannot do this with Security Groups, which have no deny rules; the only way to keep traffic out with a Security Group is to never allow it.
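The following is an added example, not code from the AWS documentation or the course: a small simulation of how a network ACL (stateless, numbered rules, first match wins, allow or deny) and a security group (stateful, allow-only, any matching rule admits) decide whether a single TCP connection gets through. It shows the two points above that bite in practice: a deny rule only works if its number is lower than the allow that would otherwise match, and a NACL whose outbound rules forget the ephemeral port range admits the request but drops the reply. The Rule fields, helper names, rule sets and addresses are this example's own constructions, not an AWS API.

```python
"""Simulate VPC network ACL vs. security group evaluation for one TCP connection.

Added example, not from the AWS docs. Rule fields are a simplification of the
real NACL/SG entries; CIDR matching uses the standard library's ipaddress.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lowest is evaluated first (ignored for SGs)
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    port_from: int   # destination port range, inclusive
    port_to: int
    cidr: str        # remote address range this rule applies to
    action: str      # "allow" or "deny" (SGs only ever carry "allow")


def matches(rule: Rule, proto: str, port: int, addr: str) -> bool:
    """True when a packet with this protocol, destination port and remote address hits the rule."""
    if rule.protocol != "-1" and rule.protocol != proto:
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)


def nacl_evaluate(rules, proto: str, port: int, addr: str) -> str:
    """Network ACL: walk rules in number order; the first match decides.
    No match falls through to the implicit '*' rule, which is deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action
    return "deny"


def sg_evaluate(rules, proto: str, port: int, addr: str) -> str:
    """Security group: every rule is an allow rule; any match admits the traffic."""
    return "allow" if any(matches(r, proto, port, addr) for r in rules) else "deny"


def nacl_connection(inbound, outbound, client_ip, client_port, server_port, proto="tcp"):
    """Stateless: the request is checked against the inbound rules and the reply,
    addressed to the client's ephemeral port, is checked separately against the
    outbound rules. Returns (inbound_decision, outbound_decision)."""
    request = nacl_evaluate(inbound, proto, server_port, client_ip)
    reply = nacl_evaluate(outbound, proto, client_port, client_ip)
    return request, reply


def sg_connection(inbound, client_ip, client_port, server_port, proto="tcp"):
    """Stateful: once the request is allowed inbound, the reply is tracked and
    admitted regardless of outbound rules, so a single decision is enough."""
    return sg_evaluate(inbound, proto, server_port, client_ip)


# Constructed rule sets for a subnet hosting an HTTPS server (addresses are documentation ranges).
NACL_INBOUND = [
    Rule(90, "tcp", 0, 65535, "198.51.100.0/24", "deny"),   # block one abusive range first
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),        # then allow HTTPS from anywhere
]
# Common mistake: outbound only allows port 443, so replies to the client's ephemeral port never leave.
NACL_OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fix: also allow the ephemeral port range outbound (AWS documents 1024-65535 as the range to cover).
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
SG_INBOUND = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print(nacl_connection(NACL_INBOUND, NACL_OUTBOUND_BROKEN, "203.0.113.10", 51515, 443))  # ('allow', 'deny')
    print(nacl_connection(NACL_INBOUND, NACL_OUTBOUND_FIXED, "203.0.113.10", 51515, 443))   # ('allow', 'allow')
    print(nacl_connection(NACL_INBOUND, NACL_OUTBOUND_FIXED, "198.51.100.7", 51515, 443))   # ('deny', 'allow')
    print(sg_connection(SG_INBOUND, "203.0.113.10", 51515, 443))                            # 'allow'
```

Note that with the broken outbound list the request is admitted but the reply is dropped, which from the client looks like a connection that hangs rather than a refused one; that is the usual symptom of a stateless ACL missing its ephemeral port rule. Swapping the deny rule's number to anything above 100 would let the allow at 100 match first and the block would stop working.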
