VPC Security - Security Groups vs. Network Access Control Lists (ACLs)

Amazon VPC provides the following features to increase and monitor the security of your VPC:

  1. Security groups - Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

  2. Network access control lists (ACLs) - Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.

  3. Flow logs - Capture information about the IP traffic going to and from network interfaces in your VPC.

 

Security Groups vs. Network Access Control Lists (ACLs)

  1. Layer of defense

    1. Security groups operate at the instance level: a security group is attached to the instance's elastic network interface.

    2. Network ACLs operate at the subnet level. Inbound traffic is checked by the subnet's network ACL before it reaches the instance's security group; outbound traffic is checked by the security group first and then by the network ACL.

  2. Allow and Deny

    1. Security groups support allow rules only.

      1. Anything not explicitly allowed is denied. A new custom security group has no inbound rules (all inbound traffic is denied) and a single outbound rule that allows all outbound traffic.

    2. Network ACLs support both allow and deny rules.

      1. E.g. a deny rule can block a specific IP address or CIDR range.

  3. Stateful vs. Stateless

    1. Security groups are stateful: return traffic is automatically allowed, regardless of any rules.

      1. An inbound rule that allows a request also lets the response leave; you do not need a matching outbound rule (and vice versa for connections the instance initiates).

    2. Network ACLs are stateless: return traffic must be explicitly allowed by rules.

      1. E.g. an inbound allow for TCP port 22 is not enough on its own. The reply goes back to the client's ephemeral source port, so an outbound allow rule covering the ephemeral port range (AWS recommends 1024-65535) is also needed.

  4. Rule evaluation

    1. Security groups evaluate all rules before deciding whether to allow traffic; any matching allow rule is enough, so rule order does not matter.

    2. Network ACLs process rules in ascending rule-number order, and the first rule that matches the traffic decides (allow or deny); later rules are not evaluated.

  5. Scope

    1. A security group applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance (its network interface) later on.

    2. A network ACL automatically applies to all instances in the subnets it is associated with. It is a backup layer of defense, so you do not have to rely on someone choosing the right security group.

 

Important Notes (Exam Tips)

  1. The default network ACL created with a VPC allows all inbound and outbound traffic. A custom network ACL denies all inbound and outbound traffic by default, until you add allow rules. Every network ACL ends with a catch-all "*" rule that denies whatever no numbered rule matched.

  2. A subnet can be associated with only one network ACL at a time (one network ACL can, however, be associated with many subnets). A subnet that is not explicitly associated with a custom network ACL uses the VPC's default network ACL.

  3. We can block IP addresses explicitly (Deny) with network ACLs but not with security groups. With security groups everything that is not explicitly allowed is denied, so there is nothing to "deny": the only way to block traffic is to not allow it.
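To make the comparison table and the exam tips above concrete, here is a small Python model of the two firewalls. It is an added example written for this page, not AWS code, and it calls no AWS API: the SecurityGroup class keeps a flow table and accepts allow rules only, while the NetworkAcl class walks numbered allow/deny rules in order and remembers nothing between packets. The scenarios() function pushes one SSH request and its reply through both in the order AWS evaluates them and covers items 2 to 4 of the comparison and tips 1 and 3: a reply passing a security group that has no outbound rule, a reply dropped by a custom network ACL that lacks an outbound ephemeral-port rule, the same ACL fixed, and a deny rule for one client IP that works at number 90 but never fires at 110. All addresses, ports, rule numbers and function names are constructed for the example.

```python
# Added example, not AWS code: a toy evaluator for the security group and network ACL
# semantics described on the page. All IPs, ports and rule numbers are constructed values.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp", "udp", ...
    direction: str  # "inbound" (towards the instance) or "outbound"


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # security groups only ever carry "allow"
    number: int = 32767    # NACL rule number; 32767 stands in for the trailing "*" entry


def matches(rule: Rule, pkt: Packet) -> bool:
    # True if the rule's direction/protocol/port/CIDR pattern covers the packet.
    if rule.direction != pkt.direction or rule.proto not in ("all", pkt.proto):
        return False
    if not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return ip_address(peer) in ip_network(rule.cidr)


class SecurityGroup:
    """Instance-level firewall: allow rules only, every rule evaluated, stateful."""
    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "security groups have no deny rules"
        self.rules = list(rules)
        self.flows = set()  # connection tracking: (src_ip, src_port, dst_ip, dst_port, proto)

    def allows(self, pkt: Packet) -> bool:
        # Return traffic of a flow that was already allowed passes regardless of rules.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.flows:
            return True
        # Rule order is irrelevant: any matching allow rule is enough, nothing can deny.
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False  # implicit deny: no allow rule matched


class NetworkAcl:
    """Subnet-level firewall: numbered allow/deny rules, lowest match wins, stateless."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet) -> bool:
        for r in self.rules:  # ascending rule number; the first match decides
            if matches(r, pkt):
                return r.action == "allow"
        return False  # the "*" rule at the end of every NACL denies whatever is left


def default_nacl() -> NetworkAcl:
    # The NACL AWS creates with a VPC: rule 100 allows everything in both directions.
    return NetworkAcl([Rule(d, "all", 0, 65535, "0.0.0.0/0", "allow", 100) for d in ("inbound", "outbound")])


def ssh_session(sg: SecurityGroup, nacl: NetworkAcl, client_ip: str = "203.0.113.10") -> dict:
    """Push one SSH request and its reply through NACL and SG in AWS evaluation order."""
    host = "10.0.1.25"  # constructed instance address inside the subnet
    request = Packet(client_ip, 51000, host, 22, "tcp", "inbound")
    reply = Packet(host, 22, client_ip, 51000, "tcp", "outbound")
    # Inbound: subnet NACL first, then the instance's SG. Outbound: SG first, then NACL.
    request_ok = nacl.allows(request) and sg.allows(request)
    reply_ok = request_ok and sg.allows(reply) and nacl.allows(reply)
    return {"request": request_ok, "reply": reply_ok}


def scenarios() -> dict:
    ssh_in = Rule("inbound", "tcp", 22, 22, "0.0.0.0/0")
    # 1. SG with only an inbound rule (default outbound allow-all removed on purpose) behind
    #    the default NACL: the reply still passes because the SG tracked the request's flow.
    stateful = ssh_session(SecurityGroup([ssh_in]), default_nacl())
    # 2. Custom NACL that allows SSH in but has no outbound rule: stateless, so the reply is dropped.
    half_open = NetworkAcl([Rule("inbound", "tcp", 22, 22, "0.0.0.0/0", "allow", 100)])
    stateless_broken = ssh_session(SecurityGroup([ssh_in]), half_open)
    # 3. Fix: an outbound allow for TCP to the ephemeral range (1024-65535) the client replies on.
    fixed = NetworkAcl(half_open.rules + [Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])
    stateless_fixed = ssh_session(SecurityGroup([ssh_in]), fixed)
    # 4. Deny one client IP with the NACL (a SG cannot). The rule number decides: a deny numbered
    #    below the allow (90) blocks the client; the same deny numbered above it (110) never fires.
    deny = Rule("inbound", "all", 0, 65535, "203.0.113.10/32", "deny", 90)
    blocked = ssh_session(SecurityGroup([ssh_in]), NetworkAcl(fixed.rules + [deny]))
    not_blocked = ssh_session(SecurityGroup([ssh_in]), NetworkAcl(fixed.rules + [replace(deny, number=110)]))
    return {
        "sg_stateful_reply": stateful["reply"],
        "nacl_no_return_rule_reply": stateless_broken["reply"],
        "nacl_with_ephemeral_rule_reply": stateless_fixed["reply"],
        "deny_before_allow_request": blocked["request"],
        "deny_after_allow_request": not_blocked["request"],
    }
```

Calling scenarios() returns five booleans: the stateful security group passes the reply without an outbound rule, the half-configured network ACL drops it, the ACL with the ephemeral-port rule passes it, and the deny for 203.0.113.10 blocks the request only when its number is lower than the allow. A real SG keeps its default outbound allow-all, so scenario 1 isolates the flow-tracking behaviour rather than recommending that configuration.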
