What are the differences between Security Groups and NACLs in Amazon Web Services?
Security Groups (SG)
Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level (strictly, at the instance's network interface).
Security groups can also be used by AWS services such as Amazon RDS, Amazon Redshift, Amazon EMR, and Amazon ElastiCache.
By default, a newly created security group has no inbound rules (so all inbound traffic is denied) and a single outbound rule that allows all outbound traffic. To permit inbound traffic you add a rule naming the protocol, port range and source, where the source is a CIDR block or another security group. The default security group that comes with every VPC is the one exception: it additionally allows inbound traffic from other members of the same group.
If the VPC is a house and its subnets are rooms, a security group is the (fire)wall around each individual occupant (instance), while a NACL guards the door of the room.
Network Access Control Lists (NACL)
Network access control lists (NACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
Every VPC comes with a default NACL that allows all inbound and outbound traffic. A custom NACL that you create contains only the implicit final deny rule, so it blocks all inbound and outbound traffic until you add ALLOW rules.
Security groups control traffic at the instance level, whereas NACLs control traffic at the subnet level.
Security groups can therefore restrict traffic between instances in the same subnet, which a NACL cannot do: traffic between two hosts in one subnet never crosses the subnet boundary where the NACL is enforced.
NACLs and security groups work together as layers. A packet entering a subnet from outside must first be allowed by the subnet's NACL and then by the security group of the instance it is addressed to; traffic leaving passes the two checks in the opposite order.
| Security Groups | NACL |
|---|---|
| Stateful: return traffic for a connection that was allowed in is permitted automatically, whatever the rules in the other direction say | Stateless: return traffic must be allowed by its own rule in the other direction, typically an ALLOW for the ephemeral port range (e.g. 1024-65535) |
| By default, a new security group allows all outbound traffic and no inbound traffic | The default NACL allows all inbound and outbound traffic; a custom NACL denies everything until rules are added |
| Attached to an instance (strictly, to its network interface) | Attached to a subnet |
| Firewall for EC2 instances | Firewall for subnets |
| ALLOW rules only; anything not explicitly allowed is implicitly denied | ALLOW and DENY rules, followed by an implicit final DENY |
| All rules are evaluated together; traffic is permitted if any rule allows it | Rules are evaluated in ascending rule-number order and the first matching rule is final |
| Applies only to instances that have the security group assigned | Applies automatically to every instance in the subnets it is associated with |
| Cannot block a specific IP address (no DENY rules) | Can block a specific IP address or range with a DENY rule |
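The differences in the table (stateful vs stateless return traffic, allow-only vs allow/deny, "every rule counts" vs "first match by rule number") are the ones people get wrong when writing rules by hand, so here is a small Python model of the two evaluation styles as an added example. It is not the article's code and not how AWS implements either feature; the rule sets, the addresses (RFC 5737 documentation ranges) and the port numbers are constructed for illustration, and matching is reduced to TCP destination ports and CIDR blocks.

```python
"""Toy evaluator for security group vs network ACL rules. Added example for
this article, not AWS code; matching is reduced to TCP destination ports and
CIDR blocks, and the sample addresses are constructed (RFC 5737 ranges)."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # what an outbound NACL rule must cover for replies

# direction: "in" = toward the instance/subnet, "out" = leaving it;
# remote_* is the other endpoint, local_port the port on the protected instance
Packet = namedtuple("Packet", "direction remote_ip remote_port local_port")


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (security groups only have "allow")
    cidr: str        # remote address range the rule matches
    ports: tuple     # inclusive (low, high) destination port range
    number: int = 0  # NACL rule number; unused by security groups

    def matches(self, pkt):
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (ip_address(pkt.remote_ip) in ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])


@dataclass
class SecurityGroup:
    """Stateful and allow-only; every rule is considered, order is irrelevant."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    _tracked: set = field(default_factory=set, repr=False)  # connection table

    def __post_init__(self):
        if any(r.action != "allow" for r in self.inbound + self.outbound):
            raise ValueError("security groups cannot express DENY rules")

    def permits(self, pkt):
        flow = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self._tracked:    # return traffic of an allowed connection
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self._tracked.add(flow)  # remember it so the reply passes
            return True
        return False                 # implicit deny


@dataclass
class NetworkAcl:
    """Stateless; the lowest-numbered matching rule decides, else implicit DENY."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def permits(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(pkt):
                return r.action == "allow"  # first match wins
        return False                         # the trailing '*' DENY rule


REQUEST = Packet("in", "198.51.100.7", 51234, 443)  # client -> our web server
REPLY = Packet("out", "198.51.100.7", 51234, 443)   # web server -> client

def demo_stateful_reply():
    """SG with inbound 443 and no outbound rules at all: the reply still passes."""
    sg = SecurityGroup(inbound=[Rule("allow", "0.0.0.0/0", (443, 443))])
    return sg.permits(REQUEST), sg.permits(REPLY)

def demo_stateless_reply(ephemeral_rule):
    """Same traffic via a custom NACL: the reply needs its own outbound rule."""
    out = [Rule("allow", "0.0.0.0/0", EPHEMERAL, number=100)] if ephemeral_rule else []
    acl = NetworkAcl(inbound=[Rule("allow", "0.0.0.0/0", (443, 443), number=100)],
                     outbound=out)
    return acl.permits(REQUEST), acl.permits(REPLY)

def demo_block_address(deny_number):
    """NACL DENY for 203.0.113.5 works only if numbered below the broad ALLOW
    at 200 (first match is final). Returns True if the packet gets through."""
    acl = NetworkAcl(inbound=[
        Rule("allow", "0.0.0.0/0", (443, 443), number=200),
        Rule("deny", "203.0.113.5/32", (0, 65535), number=deny_number)])
    return acl.permits(Packet("in", "203.0.113.5", 40000, 443))

def security_group_rejects_deny():
    """A security group has no way to say 'block this address'."""
    try:
        SecurityGroup(inbound=[Rule("deny", "203.0.113.5/32", (0, 65535))])
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("SG reply with no outbound rule:", demo_stateful_reply())
    print("ACL reply without/with ephemeral rule:",
          demo_stateless_reply(False), demo_stateless_reply(True))
    print("ACL deny #100/#300 lets 203.0.113.5 in:",
          demo_block_address(100), demo_block_address(300))
    print("SG rejects DENY rule:", security_group_rejects_deny())
```

The NACL cases are the ones that bite in practice. With only an inbound ALLOW for 443, the request enters the subnet but the server's reply to the client's ephemeral port is dropped until an outbound ALLOW for 1024-65535 exists, because nothing remembers that the connection was permitted; the security group passes the same reply with no outbound rule at all. And a DENY for one address does nothing if its rule number is higher than the broad ALLOW, since the lowest-numbered match ends evaluation. The security group, for its part, cannot express the block at all.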