AWS: Security Group vs Network ACL
You can secure your VPC instances using only security groups; however, you can add network Network access control lists (ACLs) as an additional layer of defense.
Comparison of Security Group & Network ACL, from the official documentation:
Comparison of Security Group & Network ACL, from the official documentation:
| Security Group | Network ACL |
|---|---|
| Operates at the instance level Acts as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level |
Operates at the subnet level Acts as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group) |
| Your VPC includes a default security group whose initial rules are to deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances in the group. You can't delete this group; however, you can change the group's rules. | Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. |
Comments
Post a Comment