AWS: Security Group vs Network ACL

You can secure your VPC instances using only security groups; however, you can add network Network access control lists (ACLs) as an additional layer of defense.

Comparison of Security Group & Network ACL, from the official documentation:

Security Group Network ACL
Operates at the instance level

Acts as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
Operates at the subnet level

Acts as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
Supports allow rules only Supports allow rules and deny rules
Is stateful: Return traffic is automatically allowed, regardless of any rules Is stateless: Return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic Rules are processed  in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group)
Your VPC includes a default security group whose initial rules are to deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances in the group. You can't delete this group; however, you can change the group's rules. Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.

Comments

Popular posts from this blog

Maven Crash Course - Learn Power Query, Power Pivot & DAX in 15 Minutes

"Data Prep & Exploratory Data Analysis" course by Maven Analytics

Oracle Cloud Infrastructure 2024 Generative AI Professional Course & Certification Exam (1Z0-1127-24)