| Security Groups | Network Access Control List |
|---|---|
| Instance level: applies to an instance only if the security group is associated with it. | Subnet level: applies to all instances created inside the subnet. |
| Allow rules only: one can specify only allow rules in a security group. E.g. if your app server needs to connect to an RDS instance, you specify port 3306 for the app server IP. | Allow and deny rules: in a NACL, one can specify deny rules as well. |
| Evaluates all rules before allowing traffic: the security group evaluates all of its rules before the traffic reaches the instance. | Rules are processed in numeric order: the ACL evaluates the traffic against its rules in numeric order and returns on the first match. |
| Return traffic is automatically allowed regardless of any rules: if you have an inbound rule that lets a request in on port 80, the security group will not evaluate the outbound rules for the response; whatever the response is, it is let out through the security group. | Return traffic must also be explicitly allowed by the rules: a NACL requires an explicit outbound rule for the return response to pass. |
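The differences in the table, as an added toy evaluator (not code from the original page or from AWS): a security group holds allow rules only and lets the reply of an admitted flow out without consulting any rule, while a network ACL walks numbered allow/deny rules lowest-first, stops at the first match, and needs its own outbound rule for the reply. The app network, hosts, rule numbers and ephemeral port are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"; a security group only ever holds "allow"
    proto: str    # e.g. "tcp"
    ports: tuple  # inclusive (low, high) port range
    cidr: str     # peer network, e.g. "10.0.1.0/24"
    def matches(self, proto, port, peer):
        return (self.proto == proto and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    # Allow-only rules, all consulted; the reply of an admitted flow skips the rules (stateful).
    def __init__(self, inbound, outbound):
        assert all(r.action == "allow" for r in inbound + outbound)
        self.rules, self.flows = {"in": inbound, "out": outbound}, set()
    def allows(self, direction, proto, port, peer, is_return=False):
        if is_return:
            return (proto, port, peer) in self.flows  # rules are not evaluated
        if any(r.matches(proto, port, peer) for r in self.rules[direction]):
            self.flows.add((proto, port, peer))
            return True
        return False

class NetworkAcl:
    # Numbered allow/deny rules: lowest first, first match wins, implicit deny; the reply needs its own rule (stateless).
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # {rule number: Rule}
    def allows(self, direction, proto, port, peer):
        for number in sorted(self.rules[direction]):
            if (rule := self.rules[direction][number]).matches(proto, port, peer):
                return rule.action == "allow"
        return False

def demo(app_net="10.0.1.0/24", app_host="10.0.1.10"):
    # Constructed scenario: an app server in app_net opens TCP/3306 to a database instance.
    db_port, ephemeral = (3306, 3306), (1024, 65535)
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", db_port, app_net)], outbound=[])
    nacl = NetworkAcl(inbound={100: Rule("allow", "tcp", db_port, app_net),
                               200: Rule("deny", "tcp", db_port, "0.0.0.0/0")},
                      outbound={100: Rule("allow", "tcp", ephemeral, app_net)})
    return {
        "sg_request": sg.allows("in", "tcp", 3306, app_host),
        "sg_reply_no_outbound_rule": sg.allows("out", "tcp", 3306, app_host, is_return=True),
        "nacl_request": nacl.allows("in", "tcp", 3306, app_host),
        "nacl_reply_with_outbound_rule": nacl.allows("out", "tcp", 51000, app_host),
        "nacl_reply_no_outbound_rule": NetworkAcl(nacl.rules["in"], {}).allows("out", "tcp", 51000, app_host),
    }
```

Swapping the two NACL inbound rule numbers so the deny-all rule comes first blocks the app server even though an allow rule exists, which is the numeric-order point in the table.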