NACL and Security Groups:
Archietctre:
1. Security Groups are attached with every EC2 instance.
2. NACLs are situarted at boundary level- at subnet bounadries.
Firewall type:
1. NACLs are Stateless firewalls- meaing they don't keep track of packest going in and out. Everytime a packet leaves a boundary, the NACL checks if this packet is going to be allwed or not, and every time a packet comes inside the boundary, it checks again if the packet is allowed to enter or not. As an analogy, NACL can be condidered as Passwport Control, which even if remebers you by face, will check for your visa and passport before letting you in.
2. Security groups are stateful firewalls- meaning they remember what packet left and do not check when they come back. They keep track of ecah packet going out and in. As an analogy, they can be considered as a security guard siitng at the front gate, who remenbers who went out and let him in.
Traffic:
1. As NACL is stateles, it makes the decision to let a packet go out and In based on rles defined on paramteres- ip, port and protocol. It has separate rule sets for Inbound and Outbound traffic and evaluated independently.
2. As Secruity Groups are stateful, they only care about Inbound packets/ traffci based on rules not outgoing. By defualt, the policy is Deny All for Inbound and Allow All outbound so one has to explicitly define what traffic needs to be allowed In. Packets going out of the Secruity Groups are rememebered on basis of source address and thus are allowed in without any check.
Are NACL and Secruity Groups are redundant?
Not really, as discussed, NACL only inspects the traffic ging in and out of a boundary of a subnet. But there could be many EC2 instances within one subnet and they need to be regulated based on Secrutiy groups rules.
Archietctre:
1. Security Groups are attached with every EC2 instance.
2. NACLs are situarted at boundary level- at subnet bounadries.
Firewall type:
1. NACLs are Stateless firewalls- meaing they don't keep track of packest going in and out. Everytime a packet leaves a boundary, the NACL checks if this packet is going to be allwed or not, and every time a packet comes inside the boundary, it checks again if the packet is allowed to enter or not. As an analogy, NACL can be condidered as Passwport Control, which even if remebers you by face, will check for your visa and passport before letting you in.
2. Security groups are stateful firewalls- meaning they remember what packet left and do not check when they come back. They keep track of ecah packet going out and in. As an analogy, they can be considered as a security guard siitng at the front gate, who remenbers who went out and let him in.
Traffic:
1. As NACL is stateles, it makes the decision to let a packet go out and In based on rles defined on paramteres- ip, port and protocol. It has separate rule sets for Inbound and Outbound traffic and evaluated independently.
2. As Secruity Groups are stateful, they only care about Inbound packets/ traffci based on rules not outgoing. By defualt, the policy is Deny All for Inbound and Allow All outbound so one has to explicitly define what traffic needs to be allowed In. Packets going out of the Secruity Groups are rememebered on basis of source address and thus are allowed in without any check.
Are NACL and Secruity Groups are redundant?
Not really, as discussed, NACL only inspects the traffic ging in and out of a boundary of a subnet. But there could be many EC2 instances within one subnet and they need to be regulated based on Secrutiy groups rules.
Comments