You can use NACLs to block services in a coarse way, i.e. block all SSH/RDP in from the public, or perhaps you only use your public subnet to host an HTTPS-based workload: you can allow 443 in and high-level ports out but not other services.
NACLs are for coarse-grained filtering (on a per-subnet basis).
Security Groups are for fine-grained filtering (on a per-resource basis).
Simple answer and the main one: ONLY in a NACL can you create a DENY rule. Let's say you want the whole world to access the services (e.g. your website) in the subnet, however you want to deny some suspicious IP. ONLY in a NACL can you create a DENY rule; you can't create a DENY in an SG. Other features are: a NACL works at the subnet level and applies to all instances in the subnet. They are stateless; an SG is stateful. Rules are evaluated in order of rule number when it comes to NACLs.
Thank you!
Instances on the public subnet are routable through the internet: instances have a public IP address and can access the internet, and others can reach them if the traffic is allowed in the security group + Network ACL. NACLs would control who is allowed to establish connectivity through Network ACL rules. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
Thank you!
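To make the points in the answers above concrete (NACLs evaluate numbered rules in order and can DENY; security groups only ALLOW; NACLs are stateless so reply traffic on ephemeral ports must be allowed explicitly), here is a small simulator of both evaluation models. This is an added example, not code from AWS or from any of the answers; the rule and packet structures, the `nacl_evaluate`/`sg_evaluate` functions and the client addresses from the documentation ranges (198.51.100.7, 203.0.113.45) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    number: int       # NACL: evaluated in ascending order; SG rules have no order
    action: str       # "allow" or "deny" (a security group can only hold "allow")
    protocol: str     # "tcp", "udp" or "all"
    cidr: str         # remote CIDR (source for inbound, destination for outbound)
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str    # source IP for inbound, destination IP for outbound
    port: int         # destination port of the packet


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= pkt.port <= rule.port_to


def nacl_evaluate(rules: Iterable[Rule], pkt: Packet) -> str:
    """NACL semantics: the lowest-numbered matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def sg_evaluate(rules: Iterable[Rule], pkt: Packet) -> str:
    """Security group semantics: any matching allow rule permits; no deny rules, no ordering."""
    return "allow" if any(r.action == "allow" and _matches(r, pkt) for r in rules) else "deny"


def nacl_roundtrip(inbound, outbound, request: Packet, reply: Packet) -> str:
    """Stateless: the reply is evaluated against the outbound rules on its own."""
    if nacl_evaluate(inbound, request) != "allow":
        return "deny"
    return nacl_evaluate(outbound, reply)


def sg_roundtrip(inbound, request: Packet) -> str:
    """Stateful: once the request is allowed, the reply is tracked and allowed automatically."""
    return sg_evaluate(inbound, request)


# Constructed scenario: a public subnet serving HTTPS to everyone, with one
# address (203.0.113.45, from the documentation range) the operator wants to block.
ALLOW_HTTPS_ALL = Rule(200, "allow", "tcp", "0.0.0.0/0", 443, 443)
DENY_ONE_HOST = Rule(100, "deny", "tcp", "203.0.113.45/32", 443, 443)
ALLOW_EPHEMERAL_OUT = Rule(100, "allow", "tcp", "0.0.0.0/0", 1024, 65535)

NORMAL_CLIENT = Packet("tcp", "198.51.100.7", 443)
SUSPICIOUS_CLIENT = Packet("tcp", "203.0.113.45", 443)
REPLY_TO_NORMAL = Packet("tcp", "198.51.100.7", 51234)  # server -> client ephemeral port


def deny_rule_demo() -> dict:
    """Only the NACL can deny, and the rule number decides whether the deny is ever reached."""
    ordered = [DENY_ONE_HOST, ALLOW_HTTPS_ALL]  # deny at 100 is evaluated before allow at 200
    misordered = [Rule(300, "deny", "tcp", "203.0.113.45/32", 443, 443), ALLOW_HTTPS_ALL]
    return {
        "nacl_normal": nacl_evaluate(ordered, NORMAL_CLIENT),                          # allow
        "nacl_suspicious": nacl_evaluate(ordered, SUSPICIOUS_CLIENT),                  # deny
        "nacl_deny_after_allow": nacl_evaluate(misordered, SUSPICIOUS_CLIENT),         # allow: 200 matches first
        # A deny rule cannot exist in an SG; the simulator simply ignores it.
        "sg_suspicious": sg_evaluate([ALLOW_HTTPS_ALL, DENY_ONE_HOST], SUSPICIOUS_CLIENT),  # allow
    }


def stateless_demo() -> dict:
    """A stateless NACL needs an outbound rule for the ephemeral reply ports; an SG does not."""
    inbound = [ALLOW_HTTPS_ALL]
    return {
        "nacl_without_ephemeral": nacl_roundtrip(inbound, [], NORMAL_CLIENT, REPLY_TO_NORMAL),
        "nacl_with_ephemeral": nacl_roundtrip(inbound, [ALLOW_EPHEMERAL_OUT], NORMAL_CLIENT, REPLY_TO_NORMAL),
        "sg_stateful": sg_roundtrip(inbound, NORMAL_CLIENT),
    }


if __name__ == "__main__":
    print(deny_rule_demo())
    print(stateless_demo())
```

The `nacl_deny_after_allow` case is the practical trap: a DENY numbered higher than a broad ALLOW never fires, so put specific denies at lower rule numbers than the catch-all allows. The `stateless_demo` case shows why a NACL that only allows 443 inbound still breaks HTTPS until the outbound ephemeral range (1024-65535) is allowed, whereas the security group tracks the connection and lets the reply through on its own.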