About public subnet

0

When everyone can access the public subnet resources, what is the use of a network ACL at the public subnet level?

asked 2 years ago · 305 views
3 Answers
2

You can use NACLs to block services in a coarse way, i.e. block all SSH/RDP in from the public, or perhaps you only use your public subnet to host an HTTPS-based workload: you can allow 443 in and high-level ports out, but not other services.

NACLs are for coarse-grained filtering (on a per-subnet basis).
Security Groups are for fine-grained filtering (on a per-resource basis).

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • Thank you!

1
Accepted Answer

Simple answer, and the main one: ONLY in a NACL can you create a DENY rule. Let's say you want the whole world to access the services in the subnet (e.g., your website), however you want to deny some suspicious IP. ONLY in a NACL can you create a DENY rule; you can't create a DENY in an SG. Other features are: a NACL works at the subnet level and applies to all instances in the subnet. They are stateless; SGs are stateful. Rules are evaluated in order of rule number when it comes to NACLs.

AWS
answered 2 years ago
EXPERT
reviewed a year ago
  • Thank you!
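The two answers above describe four NACL properties worth seeing together: coarse per-subnet filtering (allow 443 in, ephemeral ports out, nothing else), explicit DENY rules, evaluation in ascending rule-number order with first match winning, and statelessness. The following is an added example, not code from AWS or from either answer: a small Python model of NACL evaluation with constructed rules and RFC 5737 documentation addresses, used to check what a rule set does before it is applied to a real subnet. The "suspicious" address, rule numbers and the implicit `*` deny at the end mirror the documented behaviour; everything else is illustrative.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # AWS evaluates rules in ascending number order; first match wins
    protocol: str    # "tcp", "udp" or "-1" for all protocols (ICMP type/code not modelled)
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int   # destination port range the rule covers
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str   # source IP for an inbound packet, destination IP for an outbound one
    dst_port: int


def evaluate(rules, packet):
    """Return (action, rule_number) using NACL semantics.

    Rules are checked from the lowest number upward and the first one that
    matches protocol, CIDR and port decides.  If nothing matches, the implicit
    final rule "*" denies the packet.
    """
    addr = ipaddress.ip_address(packet.remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", "*"


def connection_allowed(inbound_rules, outbound_rules, client_ip, client_port, server_port):
    """Stateless check for a TCP connection into the subnet.

    Because NACLs keep no connection state, the client's SYN to server_port must
    pass the inbound rules AND the server's reply to the client's ephemeral port
    must pass the outbound rules.  A security group would track the first packet
    and admit the reply automatically; a NACL will not.
    """
    syn = Packet("tcp", client_ip, server_port)
    reply = Packet("tcp", client_ip, client_port)
    return (evaluate(inbound_rules, syn)[0] == "allow"
            and evaluate(outbound_rules, reply)[0] == "allow")


# Constructed rule set for an HTTPS-only public subnet.
# 198.51.100.7 stands in for the "suspicious IP" from the accepted answer.
SUSPICIOUS_IP = "198.51.100.7"

INBOUND = [
    NaclRule(90, "tcp", f"{SUSPICIOUS_IP}/32", 0, 65535, "deny"),   # explicit deny, numbered first
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),           # HTTPS from anywhere
]

OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),        # replies to client ephemeral ports
]

# Same rules, but the deny is numbered AFTER the allow: the allow matches first,
# so the deny never fires.  This is the ordering mistake the accepted answer warns about.
MISORDERED_INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(200, "tcp", f"{SUSPICIOUS_IP}/32", 0, 65535, "deny"),
]


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed ordinary client address
    print("HTTPS from client:       ", evaluate(INBOUND, Packet("tcp", client, 443)))
    print("SSH from client:         ", evaluate(INBOUND, Packet("tcp", client, 22)))
    print("HTTPS from suspicious IP:", evaluate(INBOUND, Packet("tcp", SUSPICIOUS_IP, 443)))
    print("misordered deny:         ", evaluate(MISORDERED_INBOUND, Packet("tcp", SUSPICIOUS_IP, 443)))
    print("full connection, ephemeral out allowed:", connection_allowed(INBOUND, OUTBOUND, client, 51515, 443))
    print("full connection, no outbound rule:     ", connection_allowed(INBOUND, [], client, 51515, 443))
```

Running it shows HTTPS from an ordinary client matching rule 100, SSH falling through to the implicit `*` deny, the suspicious address hitting rule 90 before it can reach the allow, and the same deny being silently ignored when numbered 200. The last two lines show why the outbound ephemeral-port rule is not optional on a stateless filter: drop it and the server's replies are discarded even though the inbound allow is in place.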

1

Instances in the public subnet are routable through the internet: instances have a public IP address and can access the internet, and others can reach them if the traffic is allowed in the security group + network ACL. NACLs control who is allowed to establish connectivity through the network ACL rules. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules

AWS
answered 2 years ago
EXPERT
reviewed a year ago
  • Thank you!
