There are indeed some key differences between security groups in the VPC and network access controls in it. The NACL can be applied at a subnet level and therefore instances which are in the subnet will automatically follow NACL rules. But, with security groups, these have to be specifically assigned to an instance. When you have a
Virtual Private Cloud you have a default NACL that lets in all traffic, whether outgoing or incoming. When you wish to restrict the access at this level you need to create custom NACL and give it custom rules. So, the NACLs work stateless, not like the security groups. The security groups are considered to be stateful. When you add inbound traffic rules for a port, the outbound is automatically allowed and no separate rule must be added for this specifically. However, in the case of NACLs you must provide clear outbound and inbound traffic rules.
In NACL it is possible to set rules for both allowing and denying traffic but in security groups, it is not possible to deny from any specific instance. Everything is denied by default; so, you must set rules for allowing traffic. Besides, the security groups will take into account all rules before they allow any traffic. However, the NACLs use a number order. So, in case the number 0 rule allows traffic and the rule number 50 disallows traffic, all traffic will in any case be allowed depending on the first rule. This is why it is recommended that the “deny” rules should be placed top of the order in NACL and these should be then followed by the “allow” rules. In putting deny rules first, you must start with stating the “narrow” deny rules meant for particular ports and then make the allow rules.
_________________
Sales:
[email protected]Links To Our Service Pages:Data Center |
Cloud Hosting |
VPS Hosting |
Colocation in India 
1-800-212-2022
Talk to Experts
Live Chat
Login 
Register 
FAQ 
Search 
