Network ACLs vs Security Groups in AWS

Questions and Answers

What is a key difference between Security Groups and Network ACLs?

  • Security Groups evaluate rules in number order, while Network ACLs process rules before allowing traffic.
  • Security Groups support allow rules and deny rules, while Network ACLs support allow rules only.
  • Security Groups operate at the instance level, while Network ACLs operate at the subnet level. (correct)
  • Security Groups are stateful, while Network ACLs are stateless.

Security Groups are stateful, which means return traffic is automatically allowed.

  True

How do Network ACLs process rules when deciding whether to allow traffic?

  • Evaluate all rules before deciding
  • Process rules in number order (correct)
  • Allow traffic without processing rules
  • Apply rules based on instance type

When do Security Groups apply to an instance?

  When someone specifies the Security Group when launching the instance

Study Notes

Network ACLs vs Security Groups

Key Differences

  • Security groups operate at the instance level, whereas network ACLs operate at the subnet level.
  • Security groups only support allow rules, whereas network ACLs support both allow and deny rules.
  • Security groups are stateful, meaning return traffic is automatically allowed regardless of any rules, whereas network ACLs are stateless and require explicit rules to allow return traffic.

Evaluation of Rules

  • Security groups evaluate all rules before deciding whether to allow traffic.
  • Network ACLs process rules in numerical order when deciding whether to allow traffic.

Application Scenarios

  • Security groups only apply to an instance if specified during launch or associated later on.
  • Network ACLs automatically apply to all instances in the subnets they're associated with, eliminating the need for user specification.

    Quiz Team

    Description

    Compare and contrast Network ACLs and Security Groups in AWS, including their levels of operation, rule types, and traffic evaluation methods.
