
Showing posts from August, 2020

What are various AWS services used for?

AWS EMR (Amazon Elastic MapReduce) - used for big data reading, processing and analysis; for applications with data-intensive workloads
AWS Kinesis - real-time streaming data
AWS Custom Kinesis Streams Applications - to analyze data and move the analysis outcomes to other systems
VPC Peering - for inter-region private connection
VPC Endpoints - private link; should be used with VPC Peering for inter-region connection
NAT Gateway - allows private instances to download updates from the internet; AWS recommends creating a NAT Gateway in each AZ
CloudWatch Alarms - can trigger auto-scaling, EC2 actions, SNS notifications, etc.
Amazon Kinesis Data Firehose - used to ship data to other AWS services (not for analysis)
AWS RDS (Amazon Relational Database Service) - an SQL DB; it works on OLTP
Amazon DynamoDB - a NoSQL DB; used for light-weight and durable storage
AWS Direct Connect - used to establish a network connection from on premises to A...

NACL - deny rules first, allow rules next

The evaluation of rules in security groups and network access control lists is completely different. In a security group, all the rules are evaluated before traffic is allowed. In a network ACL, the rules are evaluated in the order of their rule number, that is, from top to bottom. If you set rule number 99 to allow HTTP traffic from a particular IP address and also set rule number 100 to deny HTTP traffic from the same IP address, then the traffic from that IP address is not denied, because rule #99 is evaluated before rule #100: the rule at the top (as shown in the console) is evaluated first, then the ones below it. Hence, in this case a deny rule placed after an allow rule has no effect, whereas a deny rule placed before an allow rule takes precedence and the traffic is actually denied. Thus in a NACL it is always good to have the deny rules first and the allow rules next. Tip: write deny rules for specific ports, for example port 80.

Network ACLs are stateless while security groups are stateful - What does it mean?

In a security group, if you add an inbound rule for port 80, an outbound rule for port 80 is effectively added automatically (the return traffic is allowed). You don't need to explicitly add an outbound rule in a security group if you add an inbound rule. This is not true in a NACL, i.e., the inbound and outbound rules have to be defined explicitly.

FAQ 1: Suppose I add an inbound rule for port 80 in a security group, so an outbound rule for port 80 is added by default. In this case, will I see an explicit outbound rule for port 80 in that security group in the AWS console? Ans: No. It is inherently added.

FAQ 2: I don't want to allow incoming traffic on port 80 but to deny all incoming traffic on port 80. How do I do this in a security group? Ans: You don't need to do anything for this in a security group, because everything is denied by default in security groups. This means you set rules only to allow. In contrast, in NACLs you can set rules both to deny and to allow. This gives you more control.
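The two evaluation models described in the NACL ordering post and in FAQ 2 above (ordered first-match with an implicit final deny for NACLs, allow-only with deny-by-default for security groups) as a small Python model. This is an added example, not code from the posts; the rule numbers 99 and 100 come from the post, while the 203.0.113.0/24 source range and the Rule fields are constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number (evaluation order); unused by security groups
    action: str    # "allow" or "deny"; security groups only ever hold "allow"
    protocol: str  # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str      # source CIDR for an inbound rule

def matches(rule: Rule, protocol: str, port: int, src: str) -> bool:
    """True when the packet's protocol, destination port and source fit the rule."""
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ip_address(src) in ip_network(rule.cidr)

def nacl_decision(rules, protocol, port, src) -> str:
    """NACL: rules are checked in ascending rule-number order and the first
    match wins; the implicit final '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, port, src):
            return rule.action
    return "deny"

def sg_decision(rules, protocol, port, src) -> str:
    """Security group: every rule is an allow; traffic passes if any rule
    matches, and anything without a matching rule is denied by default."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot hold deny rules")
    return "allow" if any(matches(r, protocol, port, src) for r in rules) else "deny"

# Constructed sample rules (not from the post) reproducing its rule 99/100 case:
# HTTP from the 203.0.113.0/24 documentation range, allowed at 99 and denied at 100.
ALLOW_HTTP = Rule(99, "allow", "tcp", 80, 80, "203.0.113.0/24")
DENY_HTTP = Rule(100, "deny", "tcp", 80, 80, "203.0.113.0/24")

def ordering_outcomes(src: str = "203.0.113.10"):
    """NACL verdict for HTTP from src with allow-before-deny, then with the
    numbers swapped so the deny comes first."""
    allow_first = nacl_decision([ALLOW_HTTP, DENY_HTTP], "tcp", 80, src)
    swapped = [Rule(99, "deny", "tcp", 80, 80, "203.0.113.0/24"),
               Rule(100, "allow", "tcp", 80, 80, "203.0.113.0/24")]
    deny_first = nacl_decision(swapped, "tcp", 80, src)
    return allow_first, deny_first   # -> ('allow', 'deny')
```

Swapping the rule numbers is the only change between the two NACL verdicts, which is why the post recommends giving deny rules the lower numbers.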