
NACL - deny rules first, allow rules next

The way rules are evaluated in security groups and in network access control lists (NACLs) is completely different.

In a security group, all the rules are evaluated before traffic is allowed, so the order of the rules does not matter.

In a network access control list, however, rules are evaluated in the order of their rule number, that is, from top to bottom, and the first rule that matches decides. If you set rule number 99 to allow HTTP traffic from a particular IP address and also set rule number 100 to deny HTTP traffic from the same IP address, then the traffic from that IP address is not denied, because rule #99 is evaluated before rule #100: the rule on top (as you see it in the console) is evaluated first, then the one below it.

Hence, in this case, a deny rule that comes after an allow rule has no effect and the traffic is not actually denied, whereas a deny rule that comes before an allow rule takes precedence and the traffic is actually denied.

Thus, in an NACL, it is always good to put the deny rules first and the allow rules next.

Tip: Write deny rules for specific ports, for example port 80.
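To make the two evaluation models concrete, here is an added Python model (not code from the original post and not AWS's own implementation) that evaluates a packet against a list of rules with NACL semantics (ascending rule number, first match wins, implicit deny at the end) and with security-group semantics (only allow rules, any match allows). It also includes a small check that flags deny rules which can never fire because a lower-numbered allow rule already covers them, which is exactly the #99/#100 situation above. The rule numbers, CIDRs, ports and packet are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lower numbers are evaluated first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int     # inclusive start of the destination port range
    port_to: int       # inclusive end of the destination port range
    cidr: str          # source CIDR the rule applies to


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int
    src_ip: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's protocol, port and source address fall inside the rule."""
    proto_ok = rule.protocol == "-1" or rule.protocol == pkt.protocol
    port_ok = rule.port_from <= pkt.port <= rule.port_to
    net_ok = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and net_ok


def evaluate_nacl(rules: List[Rule], pkt: Packet) -> str:
    """NACL semantics: try rules in ascending rule-number order; the first match
    decides. If nothing matches, the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def evaluate_sg(rules: List[Rule], pkt: Packet) -> str:
    """Security-group semantics: only allow rules exist, order is irrelevant,
    and the packet is allowed if any rule matches it."""
    allowed = any(rule_matches(r, pkt) for r in rules if r.action == "allow")
    return "allow" if allowed else "deny"


def shadowed_denies(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (deny_number, allow_number) pairs where the deny rule can never fire
    because a lower-numbered allow rule covers the same protocol, the whole port
    range and a CIDR that contains the deny rule's CIDR."""
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, deny in enumerate(ordered):
        if deny.action != "deny":
            continue
        for allow in ordered[:i]:
            if allow.action != "allow":
                continue
            same_proto = allow.protocol == "-1" or allow.protocol == deny.protocol
            ports_cover = allow.port_from <= deny.port_from and deny.port_to <= allow.port_to
            nets_cover = ipaddress.ip_network(deny.cidr).subnet_of(ipaddress.ip_network(allow.cidr))
            if same_proto and ports_cover and nets_cover:
                found.append((deny.number, allow.number))
                break
    return found


# Constructed sample: the post's #99 allow / #100 deny example for HTTP from one host.
BLOCKED_HOST = "203.0.113.10"
PKT = Packet(protocol="tcp", port=80, src_ip=BLOCKED_HOST)

# Allow first, deny next: the deny is shadowed and the traffic gets through.
BAD_ORDER = [
    Rule(99, "allow", "tcp", 80, 80, f"{BLOCKED_HOST}/32"),
    Rule(100, "deny", "tcp", 80, 80, f"{BLOCKED_HOST}/32"),
]

# Deny first, allow next: the deny wins, as the post recommends.
GOOD_ORDER = [
    Rule(99, "deny", "tcp", 80, 80, f"{BLOCKED_HOST}/32"),
    Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
]


if __name__ == "__main__":
    print("bad order  :", evaluate_nacl(BAD_ORDER, PKT))      # allow
    print("good order :", evaluate_nacl(GOOD_ORDER, PKT))     # deny
    print("shadowed   :", shadowed_denies(BAD_ORDER))         # [(100, 99)]
    print("sec. group :", evaluate_sg(BAD_ORDER, PKT))        # allow (deny rules do not exist there)
```

Running `shadowed_denies` over an NACL's rule list before applying it is a cheap way to catch the mistake the post describes: any pair it reports is a deny rule that a lower-numbered allow rule will always preempt.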
