Skip to main content

Network ACLs are stateless while security groups are stateful - What does it mean?

In security groups, if you add an inbound rule for port 80, then an outbound rule for port 80 it is automatically added. You don't need to explicitly add an outbound rule in security groups if you add an inbound rule. This is not true in NACL i.e., the inbound and outbound rules have to be defined explicitly.

FAQ 1:
Suppose I add an inbound rule for port 80 in a security group, an outbound rule for port 80 will be added by default. In this case, will I see an explicit outbound rule for port 80 in that security group in AWS console?

Ans:
No. It is inherently added.

FAQ 2:
I don't want to allow incoming traffic on port 80 but to deny all incoming traffic on port 80 - How to do this in a security group?

Ans:
You don't need to do anything for this in a security group because everything is denied by default in security groups. This means, you set rules only to allow. On contradiction, in NACLs, you can set rules both to deny and allow. This gives you more control.
Labels:

Comments

Post a Comment

Popular posts from this blog

AWS Route53 - Private Hosted Zone

Post a Comment
Read more

High availability (Multi-AZ) for Amazon RDS

There is something called failover technology in Amazon. AWS RDS's Multi-AZ deployment uses this technology. If you enable Multi-AZ for an RDS DB, say MySQL DB, RDS automatically creates a standby replica in a different AZ. If the primary DB instance is in AZ-1A, then RDS creates a standby replica in AZ-1B (for example). Suppose I add a new row to a table in the primary DB, then the same row is added, almost in the same time, in the standby replica. This is called as synchronous replication . Thus, standby replicas are useful during DB instance failure/ AZ disruption . How? Because, there is no need to create a backup later because the backup has already been created. This gives high availability during planned system maintenance. Normal backup  operation - I/O activities are blocked in the primary database  Automated backup operation (standby replica) - I/O activities are not blocked This standby replica is not similar to read replica (which is used for disaster recovery). S...
Post a Comment
Read more

Application Load Balancer (ALB)

The ALB spans all subnets in a VPC i.e., it is not inside a subnet but VPC. ALB is bound to Target Groups (TGs). TGs are bound to subnets.
Post a Comment
Read more