Security Groups and Network Access Control Lists
1. What is the difference between Security Groups and Network ACLs in AWS?
Security Groups act as a firewall for associated EC2 instances, controlling inbound and outbound traffic at the instance level. Network ACLs act as a firewall for subnets, controlling inbound and outbound traffic at the subnet level.
2. How does the rule priority work in Network ACLs?
Network ACLs have a separate set of inbound and outbound rules, and each rule is assigned a unique rule number (1-32766). Lower numbered rules take precedence over higher numbered rules, so if a subnet’s traffic matches multiple inbound or outbound rules, the rule with the lowest number is applied.
3. How do Security Groups handle overlapping rules?
Security Groups do not allow overlapping rules. If a new rule is added that conflicts with an existing rule, the new rule will override the previous rule.
4. What is the stateful nature of Network ACLs?
Network ACLs are stateful, meaning that if a rule is created to allow inbound traffic, corresponding outbound traffic is automatically allowed, regardless of outbound rules. The same is true for outbound rules.
5. Can Security Groups or Network ACLs be modified after creation?
Both Security Groups and Network ACLs can be modified after creation by adding or removing rules.
6. What is the difference between “Allow” and “Deny” rules in Security Groups and Network ACLs?
“Allow” rules allow incoming or outgoing traffic that matches the specified conditions, while “Deny” rules block incoming or outgoing traffic that matches the specified conditions.
7. Can Security Groups be assigned to more than one EC2 instance?
Yes, Security Groups can be assigned to multiple EC2 instances.
8. Can a single EC2 instance belong to multiple Security Groups?
Yes, an EC2 instance can belong to multiple Security Groups.
9. Can a Network ACL be assigned to multiple subnets?
No, a Network ACL can only be associated with one subnet at a time.
10. What is the default rule in Network ACLs?
By default, Network ACLs have a rule allowing all inbound and outbound traffic. This rule must be deleted or modified to implement custom inbound or outbound security rules.
11. What is the maximum number of rules that can be added to a Security Group?
A Security Group can have a maximum of 60 inbound rules and 60 outbound rules.
13. Can Network ACLs be used to allow traffic from a specific IP address or range?
Yes, Network ACLs can be used to allow traffic from specific IP addresses or IP address ranges.
14. Can a Security Group rule be used to allow traffic from a specific IP address range?
Yes, a Security Group rule can be used to allow traffic from a specific IP address range.
15. What is the effect of revoking a Security Group rule on associated EC2 instances?
Revoking a Security Group rule will immediately block the specified incoming or outgoing traffic for all EC2 instances associated with that Security Group.
16. What is the effect of revoking a Network ACL rule on subnets?
Revoking a Network ACL rule will immediately block the specified incoming or outgoing traffic for all instances in subnets associated with that Network ACL.
