1. Security Groups:
A security group acts as a virtual firewall for an EC2 instance (strictly, for its network interface). It has separate inbound and outbound rules. A newly created security group allows no inbound traffic and allows all outbound traffic, so until you add an inbound rule for a protocol and port, nobody can reach the instance over that protocol. Security groups contain allow rules only: anything not explicitly allowed is implicitly denied, and there is no way to write a deny rule. An instance can have several security groups attached at once, and the rules of all of them are combined. Because there are no deny rules, a security group cannot block one specific IP address; that is a job for a network ACL. Changes to a security group's rules take effect immediately on the instances that use it.
2. Network Access Control Lists (Network ACLs):
Every VPC comes with a modifiable default network ACL that allows all inbound and all outbound IPv4 traffic. You can also create custom network ACLs; a new custom network ACL denies all inbound and all outbound traffic until you add rules. Network ACLs are stateless and have separate inbound and outbound rule lists, with a default limit of 20 rules per list. Rules are numbered and evaluated in ascending order starting from the lowest number; the first matching rule decides, and an implicit final rule denies anything that did not match. Every subnet in the VPC must be associated with a network ACL (a subnet that is not explicitly associated with one uses the default network ACL). A network ACL can be associated with many subnets, but a subnet can be associated with only one network ACL at a time. Network ACLs support both allow and deny rules and operate at the subnet level.
Differences between security groups and network ACLs:

| Security Group | Network Access Control List |
|---|---|
| Operates at the instance (network interface) level. | Operates at the subnet level. |
| Supports allow rules only. | Supports both allow and deny rules. |
| Stateful: when an inbound or outbound connection is allowed, its return traffic is allowed automatically. | Stateless: return traffic must be explicitly allowed by a rule in the other direction, typically on the ephemeral port range. |
| Cannot block a specific IP address, because there are no deny rules. | Can block a specific IP address with a deny rule. |
| All rules are evaluated before deciding whether to permit traffic; any matching allow rule permits it. | Rules are processed in ascending number order; the first matching rule decides whether the traffic is allowed. |
| Associated with an instance when it is launched (or attached to it later). | Associated with a subnet, and therefore applies to every instance in that subnet. |
| Applies only to instances that someone explicitly associated with the security group, at launch or afterwards. | Does not depend on the user: it automatically applies to all instances in the associated subnet. |
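The two evaluation models in the table, written out as a small Python model. This is an added example, not code from the original page or from AWS: the addresses, ports and rule numbers are constructed, and it simplifies AWS behaviour (IPv4 and TCP/UDP only, one instance, a plain set standing in for the security group's connection tracking). It shows two mistakes the table implies but does not spell out: a network ACL deny rule numbered after the allow rule it is meant to override never fires, and without an explicit outbound rule on the ephemeral port range the stateless network ACL drops the reply that a stateful security group passes without any outbound rule at all.

```python
# Toy model of an AWS security group (allow-only, stateful, all rules consulted) and
# a network ACL (allow/deny, stateless, lowest number wins). Constructed, not AWS code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"

@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str = "allow"  # "deny" is only legal in a network ACL
    number: int = 0        # evaluation order, used by network ACLs only

def _matches(rule, packet, remote_ip):
    # A rule is judged against the remote side of the packet.
    return (rule.protocol in ("-1", packet.protocol)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ip_address(remote_ip) in ip_network(rule.cidr))

class SecurityGroup:
    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._connections = set()  # (local_ip, local_port, remote_ip, remote_port)
    def inbound_allowed(self, packet):
        # Every rule is consulted; any matching allow rule permits the packet.
        if any(_matches(r, packet, packet.src_ip) for r in self.inbound):
            self._connections.add((packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port))
            return True
        return False  # implicit deny: no rule allowed it
    def outbound_allowed(self, packet):
        # Stateful: the reply to a tracked inbound connection needs no outbound rule.
        if (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port) in self._connections:
            return True
        return any(_matches(r, packet, packet.dst_ip) for r in self.outbound)

class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)
    @staticmethod
    def _evaluate(rules, packet, remote_ip):
        for rule in rules:                     # ascending rule number
            if _matches(rule, packet, remote_ip):
                return rule.action == "allow"  # first match decides
        return False                           # the implicit final "*" deny rule
    def inbound_allowed(self, packet):
        return self._evaluate(self.inbound, packet, packet.src_ip)
    def outbound_allowed(self, packet):
        # Stateless: there is no connection table, the reply is judged on its own.
        return self._evaluate(self.outbound, packet, packet.dst_ip)

def demo():
    """Evaluate an SSH request and its reply under each model; returns the verdicts."""
    instance = "10.0.1.10"
    attacker, visitor = "203.0.113.7", "198.51.100.5"  # constructed (TEST-NET) addresses
    attack = Packet(attacker, 50000, instance, 22)
    visit = Packet(visitor, 50001, instance, 22)
    visit_reply = Packet(instance, 22, visitor, 50001)
    # Security group: inbound SSH from anywhere and deliberately no outbound rule.
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "0.0.0.0/0")], outbound=[])
    # Careless network ACL: the deny is numbered after the allow it should override,
    # and nothing allows the reply on the ephemeral ports.
    careless = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100),
                 Rule("tcp", 22, 22, attacker + "/32", "deny", 200)],
        outbound=[])
    # Corrected network ACL: deny first, and return traffic explicitly allowed on the
    # ephemeral range (1024-65535, the range AWS documents for network ACLs).
    corrected = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, attacker + "/32", "deny", 90),
                 Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])
    return {
        "sg_inbound_ssh": sg.inbound_allowed(visit),                             # True
        "sg_reply_without_outbound_rule": sg.outbound_allowed(visit_reply),       # True
        "careless_nacl_blocks_attacker": not careless.inbound_allowed(attack),    # False
        "careless_nacl_passes_reply": careless.outbound_allowed(visit_reply),     # False
        "corrected_nacl_blocks_attacker": not corrected.inbound_allowed(attack),  # True
        "corrected_nacl_admits_visitor": corrected.inbound_allowed(visit),        # True
        "corrected_nacl_passes_reply": corrected.outbound_allowed(visit_reply),   # True
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run the file to print the seven verdicts. The `careless` results are the ones to study: the attacker is admitted because rule 100 matches before rule 200 is ever reached, and the legitimate visitor's reply is dropped because the stateless ACL has no outbound rule covering the client's ephemeral port, whereas the security group passes the same reply with an empty outbound list purely on the strength of its connection tracking.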