📜  AWS NACLs and Security Groups

📅  Last modified: 2020-11-07 03:47:52             🧑  Author: Mango

What is a security group?

A security group acts as a virtual firewall for an EC2 instance (strictly, for each of its elastic network interfaces), controlling inbound and outbound traffic at the instance level.

What is a NACL?

A network ACL (NACL) adds a further layer of security that is associated with a subnet: it controls inbound and outbound traffic for every instance in that subnet, at the subnet level.

Combining security groups and NACLs

Maximum number of rules per NACL: 20

Maximum number of rules per security group: 50

Maximum number of security groups per instance (per network interface): 5

Maximum number of rules that can apply to one instance: 5 * 50 + 20 = 270

These figures are the default AWS quotas at the time of writing, counted separately for each direction (inbound or outbound). They are adjustable per account and have changed over time, so check the current VPC quotas page rather than relying on them. Note also that the NACL rules apply at the subnet boundary rather than to the instance itself, so 270 is only a rough upper bound on the rules that can affect one instance's traffic, not a per-instance quota.

Differences between security groups and NACLs

| Aspect | Security Group | NACL (Network Access Control List) |
|---|---|---|
| Rule types | Supports allow rules only; anything not explicitly allowed is denied. You cannot write a deny rule. | Supports both allow and deny rules; the list ends in an implicit deny-all (rule `*`), so you add numbered rules that either allow or deny. |
| State | Stateful: return traffic for a connection that was allowed in one direction is automatically permitted in the other, regardless of the rules for that direction. Allowing inbound port 80 is enough for a web server; its responses need no outbound rule. | Stateless: each direction is evaluated independently, with no connection tracking. Allowing inbound port 80 is not enough; you must also add an outbound rule for the clients' ephemeral source ports (typically 1024-65535), or the responses are dropped. |
| Scope | Associated with an instance (more precisely, with its elastic network interface). | Associated with a subnet and applied to every instance in it. |
| Evaluation | All rules are evaluated before the decision; traffic is allowed if any rule matches. | Rules are evaluated in ascending rule-number order and the first match wins, so a deny with a lower number overrides a later allow, and a deny numbered after a broader allow never fires. |
| Application | An instance always has at least one security group; if you specify none at launch, the VPC's default security group is attached. | Applied automatically to all instances in the subnets associated with it; every subnet uses the VPC's default NACL unless you associate a custom one. |
| Layer | The instance-level layer of defense; inbound traffic reaches it only after passing the NACL. | The subnet-level layer of defense; inbound traffic must pass the NACL before it reaches the instance's security group. |
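The stateful/stateless and rule-ordering rows are the ones that cause real outages, so here is a small Python model of both evaluation semantics. It is an added example, not code from the original article or from AWS: the rule sets, addresses and ports are constructed for the demonstration, and `nacl_evaluate`, `sg_evaluate`, `nacl_connection_allowed` and `sg_connection_allowed` are illustrative names, not AWS APIs. It shows that mirroring "port 80" on the outbound side of a NACL still drops HTTP responses, that the fix is an outbound ephemeral-port rule, and that a deny numbered above a broader allow is unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: models how a security group (stateful, allow-only, all rules
# evaluated) and a network ACL (stateless, allow/deny, ordered, first match
# wins) decide on the same traffic. Rule sets and addresses are constructed.


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (ignored by security groups)
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny" (security groups only ever use "allow")


def rule_matches(rule: Rule, proto: str, port: int, ip: str) -> bool:
    return (
        rule.protocol in ("all", proto)
        and rule.port_from <= port <= rule.port_to
        and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)
    )


def nacl_evaluate(rules: List[Rule], proto: str, port: int, ip: str) -> Tuple[str, Optional[int]]:
    """Walk the rules in ascending number order; the first match decides.
    No match falls through to the implicit '*' deny, reported as number None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, port, ip):
            return rule.action, rule.number
    return "deny", None


def sg_evaluate(rules: List[Rule], proto: str, port: int, ip: str) -> bool:
    """Every rule is considered; any matching allow rule permits the traffic."""
    return any(r.action == "allow" and rule_matches(r, proto, port, ip) for r in rules)


def sg_connection_allowed(inbound: List[Rule], proto: str, client_ip: str, server_port: int) -> bool:
    """Stateful: once the request is allowed inbound, the response is tracked and
    permitted automatically, so outbound rules are never consulted for it."""
    return sg_evaluate(inbound, proto, server_port, client_ip)


def nacl_connection_allowed(inbound: List[Rule], outbound: List[Rule], proto: str,
                            client_ip: str, client_port: int, server_port: int) -> Tuple[bool, str]:
    """Stateless: request and response are evaluated separately. The response is
    addressed to the client's ephemeral port, so the outbound list must allow it."""
    verdict, num = nacl_evaluate(inbound, proto, server_port, client_ip)
    if verdict != "allow":
        return False, f"request denied by inbound rule {num}"
    verdict, num = nacl_evaluate(outbound, proto, client_port, client_ip)
    if verdict != "allow":
        return False, f"response to port {client_port} denied by outbound rule {num}"
    return True, "allowed in both directions"


# Constructed rule sets (not real AWS data).
SG_INBOUND = [Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow")]

# Deny one /24 on port 80 and allow everyone else; the deny sits at the lower number.
NACL_INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(90, "tcp", 80, 80, "203.0.113.0/24", "deny"),
]
# Same rules with the deny numbered above the allow: the deny can never match port 80.
NACL_INBOUND_MISORDERED = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 80, 80, "203.0.113.0/24", "deny"),
]
# Outbound that just mirrors "port 80": looks symmetric, but drops every response.
NACL_OUTBOUND_BROKEN = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
# Outbound that allows the ephemeral port range the responses are sent to.
NACL_OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    client, eph = "198.51.100.7", 49152
    print("SG, stateful       :", sg_connection_allowed(SG_INBOUND, "tcp", client, 80))
    print("NACL, port-80 only :", nacl_connection_allowed(NACL_INBOUND, NACL_OUTBOUND_BROKEN, "tcp", client, eph, 80))
    print("NACL, ephemeral ok :", nacl_connection_allowed(NACL_INBOUND, NACL_OUTBOUND_FIXED, "tcp", client, eph, 80))
    print("deny before allow  :", nacl_evaluate(NACL_INBOUND, "tcp", 80, "203.0.113.5"))
    print("deny after allow   :", nacl_evaluate(NACL_INBOUND_MISORDERED, "tcp", 80, "203.0.113.5"))
```

Run it as a script to see the five verdicts side by side. The model deliberately omits details a real NACL also has (ICMP types, IPv6, the 32766 upper rule number) because the two points it is there to make, connection tracking and first-match ordering, do not depend on them.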