AWS Security Group and NACL


Security Group:

A security group adds a firewall layer to EC2 instances that controls both inbound and outbound traffic at the instance level (the elastic network interface).

NACL:

A NACL adds an additional layer of security associated with subnets; it controls both inbound and outbound traffic at the subnet level.

Difference between these two security controls:

Rule types
Security Group: supports only allow rules. Any traffic not matched by an allow rule is implicitly denied, so you cannot write an explicit deny rule.
NACL (Network Access Control List): supports both allow and deny rules. Traffic not matched by any numbered rule falls through to the implicit deny, so you must add a rule that either allows or denies it.

Statefulness
Security Group: stateful. Once an inbound connection is allowed, its return traffic is permitted automatically, whatever the outbound rules say. For example, if you allow incoming port 80, you do not have to add an outbound rule for the responses.
NACL: stateless. Inbound and outbound rules are evaluated independently, so you need to add the outbound rule separately. For example, if you add an inbound rule for port 80, you also have to explicitly add an outbound rule for the response traffic.

Scope
Security Group: associated with an EC2 instance.
NACL: associated with a subnet.

Evaluation
Security Group: all rules are evaluated before deciding whether to allow the traffic.
NACL: rules are evaluated in order, starting from the lowest rule number; the first matching rule wins.

Layering
Security Group: the first layer of defense.
NACL: the second layer of defense.

What is a Security Group

Create a custom VPC with the "VPC and more" option.

CIDR: 10.0.0.0/24

Selection of the different parameters as shown:

Workflow of custom VPC creation.

Launch an Ubuntu EC2 instance (t2.micro).

Select the custom VPC and subnet when creating the instance.

Connect to the instance and check whether the Python package is available.

Try to access the server using the public IP followed by the port number.

Expose the application port so it can be reached (by defining a custom inbound rule in the security group).

After exposing the port, the URL is accessible.

Changes made in NACL:

Select the NACL ID associated with Demo-vpc.

Here all traffic is allowed by rule number 100.

What is a rule number?

Each rule has a number from 1 to 32766. The rules are evaluated in order, starting with the lowest numbered rule, when deciding whether to allow or deny traffic.

Creating a deny rule with a lower rule number than the allow rule will block the inbound traffic on that port.

If we try to access the application now, it is not accessible.

Now customize the NACL rules again. Here rule number 100 (all traffic, allow) is evaluated before rule number 110 (port 8000, deny), so the allow rule matches first and the deny rule never takes effect.

Again try to access the application.
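To make the ordering and statefulness behaviour above concrete, here is a small simulator (added example, not code from the original post or from AWS) that evaluates constructed rule sets the way the walkthrough describes: NACL rules by ascending number with first match winning, security group rules as allow-only with an implicit deny. The rule numbers, port 8000 and the ephemeral port are assumptions mirroring the post's scenario.

```python
from typing import List, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number; lower numbers are evaluated first
    port: Optional[int]    # None matches any port ("All traffic")
    action: str            # "allow" or "deny" (security groups only use "allow")


def nacl_evaluate(rules: List[Rule], port: int) -> bool:
    """NACL semantics: walk rules by ascending number, first match decides.
    Traffic matched by no numbered rule hits the implicit '*' rule: denied."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port is None or rule.port == port:
            return rule.action == "allow"
    return False


def sg_evaluate(rules: List[Rule], port: int) -> bool:
    """Security group semantics: every rule is considered, rules can only allow,
    and anything not allowed by some rule is implicitly denied."""
    return any(r.port is None or r.port == port for r in rules)


def nacl_connection_ok(inbound: List[Rule], outbound: List[Rule],
                       port: int, ephemeral: int = 32768) -> bool:
    # Stateless: the reply to a request on `port` leaves on the client's
    # ephemeral port (assumed 32768 here) and needs its own outbound rule.
    return nacl_evaluate(inbound, port) and nacl_evaluate(outbound, ephemeral)


def sg_connection_ok(inbound: List[Rule], port: int) -> bool:
    # Stateful: once the inbound request is allowed, the reply is tracked and
    # permitted automatically, so no outbound rule is consulted.
    return sg_evaluate(inbound, port)


# Constructed rule sets mirroring the three NACL states in the walkthrough.
ALLOW_ALL_ONLY = [Rule(100, None, "allow")]
DENY_BEFORE_ALLOW = [Rule(90, 8000, "deny"), Rule(100, None, "allow")]
DENY_AFTER_ALLOW = [Rule(100, None, "allow"), Rule(110, 8000, "deny")]

if __name__ == "__main__":
    for name, rules in [("allow-all only", ALLOW_ALL_ONLY),
                        ("deny 8000 at 90", DENY_BEFORE_ALLOW),
                        ("deny 8000 at 110", DENY_AFTER_ALLOW)]:
        verdict = "allowed" if nacl_evaluate(rules, 8000) else "denied"
        print(f"{name}: port 8000 inbound -> {verdict}")
```

The third case is the one that surprises people: the deny on port 8000 is shadowed by the lower-numbered allow-all rule, which is why the post's application remains reachable after adding rule 110.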


Support Santosh Chauhan's blog by becoming a sponsor. Any amount is appreciated!