- NACL (Network Access Control Lists)
- Security Groups
- Host-based firewall, IDS and IPS on the instance itself
- No support for "edge-to-edge routing" (traffic cannot transit a VPC to reach another peered VPC or on-premises network)
NACL (Network Access Control List)
- Applied to the subnet as a whole
- Stateless (does not remember TCP sessions)
- As a result, both ingress and egress rules must be specified, including the return traffic
- When you create a VPC, AWS creates a default NACL that allows all traffic in both directions; rules are evaluated in ascending rule number, first match wins, and the final * rule denies everything unmatched
- Allow or Deny
- Protocol (TCP, UDP)
- Source or destination IP range
- Source or destination port range (e.g. ingress 80 and 22; egress 1024-65535 so that replies to clients' ephemeral ports can leave the subnet)
Security Groups
- Applied to the instance (its network interface)
- Stateful: return traffic for an allowed connection is permitted automatically, so ingress and egress rules can both be specified but do not need to mirror each other
- Default rules: all outbound allowed, all inbound denied
- Therefore only allow rules, no deny rules; anything not explicitly allowed is denied
- Protocol (TCP, UDP)
- Source IP range and port range for ingress
- Destination IP range and port range for egress
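The following is an added illustration, not code from the notes or from AWS. It models how the two filters above evaluate a web request and its reply: the NACL checks every packet against the rule list of its own direction, in rule-number order with an implicit final deny, while the security group remembers allowed connections and lets the reply through without an egress rule. The IP addresses, rule numbers and the admin range used for SSH are made-up sample values.

```python
"""Stateless NACL vs stateful security group, modelled on the rule
semantics in the notes.  Addresses and rule numbers are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The packet the receiver sends back on the same connection."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int      # NACL: evaluated in ascending order; unused by security groups
    action: str      # "allow" or "deny" (security groups only use "allow")
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote range: source for ingress, destination for egress
    ports: tuple     # inclusive (low, high) range of the packet's destination port

    def matches(self, pkt, remote_ip):
        return (self.proto in ("all", pkt.proto)
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.ports[0] <= pkt.dst_port <= self.ports[1])


def _pick(ingress, egress, pkt, direction):
    """Rule list and remote address that apply to a packet in one direction."""
    return (ingress, pkt.src_ip) if direction == "ingress" else (egress, pkt.dst_ip)


class NetworkAcl:
    """Stateless: replies are checked like any other packet; no match -> deny ('*' rule)."""
    def __init__(self, ingress, egress):
        self.ingress = sorted(ingress, key=lambda r: r.number)
        self.egress = sorted(egress, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules, remote = _pick(self.ingress, self.egress, pkt, direction)
        for rule in rules:                      # first match wins
            if rule.matches(pkt, remote):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful and allow-only: a packet passes if a rule matches or if it is
    the return traffic of a connection that was already allowed."""
    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self.tracked = set()                    # (packet, direction) of allowed flows

    def evaluate(self, pkt, direction):
        opposite = "egress" if direction == "ingress" else "ingress"
        if (pkt.reply(), opposite) in self.tracked:
            return "allow"
        rules, remote = _pick(self.ingress, self.egress, pkt, direction)
        for rule in rules:                      # allow-only, so order is irrelevant
            if rule.matches(pkt, remote):
                self.tracked.add((pkt, direction))
                return "allow"
        return "deny"


# Constructed sample flow: an Internet client talks to a web server in the subnet.
CLIENT, WEB = "203.0.113.10", "10.0.1.20"
REQUEST = Packet(CLIENT, 51000, WEB, 80)

# Assumed rule set from the notes: 80 open to all, 22 only from an admin range.
WEB_INGRESS = [Rule(100, "allow", "tcp", "0.0.0.0/0", (80, 80)),
               Rule(110, "allow", "tcp", "198.51.100.0/24", (22, 22))]
EPHEMERAL_EGRESS = [Rule(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]


def round_trip(fw):
    """Verdicts for the inbound request and the outbound reply."""
    return fw.evaluate(REQUEST, "ingress"), fw.evaluate(REQUEST.reply(), "egress")


def nacl_missing_ephemeral_rule():
    return round_trip(NetworkAcl(WEB_INGRESS, []))              # reply is dropped


def nacl_with_ephemeral_rule():
    return round_trip(NetworkAcl(WEB_INGRESS, EPHEMERAL_EGRESS))


def nacl_rule_order(deny_number):
    """A deny for the client's /24: effective only if numbered below the allow."""
    block = Rule(deny_number, "deny", "tcp", "203.0.113.0/24", (80, 80))
    return NetworkAcl(WEB_INGRESS + [block], EPHEMERAL_EGRESS).evaluate(REQUEST, "ingress")


def security_group_stateful():
    """No egress rule at all, yet the reply passes because the group is stateful."""
    return round_trip(SecurityGroup([Rule(0, "allow", "tcp", "0.0.0.0/0", (80, 80))], []))


if __name__ == "__main__":
    print("NACL, no ephemeral egress:", nacl_missing_ephemeral_rule())
    print("NACL, with ephemeral egress:", nacl_with_ephemeral_rule())
    print("NACL deny at 90 / 200:", nacl_rule_order(90), nacl_rule_order(200))
    print("Security group, no egress rule:", security_group_stateful())
```

The check a practitioner takes away: a NACL that opens port 80 but has no egress rule for 1024-65535 silently breaks every connection, and a deny rule only bites when its number is lower than the allow it is meant to override.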
When a VPC is created, a default security group is created with it. Instances that have this default security group attached can talk to each other, because its inbound rule allows traffic from members of the same group. If an EC2 instance is launched without a security group, the default group is attached to it, since every instance must have at least one security group.
A load balancer needs to initiate connections to the backend EC2 servers in the container cluster, which receive the traffic on the port exposed by the container. Containers can be assigned an ephemeral host port on which to receive traffic from the load balancer: this is dynamic port mapping.
These are notes taken from the video tutorial¹. I recommend it to AWS beginners who want more detail.

¹ Networking in Amazon Web Services AWS LiveLessons, by Richard A. Jones. Publisher: Addison-Wesley Professional, release date: December 2017, ISBN: 013485084X.