I am happy to share that have passed another AWS cloud certification exam. The training and sponsorship was provided by Rackspace Cloud (AWS partner). This exam “AWS Cloud Practitioner” is relatively very simple in comparison to “AWS Solutions Architect“. I finished it in almost half the time given in exam.
The certificate is issued by AWS Training and Certification.
Feel free to reach out to me if for any help, assistance, guidance or motivation related to AWS certification.
If you have many instances, managing the firewalls using Network ACL can be very useful. Otherwise, with Security group, you have to manually assign a security group to the instances.
State: Stateful or Stateless Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened. Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.
Rules: Allow or Deny Security group support allow rules only (by default all rules are denied). e.g. You cannot deny a certain IP address from establishing a connection. Network ACL support allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection example: Block IP address 22.214.171.124 from establishing a connection to an EC2 Instance.
Rule process order All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL. i.e. Security groups evaluate all the rules in them before allowing a traffic whereas NACLs do it in the number order, from top to bottom.
Defense order Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic. Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.
Occurrence Subnet can have only one NACL, whereas Instance can have multiple Security groups.