Difference between AWS Network ACL and Security Group

If you have many instances, managing the firewalls using Network ACL can be very useful. Otherwise, with Security group, you have to manually assign a security group to the instances.

State: Stateful or Stateless
Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.
Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Rules: Allow or Deny
Security group support allow rules only (by default all rules are denied). e.g. You cannot deny a certain IP address from establishing a connection.
Network ACL support allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection example: Block IP address from establishing a connection to an EC2 Instance.

Rule process order
All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL.
i.e. Security groups evaluate all the rules in them before allowing a traffic whereas NACLs do it in the number order, from top to bottom.

Defense order
Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.

Subnet can have only one NACL, whereas Instance can have multiple Security groups.

credit: https://medium.com/awesome-cloud/aws-difference-between-security-groups-and-network-acls-adc632ea29ae

cloud: Internet is Mesh topology

Internet is Mesh topology. read more to understand 😉

Star topology is singe point of failure, which mean all the devices are connected to hub connected as the center of star with single wire. If hub / switch fails network will go down.

Our home wifi works on wireless star topology, where in all cellphone/devices are connected to router as center of star.

In Mesh topology, one devices is connected with several other devices using multiple wires. (wire mesh). That way if one hub fails, network still works.

Mesh topology is opposite of single point of failure and is redundant, which means even if one router fails, data packet can be relayed or routed using different route or path. Imagine a big house with one in modem and router with multiple wifi extenders, that way if range is week for one extenders, data can still travel using other extender device to reach to modem 🙂

Cloud: what is mac address and how ARP resolves it

Mac address is the unique unchangeable address give to each network address. Technically mac address the real address, ip address is temprary, as you change your address your ip address will change but not your mac address ( when you use airport free wifi your ip is difference)

media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card’s read-only memory or some other firmware mechanism.

This is strange but true that all the devices in you home have same public ip address 😉 and that is the public ip of your router provided dynamically by your ISP.

ARP is Address resolution protocol which would help to resolve the public + private ip into a mac address. This get cached as well, so that whenever the communication happens the sender targets it towards mac address