Network ACL:
- It is a function performed by the implied router.
- A NACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time; when you associate a network ACL with a subnet, the previous association is removed.
- A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.
- The highest number that you can use for a rule is 32766. It is recommended that you start by creating rules with rule numbers that are multiples of 100, so that you can insert new rules where you need them later.
- It functions at the subnet level.
- NACLs are stateless: return traffic for allowed inbound traffic must be explicitly allowed too.
- You can have permit (allow) and deny rules in a NACL.
Security Group:
- Operates at the instance level.
- Supports allow rules only.
- Stateful: return traffic is automatically allowed, regardless of any rules.
- All rules are evaluated before deciding whether to allow traffic.
- Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on.
NACL:
- Operates at the subnet level.
- Permits allow rules as well as deny rules.
- Stateless: return traffic must be explicitly allowed by rules.
- Rules are processed in order (lowest number first) when deciding whether to allow traffic.
- Applies to all instances in the subnet it is associated with; therefore, it provides an additional layer of defense if the security group rules are too permissive.
- Acts as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
Flow Logs - Capture information about the IP traffic going to and from network interfaces in your VPC.
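The ordered, stateless NACL evaluation and the stateful, allow-only security group behaviour described above, as an added Python model (not AWS code); the rule set, the port numbers and the web-server subnet are constructed for illustration:

```python
"""Constructed model of NACL vs. security group evaluation (not AWS code):
NACL = stateless, numbered rules evaluated in order, allow and deny;
security group = stateful, allow rules only, order irrelevant."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int   # NACL rule number; lower numbers are evaluated first
    proto: str    # "tcp", "udp" or "*" (any protocol)
    port_lo: int  # inclusive destination port range covered by the rule
    port_hi: int
    action: str   # "allow" or "deny" (security groups only use "allow")

    def matches(self, proto, port):
        return self.proto in ("*", proto) and self.port_lo <= port <= self.port_hi

def nacl_decide(rules, proto, port):
    """First rule that matches, in ascending number order, decides; the
    implicit final '*' rule denies anything no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port):
            return rule.action
    return "deny"

def sg_decide(rules, proto, port, tracked=frozenset()):
    """Any matching allow rule permits the packet, whatever its position.
    Return traffic of a tracked connection is allowed with no rule at all."""
    if (proto, port) in tracked:
        return "allow"
    return "allow" if any(r.matches(proto, port) for r in rules) else "deny"

# Constructed NACL for a subnet hosting a web server: inbound allows HTTP,
# outbound allows only HTTPS. Numbers step by 100 to leave room for inserts.
INBOUND = [Rule(100, "tcp", 80, 80, "allow")]
OUTBOUND = [Rule(100, "tcp", 443, 443, "allow")]

def server_reply_allowed(outbound_rules, client_port=49152):
    """The server's reply goes back to the client's ephemeral port, so a
    stateless NACL must explicitly allow that port range outbound."""
    return nacl_decide(outbound_rules, "tcp", client_port)

def fixed_outbound():
    """Allow the ephemeral range as rule 200: it lands after the HTTPS rule
    without renumbering anything."""
    return OUTBOUND + [Rule(200, "tcp", 1024, 65535, "allow")]

if __name__ == "__main__":
    print(server_reply_allowed(OUTBOUND))          # deny: reply is dropped
    print(server_reply_allowed(fixed_outbound()))  # allow
    print(sg_decide([], "tcp", 49152, tracked={("tcp", 49152)}))  # allow: stateful
```

Swapping the numbers of a deny and an allow rule that cover the same port flips the NACL decision, which is why rule order matters for NACLs and not for security groups.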
VPC Peering:
- A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
- Instances in either VPC can communicate with each other as if they were within the same network.
- You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account; the VPCs can be in different regions.
VPC Endpoint:
- A VPC endpoint enables you to privately connect your VPC to supported AWS services; instances in your VPC do not need public IP addresses to communicate with resources in the service.
- Endpoints are virtual devices.