3 Comments

I notice that the security group does not have the option to deny traffic while a NACL can do that, but technically any traffic not in the allowed rules is traffic to be denied from the SG point of view. Are there any design tricks underneath it, or is it what it is?


Yupeng, great question.

There are some more details about security groups and NACLs which I did not write in this article (but your question made me feel I should write another post sometime later to give a more in-depth explanation).

But here it is in a nutshell:

- Security group by default denies everything -- therefore anything listed in an SG is an "allow" rule;

- On the other hand, NACL does not have a deny-everything by default; here is the quote from the AWS document: "By default, it allows all inbound and outbound traffic";


Good analogy.

Because SG is for the instance (personal lock), it makes more sense to be stateful and deny everything. "Only I can open the parking lot door, and I don't need to check when I leave."

While the ACL is for the subnet (bigger scope), the security guard can't remember all the people in and out, so the rule is stateless and default allow. "Business as usual, but don't let in or out if a car is missing a license plate."

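To make the two replies above concrete (SG: allow-only rules with implicit deny and stateful replies; NACL: numbered rules, first match wins, stateless), here is a small added evaluator model written for this thread, not code from the article or from AWS. The `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` names are constructed for illustration, and connection tracking is simplified to a (peer, port) pair; the NACL's unnumbered final `*` rule is modelled by the `final` parameter, and the AWS default NACL "allows all" through a rule 100 that matches everything.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    peer: str        # remote address the packet comes from or goes to
    port: int        # local service port (e.g. 22)
    direction: str   # "inbound" or "outbound"

class Rule(NamedTuple):
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # only NACL rules may carry "deny"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.port <= rule.port_to)

class SecurityGroup:
    """Allow-only rule set, implicit deny, stateful (simplified flow tracking)."""
    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("a security group cannot hold deny rules")
        self.rules = list(rules)
        self.tracked = set()        # (peer, port) flows already admitted

    def evaluate(self, pkt: Packet) -> str:
        if (pkt.peer, pkt.port) in self.tracked:
            return "allow"          # reply of an admitted flow: no rule needed
        if any(matches(r, pkt) for r in self.rules):
            self.tracked.add((pkt.peer, pkt.port))
            return "allow"
        return "deny"               # nothing listed: denied by default

class NetworkAcl:
    """Numbered rules, lowest number first, first match wins; the final '*'
    rule decides everything else. Stateless: each packet is judged alone."""
    def __init__(self, numbered_rules, final="deny"):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])  # [(number, Rule)]
        self.final = final

    def evaluate(self, pkt: Packet) -> str:
        for _, rule in self.rules:
            if matches(rule, pkt):
                return rule.action   # a deny numbered above an allow-all never fires
        return self.final
```

Running an inbound request and its outbound reply through both objects shows the practical difference: the SG admits the reply from its flow table, while the NACL needs an explicit outbound rule, and a deny rule placed after a matching allow-all is shadowed.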