Amazon Network ACL/SG/CLB/ALB/NLB
A Network ACL is the firewall of the VPC subnets, and a security group is the firewall of EC2 instances.
A NACL can be understood as the firewall that protects a subnet. NACLs are stateless, meaning an inbound rule does not automatically permit the matching outbound traffic. E.g. if you allow inbound port 80, you also need an outbound rule that lets the response traffic leave.
A security group can be understood as a firewall that protects EC2 instances. Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound rules. Likewise, responses to allowed inbound traffic are allowed to flow out regardless of the outbound rules, so no outbound rule is required. E.g. if you allow inbound port 80, the response traffic for those connections is automatically allowed out.
Rules: Allow or Deny
Security groups support allow rules only (by default, all traffic is denied). E.g. you cannot deny a specific IP address from establishing a connection.
Network ACLs support both allow and deny rules. With a deny rule you can explicitly block a specific IP address from establishing a connection. Example: block IP address 123.201.57.39 from establishing a connection to an EC2 instance.
Rule process order
All rules in a security group are evaluated, whereas Network ACL rules are applied in order (the rule with the lowest number is processed first).
i.e. security groups evaluate all of their rules before allowing traffic, whereas NACLs evaluate rules in number order, from top to bottom, and stop at the first match.
Defense order
For inbound (ingress) traffic, the Network ACL is the first layer of defense and the security group is the second.
For outbound (egress) traffic, the security group is the first layer of defense and the Network ACL is the second.
Occurrence
A subnet can have only one NACL, whereas an instance can have multiple security groups.
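The differences above (ordered allow/deny evaluation with an implicit deny for NACLs, unordered allow-only evaluation for security groups, stateless versus stateful handling of return traffic) can be modelled in a few lines. This is an added illustration, not AWS code; the rule sets, the blocked address from the example above and the client IP 198.51.100.7 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluation order); unused for security groups
    action: str      # "allow" or "deny"; security groups only ever carry "allow"
    cidr: str        # source range (inbound) or destination range (outbound)
    port_from: int
    port_to: int

def _matches(rule, ip, port):
    return ip_address(ip) in ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to

def nacl_decision(rules, ip, port):
    """NACL: walk rules in ascending number order, first match wins.
    No match means the implicit catch-all '*' rule applies, which denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, port):
            return rule.action
    return "deny"

def sg_decision(rules, ip, port):
    """Security group: every rule is an allow; traffic passes if any rule matches."""
    return "allow" if any(_matches(r, ip, port) for r in rules) else "deny"

def nacl_http_exchange(inbound, outbound, client_ip, client_port):
    """Stateless: the request (to port 80) and the reply (to the client's
    ephemeral port) are judged separately against the inbound and outbound rules."""
    return (nacl_decision(inbound, client_ip, 80) == "allow"
            and nacl_decision(outbound, client_ip, client_port) == "allow")

def sg_http_exchange(inbound, client_ip):
    """Stateful: once the request is allowed in, the reply is allowed out
    without consulting any outbound rule."""
    return sg_decision(inbound, client_ip, 80) == "allow"

# Constructed rule sets (not a real AWS configuration)
BLOCKED_IP = "123.201.57.39"
NACL_IN = [Rule(100, "deny", BLOCKED_IP + "/32", 80, 80),
           Rule(200, "allow", "0.0.0.0/0", 80, 80)]
NACL_OUT_WEB_ONLY = [Rule(100, "allow", "0.0.0.0/0", 80, 80)]
NACL_OUT_EPHEMERAL = NACL_OUT_WEB_ONLY + [Rule(200, "allow", "0.0.0.0/0", 1024, 65535)]
SG_IN = [Rule(0, "allow", "0.0.0.0/0", 80, 80)]

if __name__ == "__main__":
    print(nacl_decision(NACL_IN, BLOCKED_IP, 80))                                  # deny
    print(nacl_http_exchange(NACL_IN, NACL_OUT_WEB_ONLY, "198.51.100.7", 40000))   # False
    print(nacl_http_exchange(NACL_IN, NACL_OUT_EPHEMERAL, "198.51.100.7", 40000))  # True
    print(sg_http_exchange(SG_IN, "198.51.100.7"))                                 # True
```

Renumbering the deny rule above the allow rule (e.g. 300 instead of 100) lets the blocked address through, which is the rule-order point made in the text.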
CLB/NLB/ALB
Key Differences
NLB — Layer 4 (TLS/TCP/UDP traffic), Static IPs.
CLB — Layer 4/7 (HTTP/TCP/SSL traffic), Legacy, Avoid.
· Application Load Balancer (as the name implies) works at the Application Layer (Layer 7 of the OSI model, request level). Network Load Balancer works at the Transport Layer (Layer 4 of the OSI model, connection level). NLB just forwards requests, whereas ALB examines the contents of the HTTP request header to determine where to route the request. So the Application Load Balancer performs content-based routing.
· NLB cannot assure availability of the application, because it bases its decisions solely on network- and TCP-layer variables and has no awareness of the application at all. Generally an NLB determines availability based on the ability of a server to respond to ICMP ping or to correctly complete the three-way TCP handshake. ALB goes much deeper and can determine availability based not only on a successful HTTP GET of a particular page but also on verifying that the content is what was expected for the input parameters.
· When multiple applications are deployed on the same host sharing an IP address (virtual hosts, in old-school terms), NLB will not differentiate between Application A and Application B when checking availability (indeed it cannot, unless the ports differ), but ALB will differentiate between the two by examining the application-layer data available to it. This means an NLB may end up sending requests to an application that has crashed or is offline, whereas ALB will never make that same mistake.