Security Groups
- AWS uses a security group as a firewall around the network interface (ENI) of an EC2 instance and a network ACL (NACL) as a firewall around a subnet
- Azure uses a network security group (NSG), which can be applied to both subnets and network interfaces

AWS Specifics

Overview
Network ACL:
- A default NACL is created with every VPC; it allows all inbound and outbound traffic (a custom NACL you create yourself starts out denying everything)
- NACL rules can allow or deny packets
- Rules are evaluated in order of rule number, lowest number first; the first rule that matches the packet decides, and later rules are not consulted
- The * rule sits at the end of every NACL (lowest priority, after every numbered rule); it denies whatever no numbered rule matched and cannot be edited or removed
- NACLs are stateless: return traffic is not tracked, so a reply must be allowed by an explicit rule in the opposite direction (typically an egress rule for the ephemeral port range 1024-65535)
A NACL rule consists of
- rule number
- source CIDR (inbound rules) or destination CIDR (outbound rules)
- protocol
- port range (only meaningful for TCP/UDP; an ICMP rule carries a type/code instead)
- action => allow or deny
- Example inbound rules:
    100   100.100.100.100/32   tcp   80    deny
    110   0.0.0.0/0 (any)      tcp   22    allow
    *     0.0.0.0/0 (any)      all   all   deny
  A packet from 100.100.100.100 to tcp/80 matches rule 100 first and is dropped; ssh from any address is allowed by rule 110; everything else falls through to * and is denied. Because the first match wins, a specific deny must carry a lower number than any broader allow it is meant to override.
- Rule numbers must be in the range 1 to 32766
- Best practices:
  - don't use consecutive numbers; leave gaps so a rule can be inserted in front of an existing one without renumbering
  - don't start from 1; start at 100 or 300 and step by 100 (100, 200, 300 …)
- Security group: attached to network interfaces (so it follows the instance, not the subnet). It has allow rules only, no deny, so anything not listed is implicitly dropped. Unlike a NACL it is stateful: the reply to a permitted connection is allowed automatically in the other direction
Azure Specifics
- An NSG can be applied to a subnet as well as to a network interface; when both are attached, inbound traffic is filtered by the subnet NSG first and then by the NIC NSG (outbound in the reverse order), so it must be allowed by both
- An NSG has
  - inbound and outbound rules
- Each NSG rule has
  - priority
  - port range
  - protocol (Tcp, Udp, Icmp, or * for any)
  - source/destination (an address prefix, a service tag, or an application security group)
  - action (allow or deny)
- Lower number = higher priority; rules are evaluated in priority order and the first rule that matches wins
- Priority values for your own rules are 100 to 4096; every NSG also carries non-editable default rules at 65000 and above (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, and the outbound equivalents), which your rules override because they sit at lower numbers
- Don't start from 100; start from 300/400 and leave gaps between rules so new rules can be inserted ahead of existing ones
- An NSG is a standalone resource: it belongs to a resource group and region, not to any VNet, and one NSG can be associated with many NICs or subnets
AWS
- Allow ping to all the EC2 instances in the subnet

Azure
- Allow ping to all the VMs in the subnet
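One way to work both exercises, as an added example that is not part of the original notes: shell functions wrapping the AWS CLI and the Azure CLI. The AWS side needs two layers (a stateless NACL rule in each direction plus one stateful security-group rule); the Azure side needs one stateful NSG rule on the subnet. Every ID, name and CIDR below (acl-…, sg-…, rg-demo, nsg-demo, 10.0.0.0/16, 10.0.1.0/24) is an assumed placeholder to replace.

```shell
#!/bin/sh
# Added example (not from the original notes): allow ping to every host in
# one subnet, on AWS and on Azure. All IDs/names/CIDRs are assumed placeholders.
set -eu

PING_SRC="10.0.0.0/16"            # who may ping (assumed: the whole VPC/VNet)
SUBNET_CIDR="10.0.1.0/24"         # the subnet whose hosts must answer
NACL_ID="acl-0123456789abcdef0"   # NACL associated with that AWS subnet (assumed)
SG_ID="sg-0123456789abcdef0"      # SG attached to the instances in it (assumed)
RG="rg-demo"; VNET="vnet-demo"; SUBNET="subnet-demo"; NSG="nsg-demo"   # assumed Azure names

# With DRY_RUN=1 the commands are printed instead of executed, so they can be
# reviewed before they touch the account.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# AWS layer 1, the subnet fence. A NACL is stateless: the echo request has to be
# allowed inbound AND the echo reply allowed outbound, or ping silently fails.
# Rule number 120 leaves gaps so rules can be inserted in front of it later.
aws_nacl_allow_ping() {
  run aws ec2 create-network-acl-entry --network-acl-id "$NACL_ID" --ingress \
      --rule-number 120 --protocol 1 --icmp-type-code Type=8,Code=-1 \
      --cidr-block "$PING_SRC" --rule-action allow     # protocol 1 = ICMP, type 8 = echo request
  run aws ec2 create-network-acl-entry --network-acl-id "$NACL_ID" --egress \
      --rule-number 120 --protocol 1 --icmp-type-code Type=0,Code=-1 \
      --cidr-block "$PING_SRC" --rule-action allow     # type 0 = echo reply back to the pinger
}

# AWS layer 2, the instance fence. The SG is stateful and allow-only: one inbound
# rule is enough, the reply is tracked. FromPort/ToPort carry the ICMP type/code,
# so this opens echo request only, not all of ICMP.
aws_sg_allow_ping() {
  run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
      --ip-permissions "IpProtocol=icmp,FromPort=8,ToPort=-1,IpRanges=[{CidrIp=$PING_SRC}]"
}

# Azure: one NSG rule on the subnet covers every VM in it. NSGs are stateful, so
# only the inbound direction is needed. Priority 300 leaves room in front of it
# and overrides the built-in DenyAllInBound (65500); an explicit deny numbered
# below 300 would still win.
azure_nsg_allow_ping() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
      --name AllowPingFromVnet --priority 300 --direction Inbound --access Allow \
      --protocol Icmp --source-address-prefixes "$PING_SRC" --source-port-ranges '*' \
      --destination-address-prefixes "$SUBNET_CIDR" --destination-port-ranges '*'
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$SUBNET" --network-security-group "$NSG"
}

# Usage: DRY_RUN=1 ./ping-rules.sh aws|azure to review; without DRY_RUN to apply.
case "${1:-}" in
  aws)   aws_nacl_allow_ping; aws_sg_allow_ping ;;
  azure) azure_nsg_allow_ping ;;
esac
```

On AWS the NACL entry must go on the NACL that is actually associated with the subnet (check with aws ec2 describe-network-acls); on Azure the subnet association in the last command is what makes the rule apply to every VM in the subnet, and any NIC-level NSG on those VMs must allow ICMP as well.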

