AWS Associate Architect Certification Lecture 19 — Virtual private cloud Theory Part 5

Amit Hendre
2 min read · Nov 5, 2020

Hi All,

Let's discuss more about NACLs and VPC peering.

NACL — Network ACL (Access Control List):
1. It is a function performed on the implied router.
2. A NACL is an optional layer of security for your VPC that controls traffic in and out of one or more subnets.
3. Your VPC automatically comes with a modifiable default network ACL. By default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
4. You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
5. Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
6. You can associate a network ACL with multiple subnets. However, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
7. A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule; the first rule that matches the traffic decides whether it is allowed or denied.
8. The highest number that you can use for a rule is 32766. It is recommended that you start by creating rules with rule numbers that are multiples of 100, so that you can insert new rules between them when you need to later.
9. It functions at the subnet level.
10. NACLs are stateless.
11. Return (outbound) traffic for allowed inbound traffic must be explicitly allowed too, including the ephemeral ports the client replies on.
12. You can have both allow and deny rules in a NACL.

Difference between Security Group and NACL:

Security Group : Operates at the instance level.
NACL : Operates at the subnet level.

Security Group : Supports allow rules only.
NACL : Supports allow as well as deny rules.

Security Group : Stateful; return traffic is automatically allowed.
NACL : Stateless; return traffic must be explicitly allowed by the rules.

Security Group : Applies to the instances it is attached to only.
NACL : Applies to all instances in the subnet.
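Added example (my own code, not from the original post): a small Python model of the ordered, first-match rule evaluation described in points 7, 8 and 12 above, and of the stateless return-traffic behaviour from points 10 and 11 and the comparison table. Rule numbers, CIDRs and ports are constructed sample values, and the model checks ports only for TCP/UDP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # 1..32766, evaluated lowest first
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port, addr):
    """Action of the first matching rule (lowest number first); the
    implicit final '*' rule denies anything that matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(addr) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"

def allowed_round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check: a TCP request only works if the request passes the
    inbound ACL AND the reply (to the client's ephemeral port) passes the
    outbound ACL. A stateful security group would skip the second check."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"

# Constructed sample: HTTPS allowed from anywhere (rule 100), but one
# network is denied by rule 90, which wins because it is evaluated first.
INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
]
# Outbound without an ephemeral-port rule: every reply is dropped.
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected outbound: allow replies to client ephemeral ports 1024-65535.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(allowed_round_trip(INBOUND, OUTBOUND_BROKEN, "203.0.113.7", 51000, 443))  # False
    print(allowed_round_trip(INBOUND, OUTBOUND_FIXED, "203.0.113.7", 51000, 443))   # True
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.9"))                             # deny
```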

VPC peering :
1. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4/IPv6 addresses.
2. Instances in either VPC can communicate with each other as if they were within the same network.
3. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can also be in different regions.

Note : Transitive peering is not possible. If VPC A and VPC C are both peered with VPC B, that does not mean VPC A and VPC C can communicate with each other.
