
NACLs

The second layer of defense is our NACLs. NACLs allow or deny traffic entering or leaving a subnet and are defined as stateless rules, each of which applies in exactly one direction. An ACL can be used to define strict rules on network access and provides protection at the network level. NACLs sit at the entry point to the subnet; every subnet has a default NACL that can be modified and used to control the traffic going in and out. We can also create additional NACLs, but a subnet in a VPC can only be associated with one NACL at a time.

NACLs protect subnets within our VPCs in much the same way that security groups protect instances. Unlike security groups, NACLs allow all traffic between subnets and gateways by default, so the security approach to implement with NACLs is closing ports rather than opening them. ACLs are also useful when a certain set of IP addresses needs to be prevented from accessing our networks; for example, if we need to block certain geographies or a set of IPs that have been determined to be malicious.
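As an added example (not from the book), the following Python model shows how NACL rules are evaluated: in ascending rule-number order, first match wins, the trailing `*` rule denies everything, and because the list is stateless the reply to an inbound request has to be allowed separately by the outbound rules. The CIDRs, rule numbers and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int      # evaluated in ascending order; the first matching rule wins
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range the rule covers
    port_to: int


def evaluate(rules, ip, port):
    """Decide 'allow' or 'deny' for one packet against one direction's rule list."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.action
    return "deny"  # the immutable '*' rule at the end of every NACL


# Constructed NACL for a public web subnet; 203.0.113.0/24 (a documentation range)
# stands in for a set of addresses determined to be malicious.
BLOCKED = "203.0.113.0/24"
INBOUND = [
    Rule(90, "deny", BLOCKED, 0, 65535),             # must sort before the allow rule
    Rule(100, "allow", "0.0.0.0/0", 443, 443),       # HTTPS from anywhere
    Rule(110, "allow", "0.0.0.0/0", 1024, 65535),    # returns for connections we initiate
]
OUTBOUND = [
    Rule(100, "allow", "0.0.0.0/0", 443, 443),       # connections we initiate
    Rule(110, "allow", "0.0.0.0/0", 1024, 65535),    # replies to clients' ephemeral ports
]


def connection_allowed(inbound, outbound, client_ip, server_port, client_port=49152):
    """A client connection as a stateless NACL sees it: the request (inbound to
    server_port) and the reply (outbound to the client's ephemeral port) are two
    independent decisions; a security group would track the reply automatically."""
    request = evaluate(inbound, client_ip, server_port)
    reply = evaluate(outbound, client_ip, client_port)
    return request == "allow" and reply == "allow"
```

Dropping rule 110 from OUTBOUND makes every inbound HTTPS connection fail, even though the inbound rules still allow it, which is the stateless behaviour the text describes.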

The following diagram shows how security groups and network ACLs apply within a VPC:
