
More Than NACLs

The virtual network in the cloud can be secured at several levels, as shown in the picture below.

[Image: Layers of defense]

Security Group vs. Network ACL

Scope:
  Security Group: operates at the instance level (first layer of defense)
  Network ACL: operates at the subnet level (second layer of defense)

Rule types:
  Security Group: supports allow rules only
  Network ACL: supports allow rules and deny rules

State:
  Security Group: stateful; return traffic is automatically allowed, regardless of any rules
  Network ACL: stateless; return traffic must be explicitly allowed by rules

Evaluation:
  Security Group: all rules are evaluated before deciding whether to allow traffic
  Network ACL: rules are processed in number order when deciding whether to allow traffic

Application:
  Security Group: applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance later on
  Network ACL: automatically applies to all instances in the subnets it is associated with (a backup layer of defense, so you don't have to rely on someone specifying the security group)

Route table rules can be used to combine the strengths of the two tools described above. It is not a great discovery, but the features I will describe below are rarely used.

Routing Table

  • Operates at the subnet or VPC level (second or third layer of defense)
  • Supports allow rules and deny rules
  • A rule enables either bidirectional traffic or outbound traffic only
  • All rules are evaluated before deciding whether to allow traffic
  • Automatically applies to all instances in the subnets it is associated with

DENY RULE: Suppose you want to allow all inbound/outbound traffic for a subnet except for one specific IP address.

[Image: Deny Rule]

In this way the route pointing to the NAT takes priority, since it is stricter, so the address 93.149.246.24/32 cannot reach any EC2 instance in the subnet unless the machine in question initiates the communication toward that address.

ALLOW RULE: Suppose we want to allow only one IP address to access the subnet and deny access to all others.

[Image: Allow Rule]

In this way the address 93.149.246.24/32 is the only one that can access the machines in the private network (?) without necessarily going through the bastion host.
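To make the two scenarios above concrete, here is an added simulation (not code from the original post) of how a route table decides the fate of traffic: the most specific route wins, and a reply that is routed to a NAT gateway only gets through if the instance opened the connection. The route targets are assumptions, since the screenshots are not reproduced here: in the deny case the default route goes to an internet gateway and the 93.149.246.24/32 route to the NAT; in the allow case the targets are reversed. Function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables for the two scenarios in the post (assumed targets).
# "igw" = internet gateway: traffic flows both ways.
# "nat" = NAT gateway: stateful, only replies to flows the instance started pass.
DENY_TABLE = [("0.0.0.0/0", "igw"), ("93.149.246.24/32", "nat")]
ALLOW_TABLE = [("0.0.0.0/0", "nat"), ("93.149.246.24/32", "igw")]


def lookup(table, dst):
    """Longest-prefix match: the stricter (more specific) route wins."""
    best_net, best_target = None, None
    for cidr, target in table:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def inbound_allowed(table, src, initiated_by_instance=False):
    """Can a packet from external address `src` reach an instance and get a reply?

    The reply is routed with the table. If it is sent to the NAT gateway, the
    NAT has no state for a flow it did not see leave, so the connection fails
    unless the instance itself initiated the communication toward `src`.
    """
    target = lookup(table, src)
    if target == "igw":
        return True
    if target == "nat":
        return initiated_by_instance
    return False  # no route at all: traffic is dropped


def outbound_allowed(table, dst):
    """Outbound traffic works through either target; it fails only without a route."""
    return lookup(table, dst) is not None


if __name__ == "__main__":
    for name, table in (("deny", DENY_TABLE), ("allow", ALLOW_TABLE)):
        for src in ("93.149.246.24", "8.8.8.8"):
            print(f"{name}: inbound from {src} -> {inbound_allowed(table, src)}")
```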

Conclusions

  • Subnet-level protection, like NACLs
  • High Performance, like NACLs
  • Supports allow and deny, like NACLs
  • Stateful layer of defense, like Security Group
  • The most strict rule wins, like Security Group