
I'm currently setting up several subnets on Amazon VPC. For example, I've got a subnet for the database servers, one for the web servers and one for the load balancers. I try to restrict access to these subnets as much as possible. Right now we create ACLs and security groups with the same set of rules and assign them to the subnets/instances.

Would it be OK to just use one of them? Which would you prefer to use? Or am I missing something that requires creating and maintaining both of these?

soupdiver

1 Answer


There's nothing that requires both of these, but as long as you're already creating both, you might as well continue doing so, to support a "defense in depth" philosophy. Security groups are more like iptables rules (software firewall in the Xen host's networking stack), whereas network ACLs are at the network layer and as such, traffic blocked by them is done so at a lower level, further isolated from your VPS.

EEAA
  • You say traffic is blocked at a *higher* level on ACLs. For me it is a *lower* level in the sense of earlier/nearer to the network, right? – soupdiver Jul 24 '14 at 14:27
  • Yes, that's correct. Confusing terminology... I'll make an edit. – EEAA Jul 24 '14 at 14:28
  • AFAIK the rules are both in the same place: the entry point of the AWS network. AWS "deploys" the security rules of an instance or a VPC to all locations to make sure they can block all traffic as soon as possible if the instance or the VPC will block it either way. I'm sure the same rules are also applied to the host systems, but because of the "deployment to the entry points" there is no difference whether you do your settings in the ACL or the security groups. – Osterjour Aug 03 '14 at 15:54
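As an added illustration (not part of the answer or of any AWS tooling), here is a small Python model of how the two controls evaluate the same "web subnet may reach MySQL" rule set: a network ACL is stateless and evaluates numbered rules in order with an implicit deny, while a security group is stateful and allow-only. Addresses, ports and rule numbers are constructed; the model ignores the default allow-all egress of real security groups so that the connection tracking stands out.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number: lowest evaluated first, first match wins
    action: str      # "allow" or "deny"
    cidr: str        # peer address range the rule applies to
    ports: tuple     # inclusive (low, high) destination port range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def nacl_allows(rules, pkt, peer):
    """Stateless NACL check for one direction: ordered rules, implicit deny at the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if ipaddress.ip_address(peer) in ipaddress.ip_network(r.cidr) and r.ports[0] <= pkt.dport <= r.ports[1]:
            return r.action == "allow"
    return False  # the trailing '*' deny rule

@dataclass
class SecurityGroup:
    ingress: list                             # rule numbers are ignored: SGs are allow-only, unordered
    flows: set = field(default_factory=set)   # connection-tracking state

    def allows_inbound(self, pkt):
        ok = any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.cidr)
                 and r.ports[0] <= pkt.dport <= r.ports[1] for r in self.ingress)
        if ok:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok

    def allows_outbound(self, pkt):
        # Stateful: a reply to a tracked inbound flow passes with no egress rule at all.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def evaluate(db_nacl_in, db_nacl_out, db_sg):
    """Push a web->db MySQL request and its reply through both controls (constructed addresses)."""
    req = Packet("10.0.1.10", 51234, "10.0.2.5", 3306)
    rep = Packet("10.0.2.5", 3306, "10.0.1.10", 51234)
    return {"nacl_request": nacl_allows(db_nacl_in, req, req.src),
            "nacl_reply": nacl_allows(db_nacl_out, rep, rep.dst),
            "sg_request": db_sg.allows_inbound(req),
            "sg_reply": db_sg.allows_outbound(rep)}

WEB = "10.0.1.0/24"
mysql_in = [Rule(100, "allow", WEB, (3306, 3306))]
# Copying the one rule onto the NACL outbound side drops every reply packet:
naive = evaluate(mysql_in, mysql_in, SecurityGroup(mysql_in))
# The stateless NACL also needs the ephemeral return-port range on the way out:
fixed = evaluate(mysql_in, [Rule(100, "allow", WEB, (1024, 65535))], SecurityGroup(mysql_in))
```

The point for the question: the two rule sets cannot simply be cloned, because the NACL needs explicit return-traffic rules that the security group derives from state, which is also why a NACL "deny" is the cheaper place to drop traffic that should never reach an instance.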