NACL ephemeral ports


Security groups act as stateful firewalls.

If you’re unfamiliar with AWS, an “EC2 instance” is essentially what AWS calls their virtual machines. First, we will take a look at what the core differences are between the two firewalls.

- Applied logically on the instance level, but physically on the hypervisor level
- A single security group may be applied to many instances
- More than one security group may be applied to an instance
- ALL rules on ALL applied security groups are evaluated
- The default is always DENY
- Because only ALLOW rules can be created, the most permissive rule is used for the evaluation
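The security group evaluation rules above, as a simplified Python model (an added example, not from the original page and not AWS code): every allow rule in every attached group is checked, no match means deny, and replies to an accepted connection are permitted by state. The class names, groups and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AllowRule:                      # security groups hold ALLOW rules only
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    def matches(self, protocol, port, peer_ip):
        return (self.protocol == protocol
                and self.from_port <= port <= self.to_port
                and ip_address(peer_ip) in ip_network(self.cidr))

@dataclass
class Instance:
    inbound: list                     # attached groups, each a list of AllowRule
    outbound: list
    tracked: set = field(default_factory=set)

    @staticmethod
    def _allowed(groups, protocol, port, peer_ip):
        # Every rule in every group is checked; no match means default DENY.
        return any(r.matches(protocol, port, peer_ip) for g in groups for r in g)

    def receive(self, protocol, src_ip, src_port, dst_port):
        ok = self._allowed(self.inbound, protocol, dst_port, src_ip)
        if ok:                        # stateful: remember the accepted flow
            self.tracked.add((protocol, src_ip, src_port, dst_port))
        return ok

    def send(self, protocol, dst_ip, dst_port, src_port):
        if (protocol, dst_ip, dst_port, src_port) in self.tracked:
            return True               # reply to a tracked flow needs no rule
        return self._allowed(self.outbound, protocol, dst_port, dst_ip)

def demo():
    # Constructed sample groups and addresses.
    web = [AllowRule("tcp", 443, 443, "0.0.0.0/0")]
    narrow = [AllowRule("tcp", 443, 443, "10.0.0.0/8")]
    admin = [AllowRule("tcp", 22, 22, "10.0.0.0/8")]
    inst = Instance(inbound=[narrow, web, admin], outbound=[])
    return {
        "https_internet": inst.receive("tcp", "203.0.113.7", 51515, 443),
        "ssh_internal": inst.receive("tcp", "10.1.2.3", 40000, 22),
        "ssh_internet": inst.receive("tcp", "203.0.113.7", 51516, 22),
        "reply_to_client": inst.send("tcp", "203.0.113.7", 51515, 443),
        "new_outbound": inst.send("tcp", "203.0.113.7", 51999, 443),
    }
```

The narrower 443 rule in `narrow` does not restrict the broader one in `web`, and the reply to the client's ephemeral port 51515 succeeds even though the instance has no outbound rules.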


Differentiating between what these firewalls can and cannot do, as well as when you may want to use each of them, can be confusing.


Amazon Web Services has two different kinds of “firewalls” which can be used for host and network segmentation: Security Groups and Network Access Control Lists.
