NACLs & Security Groups Flashcards
True or false: NACLs are stateless.
True
True or false: Security groups are stateful.
True
True or false: Security groups are placed directly behind the internet gateway (IGW).
False, they are attached to VPCs. NACLs are placed directly behind the IGW.
What is the ephemeral port range?
1024 - 65535
Is there an implicit deny in NACLs?
Yes, it’s denoted by an *.
The default VPC will have two NACL rules. What are they?
The two rules are in the following order:
1) All traffic is allowed within the VPC.
2) Implicit deny.
True or false: NACLs work just like ACLs on routers and switches.
True
True or false: NACLs only affect traffic between different subnets.
True
True or false: NACLs and Security Groups are typically used together.
True
True or false: In most designs, NACLs are used to deny traffic, and Security Groups are used to allow traffic.
True
How many NACLs can be associated with one VPC?
Only one NACL
At what OSI layer do security groups operate?
Layer 7
If you want to block a single client IP, which would work: NACL or Security Group?
NACL
If NACLs are attached to subnets, what are Security Groups attached to?
ENIs - elastic network interfaces
Security Groups are used to allow access to what? Give examples.
VPC based resources
- EC2 instances
- Lambda
- A variety of other AWS services within a VPC
What are the two things that Security Groups can reference if permitting traffic?
1) CIDR, protocol, and ports
2) Security group ID
Can one security group reference another security group?
Yes, it uses the security group’s ID.
True or false: Security groups in one VPC can reference a security group in another VPC.
True
True or false: security groups block inbound traffic by default.
True
True or false: security groups block all outbound traffic by default.
False, all outbound traffic is permitted by default.
What is a Security Group attached to?
An ENI
When bringing up a secondary ENI on a VPC, how many Security Groups can be attached?
Only one can be attached to an ENI.