如何在通过 nat 网关连接到 Internet 的私有子网中配置 NACL?
[英]How to configure a NACL in a private subnet connected to internet via nat gateway?
问题描述
Do we need to open NACL for private subnet from both inbound and outbound, to the internet when my subnet is routed to NATgateway to access internet.
当我的子网路由到 NATgateway 以访问 Internet 时,我们是否需要为从入站和出站到 Internet 的私有子网打开 NACL。 If yes how secured it is.如果是,它的安全性如何。 The only restrictions for private subnet would be on the route table as NACL +security grp will be open.私有子网的唯一限制是在路由表上,因为 NACL +security grp 将打开。
1 个解决方案
解决方案1
0 2022-08-17 03:17:28
In general, you should never need to change the configuration of Network ACLs in a VPC.通常,您永远不需要更改 VPC 中的网络 ACL 的配置。
Traditional networking uses rules in Routers that control traffic between subnets.传统网络使用路由器中的规则来控制子网之间的流量。 However, AWS and other cloud services have Security Groups that allow controls to be placed on individual resources , which offers finer-grained security.但是,AWS 和其他云服务具有允许对单个资源进行控制的安全组,从而提供更细粒度的安全性。
The only situations you should need to modify Network ACLs is when intentionally locking down security, such as creating a DMZ .唯一需要修改网络 ACL 的情况是故意锁定安全性,例如创建DMZ 。
Configuring Network ACLs is also quite complex because they are stateless , so permissions need to be granted in both directions.配置网络 ACL 也相当复杂,因为它们是无状态的,因此需要双向授予权限。 Security Groups, in contrast, are stateful so (for example) communication can happen with only Inbound rules and no Outbound rules.相比之下,安全组是有状态的,因此(例如)可以仅使用入站规则而不使用出站规则进行通信。
Bottom line: It is best to learn your Network ACLs with their default "Allow All" configuration.底线:最好使用默认的“全部允许”配置来了解您的网络 ACL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.