Restrict Traffic to Subnets in Your VPC | AWS Certified Advanced Networking - Specialty Exam | Amazon



Question

Which of the following can be used to restrict traffic to the subnets located in your VPC?

Answers

A. B. C. D.

Explanations

Answer - C.

The AWS documentation mentions the following:

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs.

Security groups control inbound and outbound traffic for your instances, and network ACLs control inbound and outbound traffic for your subnets.

For more information on VPCs and subnets, see the following link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

To restrict traffic to the subnets located in your VPC, you can use Network Access Control Lists (NACLs) and Subnet security groups.

Network Access Control Lists (NACLs) are stateless firewalls that control traffic entering or exiting a subnet. You can configure NACL rules to allow or deny traffic based on its source and destination IP address, port number, and protocol. NACLs apply at the subnet level and provide an additional layer of security to your VPC. However, keep in mind that NACLs are not as granular as security groups, and they do not provide application-level security.

Subnet security groups, on the other hand, are stateful firewalls that control traffic between instances in a subnet. You can define inbound and outbound rules to allow or deny traffic based on the source and destination security group, port number, and protocol. Subnet security groups provide more granular control over traffic than NACLs and allow you to restrict traffic to specific instances in a subnet.

Security groups are also an option, but they apply at the instance level, not the subnet level. You can use security groups to control traffic between instances within the same subnet or across different subnets. However, they do not provide as much control over traffic as NACLs or subnet security groups.
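The three paragraphs above describe the evaluation model but not its consequences. The following simulation, added here as an illustration and not taken from the AWS documentation or this question bank, walks one HTTPS request/reply pair through a network ACL and through a security group. The rule tables, the instance address 10.0.1.10 and the client addresses in 198.51.100.0/24 and 203.0.113.0/24 are constructed sample values. It models the documented behaviour: NACL rules are numbered, evaluated lowest number first, the first match wins, an unmatched packet hits the implicit final deny, and because the NACL is stateless the reply leaving the subnet needs its own outbound rule for the client's ephemeral port range, whereas the security group tracks the flow and lets the reply out without one.

```python
"""Simulation of how a VPC network ACL and a security group evaluate packets.

Constructed example: the rule tables and packets below are made up to show
stateless (NACL) versus stateful (security group) behaviour. This is not AWS
code; it models the documented evaluation order (numbered NACL rules, lowest
number first, first match wins, implicit final '*' deny).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order; first match wins
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


def evaluate_nacl(rules, packet, direction):
    """Stateless: each packet is matched on its own against the numbered rules.

    Returns "allow" or "deny"; with no matching numbered rule the implicit
    final '*' rule denies the packet.
    """
    peer = ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if peer not in ip_network(rule.cidr):
            continue
        # "all" matches every port; ICMP rules carry type/code, treated as port-less here
        if rule.protocol != "all" and packet.protocol != "icmp" \
                and not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    """Stateful: a reply to traffic allowed inbound is permitted without an outbound rule."""
    inbound_rules: list                      # tuples (protocol, cidr, port_from, port_to)
    outbound_rules: list = field(default_factory=list)
    _tracked: set = field(default_factory=set)

    @staticmethod
    def _matches(rules, peer_ip, packet):
        return any(protocol == packet.protocol
                   and ip_address(peer_ip) in ip_network(cidr)
                   and port_from <= packet.dst_port <= port_to
                   for protocol, cidr, port_from, port_to in rules)

    def inbound(self, packet):
        if self._matches(self.inbound_rules, packet.src_ip, packet):
            # remember the flow so its reply can leave
            self._tracked.add((packet.src_ip, packet.src_port,
                               packet.dst_ip, packet.dst_port, packet.protocol))
            return "allow"
        return "deny"

    def outbound(self, packet):
        reply_of = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.protocol)
        if reply_of in self._tracked:
            return "allow"
        return "allow" if self._matches(self.outbound_rules, packet.dst_ip, packet) else "deny"


# Constructed NACL for a web subnet: rule 90 blocks one range before the general allow.
WEB_SUBNET_INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(90, "tcp", "203.0.113.0/24", 443, 443, "deny"),
]
WEB_SUBNET_OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # replies to client ephemeral ports
]


def https_exchange(inbound_rules, outbound_rules, client_ip):
    """Verdicts (request, reply) for one HTTPS exchange crossing the subnet NACL."""
    request = Packet(client_ip, "10.0.1.10", "tcp", 51000, 443)
    reply = Packet("10.0.1.10", client_ip, "tcp", 443, 51000)
    return (evaluate_nacl(inbound_rules, request, "inbound"),
            evaluate_nacl(outbound_rules, reply, "outbound"))


def security_group_exchange(client_ip):
    """Same exchange through an instance security group with only an inbound 443 rule."""
    sg = SecurityGroup(inbound_rules=[("tcp", "0.0.0.0/0", 443, 443)])
    request = Packet(client_ip, "10.0.1.10", "tcp", 51000, 443)
    reply = Packet("10.0.1.10", client_ip, "tcp", 443, 51000)
    return (sg.inbound(request), sg.outbound(reply))


if __name__ == "__main__":
    print("NACL, ephemeral outbound rule present:", https_exchange(WEB_SUBNET_INBOUND, WEB_SUBNET_OUTBOUND, "198.51.100.7"))
    print("NACL, ephemeral outbound rule missing:", https_exchange(WEB_SUBNET_INBOUND, [], "198.51.100.7"))
    print("NACL, client in the denied range:     ", https_exchange(WEB_SUBNET_INBOUND, WEB_SUBNET_OUTBOUND, "203.0.113.5"))
    print("Security group, inbound rule only:    ", security_group_exchange("198.51.100.7"))
```

Running it shows the practical difference: with the outbound ephemeral-port rule removed, the NACL lets the request in but drops the reply, a classic symptom of forgetting that NACLs are stateless, while the security group allows the reply because it tracked the inbound flow. It also shows why rule numbering matters: the deny at 90 is evaluated before the allow at 100 regardless of the order the rules were written in.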

VPC Flow Logs are a monitoring feature that captures information about the IP traffic going to and from network interfaces in your VPC. They do not restrict traffic; instead, they help you troubleshoot connectivity issues, monitor network activity, and detect potential security threats.

In conclusion, to restrict traffic to the subnets located in your VPC, you should use Network Access Control Lists (NACLs) and Subnet security groups, both of which provide different levels of granularity and control over traffic.