Comparing security groups in AWS and Azure

Aditya Garg 61 Reputation points
2021-06-18T14:54:42.527+00:00

I understand that-

1. In Azure, we apply NSGs (Network Security Groups) at the subnet or individual NIC level (VM), whereas in AWS these can only be applied at the individual VM level.
NACL is applied at the subnet level in AWS.

2. In Azure, we have a column for source and destination IP address (for each of the inbound and outbound categories).

I infer that, due to Security Groups being applied at the VM level in AWS, we define only the destination IP for outbound rules (src being the VM) and the source IP for inbound rules (dst being the VM).

Further, even for NACL in AWS, for an inbound rule only the src IP can be defined. For an outbound rule, only the dst IP can be defined.

3. (AWS) Irrespective of the inbound/outbound rule segregation, 'port' always refers to the 'destination' side, which listens on a specific port for traffic.
{This is usually the case with clients using a random port to connect to a server on a specific port like 80}

And unlike Azure, we cannot define both 'to' and 'from' ports while configuring inbound/outbound rules?
(In particular, we cannot define 'source' ports under either the inbound or outbound section.)

4. AWS defines only Allow rules, whereas Azure has options for both allow and deny (security group).
Further, AWS has NACL, which can contain both allow and deny statements.

5. Both AWS and Azure have a 'stateful' concept, meaning an explicit rule for the 'return' traffic response is not needed (define rules only for who gets to initiate the communication)—for security groups.

In AWS, we have the NACL concept, which is stateless, i.e. rules are needed in both directions for communication to be successful.

Please correct me if I am missing something in my understanding.

Regards,
Aditya


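The differences in points 3, 4 and 5 written out as Terraform, as an added example that is not part of the thread or of either cloud's documentation; the resource names, the referenced VPC, subnet and resource group, and the CIDR ranges are assumptions:

```hcl
# Added example, not from the thread; names, IDs and CIDRs are placeholders.
# AWS security group: stateful, allow rules only, no source-port field.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id            # assumed to exist
  ingress {                           # 'port' means the destination port on the VM
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]  # source IP of the inbound connection
  }
  # Reply traffic for this session is allowed implicitly; no egress rule needed.
}
# AWS network ACL: stateless, numbered allow/deny rules evaluated lowest first,
# so the reply path must be opened explicitly in the opposite direction.
resource "aws_network_acl" "web" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.web.id]   # assumed to exist
  ingress {                          # inbound: only the source IP can be named
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "203.0.113.0/24"
    from_port  = 443
    to_port    = 443
  }
  egress {                           # reply to the client's ephemeral ports
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "203.0.113.0/24"
    from_port  = 1024
    to_port    = 65535
  }
}
# Azure NSG: source and destination address and port, Allow or Deny, stateful.
resource "azurerm_network_security_group" "web" {
  name                = "web-nsg"
  location            = "eastus"
  resource_group_name = "rg-web"     # assumed to exist
  security_rule {
    name                       = "deny-from-untrusted-net"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "198.51.100.0/24"
    destination_address_prefix = "*"
  }
}
```

Note that only the NACL needs the explicit egress rule for the reply; the security group and the NSG both track the connection and permit the return packets themselves.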
3 answers

  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2021-06-18T21:04:18.99+00:00

    Yes, your understanding is correct.

    Point number 3: in the source port section, mostly ANY is given, but if you have a use case where your application uses a range of source ports, you can apply an ACL using the range as the source port.

    2 people found this answer helpful.

  2. Aditya Garg 61 Reputation points
    2021-06-19T12:45:52.307+00:00

    Hello!
    Thanks for the response. Are you referring to Access Control Lists in AWS?
    I only see NACL (Network ACL), which does not allow specifying a port for the source of traffic (be it an inbound or outbound rule).

    Kind regards,
    Aditya

    1 person found this answer helpful.

  3. pr0b3r7 1 Reputation point
    2021-08-29T17:59:31.873+00:00

    Hi @msrini-MSFT

    Do you have the answer for @gargaditya-0330 's question?
