What is meant by "Security Groups are stateful"?

In the AWS documentation it says

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

I don't understand how this behavior is regarded as stateful. How would a stateless situation proceed?

I suppose that the response traffic would depend on some type of rule, but how does this relate to state?

Thanks

h33 asked Dec 04 '18 23:12




2 Answers

I went to a movie with my son. During the film, he needed to go to the restroom.

The staff member at the door let him leave the theater and allowed him to re-enter afterwards. This is an example of a stateful request -- he went out and was allowed back in. However, somebody who simply tried to get into the theater would be rejected.

Similarly, your computer at home is connected to a router. The router protects it from the evils of the Internet. Traffic can't come through your router to your computer. However, if you make a request to go to a website, that request goes out of your router and the response is allowed back in because it is stateful. That is, the router remembers that you made the request to that website and it permits the response to come back to your computer.

John Rotenstein answered Nov 15 '22 23:11


It simply means that if you allow, say, an outbound rule on a particular port, protocol and IP address, it will allow it to get back. So whatever comes in comes out.

You can compare this with NACLs, as they are stateless, so you need to specify both inbound and outbound rules in order to allow the requested traffic to flow.

Hanna Silver answered Nov 15 '22 23:11
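To make the "router remembers the request" idea from the first answer and the security-group-vs-NACL comparison from the second concrete, here is a small added model of both filters. It is example code written for this page, not AWS's implementation: the addresses, ports and rules are constructed, a security group is modelled as allow-only rules plus a connection-tracking table, and a network ACL as numbered allow/deny rules evaluated per packet with no memory. The `run_*` functions are hypothetical helpers that evaluate the same four packets (an outbound HTTPS request, its reply, an unsolicited probe to the same ephemeral port, and an admin SSH connection) against each filter.

```python
"""Toy model of a stateful security group vs a stateless network ACL.

Added example, not AWS code. Rules, addresses and packets below are
constructed to show why the stateful filter needs no inbound rule for
reply traffic while the stateless one does (and what that rule costs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = toward the instance, "out" = away from it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def peer_ip(self) -> str:
        # The remote address a rule's CIDR is checked against.
        return self.src_ip if self.direction == "in" else self.dst_ip

    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        # The 5-tuple of the flow this packet would be a reply to.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # security groups only allow; NACLs can also deny

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(pkt.peer_ip()) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: allow-only rules plus a table of flows already allowed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()

    def permits(self, pkt: Packet) -> bool:
        if pkt.reverse_key() in self.tracked:
            return True                    # reply to a flow we let through
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(pkt.key())    # remember the flow so its replies pass
            return True
        return False                       # implicit deny


class NetworkAcl:
    """Stateless: numbered allow/deny rules, first match wins, no memory."""

    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def permits(self, pkt: Packet) -> bool:
        for _, rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False                       # the implicit '*' deny rule


# Constructed scenario: instance 10.0.0.5 fetches https://93.184.216.34
# from ephemeral port 51000; separately an attacker probes that same port.
FLOWS = [
    ("request",  Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 443)),
    ("response", Packet("in",  "tcp", "93.184.216.34", 443, "10.0.0.5", 51000)),
    ("probe",    Packet("in",  "tcp", "198.51.100.7", 40000, "10.0.0.5", 51000)),
    ("ssh",      Packet("in",  "tcp", "203.0.113.10", 50000, "10.0.0.5", 22)),
]


def run_security_group() -> dict:
    sg = SecurityGroup([
        Rule("in",  "tcp", "203.0.113.0/24", 22, 22),   # admin SSH only
        Rule("out", "tcp", "0.0.0.0/0", 443, 443),      # outbound HTTPS
    ])
    return {name: sg.permits(p) for name, p in FLOWS}


def run_nacl(with_ephemeral_rule: bool) -> dict:
    rules = [
        (100, Rule("in",  "tcp", "203.0.113.0/24", 22, 22)),
        (100, Rule("out", "tcp", "0.0.0.0/0", 443, 443)),
    ]
    if with_ephemeral_rule:
        # Stateless filters need an explicit rule for reply traffic, which
        # unavoidably also admits unsolicited packets to those ports.
        rules.append((110, Rule("in", "tcp", "0.0.0.0/0", 1024, 65535)))
    return {name: NetworkAcl(rules).permits(p) for name, p in FLOWS}


if __name__ == "__main__":
    print("security group:", run_security_group())
    print("NACL, no ephemeral rule:", run_nacl(False))
    print("NACL, with ephemeral rule:", run_nacl(True))
```

The security group lets the HTTPS reply in because it remembers the outbound request, yet still drops the probe to port 51000. The NACL with only the two allow rules drops the reply as well; adding the inbound ephemeral-port rule fixes that but, having no state to consult, it now admits the probe too. That asymmetry is the practical meaning of "stateful" here.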