Use security group or network ACLs in Serverless architecture


I have a question regarding using security groups vs. network ACLs in a serverless application hosted in a specific VPC.

Here is the use case:

  1. We have an AWS File Transfer server deployed in a VPC with a public endpoint.
  2. We want to limit access to the file transfer server to a specific list of IPs only. There are 500+ IPs.
  3. I am aware of the differences between security groups and network ACLs, and both are suitable for our use case, but what does best practice say in such scenarios?

Also, is there a way to handle 500+ IPs in inbound rules, which may grow in the future?

Thank you for your help in advance.


You should use security groups instead of Network ACLs when possible. Network ACLs are generally only better when you need to have explicit deny rules for specific IPs. And even then, depending on what you are doing, it may be better to have those deny rules in a WAF instead of a Network ACL. Also, having to deal with ephemeral port rules in Network ACLs can lead to a lot of issues if you don't get that right, while Security Groups don't have that issue at all.

You can see the limits for both here. Network ACLs can only have a max of 40 rules, so that is definitely not going to work for you. You can have a maximum of 5 security groups attached to a network interface, and the total rules for all 5 security groups combined can be up to 1000 (after you request a limit increase).
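The answer above points at the rule quotas as the real constraint for a 500+ address allow list. As an added example (not from the question or the answer), the following script shows the two things a practitioner would do before touching the quotas: collapse the raw address list into the minimal set of CIDR blocks (adjacent and duplicate addresses merge into larger prefixes, so the rule count drops) and then check whether the result fits in the "up to 5 security groups per network interface" budget at a chosen per-group rule quota. The sample IPs are constructed (RFC 5737 documentation ranges), the `sg-...` IDs are placeholders, `DEFAULT_RULES_PER_GROUP = 60` is the AWS default inbound-rule quota per security group as I know it and is an assumption you should verify against your account, and the script handles IPv4 only.

```python
import ipaddress
from typing import Iterable

# Assumption: AWS default inbound-rule quota per security group (verify in Service Quotas).
DEFAULT_RULES_PER_GROUP = 60
# From the answer: at most 5 security groups can be attached to one network interface.
MAX_GROUPS_PER_INTERFACE = 5


def collapse_allowlist(entries: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Turn a raw list of IPv4 addresses/CIDRs into the minimal set of CIDR blocks.

    Duplicates are dropped and contiguous addresses are merged into larger prefixes,
    which is the cheapest way to cut the number of security group rules needed.
    """
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 entry not handled by this example: {entry}")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def plan_security_groups(
    cidrs: list[ipaddress.IPv4Network],
    rules_per_group: int = DEFAULT_RULES_PER_GROUP,
    max_groups: int = MAX_GROUPS_PER_INTERFACE,
) -> list[list[ipaddress.IPv4Network]]:
    """Split the CIDR list into chunks, one chunk per security group.

    Raises ValueError when the allow list cannot fit in max_groups security groups
    at the given per-group quota, i.e. when a quota increase (or a different
    control, such as a WAF) is required rather than more security groups.
    """
    chunks = [cidrs[i:i + rules_per_group] for i in range(0, len(cidrs), rules_per_group)]
    if len(chunks) > max_groups:
        needed = len(cidrs)
        capacity = rules_per_group * max_groups
        raise ValueError(
            f"{needed} rules needed but only {capacity} fit in {max_groups} groups "
            f"at {rules_per_group} rules each; request a quota increase"
        )
    return chunks


def render_cli(
    plan: list[list[ipaddress.IPv4Network]], sg_ids: list[str], port: int
) -> list[str]:
    """Render one aws CLI ingress call per CIDR, assigned to the given security group IDs."""
    if len(sg_ids) < len(plan):
        raise ValueError("not enough security group IDs for the plan")
    lines = []
    for sg_id, chunk in zip(sg_ids, plan):
        for net in chunk:
            lines.append(
                f"aws ec2 authorize-security-group-ingress --group-id {sg_id} "
                f"--protocol tcp --port {port} --cidr {net}"
            )
    return lines


# Constructed sample input: a full /24 listed as 256 separate hosts, a duplicate,
# two adjacent hosts, and a lone address. Real lists look exactly this messy.
SAMPLE_IPS = (
    [f"203.0.113.{i}" for i in range(256)]
    + ["203.0.113.7", "198.51.100.10", "198.51.100.11", "192.0.2.5"]
)

if __name__ == "__main__":
    cidrs = collapse_allowlist(SAMPLE_IPS)
    print(f"{len(SAMPLE_IPS)} entries collapsed to {len(cidrs)} CIDR rules")
    plan = plan_security_groups(cidrs, rules_per_group=2)
    for line in render_cli(plan, ["sg-PLACEHOLDER-1", "sg-PLACEHOLDER-2"], port=22):
        print(line)
```

Run it against your real list with the default quota: 500+ scattered hosts that do not collapse will exceed 5 × 60 and the script will tell you so, which is exactly the point at which the answer's advice to request a limit increase (up to the combined 1000 rules) applies.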