Security Group Vs NACL

Rishikesh Varvade
3 min read · Feb 10, 2021

Every cloud network needs to be secured, and in this article we will look at the methods for securing a network within Amazon Web Services. There are two of them: Security Groups and Network Access Control Lists (NACLs).

Both are virtual firewalls for your network, but they act at different levels: security groups act at the instance level, whereas NACLs act at the subnet level. Despite acting at different levels they do share some similarities; for example, both security groups and NACLs use sets of inbound and outbound rules to control traffic to and from resources in a VPC.

What is a Security Group?

A security group acts as a virtual firewall for your EC2 instance, controlling its incoming and outgoing traffic. Security groups act at the instance level. You can assign up to five security groups per instance.

Because security groups work at the instance level of a VPC, one security group can be attached to one or more instances, even across subnets. Each instance must be attached to at least one security group.

When you create a VPC, AWS automatically creates a default security group for it. You can add and remove rules from a default security group, but you can’t delete the security group itself.

What is a NACL?

A network access control list is an optional layer of security that acts at the subnet level, controlling traffic to or from the subnet with a set of inbound and outbound rules.

Because NACLs work at the subnet level of a VPC, one NACL can be associated with one or more subnets, but each subnet can be associated with only one NACL at a time.

Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.

Before we go and see the differences between Security groups and NACLs, let’s first try to understand some basic concepts.

Stateful or Stateless

Security groups are stateful, meaning that if an inbound rule allows a connection, the response traffic for that connection is automatically allowed back out, regardless of the outbound rules. For example, if you allow incoming port 22, you do not have to add an outbound rule for the SSH replies.

NACLs are stateless, meaning a rule applied to incoming traffic is not applied to the return traffic. For example, if you allow incoming port 22, you also need an outbound rule for the replies, and those replies go back to whatever port the client chose (the ephemeral port range), not to port 22.

Allow or Deny Rules

Security groups support only allow rules; anything not explicitly allowed is denied by default. You can't specify deny rules in a security group.

Network ACLs support both allow and deny rules. With a deny rule you can explicitly stop a certain IP address from establishing a connection, for example: block IP address 123.201.57.39 from establishing a connection to an EC2 instance.

Rule order

In a security group, all the rules are evaluated together before deciding whether to allow the traffic, so the order in which they were added does not matter.

In a NACL, rules are evaluated in order, starting from the lowest rule number; the first rule that matches the traffic decides whether it is allowed or denied.
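To make the three properties above concrete, here is an added toy model of how the two rule sets are evaluated. It is not code from the article and not the AWS implementation; it is a simplified simulation that only captures the semantics discussed here (stateful versus stateless, allow-only versus allow/deny, unordered versus numbered evaluation). The client and server addresses are constructed sample values, and the blocked address is the one the article uses.

```python
"""Toy model of security-group vs. network-ACL rule evaluation (illustrative only)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound or outbound rule. 'number' only matters for NACLs."""
    number: int
    action: str        # "allow" or "deny"; security groups only ever use "allow"
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str          # remote address range the rule applies to

    def matches(self, protocol, port, remote):
        return ((self.protocol == "all" or self.protocol == protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(remote) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    """Stateful, allow-only, unordered: any matching rule permits the packet."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)   # connection-tracking table

    def allows(self, direction, protocol, src, sport, dst, dport):
        # Statefulness: a reply to a connection that was already permitted
        # is allowed regardless of the rules in the opposite direction.
        if (protocol, dst, dport, src, sport) in self.tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        remote = src if direction == "in" else dst
        # Every rule is considered; there is no ordering and no deny rule.
        if any(r.matches(protocol, dport, remote) for r in rules):
            self.tracked.add((protocol, src, sport, dst, dport))
            return True
        return False   # implicit deny


@dataclass
class NetworkAcl:
    """Stateless, allow/deny, ordered: the lowest-numbered matching rule wins."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def allows(self, direction, protocol, remote, dport):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(protocol, dport, remote):
                return rule.action == "allow"
        return False   # the trailing '*' rule denies anything unmatched


# Constructed sample addresses (documentation ranges, not real hosts).
CLIENT, CLIENT_PORT = "203.0.113.7", 51000
SERVER = "10.0.0.5"


def ssh_through_security_group():
    """Inbound allow on port 22 only, with no outbound rule at all."""
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 22, 22, "0.0.0.0/0")])
    request = sg.allows("in", "tcp", CLIENT, CLIENT_PORT, SERVER, 22)
    reply = sg.allows("out", "tcp", SERVER, 22, CLIENT, CLIENT_PORT)
    return request, reply          # (True, True): the reply rides on connection state


def ssh_through_nacl(allow_ephemeral_out):
    """Same inbound rule on a NACL; the reply needs its own outbound rule."""
    outbound = []
    if allow_ephemeral_out:
        outbound.append(Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"))
    acl = NetworkAcl(inbound=[Rule(100, "allow", "tcp", 22, 22, "0.0.0.0/0")],
                     outbound=outbound)
    request = acl.allows("in", "tcp", CLIENT, 22)
    reply = acl.allows("out", "tcp", CLIENT, CLIENT_PORT)
    return request, reply          # (True, False) without the ephemeral rule


def nacl_deny_by_rule_number(deny_number):
    """A deny for one address only takes effect if numbered below the allow."""
    acl = NetworkAcl(inbound=[
        Rule(deny_number, "deny", "tcp", 22, 22, "123.201.57.39/32"),
        Rule(100, "allow", "tcp", 22, 22, "0.0.0.0/0"),
    ])
    blocked = acl.allows("in", "tcp", "123.201.57.39", 22)
    other = acl.allows("in", "tcp", CLIENT, 22)
    return blocked, other          # (False, True) at 90, (True, True) at 110


if __name__ == "__main__":
    print("security group request/reply  :", ssh_through_security_group())
    print("NACL, no ephemeral outbound   :", ssh_through_nacl(False))
    print("NACL, with ephemeral outbound :", ssh_through_nacl(True))
    print("NACL deny at 90, allow at 100 :", nacl_deny_by_rule_number(90))
    print("NACL deny at 110, allow at 100:", nacl_deny_by_rule_number(110))
```

The last function is the one worth remembering when you audit a NACL: a deny rule numbered above a broader allow is never reached, so the order of the numbers, not the presence of the deny, decides what the subnet accepts.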

So which one should we prefer to use? Security group or NACL?

The simple answer is that security groups and NACLs can be used separately or together to secure your network, so configuring both of them effectively gives you two layers of protection and makes your network more secure.

Difference between Security group and NACL

In summary: security groups act at the instance level, are stateful, support only allow rules and evaluate all rules together, while NACLs act at the subnet level, are stateless, support both allow and deny rules and evaluate rules in numbered order. I hope you now understand the difference between security groups and NACLs very well.

Happy Clouding!
