Knowing the difference between a security group and a network ACL in AWS can help solve a lot of networking issues. In short, security groups are the firewalls that wrap individual EC2 instances, while network ACLs protect VPC subnets. Let’s dive into the key differences that make each unique.
What is a Security Group
An AWS security group functions as a virtual firewall, allowing and preventing traffic from reaching and leaving the resources with which it is linked. When you associate a security group with an EC2 instance, for example, it controls the instance’s inbound and outbound traffic.
Security groups have a select few characteristics that make them unique:
- You can only specify allow rules and not deny rules
- Inbound traffic is not allowed by default until you explicitly specify it
- All outbound traffic is allowed by default
- When multiple security groups are added to a resource, all of their rules are aggregated into one combined set of allow rules
- Security group rule changes take effect immediately.
Security groups are stateful, meaning you do not need to add a rule for return traffic: responses to traffic you allow inbound or outbound are permitted automatically.
What is a Network Access Control List in AWS (NACL)
An optional layer of protection for your VPC is a network access control list (NACL), which works as a firewall regulating traffic in and out of one or more subnets. To add an extra layer of security to your VPC, you can create network ACLs with rules similar to those in your security groups.
NACLs are stateless, meaning that traffic you allow inbound will not automatically be allowed back outbound. For this reason, you will see the default NACL allows everything inbound and outbound.
Here are some of the basic understandings of how a network access control list works in AWS:
- Your VPC comes with a default network ACL that you can change. It enables all inbound and outbound IPv4 traffic, as well as IPv6 traffic, by default.
- A custom network ACL can be created and associated with a subnet. Until you add rules, each custom network ACL denies all inbound and outbound traffic.
- Assign network ACLs to subnets in your VPC. If you don’t explicitly associate a subnet with a network ACL, the default network ACL is used.
- Multiple subnets can be associated with a network ACL. A subnet, on the other hand, can only be associated with one network ACL at a time. The prior association is removed when you associate a network ACL with a subnet.
- A network ACL is a numbered list of rules. To determine whether traffic is allowed in or out of any subnet associated with the network ACL, AWS evaluates the rules in order, starting with the lowest-numbered rule, and applies the first rule that matches the traffic. 32766 is the highest number you can use for a rule. It is recommended that you define rules in increments (for example, 10 or 100) so that you can insert new rules later where needed.
- Inbound and outbound rules are independent in a network ACL, and each rule can allow or refuse traffic.
- Because network ACLs are stateless, responses to allowed inbound traffic are governed by the rules for outbound traffic (and vice versa).
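As an added example (not from the original article), the following Python simulator contrasts the two evaluation models described above: the security group aggregates allow rules and is stateful, while the NACL evaluates numbered rules lowest first, applies the first match, and needs an explicit outbound rule for the ephemeral return ports. All rules, ports and addresses here are constructed for illustration.

```python
# Added example: simulate security group vs network ACL evaluation.
# Rule dictionaries and sample traffic are constructed, not real AWS data.
from ipaddress import ip_address, ip_network

def sg_allows(rules, proto, port, src):
    """Security group: union of all allow rules; no match means drop.
    There are no deny rules, and return traffic is tracked statefully."""
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and ip_address(src) in ip_network(r["cidr"]) for r in rules)

def nacl_decision(rules, proto, port, addr):
    """Network ACL: evaluate ascending by rule number; the first matching
    rule decides. The implicit '*' rule denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["proto"] in (proto, "all") and r["from"] <= port <= r["to"]
                and ip_address(addr) in ip_network(r["cidr"])):
            return r["action"]
    return "deny"

# Constructed security group: allow HTTPS from anywhere (outbound open by default).
SG_INBOUND = [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]

# Constructed NACL: deny a blocked range first (lower number), then allow HTTPS.
# If the deny rule were numbered above the allow rule it would never be reached.
NACL_INBOUND = [
    {"num": 100, "action": "deny", "proto": "all", "from": 0, "to": 65535, "cidr": "198.51.100.0/24"},
    {"num": 200, "action": "allow", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
]
# Outbound rule for return traffic on ephemeral ports; required because NACLs
# are stateless and do not remember the inbound connection.
NACL_OUTBOUND = [
    {"num": 100, "action": "allow", "proto": "tcp", "from": 1024, "to": 65535, "cidr": "0.0.0.0/0"},
]

def https_request(src, client_port=50000):
    """Return (sg_verdict, nacl_inbound, nacl_return) for an HTTPS request
    from src. The security group needs no return rule; the NACL does."""
    return (sg_allows(SG_INBOUND, "tcp", 443, src),
            nacl_decision(NACL_INBOUND, "tcp", 443, src),
            nacl_decision(NACL_OUTBOUND, "tcp", client_port, src))

if __name__ == "__main__":
    print(https_request("203.0.113.7"))   # (True, 'allow', 'allow')
    print(https_request("198.51.100.9"))  # (True, 'deny', 'allow'): SG would allow, NACL deny rule 100 wins
```

Removing the outbound ephemeral-port rule makes the return leg evaluate to "deny", which is the classic stateless NACL mistake.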
When to use a security group vs a NACL
Security groups attached to resources only let you specify the traffic that you want to allow inbound or outbound; traffic cannot be blocked with deny rules. By the time traffic is evaluated against a security group rule, it has already entered the subnet.
If you want to further restrict traffic into the network, a NACL is your next best choice. Deny rules give you the flexibility to block malicious traffic at the subnet level before it reaches the EC2 instance. This extra layer of protection guards against accidentally modifying a security group the wrong way and letting in bad actors.
Both a security group and a network ACL in AWS provide benefits. Using one or the other depends on your environment. Using both can improve your network’s security by mirroring the rules in both tables. Read more here on other advanced uses of a security group and network ACL in AWS.