Difference between AWS Security Groups and NACL

Published at 12/25/2024
Categories: aws, devops, security, networking
Author: cloudcuddler

Hi Techie,

Today, we will discuss two of the most common topics in AWS: security groups and NACLs. A common interview question is, “What is the difference between Security Groups and NACL?” So, let’s discuss both in detail.

Basic Architecture of Security Group and NACL in AWS

[Image: basic architecture of a Security Group and a NACL in AWS]

Security Group

A Security Group is a stateful firewall for EC2 instances that controls inbound and outbound traffic. It acts like a virtual firewall that can be attached to one or more instances.

Below are the basic attributes of security groups:

  1. Inbound and outbound traffic have separate sets of rules.
  2. A newly created security group has no inbound rules. To allow another host to communicate with your EC2 instance, you need to add it to the inbound rules of the security group.
  3. By default, all outbound traffic is allowed in a newly created security group. You can remove this rule and set outbound rules as per your requirement.
  4. Security group rules are always permissive, i.e. you cannot specify deny rules; you can only define allow rules.

How a newly created security group looks in AWS:

[Images: a newly created security group as shown in the AWS console]

Security Group Inbound and Outbound Rule Fields:

Both inbound and outbound rules have almost the same fields.

  1. **Type:** Type of traffic, such as SSH, SMTP, ICMP, etc. There is also a Custom protocol option that lets you specify another port range.
  2. **Protocol:** Like Type, this is filled in automatically based on the Type selection, or it can be set to a specific custom protocol.
  3. **Port Range:** You can specify a single port or a range of ports, e.g. 5001 – 6000.
  4. **Source (inbound rule):** A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  5. **Destination (outbound rule):** A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  6. **Description:** This is an optional field, but it is recommended to add a description that helps the team understand the purpose of the rule.

Network Access Control List

A NACL is a stateless virtual firewall that works at the subnet level. In the default NACL, all inbound and outbound traffic is allowed, so in a NACL you specify explicitly what to block in the inbound and outbound rules.

A default NACL is created when you create a new VPC, and it allows all inbound and outbound traffic. If you don’t associate a subnet with a user-defined NACL, the default NACL is attached to that subnet. A default NACL looks like this:

[Images: the default NACL’s inbound and outbound rules as shown in the AWS console]

NACL Inbound and Outbound Rule Fields

  1. **Rule Number:** Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches, it is applied without checking any higher-numbered rules.
  2. **Type:** Type of traffic, such as SSH, SMTP, ICMP, etc. There is also a Custom protocol option that lets you specify another port range.
  3. **Protocol:** Like Type, this is filled in automatically based on the Type selection, or it can be set to a specific custom protocol.
  4. **Port Range:** You can specify a single port or a range of ports, e.g. 5001 – 6000.
  5. **Source (inbound rule):** A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  6. **Destination (outbound rule):** A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  7. **Description:** This is an optional field, but it is recommended to add a description that helps the team understand the purpose of the rule.
  8. **Allow/Deny:** Specifies whether to allow or deny the matching traffic.

Now the question is, “What is the difference between a Security Group and a NACL?”

Firewall behavior is the main feature that distinguishes security groups from NACLs: a security group is stateful, while a NACL is stateless.

Stateful: A security group is called a stateful firewall because it maintains the state of each connection. This means that if an instance sends a request, the response traffic from outside is allowed back in regardless of the inbound rules, and vice versa.

Example: Suppose that in the security group you have blocked all inbound traffic and allowed all outbound traffic. If you now visit a website from your EC2 instance, the response from the web server back to the instance is allowed even though you have no inbound rule permitting it.

A security group achieves this through connection tracking. It keeps track of the connections that flow in and out of an EC2 instance; the tracked information includes IP addresses, port numbers, and some other metadata.

Stateless: A NACL does not keep connection details, which means it is stateless. If some traffic is allowed by a NACL inbound rule, the corresponding response traffic is not allowed out by default unless an outbound rule permits it.
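To make the rule-evaluation semantics from the NACL section and the stateful/stateless explanation above concrete, here is an added Python model (example code written for this page, not AWS code or the author’s). It reproduces the behaviour the post describes: a security group considers every rule, only ever allows, and lets tracked return traffic through; a NACL walks rules in ascending rule number, stops at the first match, can deny, and has no memory of connections. All addresses, ports, and rule numbers are constructed for illustration.

```python
"""Toy model of Security Group vs NACL rule evaluation (constructed illustration)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" (all traffic, any port)
    port_from: int         # port range as entered in the console, e.g. 5001 - 6000
    port_to: int
    cidr: str              # source (inbound rule) or destination (outbound rule)
    action: str = "allow"  # security groups only ever allow; NACLs may also deny
    number: int = 0        # NACL rule number; ignored by security groups


@dataclass(frozen=True)
class Packet:
    direction: str         # "inbound" (towards the instance) or "outbound"
    protocol: str
    remote_ip: str         # peer address: source if inbound, destination if outbound
    remote_port: int       # peer port
    local_port: int        # port on the instance


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol, the packet's destination port, and the peer's CIDR."""
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    dst_port = pkt.local_port if pkt.direction == "inbound" else pkt.remote_port
    if rule.protocol != "-1" and not rule.port_from <= dst_port <= rule.port_to:
        return False
    return ip_address(pkt.remote_ip) in ip_network(rule.cidr)


class SecurityGroup:
    """Stateful and permissive: any matching rule allows; tracked return traffic bypasses rules."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self.tracked: Set[Tuple[str, str, int, int]] = set()  # the connection-tracking table

    def evaluate(self, pkt: Packet) -> bool:
        key = (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self.tracked:           # response to a connection already allowed
            return True
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        if any(rule_matches(r, pkt) for r in rules):  # order is irrelevant: all rules allow
            self.tracked.add(key)
            return True
        return False                      # no allow rule means implicit deny


class NetworkAcl:
    """Stateless and ordered: lowest rule number first, first match decides, then the '*' deny."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound

    def evaluate(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule_matches(rule, pkt):
                return rule.action == "allow"
        return False                      # the catch-all '*' rule denies everything else


ALLOW_ALL = Rule("-1", 0, 65535, "0.0.0.0/0", number=100)


def web_response_example() -> Dict[str, bool]:
    """The post's scenario: no inbound rules, all outbound allowed, instance visits a website."""
    request = Packet("outbound", "tcp", "203.0.113.10", 443, 54321)   # constructed addresses
    response = Packet("inbound", "tcp", "203.0.113.10", 443, 54321)

    sg = SecurityGroup(inbound=[], outbound=[ALLOW_ALL])
    sg_request, sg_response = sg.evaluate(request), sg.evaluate(response)

    # The same intent on a NACL: inbound only HTTP to a web server in the subnet.
    http_in = Rule("tcp", 80, 80, "0.0.0.0/0", number=100)
    nacl = NetworkAcl(inbound=[http_in], outbound=[ALLOW_ALL])
    # Stateless, so the response on the ephemeral port needs its own inbound rule.
    ephemeral_in = Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110)
    nacl_fixed = NetworkAcl(inbound=[http_in, ephemeral_in], outbound=[ALLOW_ALL])

    return {"sg_request": sg_request, "sg_response": sg_response,
            "nacl_response": nacl.evaluate(response),
            "nacl_response_with_ephemeral": nacl_fixed.evaluate(response)}


def nacl_ordering_example() -> Tuple[bool, bool, bool]:
    """Rule numbers decide: a narrow deny only works if numbered below the broad allow."""
    deny_block = Rule("tcp", 22, 22, "198.51.100.0/24", action="deny", number=100)
    allow_any = Rule("tcp", 22, 22, "0.0.0.0/0", action="allow", number=110)
    ssh_from_blocked = Packet("inbound", "tcp", "198.51.100.7", 50000, 22)
    ssh_from_other = Packet("inbound", "tcp", "192.0.2.9", 50000, 22)

    ordered = NetworkAcl(inbound=[deny_block, allow_any], outbound=[])
    swapped = NetworkAcl(inbound=[replace(deny_block, number=110),
                                  replace(allow_any, number=100)], outbound=[])
    return (ordered.evaluate(ssh_from_blocked), ordered.evaluate(ssh_from_other),
            swapped.evaluate(ssh_from_blocked))


if __name__ == "__main__":
    print(web_response_example())
    print(nacl_ordering_example())
```

Two things the model makes visible: the web response passes the security group purely through the tracking table, so removing every inbound rule still lets it in, while the NACL rejects the same packet until an inbound rule covers the ephemeral port range it arrives on. And on the NACL, a deny for one /24 only takes effect when its rule number is lower than the broad allow; with the numbers swapped the allow matches first and the deny is never reached, something a security group cannot express at all because it has no deny rules.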

Key Differences between Security Group and NACL:

| Security Group | NACL |
|---|---|
| Works at the instance level. | Works at the subnet level. |
| All inbound traffic is blocked by default. | All inbound and outbound traffic is allowed by default. |
| Only allow rules can be added. | Both allow and deny rules can be added. |
| Stateful. | Stateless. |
| Multiple SGs can be associated with an EC2 instance. | Only one NACL can be associated with a single subnet. |
| Evaluates all rules and applies the most permissive one. | Evaluates rules starting with the lowest-numbered one until a rule matches. |