August 4, 2019

Difference between NACL and Security Groups in AWS

What are the differences between Security Groups and NACL in Amazon Web Services ?


Security Groups (SG)
Security groups, act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

Security groups can also be used by AWS services such as Amazon RDS, Amazon Redshift, Amazon EMR, and Amazon ElastiCache.

By default, Security Groups allow only outbound traffic and block all incoming traffic. To enable inbound traffic, we have to specify the protocol, port and source.

VPC is like a house and subnets are like rooms, security group is like (fire)wall.

Network Access Controls Lists (NACL)
Network access controls lists (ACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.

NACL is at subnet level.

In a VPC, the default NACL is set to allow all inbound and outbound traffic. If you deploy a custom NACL, then all inbound and outbound traffic is blocked.

Security Groups control traffic flow at the instance level whereas NACLs control traffic at the subnet level.

Security Groups can thus be used to enable traffic flow between different types of instances within a subnet itself which NACLs cannot control.

NACL and Security Groups work in collaboration with each other to offer a more complete security setup.


Differences between Security Groups and Network ACL

Security Groups  NACL
Security groups are stateful (changes applied to an incoming rule will be automatically applied to the outgoing rule) NACLs are stateless (changes applied to an incoming rule will not be applied to the outgoing rule)
By default, Security Groups allow only outbound traffic and block all incoming traffic By default, NACL is set to allow all inbound and outbound traffic
Security groups are tied to an instance Network ACLs are tied to the subnet
Firewall of EC2 Instances Firewall of Subnet
Security group support ALLOW rules only (by default all rules are denied) Network ACL support ALLOW and DENY rules
All rules in a security group are applied NACLs apply rules in number/priority order, from top to bottom
Applies to an instance only if specified the security group Automatically applies to all instances in the subnets it's associated with
Can not block specific IP address Can block specific IP address



Related AWS Articles:  AWS Certified Cloud Practitioner Practice Exam 2