AWS Security Group vs NACL — Key Differences

There are significant protections provided to you natively when you are building your networking stack on AWS. This wide range of services and features can become difficult to manage, and becoming knowledgeable about what tools to use in which area can be challenging.

The two main security components which can be confused within VPC networking are the Security Group and the Network Access Control List (NACL). When you compare a Security Group vs NACL, you will find that although they are fairly similar in general, there is a distinct difference in the use cases for each of these security features.

In this blog post, we are going to explain the main differences between Security Group vs NACL and talk about the use cases and some best practices.

First of all, what do they have in common?

The main thing that is shared in common between a Security group vs a NACL is that they are both a firewall. So, what is a firewall?

Firewalls in computing monitor and control incoming and outgoing network traffic based on predetermined security rules. Firewalls provide a barrier between trusted and untrusted networks. The network layer which we are talking about in this instance is an Amazon Virtual Private Cloud — aka a VPC.

In the AWS cloud, VPCs are on-demand pools of shared resources, designed to provide a certain degree of isolation between different organizations and different teams within an account.

First, let’s talk about the particulars of a Security Group.

Security Group Key Features

Where do they live?

Security groups are tied to an instance. This can be either an EC2 instance, ECS cluster or an RDS database instance — providing routing rules and acting as a firewall for the resources contained within the security group. With a security group, you have to purposely assign a security group to the instances — if you don’t want them to use the default security group.

The default security group allows all traffic outbound by default, but no inbound traffic.

This means any instances within the subnet group gets the rule applied.

Stateful or Stateless

Security groups are stateful in nature. As a result, any changes applicable to an incoming rule will also be automatically applied to the outgoing rule in the same way. For example, allowing an incoming port 80 will automatically open the outgoing port 80 — without you having to explicitly direct traffic in the opposite direction.

Allow or Deny Rules

The only rule set that can be used in security groups is the Allow rule set. Thus, You cannot backlist a certain IP address from establishing a connection with any instances within your security group. This would have to be achieved using a different technology.

Limits

Instance can have multiple security groups. By default, AWS will let you apply up to five security groups to a virtual network interface, but it is possible to use up to 16 if you submit a limit increase request.

Additionally, you can have 60 inbound and 60 outbound rules per security group (for a total of 120 rules). IPv4 rules are enforced separately from IPv6 rules; a security group, for example, may have 60 IPv4 rules and 60 IPv6 rules.

Network Access Control Lists (NACLS)

Now let’s compare the Security Group vs NACLs using the same criteria.

Where do they live?

Network ACLs exist on an interact at the subnet level, so any instance in the subnet with an associated NACL will automatically follow the rules of the NACL.

Stateful or Stateless

Network ACLs are stateless. Consequently, any changes made to an incoming rule will not be reflected in an outgoing rule. For example, if you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Allow or Deny Rules

Unlike a Security Group, NACLs support both allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection; e.g. to block a specific known malicious IP address from establishing a connection to an EC2 Instance.

Limits

Subnet can have only one NACL. However, you can associate one network ACL to one or more subnets within a VPC. By default, you can have up to 200 unique NACLs within a VPC, however this is a soft limit that is adjustable.

Secondly, you can have 20 inbound and 20 outbound rules per NACL (for a total of 40 rules). IPv4 rules are enforced separately from IPv6 rules. A NACL, for example, may have 20 IPv4 rules and 20 IPv6 rules.

We hope that you now more keenly understand the difference between NACLs and security groups.

Become an AWS expert with our value-packed training

AWS Training — Our popular AWS training will maximize your chances of passing your AWS certification the first time.
Membership — For unlimited access to our entire cloud training catalog, enroll in our monthly or annual membership program.
Challenge Labs — Build hands-on cloud skills in a secure sandbox environment. Learn, build, test and fail forward without risking unexpected cloud bills.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neal Davis

Neal Davis

Founder of Digital Cloud Training, IT instructor and Cloud Solutions Architect with 20+ year of IT industry experience. Passionate about empowering his students