Security Group vs NACL(Network Access Control List) in AWS

Security Group vs NACL(Network Access Control List) in AWS

In this post, we will understand the difference between the AWS security group and NACL or network access control list in AWS. Amazon VPC provides features like security groups and network access control lists(NACL) to help you secure your VPC and the resources deployed in it.

Both of these features can control inbound and outbound traffic for your resources in VPC. You can define rules in the security group and NACL to specify what kind of traffic you want to allow and to which sources for example IP addresses.

Having said that, since both of these control inbound and outbound traffic, it becomes really confusing for us to choose the correct feature. That’s why, in this post, I will discuss the difference between security groups and NACL.

Stay tuned till the end of the post to understand the similarity and differences between these features.

Don’t want to miss any posts from us? join us on our Facebook group, and follow us on Facebook, Twitter, LinkedIn, and Instagram. You can also subscribe to our newsletter below to not miss any updates from us.

What is a Security Group?

A security group is a kind of virtual firewall that controls the incoming and outgoing traffic for the resource it is attached to in a virtual network or VPC.

For example- If you attach a security group to an EC2 instance, it decides what traffic is permitted to reach the EC2 instance (incoming traffic) and what traffic is allowed to leave the instance(outgoing traffic).

Security groups can be attached to various resources that you can launch in a virtual network. For Example – EC2 instance, Lambda, Elastic Load balancer etc.

Some important features of a security group:

You can attach a security group to resources in the VPC for which it is created. That means both the resource and security groups should belong to the same VPC.
You add rules for inbound and outbound traffic. Based on that traffic is allowed.
A newly created security group has no inbound rules hence all inbound traffic is denied until you specify explicitly.
Security groups are stateful which means if the request is allowed to reach an EC2 instance, the response is always allowed despite the outbound rule and vice versa.
By default, all outbound traffic is allowed.
You can associate more than one security group with a resource. In that case, rules from all the security groups are clubbed to determine whether traffic is allowed.

What is NACL(Network Access Control List)?

NACL or network access control list provides an additional layer of security. It is kind of a firewall that controls inbound or outbound traffic but at the subnet level.

In other words, it decides which traffic is allowed to reach your subnet(incoming traffic) and which traffic is allowed to leave your subnet(outgoing traffic).

Since NACL works at the subnet level, if some incoming traffic is denied by NACL, the traffic can never reach your EC2 instance in that subnet.

Some important features of NACL:

Your VPC automatically comes with a default network ACL. By default, it allows all inbound and outbound IPv4 traffic
You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
A subnet can have only one NACL at any point in time. When you create a subnet, the default NACL is associated with your subnet. However, you can create a custom NACL anytime and associate it with the subnet. In which case, the default one will get removed(remember only one NACL at a time for a subnet)
The default NACL allows all inbound and outbound traffic
You can create inbound and outbound rules in NACL that can either allow traffic or deny traffic.
Rules are numbered from smaller to bigger(from 1 to 32766) numbers and smaller number takes precedence. If the rule with small number matches, rules with a bigger number are not evaluated.
Let’s take a scenario- You have two rules numbered #10 and #100, the rule with #10 10 allows traffic and the rule with #100 denies it. So, overall traffic will be alloweded. Because #10 takes precedence and the rule with the #100 will not even be checked.
Since NACL supports allow and deny both rules, you can use NACL to block a specific IP at the subnet level

This is what the default NACL incoming rule looks like-

As we discussed, the lower number rule takes precedence and hence all incoming traffic is allowed. The ‘*’ in the rule number indicates that if there is no match, all request is denied.

Difference Between Security Group and NACL

Previously, we have seen that the security group and NACL work to provide security to your VPC and the resources in it.

As you see in the below diagram, If a request comes to a VPC, it first gets evaluated by NACL. If the NACL denies the request, the request gets denied straightaway and it never reaches your instance.

However, if your NACL allows the request, the request gets evaluated by your security group. If the security group allows the request, the request finally makes it to your EC2 instance.