Difference between AWS Security Groups and NACL

Hi Techie,

Today we will discuss one of the most common AWS topics: Security Groups and NACLs. A frequent interview question is “What is the difference between a Security Group and a NACL?”, so let’s discuss both in detail.

Basic Architecture of Security Group and NACL in AWS

Security Group

A Security Group is a stateful firewall for EC2 instances that controls inbound and outbound traffic. It acts like a virtual firewall that can be attached to one or more instances.

Below are the basic attributes of security groups:

  1. Inbound and outbound traffic have separate rules.
  2. A newly created security group has no inbound rules. To allow another host to reach your EC2 instance, you need to add it to the inbound rules of the security group.
  3. By default, all outbound traffic is allowed in a newly created security group. However, you can remove this rule and set outbound rules as per your requirement.
  4. Security group rules are always permissive, i.e. you cannot specify deny rules; you can only define allow rules.

Here is how a newly created security group looks in AWS:

Default Inbound Rules For Security Group
Default Outbound Rule For Security Group

Security Group Inbound and Outbound Rule Fields:

Both the Inbound and Outbound rules have almost the same rule fields.

  1. Type: The type of traffic, such as SSH, SMTP, ICMP, etc. There is also a Custom Protocol option that lets you specify another port range.
  2. Protocol: Like Type, this is filled in automatically from the Type selection, or it can be set to a specific custom protocol.
  3. Port Range: You can specify a single port or a range of ports, e.g. 5001 – 6000.
  4. Source (inbound rule): A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  5. Destination (outbound rule): A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  6. Description: This is an optional field, but adding a description is recommended so that the team understands the purpose of the rule.

Network Access Control List

A NACL is a stateless virtual firewall that works at the subnet level. In the default NACL, all inbound and outbound traffic is allowed, so in a NACL you need to specify explicitly what to block in the inbound and outbound rules.

A default NACL is created when we create a new VPC, and it allows ALL inbound and outbound traffic. If we don’t associate a subnet with a user-defined NACL, the default NACL is attached to that subnet. A default NACL looks like this:

Default NACL Inbound Rules
Default NACL Outbound Rules

NACL Inbound and Outbound Rule Fields

  1. Rule Number: Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches, it is applied and no higher-numbered rules are checked.
  2. Type: The type of traffic, such as SSH, SMTP, ICMP, etc. There is also a Custom Protocol option that lets you specify another port range.
  3. Protocol: Like Type, this is filled in automatically from the Type selection, or it can be set to a specific custom protocol.
  4. Port Range: You can specify a single port or a range of ports, e.g. 5001 – 6000.
  5. Source (inbound rule): A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  6. Destination (outbound rule): A single IP, anywhere (0.0.0.0/0), or a CIDR range.
  7. Description: This is an optional field, but adding a description is recommended so that the team understands the purpose of the rule.
  8. Allow/Deny: Specifies whether to allow or deny the matching traffic.

Now the question is “What is the difference between a Security Group and a NACL?”

Firewall behavior is the major feature that distinguishes security groups from NACLs: a security group is stateful while a NACL is stateless.

Stateful: A Security Group is called a stateful firewall because it maintains the state of a connection. That means if an instance sends a request, the response traffic from outside is allowed back in irrespective of the inbound rules, and vice versa.

Example: Suppose that in the security group you have blocked all inbound traffic and allowed all outbound traffic. Now if I visit a website from my EC2 instance, the response from the web server back to my EC2 instance will be allowed even though you have set no inbound rule for that traffic.

The security group achieves this by connection tracking. Security groups use connection tracking to keep track of the connections that flow in and out of an EC2 instance; this information includes IP address, port number, and some other metadata.

Stateless: A NACL does not maintain connection details, which means it is stateless. If some traffic is allowed by a NACL inbound rule, the response outbound traffic is not allowed by default unless it is specified in the outbound rules.

Key Differences between Security Group and NACL:

| Security Group | NACL |
|---|---|
| Works at the instance level. | Works at the subnet level. |
| All inbound traffic is blocked by default. | All inbound and outbound traffic is allowed by default. |
| Only allow rules can be added. | Both allow and deny rules can be added. |
| Stateful. | Stateless. |
| Multiple SGs can be associated with an EC2 instance. | Only one NACL can be associated with a single subnet. |
| Evaluates all rules and applies the most permissive one. | Evaluates rules starting from the lowest number until one matches. |
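As an added illustration (not code from this post or from AWS), the following Python model captures the rule fields listed in both sections above and the two evaluation behaviours just compared: a security group is allow-only and tracks flows so replies pass, while a NACL is stateless and applies the lowest-numbered matching rule. It simplifies the Source/Destination field to either anywhere (0.0.0.0/0) or one exact host rather than full CIDR matching, and any addresses used with it are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the instance/subnet, "out" = leaving it
    proto: str
    peer: str        # remote host; any addresses used are constructed samples
    peer_port: int
    local_port: int
    def flow_key(self):  # identical for a request and its reply
        return (self.proto, self.peer, self.peer_port, self.local_port)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    peer: str = "0.0.0.0/0"   # "0.0.0.0/0" = anywhere, otherwise one exact host
    action: str = "allow"     # NACL only; security groups are allow-only
    number: int = 0           # NACL only; evaluation order
    def matches(self, pkt):
        dport = pkt.local_port if pkt.direction == "in" else pkt.peer_port  # destination port
        return (self.direction == pkt.direction and self.proto == pkt.proto and
                self.port_from <= dport <= self.port_to and self.peer in ("0.0.0.0/0", pkt.peer))

class SecurityGroup:
    # Stateful and allow-only: any matching rule permits, and the permitted
    # flow is tracked so its reply passes even with no rule in that direction.
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.tracked = set()
    def allows(self, pkt):
        if pkt.flow_key() in self.tracked:
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(pkt.flow_key())
            return True
        return False

class NetworkAcl:
    # Stateless: lowest-numbered match decides; unmatched traffic hits the implicit final deny ("*")
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
    def allows(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action == "allow"
        return False
```

Evaluating an outbound HTTPS request and then its inbound reply against a security group with only an outbound allow rule and a NACL with only an outbound rule 100 for port 443 shows the reply passing the security group but hitting the NACL's implicit deny until an inbound rule for the ephemeral port range is added.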
