Hello friends, in this article I will discuss the various differences between a network access control list (NACL) and a security group in AWS. Both are provided by AWS networking to block unsolicited access from outside. Understanding the differences helps you understand these AWS network components better, and a good number of questions about them are asked in the AWS associate certifications.
Let's discuss all the important points for security groups and network access control lists one by one:
Security Group (SG):
- An SG is a virtual firewall controlling traffic to your instances. AWS allows you to control traffic in and out of your instance using this virtual firewall.
- An SG allows you to control traffic based on port, protocol, and source/destination.
- SGs have different capabilities depending on whether they are associated with Amazon VPC or Amazon EC2-Classic:
  - EC2-Classic security group: controls outgoing instance traffic.
  - VPC security group: controls outgoing and incoming instance traffic.
- Each instance must have at least one SG and can have more.
- An SG is default-deny, that is, it does not allow any traffic that is not explicitly allowed by a security rule.
- A security group is a stateful firewall, i.e. an outgoing message is remembered so that the response is allowed back through the SG without an explicit inbound rule being required.
- SGs are applied at the individual instance level, as opposed to a traditional on-premises firewall that protects at the perimeter.
- All inbound traffic is blocked by default.
- All outbound traffic is allowed by default.
- We can change the security group for an instance while it is running.
- Any changes to the security group are applied immediately.
- Security group rule attributes:
  - Port: the port number affected by this rule.
  - Protocol: the communications standard for the traffic affected by this rule.
  - Source/Destination: identifies the other end of the communication, the source for inbound rules or the destination for outbound rules. It can be defined in two ways:
    - CIDR block: an x.x.x.x/x style definition that specifies a range of IP addresses.
    - Security group: includes any instance associated with the given security group, which avoids coupling security group rules to specific IP addresses.
Network Access Control List (NACL):
- NACLs are applied at the subnet level.
- An NACL can be associated with multiple subnets, but a subnet can have only one NACL associated with it.
- Each subnet is associated with a default NACL.
- For the default NACL, all inbound and outbound traffic is allowed.
- For a custom NACL, all inbound and outbound traffic is denied.
- NACLs are stateless: responses to allowed inbound traffic are subject to the rules for outbound traffic, and vice versa.
- NACLs support both allow and deny rules, which gives more granular control than a security group, where only allow rules exist.
- The rules in an NACL are evaluated sequentially, in ascending rule-number order, and the first matching rule decides the result for a particular request. For example, suppose we set rule #1 to deny incoming traffic on port 80 and rule #100 to allow port 80. This NACL will not allow incoming traffic on port 80, because it encounters the deny rule first.
- It is always recommended to number rules in increments of 100 when creating an NACL.
- Network ACLs do not filter traffic between instances in the same subnet.
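To make the two evaluation models concrete, here is a small simulator I added for this article (it is not AWS code or an AWS API): it evaluates constructed NACL and security group rules over sample packets, reproducing the rule #1 deny / rule #100 allow case above and showing why a stateless NACL needs an outbound rule for the reply to the client's ephemeral port. The rule layout, sample CIDRs and port numbers are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number; lower numbers are evaluated first (ignored by SGs)
    action: str    # "allow" or "deny" (security groups only ever carry "allow")
    protocol: str  # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound


def matches(rule, protocol, port, ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False))


def nacl_verdict(rules, protocol, port, ip):
    # One direction of an NACL: try rules in ascending number order, the first match
    # decides, and no match falls through to the implicit '*' deny at the end.
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, port, ip):
            return rule.action
    return "deny"


def sg_verdict(rules, protocol, port, ip):
    # Security group: allow rules only, no ordering, anything unmatched is denied.
    return "allow" if any(matches(r, protocol, port, ip) for r in rules) else "deny"


def nacl_tcp_exchange(inbound, outbound, client_ip, client_port, server_port):
    # Stateless: the client's request and the server's reply are judged separately,
    # so the reply to the client's ephemeral port needs its own outbound rule.
    request = nacl_verdict(inbound, "tcp", server_port, client_ip)
    reply = nacl_verdict(outbound, "tcp", client_port, client_ip)
    return request, reply


# Constructed sample NACL reproducing the article's example: rule #1 denies port 80
# and rule #100 allows it; the deny is encountered first, so port 80 stays closed.
INBOUND = [
    Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(1, "deny", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(200, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
# Outbound side without, and then with, the ephemeral-port rule that replies need.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUTBOUND_FIXED = OUTBOUND_NO_EPHEMERAL + [Rule(200, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
```

With `OUTBOUND_NO_EPHEMERAL` the HTTPS request is allowed in but the server's reply is dropped on the way out; `OUTBOUND_FIXED` is the usual remedy of allowing the ephemeral port range outbound.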
I hope I have covered all the important differences between NACLs and security groups in AWS. Please feel free to add comments if you know any other differences.