AWS: Difference between Security Groups and Network Access Control List (NACL)

by | Jan 2, 2023 | Amazon Web Services, Security | 0 comments

Comparison: VPC Security Group vs NACL in AWS.

Security Groups and Network ACLs

TL;DR:

Security group is the firewall of EC2 Instances.
Network ACL is the firewall of the VPC Subnets.

Key Differences: Security group vs NACL

Scope: Subnet or Instance (Where to apply)

Security groups are tied to an instance whereas Network ACLs are tied to the subnet.

Network ACLs are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow rules of NACL. That’s not the case with security groups, security groups has to be assigned explicitly to the instance.
This means any instances within the subnet group gets the rule applied. With Security group, you have to manually assign a security group to the instances.

State: Stateful or Stateless

Security groups are stateful. This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.

Network ACLs are stateless. This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Rules: Allow or Deny

Security group supports allow rules only (by default all rules are denied). e.g. You cannot deny a certain IP address from establishing a connection.

Network ACL supports allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection example: Block IP address 123.201.57.39 from establishing a connection to an EC2 Instance.

Rule process order

All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL.

i.e. Security groups evaluate all the rules in them before allowing a traffic whereas NACLs do it in the number order, from top to bottom.

Defense order

Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.

Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.

Occurrence

Subnet can have only one NACL, whereas Instance can have multiple Security groups.

Rule Destination

Security group rule allow CIDR, IP, Security group as destination.

Network ACL rule only allow CIDR as destination.

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.