Written by Chetan Melhotra
AWS natively provides significant protection for building a networking stack.
There are two main security components for securing your network within the AWS Cloud: Security groups and Network ACLs (NACLs).
When you compare a Security Group with a NACL, both resource types act as a virtual firewall to protect your network, and they are fairly similar in general; however, there is a distinct difference in the use cases for each of these security features.
First of all, what do they have in common?
Security groups and NACLs both use sets of inbound and outbound rules to control traffic to and from resources in a VPC.
Security groups and NACLs are both virtual firewalls.
However, Security groups and NACLs operate at separate layers in the VPC, have slightly different default rules, and don’t handle response traffic the same way.
Now let’s talk about Security groups and their key features:
In the AWS cloud, a security group controls traffic to or from an instance, such as an EC2 instance, an ECS cluster, or an RDS database instance. The Security group follows the least-privilege model: by default it denies all traffic, and it can have only “allow” rules.
Stateful or Stateless
Security groups are stateful. This means that a change applied to an inbound rule is automatically reflected for the matching outbound (return) traffic. For example, if you open port 80 for incoming traffic, the return traffic on port 80 is automatically allowed outbound.
Allow or Deny Rules
Security groups support only “allow” rules. You cannot blacklist a specific IP address to stop it from establishing a connection with any instance in your security group.
Limits
An instance can have multiple security groups. By default, AWS Cloud allows you to apply up to five security groups to a virtual network interface; the limit can be increased to 16 by submitting a limit increase request.
You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules). This quota is enforced separately for IPv4 rules and IPv6 rules; for example, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic.
Network Access Control Lists (NACLs)
Network ACLs are applied at the subnet level, so every instance in a subnet with an associated NACL automatically follows the rules of that NACL. For inbound (ingress) traffic, the Network ACL is the first layer of defense and the Security group is the second.
Stateful or Stateless
Network ACLs are stateless. A change made to an inbound rule is not applied to the outbound rule; i.e., if you allow inbound port 80, you also need to add a rule for the outgoing (return) traffic.
Allow or Deny Rules
Unlike a Security Group, NACLs support both allow and deny rules. The default NACL allows all inbound and outbound traffic. With deny rules, you can explicitly deny a certain IP address from establishing a connection; e.g., to block a specific known malicious IP address from connecting to an EC2 instance.
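As an added illustration of the two differences above (stateful versus stateless, allow-only versus allow/deny), here is a small Python model of how each filter decides on a packet; it is example code written for this article, not AWS's implementation, and the names Packet, Rule, SecurityGroup and NetworkAcl are its own. It also models two AWS behaviours the text only implies: NACL rules are evaluated in ascending rule-number order with the first match winning, and a stateless NACL needs an outbound rule covering the client's ephemeral port range (1024-65535) before responses can leave.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified model (not AWS code) of the filters described above: a
# security group has allow-only rules and is stateful; a network ACL has numbered
# allow/deny rules, evaluated lowest number first, first match wins, and is stateless.

@dataclass(frozen=True)
class Packet:
    direction: str   # "in": peer -> instance, "out": instance -> peer
    peer: str        # remote IP address
    peer_port: int   # port on the remote side
    local_port: int  # port on the instance side

@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"  # NACL rules may also be "deny"; SG rules never are
    number: int = 0        # NACL evaluation order; ignored by security groups

    def matches(self, pkt):
        dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
        return (self.direction == pkt.direction
                and self.port_from <= dst_port <= self.port_to
                and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]  # deny is not expressible
        self.tracked = set()       # flow table: this is what makes the group stateful
    def allows(self, pkt):
        flow = (pkt.peer, pkt.peer_port, pkt.local_port)
        if flow in self.tracked:   # return traffic of an accepted flow needs no rule
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(flow)
            return True
        return False               # default deny: no allow rule matched

class NetworkAcl:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
    def allows(self, pkt):         # no flow table: every packet is judged on its own
        for r in self.rules:
            if r.matches(pkt):
                return r.action == "allow"
        return False               # the implicit final deny-all rule
```

Feeding it an inbound port-80 request and its response shows the security group passing both, while the NACL blocks the response until an outbound rule for the ephemeral port range is added.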
Limits
A subnet can have only one NACL; however, you can associate one network ACL with one or more subnets within a VPC. By default, you can have up to 200 unique NACLs within a VPC; this is a soft limit that is adjustable.
You can also have 20 inbound and 20 outbound rules per NACL (for a total of 40 rules). IPv4 rules are enforced separately from IPv6 rules; for example, a NACL may have 20 IPv4 rules and 20 IPv6 rules.