Amazon Web Services – Security Group vs NACL
Security groups and NACL both act as virtual firewalls which control the traffic from Inbound and Outbound. In this article, we will discuss the difference between Security Groups and NACL on Amazon Web Services.
Security groups are virtual shields or protectors of EC2 instances. Unless specifically allowed By default all Inbound traffic is blocked whereas all Outbound traffic is allowed from the Instance.
We can edit inbound and outbound rules after creating the Security Group. Here is an example of default outbound rules which allow all traffic for all protocols.
Here, we are adding inbound rules for protocol SSH with the default port of 22 for our current IP address here.
- In the security groups, we cannot block a specific IP address because it doesn’t have any DENY rule just like ALLOW rule. To achieve this we can make use of NACL.
Limits of Security Groups :
- For a specific Security Group, the maximum Inbound and Outbound rules is 60
- For any region the default limit of security groups is 2,500 and it can be extended 10,000 Maximum for any further extension we have to do service requests.
Network Access Control List(NACL):
Network Access Control List is also a virtual firewall for subnets, which controls the Inbound and Outbound traffic of Subnets. After the creation of VPC, a Default NACL will be associated and allow all Inbound and Outbound Traffic.
In NACL just like Security Groups, it contains set of Inbound and Outbound Rules , that can either allow or deny Traffic into or out of subnets. Since we have option to allow or deny traffic the order of the rules becomes important so that AWS uses a concept of rule number.
Limit of NACL :
- The Maximum rules in a single NACL can have 20 rules.
Difference between Security Group Vs NACL:
the below table list the key difference between Security Groups and NACL:
Security Groups NACL Firewall or protection of Instances Firewall or Protection of the Subnet Security groups are stateful which means any changes applied to incoming rule is also applied to outgoing rule These are Stateless It is the first layer of defense or protection. This is the second layer of defense and an additional layer of protection. All the rules are applied to an Instance. In the case of NACL, the rules are applied in the order of their priority, wherein the priority is indicated by the rule number assigned. All the rules are evaluated before they allow a Traffic Rules are evaluated based on their priority