Amazon Web Services – Security Group vs NACL

Security groups and NACL both act as virtual firewalls which control the traffic from Inbound and Outbound of the resources. In this article, we will discuss the difference between Security Groups and NACL on Amazon Web Services.

What is a Security Group?

Security groups are virtual shields or protectors of EC2 instances. Unless specifically allowed By default all Inbound traffic is blocked whereas all Outbound traffic is allowed from the Instance.To know more about security group in AWS refer to What is Security Group in AWS and How To Create it?

We can edit inbound and outbound rules after creating the Security Group. Here is an example of default outbound rules which allow all traffic for all protocols.

It is virtual firewall for your EC2 instances to control incoming and outgoing traffic.

Security Group -Outbound

Here, we are adding inbound rules for protocol SSH with the default port of 22 for our current IP address here.

Security Group -Inbound

• In the security groups, we cannot block a specific IP address because it doesn’t have any DENY rule just like ALLOW rule. To achieve this we can make use of NACL.

Limitations of Security Groups

Here are some Limitations of Security Groups in AWS:

1. For a specific Security Group, the maximum Inbound and Outbound rules is 60
2. For any region the default limit of security groups is 2,500 and it can be extended 10,000 Maximum for any further extension we have to do service requests.
3. Cannot block the DNS traffic or the traffic from the route 53.
4. Cannot be applied to the multiple VPCs.

What is NACL?

Network Access Control List is also a virtual firewall for subnets, which controls the Inbound and Outbound traffic of Subnets. After the creation of VPC, a Default NACL will be associated and allow all Inbound and Outbound Traffic.

In NACL just like Security Groups, it contains set of Inbound and Outbound Rules , that can either allow or deny Traffic into or out of subnets. Since we have option to allow or deny traffic the order of the rules becomes important so that AWS uses a concept of rule number.

NACL- Inbound 

NACL- Outbound

Limitations of NACL

Below stated are the limitation of NACL:

1. The Maximum rules in a single NACL can have 100 rules.
2. The maximun NACLS per VPC is 200.
3. Subnet can have only one NACL at a time.
4. NACLs will not keep track of the network connections.

Combining Security Group and NACL

Security grop will allows you to maintain the inbound and out bound traffic of an EC2 instance. You can also restrict the traffic to certain ip address depending on the requirement. NACL is mainly used for controlling the traffic in the minute level like controling the traffic to subnets which are in deployed in vpc.

So know EC2 instance will be deployed in the VPC in a particular subnet so when there is incoming traffic first the traffic must be matched with NACL then it will be routed to security groups other wise the traffic will be denied at the subnet level traffic will not reach the application.

Additional Tips For Combining The Security Group and NACL

Here are some points for Combining the Security Group and NACL:

1. NACL is sutabile for inbound traffic and security group is suitable for outbound access.
2. Allow traffic from your side before allowing it from the internet
3. Try to use security group only only when you want to deny the traffic.

Difference between Security Group Vs NACL

The below table list the key difference between Security Groups and NACL:

FAQs On Security Group vs NACL

1. Is NACL Stateless Or Stateful?

NACL belongs to state less you have to create separate rules for both incoming and out going traffic.

2. What Is NACL In Cyber Security?

NACL controls incoming and outgoing traffic at the subnet level which is very help full to control the traffic based on source and destination IP addresses ports and protocols.