Security groups and NACLs both act as virtual firewalls that control the inbound and outbound traffic of resources. In this article, we will discuss the difference between Security Groups and NACLs on Amazon Web Services.
Security Group
Security groups are virtual shields or protectors of EC2 instances. By default, all inbound traffic is blocked unless it is specifically allowed, whereas all outbound traffic from the instance is allowed. To know more about security groups in AWS, refer to What is security group in AWS and how to create it.

We can edit inbound and outbound rules after creating the Security Group. Here is an example of the default outbound rules, which allow all traffic for all protocols.
It is a virtual firewall for your EC2 instances that controls incoming and outgoing traffic.

Here, we are adding an inbound rule for the SSH protocol on its default port 22, restricted to our current IP address.

Limitations of Security Groups
Here are some limitations of Security Groups in AWS:
- For a specific Security Group, the maximum number of inbound and outbound rules is 60.
- For any region, the default limit of security groups is 2,500; it can be extended to a maximum of 10,000, and any further extension requires a service request.
- A security group cannot be applied across multiple VPCs.
NACL
A Network Access Control List is also a virtual firewall, operating at the subnet level, which controls the inbound and outbound traffic of subnets. After a VPC is created, a default NACL is associated with it that allows all inbound and outbound traffic.
Just like a Security Group, a NACL contains a set of inbound and outbound rules that can either allow or deny traffic into or out of the subnet. Since there is an option to both allow and deny traffic, the order of the rules becomes important, so AWS assigns each rule a rule number.


Limitations of NACL
Below are the limitations of NACLs:
- A single NACL can have a maximum of 100 rules.
- The maximum number of NACLs per VPC is 200.
- A subnet can have only one NACL at a time.
- NACLs do not keep track of network connections (they are stateless).
Combining Security Group and NACL
A Security Group allows you to control the inbound and outbound traffic of an EC2 instance. You can also restrict traffic to certain IP addresses depending on the requirement. A NACL is mainly used for controlling traffic at the subnet level, that is, traffic to the subnets deployed in the VPC.
An EC2 instance is deployed in the VPC in a particular subnet, so when there is incoming traffic, it must first match the NACL before it is passed on to the security group; otherwise the traffic is denied at the subnet level and never reaches the application.
Additional Tips For Combining The Security Group and NACL
Here are some points for Combining the Security Group and NACL:
- Use NACLs for broad subnet-level control: Deny or allow traffic to entire subnets, especially to block known malicious IPs.
- Use Security Groups for fine-grained instance-level control: Allow only the specific traffic that your instance needs (SSH, HTTP, application ports).
- Order matters for NACLs: Since NACLs are stateless, rules are evaluated by number priority. Plan rule numbers carefully.
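To make the ordering and layering points concrete, here is an added Python simulation (example code, not from the article or from AWS) of the two evaluation models described above: a NACL checks rules in ascending rule-number order and stops at the first match, falling back to an implicit deny, while a security group only carries allow rules and lets traffic through if any rule matches; an inbound packet is checked against the subnet's NACL before the instance's security group. The rule sets, CIDRs and addresses below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    number: int      # NACL rule number (evaluation priority); unused for security groups
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"; security groups only ever carry "allow"

def _matches(rule, protocol, port, addr):
    """True if a packet (protocol, destination port, source address) fits the rule."""
    if rule.protocol not in ("-1", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)

def nacl_decision(rules, protocol, port, addr):
    """NACL: rules are checked by ascending rule number; the first match wins.
    Nothing matched means the implicit '*' deny rule applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action
    return "deny"

def sg_decision(rules, protocol, port, addr):
    """Security group: every rule is an allow; traffic passes if any rule matches."""
    return "allow" if any(_matches(r, protocol, port, addr) for r in rules) else "deny"

def inbound_decision(nacl_rules, sg_rules, protocol, port, addr):
    """Inbound path from the article: subnet NACL first, then the instance's security group."""
    if nacl_decision(nacl_rules, protocol, port, addr) == "deny":
        return "denied at subnet (NACL)"
    if sg_decision(sg_rules, protocol, port, addr) == "deny":
        return "denied at instance (security group)"
    return "allowed"

# Constructed rule sets (not from the article): block SSH from one CIDR, then allow SSH from anywhere.
NACL_IN = [Rule(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
           Rule(200, "tcp", 22, 22, "0.0.0.0/0", "allow")]
# The same two rules with their numbers swapped: the allow now matches first, so the deny never fires.
NACL_IN_MISORDERED = [Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
                      Rule(200, "tcp", 22, 22, "203.0.113.0/24", "deny")]
# Instance security group: SSH only from "our current IP", as in the article's screenshot (constructed address).
SG_IN = [Rule(0, "tcp", 22, 22, "198.51.100.10/32", "allow")]
```

Swapping the two NACL rule numbers silently turns the deny into a no-op, which is exactly why rule numbering deserves a review step when a NACL is edited.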
Difference Between Security Group Vs NACL
The table below lists the key differences between Security Groups and NACLs:
| Security Groups | NACL |
|---|---|
| Firewall or protection of instances | Firewall or protection of the subnet |
| Security groups are stateful, which means any change applied to an incoming rule is also applied to the outgoing rule | These are stateless |
| It is the second layer of defense or protection. | This is the first layer of defense and an additional layer of protection. |
| All the rules are applied to an instance. | In the case of NACLs, the rules are applied in the order of their priority, where the priority is indicated by the rule number assigned. |
| All the rules are evaluated before traffic is allowed | Rules are evaluated in order of their priority |