Security Groups and Network Access Control List
Amazon Web Services (AWS) provides several tools to manage and control network traffic within your Virtual Private Cloud (VPC). In this blog post, we’ll take a closer look at two crucial components of AWS network security: Security Groups and Network Access Control Lists (NACLs).
What are Security Groups?
Security Groups act as virtual firewalls for your AWS instances, controlling both inbound and outbound traffic at the instance level. They are an integral part of securing your VPC, providing a simple and effective way to manage traffic.
Key Characteristics:
- Instance-Level Control: Security Groups operate at the instance level, allowing you to define rules for specific instances.
- Stateful Security: Security Groups are stateful, meaning that if you allow inbound traffic, the corresponding outbound traffic is automatically permitted. This simplifies rule configurations and ensures a seamless flow of communication.
- Inbound and Outbound Rules: You can configure separate rules for inbound and outbound traffic, allowing granular control over communication.
By default, every instance has a security group; at launch it is the default security group associated with the VPC. An instance can have multiple security groups.
What are NACLs?
Network Access Control Lists (NACLs) operate at the subnet level within your VPC, controlling traffic entering and leaving subnets. Unlike Security Groups, NACLs are stateless, requiring separate rules for inbound and outbound traffic.
Key Characteristics:
- Subnet-Level Control: NACLs are associated with subnets, providing a broader scope of control compared to Security Groups.
- Stateless Nature: NACLs are stateless, meaning you need to define separate rules for inbound and outbound traffic. Unlike Security Groups, they don’t automatically allow the corresponding return traffic. A large part of this is having to allow the ephemeral port range in the opposite direction. Ephemeral ports are typically used as source ports for outbound connections from your instances: when an instance initiates a connection, the source port is chosen dynamically from the ephemeral port range, so the reply comes back to that port and needs its own explicit allow rule.
- Rule Order Matters: Rules are evaluated in order, starting from the lowest rule number, and the first rule that matches the traffic is applied. This sequential evaluation allows for precise control over traffic.
By default, every subnet has a NACL; at creation it is the default NACL associated with the VPC. A subnet can be associated with only one NACL at a time.
Key Differences
One important point to note is that there is no deny in Security Groups. Suppose you have allowed public access to your instance but also hold a list of known-bad IP addresses: there is no way to limit or deny those addresses using Security Groups. This is the situation in which you leverage the deny option in NACLs.
Remember that NACLs and Security Groups work hand in hand.
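The three points above (stateless NACLs needing an ephemeral-port rule, lowest rule number wins, and deny only existing in NACLs) can be modelled in a few lines. The following is an added example, not code from the post or from AWS; the rule sets and the client addresses 198.51.100.7 and 203.0.113.5 are constructed for illustration.

```python
import ipaddress

# Constructed example rules (not from the post). Each NACL rule is
# (rule number, action, CIDR, protocol, (first port, last port)).
# Inbound rules match the source address; outbound rules match the destination.
NACL_INBOUND = [
    (90,  "deny",  "203.0.113.0/24", "tcp", (0, 65535)),   # blocked source range
    (100, "allow", "0.0.0.0/0",      "tcp", (443, 443)),    # HTTPS from anywhere
]
NACL_OUTBOUND_NO_EPHEMERAL = [
    (100, "allow", "0.0.0.0/0", "tcp", (443, 443)),         # only port 443 as destination
]
NACL_OUTBOUND = NACL_OUTBOUND_NO_EPHEMERAL + [
    (110, "allow", "0.0.0.0/0", "tcp", (1024, 65535)),      # replies to clients' ephemeral ports
]
# A security group has allow rules only and is stateful: one inbound rule suffices.
SG_INBOUND = [("0.0.0.0/0", "tcp", (443, 443))]


def nacl_evaluate(rules, peer_ip, proto, port):
    """Lowest rule number that matches wins; the implicit '*' rule denies."""
    ip = ipaddress.ip_address(peer_ip)
    for _num, action, cidr, rule_proto, (lo, hi) in sorted(rules):
        if proto == rule_proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action
    return "deny"


def nacl_connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request AND the reply must each match an allow rule."""
    request_ok = nacl_evaluate(inbound, client_ip, "tcp", server_port) == "allow"
    reply_ok = nacl_evaluate(outbound, client_ip, "tcp", client_port) == "allow"
    return request_ok and reply_ok


def sg_connection_allowed(inbound, client_ip, server_port):
    """Stateful: an allowed inbound request implies the reply is permitted."""
    ip = ipaddress.ip_address(client_ip)
    return any(proto == "tcp" and lo <= server_port <= hi and ip in ipaddress.ip_network(cidr)
               for cidr, proto, (lo, hi) in inbound)


if __name__ == "__main__":
    # Client 198.51.100.7 connects from ephemeral port 50000 to HTTPS on the instance.
    print(sg_connection_allowed(SG_INBOUND, "198.51.100.7", 443))                                   # True
    print(nacl_connection_allowed(NACL_INBOUND, NACL_OUTBOUND, "198.51.100.7", 50000, 443))         # True
    # Same request, but the outbound NACL lacks the ephemeral-port rule: the reply is dropped.
    print(nacl_connection_allowed(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 50000, 443))  # False
    # Source in the blocked range: rule 90 is evaluated before rule 100 and denies it.
    print(nacl_connection_allowed(NACL_INBOUND, NACL_OUTBOUND, "203.0.113.5", 50000, 443))          # False
```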