Security Groups (SGs) and Network Access Control Lists (NACLs) are the two traffic-filtering layers AWS provides inside a VPC. Here's a concise breakdown:
Security Groups (SGs)
What are Security Groups?
Security Groups in AWS act as virtual firewalls for your instances to control inbound and outbound traffic. They are associated with Elastic Network Interfaces (ENIs) of instances and operate at the instance level.
Key Characteristics
Instance-Level Control:
Security groups are tied to individual instances or their network interfaces.
You can associate multiple security groups with a single instance.
Stateful:
Security groups are stateful: if an inbound request is allowed, the corresponding outbound response is allowed automatically, and if an outbound request is allowed, its inbound response is allowed too, regardless of the rules in the reverse direction.
There is no need to explicitly allow return traffic.
Rules:
Only allow rules can be defined; anything not explicitly allowed is implicitly denied.
You cannot create explicit deny rules, so a security group cannot block one specific source that a broader rule already allows.
Each rule matches on protocol, port range, and a source (inbound) or destination (outbound), which can be a CIDR block, a prefix list, or another security group ID (matching the private IPs of the resources in that group).
There is no rule prioritization; all rules are evaluated together, and traffic is allowed if any rule matches.
Scope:
- Security groups are applied at the Elastic Network Interface (ENI) level, and by extension, to the EC2 instance to which the ENI is attached.
Default Behavior
- By default, a new security group has no inbound rules (all inbound traffic is denied) and one outbound rule that allows all traffic. The default security group that AWS creates with each VPC is different: it additionally allows all inbound traffic from other resources assigned to the same security group.
Common Use Cases
Allow SSH (port 22) traffic from specific IP addresses.
Enable HTTP/HTTPS (ports 80/443) access for web servers from the internet.
Restrict database access (e.g., port 3306 for MySQL) to the application tier by referencing the application servers' security group ID as the source rather than hard-coding IPs.
Example
Suppose you have a web server:
Inbound Rules:
- Allow HTTP (TCP port 80) from 0.0.0.0/0 (anywhere).
- Allow SSH (TCP port 22) from 192.168.1.1/32 (a single administrative host; this is a private address, so the rule is only reachable from inside the VPC or over a VPN/Direct Connect link).
Outbound Rules:
- Allow all traffic, so the server can reach external resources such as APIs or databases.
Because the group is stateful, the HTTP responses back to clients need no outbound rule of their own; the outbound allow-all rule is only needed for connections the server itself initiates, and it can be narrowed to the destinations the server actually uses.
Network Access Control Lists (NACLs)
What are NACLs?
NACLs are subnet-level firewalls that control traffic entering and leaving subnets within a VPC. They filter traffic at the subnet boundary, so inbound traffic is checked by the NACL before it reaches the security group of the destination instance, giving you an additional, coarser layer of defence.
Key Characteristics
Subnet-Level Control:
- NACLs are associated with subnets, and their rules apply to all resources within the subnet. Every subnet has exactly one NACL (the VPC's default NACL unless you associate a custom one), and one NACL can be associated with many subnets.
Stateless:
NACLs are stateless: return traffic is not recognised as belonging to an allowed connection and must be explicitly allowed with separate rules, typically by allowing the ephemeral port range (1024–65535 for NACL purposes) in the direction the responses travel.
Inbound and outbound rules are managed independently.
Rules:
NACLs allow both allow and deny rules.
Each rule is assigned a rule number (1–32766), and rules are evaluated in ascending order; AWS recommends leaving gaps between numbers (e.g., 100, 200, 300) so rules can be inserted later.
The first rule that matches the traffic is applied and no further rules are checked, so a deny rule numbered higher than a broader allow rule never takes effect. Traffic that matches no numbered rule hits the final * rule, which denies it.
Scope:
- Operates at the subnet level and impacts all instances or resources within the subnet.
Default Behavior
The default NACL that comes with every VPC allows all inbound and outbound traffic, so a subnet with no custom NACL is effectively protected by security groups alone.
A newly created custom NACL contains only the * deny rules, so it denies all inbound and outbound traffic until you add allow rules.
Common Use Cases
Block specific IP ranges at the subnet level (e.g., denying known-malicious IP ranges before they reach any instance).
Restrict inbound traffic to specific ports for resources in a subnet.
Allow outbound traffic only to specific destinations (e.g., internal APIs).
Example
Suppose you want to block SSH (port 22) from all IPs to a subnet while still serving web traffic. The rule numbers below are illustrative:
Inbound Rules:
- Rule 100: Deny SSH (TCP port 22) from 0.0.0.0/0.
- Rule 110: Allow HTTP (TCP port 80) from 0.0.0.0/0.
- Rule 120: Allow HTTPS (TCP port 443) from 0.0.0.0/0.
- Rule *: Deny everything else (implicit).
Outbound Rules:
- Rule 100: Allow all traffic to 0.0.0.0/0. This also covers the responses to inbound HTTP/HTTPS requests, which go back out to the client's ephemeral port.
Two stateless caveats apply. The deny must have a lower number than any allow rule that would also match port 22; if the allow comes first, it wins and the deny is never evaluated. And if instances in this subnet initiate their own outbound connections (package updates, API calls), the replies arrive inbound on ephemeral ports (1024–65535), and this NACL drops them until you add an inbound allow rule for that range.
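To make the two evaluation models concrete, here is a small Python model of both engines. It is an added example written for this page, not code from the original post or from AWS. It encodes the web-server security group from the Security Groups example above and the NACL from this example, then runs the same flows through each: an inbound HTTP request, an inbound SSH attempt from the internet, and an outbound HTTPS call the server makes to an external API. The addresses (10.0.1.5 for the server, 203.0.113.10 and 198.51.100.7 from the RFC 5737 documentation ranges), the client ports, and the NACL rule numbers (100, 110, 120, 130, 200) are assumptions made for the example; the 1024–65535 ephemeral range is the one AWS documents for NACL return-traffic rules.

```python
"""Toy model of AWS security-group vs NACL rule evaluation (added example, not
code from the original post or from AWS). Addresses, ports and NACL rule
numbers below are constructed for illustration; nothing contacts AWS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)
EPHEMERAL = (1024, 65535)  # range AWS documents for NACL return-traffic rules


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (security groups only use "allow")
    proto: str       # "tcp", "udp" or "all"
    ports: tuple     # inclusive destination-port range (low, high)
    cidr: str        # remote CIDR: source for inbound, destination for outbound
    number: int = 0  # NACL rule number; unused by security groups

    def matches(self, proto: str, dst_port: int, remote_ip: str) -> bool:
        return ((self.proto == "all" or self.proto == proto)
                and self.ports[0] <= dst_port <= self.ports[1]
                and ip_address(remote_ip) in ip_network(self.cidr))


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected instance/subnet
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def remote_ip(self) -> str:
        return self.src_ip if self.direction == "in" else self.dst_ip

    def reply(self) -> "Packet":  # what the other side sends back for this packet
        return Packet("out" if self.direction == "in" else "in", self.proto,
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class SecurityGroup:
    """Stateful, allow-only: pass if ANY rule matches; replies to allowed flows pass."""
    def __init__(self, inbound: list, outbound: list):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()  # flows already allowed (connection tracking)

    def permits(self, pkt: Packet) -> bool:
        if pkt.reply() in self.tracked:  # return traffic of an allowed flow
            return True
        allowed = any(r.matches(pkt.proto, pkt.dst_port, pkt.remote_ip())
                      for r in self.rules[pkt.direction])
        if allowed:
            self.tracked.add(pkt)
        return allowed


class NetworkAcl:
    """Stateless, allow and deny: FIRST match in rule-number order decides; else deny."""
    def __init__(self, inbound: list, outbound: list):
        self.rules = {d: sorted(rs, key=lambda r: r.number)
                      for d, rs in (("in", inbound), ("out", outbound))}

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules[pkt.direction]:
            if r.matches(pkt.proto, pkt.dst_port, pkt.remote_ip()):
                return r.action == "allow"
        return False  # the implicit '*' deny rule


SERVER, CLIENT, API = "10.0.1.5", "203.0.113.10", "198.51.100.7"  # constructed addresses


def scenarios() -> dict:
    """Run the post's web-server SG and subnet NACL against the same flows."""
    sg = SecurityGroup(
        inbound=[Rule("allow", "tcp", (80, 80), ANY),
                 Rule("allow", "tcp", (22, 22), "192.168.1.1/32")],
        outbound=[Rule("allow", "all", ALL_PORTS, ANY)])
    nacl_in = [Rule("deny", "tcp", (22, 22), ANY, 100),
               Rule("allow", "tcp", (80, 80), ANY, 110),
               Rule("allow", "tcp", (443, 443), ANY, 120)]
    nacl_out = [Rule("allow", "all", ALL_PORTS, ANY, 100)]
    nacl = NetworkAcl(nacl_in, nacl_out)
    # Same NACL plus the inbound ephemeral-port rule a stateless filter needs.
    nacl_fixed = NetworkAcl(nacl_in + [Rule("allow", "tcp", EPHEMERAL, ANY, 130)], nacl_out)
    # Misordered NACL: a broad allow numbered below the deny shadows it completely.
    nacl_shadowed = NetworkAcl([Rule("allow", "all", ALL_PORTS, ANY, 100),
                                Rule("deny", "tcp", (22, 22), ANY, 200)], nacl_out)
    http_in = Packet("in", "tcp", CLIENT, 51515, SERVER, 80)
    ssh_in = Packet("in", "tcp", CLIENT, 51516, SERVER, 22)
    api_out = Packet("out", "tcp", SERVER, 49152, API, 443)  # server calls an external API
    return {
        "sg_http_in": sg.permits(http_in),
        "sg_ssh_from_internet": sg.permits(ssh_in),
        "sg_api_out": sg.permits(api_out),
        "sg_api_reply_in": sg.permits(api_out.reply()),      # no inbound rule, but stateful
        "nacl_http_in": nacl.permits(http_in),
        "nacl_ssh_from_internet": nacl.permits(ssh_in),
        "nacl_api_out": nacl.permits(api_out),
        "nacl_api_reply_in": nacl.permits(api_out.reply()),  # dropped: stateless, no rule
        "nacl_fixed_api_reply_in": nacl_fixed.permits(api_out.reply()),
        "nacl_shadowed_ssh": nacl_shadowed.permits(ssh_in),  # deny at 200 is never reached
    }
```

Calling scenarios() shows the two differences that matter in practice. The security group lets the API response back in even though no inbound rule matches it, because it tracked the outbound request; the post's NACL drops that same response until an inbound allow rule for the ephemeral range is added. And in the misordered NACL the deny for port 22 is never reached, because the allow-all rule has the lower number and first match wins.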
Security Groups
Instance-Level Firewall: Operates at the instance level.
Stateful: Automatically allows return traffic for allowed inbound requests.
Rules: Specify only allow rules for inbound and outbound traffic.
Scope: Applied directly to an instance (via its network interface).
Granularity: Rules are defined using protocols, ports, and IP ranges.
NACLs
Subnet-Level Firewall: Operates at the subnet level.
Stateless: Explicitly define both inbound and outbound rules.
Rules: Can define both allow and deny rules.
Scope: Applied to all resources within a subnet.
Rule Evaluation: Rules are processed in order (lowest to highest number).
Comparison of Security Groups and NACLs
| Feature | Security Groups | NACLs |
|---|---|---|
| Control level | Instance (ENI) level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and deny |
| Rule priority | No order; traffic allowed if any rule matches | Evaluated in ascending rule number; first match wins |
| Default behavior | Deny all inbound, allow all outbound | Default NACL: allow all; custom NACL: deny all |
| Best use case | Fine-grained, per-instance control | Broad subnet-level control, including explicit denies |
When to Use Security Groups vs. NACLs
Security Groups:
Use for precise, instance-level traffic control.
Ideal for managing access to specific services or applications.
NACLs:
Use for broad, subnet-level traffic filtering.
Ideal for implementing network-wide policies (e.g., blocking a malicious IP range).
By combining Security Groups and NACLs, you can create a layered security model that protects both your instances and your broader network architecture.
"Thank you for reading! I hope this blog sparked new ideas and insights. If you have questions or thoughts, drop a comment below. Until next time, keep learning and growing!"
Reach out to me at linkedin.com/in/sruthipalle
Happy Coding😊