AWS Security Groups VS NACL — What’s The Difference

Go Cloud Architects
4 min read · Dec 3, 2020

What is the Difference Between a NACL and Security Group on the AWS Cloud?

When we work with new cloud computing students on the AWS cloud, we find they are often substantially confused about the differences between Network Access Control Lists (NACLs) and security groups. Therefore, we will clarify the differences in this blog post.

The Key Differences Between NACLs and Security Groups

Simply put, NACLs keep unwanted traffic out of the subnet, and security groups keep unwanted traffic out of an EC2 instance or AWS service. Which will you use in your architecture? The answer is probably both NACLs and security groups, but you need to know the fundamentals including when and how to apply these security features.

Only Allow Necessary Traffic into Your Network

Keeping unwanted traffic out of the network (subnet) is a key component of a full security posture. NACLs are a cost-effective method to keep unwanted traffic (hackers and others) out of the network. NACLs are similar to an access list on a router but differ from a firewall in that they are stateless.

Stateful firewalls monitor outgoing traffic and let the corresponding return traffic back into the network. Since NACLs are stateless, meaning they don’t track connection state, NACLs have to be configured to allow both the inbound traffic and the outbound traffic of an exchange.

Here are Some Key Things to Know About NACLs

· NACLs are written in both inbound and outbound terms. Inbound rules determine what’s allowed into a subnet; outbound rules determine what traffic is permitted to leave the subnet.

· NACLs have an implicit deny, so it’s only necessary to permit desired traffic.

· You create rules to determine what traffic is allowed or denied.

· The rules you create must be written in a specific order.

· Rules are processed in order, which means if you explicitly deny something, it’s not possible to permit something that’s been previously denied.

· You control the order by attaching a number to the rule statement.

· Lower numbers in the rule statement are processed prior to higher numbers.

· NACLs have an implicit deny, so you must specify any traffic that you want to allow, or it will all be blocked by the NACL.

· Any traffic that you wish to allow must be sequenced before any rule that denies the desired traffic.

· NACLs are stateless, so inbound rules and outbound rules need to match. If SSL is allowed in, then the return traffic must be explicitly allowed back out to the requester.

NACL Rules Example

As we discussed, the order of the rules in a NACL is critical. Below are two examples of NACLs, one written correctly and one written incorrectly.

Proper NACL Structure — Do This!

Proper technique that allows desired traffic:

Rule 100 — Inbound Allow TCP Port 80 Source 10.0.0.0/24

Rule 110 — Outbound Allow TCP Port 80 Source 10.0.0.0/24

This NACL will allow for HTTP (TCP port 80) to be allowed in and out of the subnet.

Improper NACL Structure — Don’t do this!

Rule 110 — Deny all traffic

Rule 110 — Inbound Allow TCP Port 80 Source 10.0.0.0/24

Rule 120 — Outbound Allow TCP Port 80 Source 10.0.0.0/24

Note that in the above example with improper technique, all traffic is blocked by the first rule in the NACL, so the allow rules that follow it are never reached.
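To make the ordering and the stateless behaviour concrete, here is a small model of NACL evaluation. It is an added example, not code from the post or from AWS: the `Rule` class, `evaluate` and `http_exchange` are assumptions built for this illustration, and the rule sets are constructed. The outbound rule matches on the destination address and, because the reply to an inbound HTTP request leaves on the client’s ephemeral port, it covers the 1024–65535 range rather than port 80. In the improper set the “deny all” is numbered 100 so that every rule in a direction has a distinct number.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the post or AWS): a model of how a network ACL evaluates
# one packet, used to show why rule order matters and why a stateless ACL needs an
# outbound rule for the return half of each exchange.

EPHEMERAL = (1024, 65535)  # clients choose a high port; the reply goes back to it


@dataclass(frozen=True)
class Rule:
    number: int       # rule number; lower numbers are evaluated first
    direction: str    # "inbound" or "outbound"
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    ports: tuple      # (low, high) inclusive destination-port range
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol: str, port: int, address: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if not self.ports[0] <= port <= self.ports[1]:
            return False
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr)


def evaluate(rules, direction: str, protocol: str, port: int, address: str) -> str:
    """First match in ascending rule-number order wins; no match is the implicit deny."""
    ordered = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for rule in ordered:
        if rule.matches(protocol, port, address):
            return rule.action
    return "deny"  # the implicit "*" deny at the end of every NACL


def http_exchange(rules, client_ip: str, client_port: int) -> dict:
    """A stateless ACL must allow both halves of one HTTP request/response."""
    request = evaluate(rules, "inbound", "tcp", 80, client_ip)          # SYN to port 80
    reply = evaluate(rules, "outbound", "tcp", client_port, client_ip)  # SYN/ACK back to the client
    return {"request": request, "reply": reply, "works": request == reply == "allow"}


# Constructed "proper" set: allow the desired traffic and rely on the implicit deny.
PROPER = [
    Rule(100, "inbound", "allow", "tcp", (80, 80), "10.0.0.0/24"),
    Rule(110, "outbound", "allow", "tcp", EPHEMERAL, "10.0.0.0/24"),
]

# Constructed "improper" set: a deny-all sequenced ahead of the allow, so rule 110 is never reached.
IMPROPER = [
    Rule(100, "inbound", "deny", "all", (0, 65535), "0.0.0.0/0"),
    Rule(110, "inbound", "allow", "tcp", (80, 80), "10.0.0.0/24"),
    Rule(120, "outbound", "allow", "tcp", EPHEMERAL, "10.0.0.0/24"),
]

# Same allow rule with no outbound rule at all: the request gets in, the reply is dropped.
INBOUND_ONLY = [Rule(100, "inbound", "allow", "tcp", (80, 80), "10.0.0.0/24")]


if __name__ == "__main__":
    for name, acl in (("proper", PROPER), ("improper", IMPROPER), ("inbound-only", INBOUND_ONLY)):
        print(name, http_exchange(acl, "10.0.0.25", 51234))
```

Running the block prints the verdict for each rule set; only the proper set reports `works: True`, while the inbound-only set shows the request admitted and the reply denied, which is exactly the failure a stateless ACL produces when the outbound side is forgotten.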

The diagram below shows how network ACLs keep unwanted traffic out of the subnet.

Keeping Unwanted Traffic Out of Your Instances

Security groups keep unwanted traffic out of your instances. You can think of a security group as a host/service-based firewall. Security groups are stateful, so they monitor traffic and automatically allow return traffic. Therefore, it is only necessary to permit inbound traffic, as outbound return traffic will be permitted.

Security groups have an implicit deny, so it’s only necessary to allow desired traffic. Security groups evaluate all rules prior to permitting or denying traffic, so the order of rules in a security group is not as critical as with NACLs. While it’s not necessary to create a deny statement, there may be times when you want to allow a subnet but block a specific host, and will use a deny statement.
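The stateful behaviour is the part students most often get wrong, so here is a model of it. This is an added example, not code from the post or from AWS: `SgRule`, `SecurityGroup`, `ssh_session` and `https_fetch` are assumptions made for the illustration, the rule sets and addresses are constructed, and the model implements allow rules only, with everything else falling to the implicit deny. It tracks each admitted flow so that return traffic is accepted without a matching rule in the opposite direction, and it shows that reversing the rule order changes nothing.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the post or AWS): a model of a stateful security group.
# Every rule is an allow, all rules are evaluated (so order is irrelevant), and a
# flow admitted in one direction has its return traffic admitted automatically.


@dataclass(frozen=True)
class SgRule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    ports: tuple     # (low, high) inclusive destination-port range
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol: str, port: int, address: str) -> bool:
        return (self.protocol == protocol
                and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    def __init__(self, rules):
        self.rules = list(rules)
        # Connection table of admitted flows: (protocol, peer_ip, peer_port, local_port)
        self.flows = set()

    def inbound(self, protocol: str, src_ip: str, src_port: int, dst_port: int) -> bool:
        flow = (protocol, src_ip, src_port, dst_port)
        if flow in self.flows:          # reply to a connection the instance opened
            return True
        if any(r.direction == "inbound" and r.matches(protocol, dst_port, src_ip)
               for r in self.rules):    # any matching allow admits; there are no deny rules
            self.flows.add(flow)
            return True
        return False                    # implicit deny

    def outbound(self, protocol: str, dst_ip: str, dst_port: int, src_port: int) -> bool:
        flow = (protocol, dst_ip, dst_port, src_port)
        if flow in self.flows:          # return traffic for an admitted inbound flow
            return True
        if any(r.direction == "outbound" and r.matches(protocol, dst_port, dst_ip)
               for r in self.rules):
            self.flows.add(flow)
            return True
        return False


# Constructed rule set: SSH from the subnet, HTTP from anywhere, and no outbound
# rules at all (the default allow-all outbound rule has been removed).
RULES = [
    SgRule("inbound", "tcp", (22, 22), "10.0.0.0/24"),
    SgRule("inbound", "tcp", (80, 80), "0.0.0.0/0"),
]
# Same group plus one egress rule so the instance can open HTTPS connections.
WITH_EGRESS = RULES + [SgRule("outbound", "tcp", (443, 443), "0.0.0.0/0")]


def ssh_session(sg: SecurityGroup, client_ip="10.0.0.7", client_port=50321) -> dict:
    """Client connects to port 22; the instance's reply needs no outbound rule."""
    request = sg.inbound("tcp", client_ip, client_port, 22)
    reply = sg.outbound("tcp", client_ip, client_port, 22)
    return {"request": request, "reply": reply}


def https_fetch(sg: SecurityGroup, server_ip="203.0.113.10", local_port=40000) -> dict:
    """Instance connects out to port 443; the server's reply needs no inbound rule."""
    request = sg.outbound("tcp", server_ip, 443, local_port)
    reply = sg.inbound("tcp", server_ip, 443, local_port)
    return {"request": request, "reply": reply}


def order_independent(rules, client_ip="10.0.0.7", client_port=50321) -> bool:
    """Evaluating the rules in reverse order gives the same verdicts."""
    forward = ssh_session(SecurityGroup(rules), client_ip, client_port)
    backward = ssh_session(SecurityGroup(reversed(rules)), client_ip, client_port)
    return forward == backward


if __name__ == "__main__":
    print("ssh, no egress rule :", ssh_session(SecurityGroup(RULES)))
    print("https, no egress rule:", https_fetch(SecurityGroup(RULES)))
    print("https, with egress   :", https_fetch(SecurityGroup(WITH_EGRESS)))
    print("order independent    :", order_independent(RULES))
```

Contrast this with the NACL model above the security group section: there the reply needed its own outbound rule on the ephemeral range, whereas here the connection table admits it, which is why a security group only needs the inbound rule for a service it hosts.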

The diagram below shows where security groups are applied.

Now you know the key differences between Network ACLs and Security Groups.

Summary

Network ACLs keep traffic out of the subnet and security groups keep traffic out of an instance.

If you enjoyed this content, please let us know in the comments section below. Please forward it to others who you believe would benefit from this information.

Get a FREE AWS Certified Solutions Architect Associate eBook from Go Cloud Architects by clicking on the link below:

https://www.gocloudarchitects.com/free-csa-a-ebook/

Download a FREE AWS Certified Solutions Architect Professional Practice Exam at the link below:

https://www.gocloudarchitects.com/free_exam/

We have new cloud computing videos every Wednesday on our YouTube channel.

https://www.youtube.com/c/GoCloudArchitects

Visit our website at www.gocloudarchitects.com


Go Cloud Architects

Go Cloud Architects is a provider of cloud computing training. We make cloud computing simple so our clients can truly understand cloud computing.