Difference - NACL & Security Groups in AWS

Mounick
2 min read · Dec 1, 2020

In this post, we will discuss what NACLs and Security Groups are and how they differ. The two look similar, which easily confuses AWS beginners, so I will try to explain the terms as simply as possible. To follow along, you should know basic networking concepts such as subnets and IP addresses. You don’t need to be an expert; knowing what they are is enough.

A Security Group (SG) acts as a virtual firewall for your instances to control incoming and outgoing traffic.

A Network Access Control List (NACL) acts as a firewall for controlling traffic in and out of one or more subnets.

Security Groups are tied to an instance, whereas Network ACLs apply at the subnet level, so every instance in a subnet with an associated NACL follows that NACL's rules. In other words, the rules apply to all instances within the subnet. An instance therefore has two layers of security: one at the subnet level and one at the instance level.

The difference between Security Group and NACL is that,

Security Group => Stateful

NACL => Stateless

OK, wait… what do stateful and stateless mean?

Security Group is Stateful: What you allow in one direction automatically covers the reply traffic in the other direction, i.e., traffic generated in response to allowed inbound traffic is allowed to flow out, regardless of outbound rules.

NACL is Stateless: A rule for one direction is not automatically applied to the other direction, i.e., if you allow incoming traffic, you also need to add a rule for the outgoing traffic.

Important Points

  • For inbound/ingress traffic, the Network ACL is the first layer of defense and the Security Group is the second.
  • For outbound/egress traffic, the Security Group is the first layer of defense and the Network ACL is the second.
  • A subnet can have only one NACL, whereas an instance can have multiple Security Groups.
  • Security Group: all the rules are evaluated before deciding whether to allow the traffic.
  • NACL: rules are evaluated in order, starting from the lowest number.
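
The stateful/stateless difference and the two rule-evaluation styles above, as a small Python model. This is an added example, not code from the original post or from AWS; the rule tuples, addresses, ports and rule numbers are constructed, and the model covers a single inbound connection with the NACL's final catch-all deny included.

```python
from ipaddress import ip_address, ip_network

def nacl_allows(rules, peer_ip, port):
    """Stateless and ordered: lowest rule number first, first match decides."""
    for _num, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if ip_address(peer_ip) in ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # nothing matched: the NACL's final catch-all rule denies

def sg_allows(rules, peer_ip, port):
    """Allow-only and unordered: all rules are considered, any match permits."""
    return any(ip_address(peer_ip) in ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in rules)

def request_and_reply(nacl_in, nacl_out, sg_in, sg_out, client, server_port):
    """Return (request_delivered, reply_delivered) for one inbound connection."""
    client_ip, client_port = client
    # Inbound: the NACL (subnet) is checked first, then the SG (instance).
    if not (nacl_allows(nacl_in, client_ip, server_port)
            and sg_allows(sg_in, client_ip, server_port)):
        return (False, False)
    # Reply: the SG is stateful, so sg_out is deliberately not consulted.
    # The NACL is stateless, so its outbound rules must cover the client's port.
    return (True, nacl_allows(nacl_out, client_ip, client_port))

# Constructed sample data (documentation address ranges, made-up rule numbers).
CLIENT = ("203.0.113.10", 50000)
SG_IN = [("0.0.0.0/0", 443, 443)]
SG_OUT = []                                   # no outbound SG rules at all
NACL_IN = [(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_NONE = []                            # reply has no matching rule
NACL_OUT_EPHEMERAL = [(100, "0.0.0.0/0", 1024, 65535, "allow")]
NACL_IN_DENY_FIRST = NACL_IN + [(90, "203.0.113.0/24", 0, 65535, "deny")]

if __name__ == "__main__":
    print(request_and_reply(NACL_IN, NACL_OUT_NONE, SG_IN, SG_OUT, CLIENT, 443))
    print(request_and_reply(NACL_IN, NACL_OUT_EPHEMERAL, SG_IN, SG_OUT, CLIENT, 443))
    print(request_and_reply(NACL_IN_DENY_FIRST, NACL_OUT_EPHEMERAL, SG_IN, SG_OUT, CLIENT, 443))
```

The first case is the common troubleshooting symptom: the request reaches the instance but the reply is dropped at the subnet boundary because the NACL has no outbound rule for the client's port.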

Summary

In layman’s terms, the Security group is the firewall of Instances whereas NACL is the firewall of the Subnet.

Writer: Mounick

Shoot your questions in the comments section. I will try to reply as soon as possible.
