In AWS VPC (Virtual Private Cloud), we can control inbound and outbound traffic at two different levels:
- Security Groups
- NACLs (Network Access Control Lists)
Comparison between Security Groups and NACLs:

| Security Groups (SG) | NACLs |
|---|---|
| Acts as a firewall for associated Amazon EC2 instances. | Acts as a firewall for associated subnets. |
| Controls both inbound and outbound traffic at the instance level. | Controls both inbound and outbound traffic at the subnet level. |
| The default security group that's created with the VPC allows all inbound/outbound traffic by default. | The default NACL created with the VPC allows all inbound and outbound traffic by default. |
| When you create a new security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group. | When you create a new NACL, it denies all inbound and outbound traffic by default. You can then add rules to allow or deny traffic. |
| In both cases, a security group includes an outbound rule that allows all outbound traffic. You can remove that rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed. | |
| You can specify only allow rules, not deny rules. | Supports both allow rules and deny rules. |
| You can specify separate rules for inbound and outbound traffic. | A NACL has separate inbound and outbound rules, and each rule can either allow or deny traffic. |
| Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. | NACLs are stateless. Return traffic must be explicitly allowed by rules. |
| All rules are evaluated before deciding whether to allow traffic. | AWS processes rules in number order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the NACL. If you allow inbound traffic from IP range 10.0.1.0/16 in rule #100 and deny traffic from the same IP range in rule #200, traffic from this range will still be allowed. |
| Security groups can be assigned to an EC2 instance when it is created or attached at a later point. | Each subnet in your VPC must be associated with a NACL. If you don't explicitly associate a subnet with a NACL, the subnet is automatically associated with the default NACL. |
| You can assign up to 5 security groups to an EC2 instance. If you don't specify any security group at launch time, the instance is automatically assigned the default security group for the VPC. | You can associate a NACL with multiple subnets; however, a subnet can be associated with only one NACL at a time. When you associate a NACL with a subnet, the previous association is removed. |
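To make the evaluation differences concrete, here is an added example (not code from the page or from AWS) that models the two rule engines described above: NACL rules evaluated lowest-number-first with first match deciding and an implicit final deny, versus security group rules where any matching allow rule permits the traffic. The rule sets are constructed for illustration and mirror the page's rule #100 / rule #200 scenario.

```python
"""Added example: a minimal model of NACL versus security group evaluation.
NACL rules are checked in ascending number order; the first match decides and
an unmatched packet hits the implicit final '*' deny rule. Security groups
have only allow rules, all are evaluated, and any match allows the traffic.
All rule values below are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Constructed NACL inbound rules: (rule_number, action, cidr, protocol, (port_lo, port_hi))
# Rule 100 allows 10.0.1.0/16 and rule 200 denies the same range, as on the page.
INBOUND_NACL = [
    (200, "deny",  "10.0.1.0/16", "tcp", (0, 65535)),
    (100, "allow", "10.0.1.0/16", "tcp", (0, 65535)),
    (300, "allow", "0.0.0.0/0",   "tcp", (443, 443)),
]
# Constructed outbound rules allowing only the ephemeral port range for return traffic.
OUTBOUND_NACL = [(100, "allow", "0.0.0.0/0", "tcp", (1024, 65535))]
# Constructed security group inbound rules: (cidr, protocol, (port_lo, port_hi)); allow only.
INBOUND_SG = [("10.0.1.0/16", "tcp", (22, 22)), ("0.0.0.0/0", "tcp", (443, 443))]


def _matches(cidr, proto, ports, src_ip, protocol, port):
    # strict=False accepts a CIDR with host bits set (10.0.1.0/16 -> 10.0.0.0/16),
    # as the page writes it.
    lo, hi = ports
    return (ip_address(src_ip) in ip_network(cidr, strict=False)
            and proto in (protocol, "all") and lo <= port <= hi)


def evaluate_nacl(rules, src_ip, protocol, port):
    """Return (decision, rule_number); '*' marks the implicit final deny."""
    for number, action, cidr, proto, ports in sorted(rules, key=lambda r: r[0]):
        if _matches(cidr, proto, ports, src_ip, protocol, port):
            return action, number          # first match wins, later rules are ignored
    return "deny", "*"


def nacl_return_traffic_allowed(outbound_rules, dst_ip, protocol, ephemeral_port):
    """NACLs are stateless: the response to an allowed inbound request is only
    permitted if an outbound rule explicitly covers the client's ephemeral port."""
    return evaluate_nacl(outbound_rules, dst_ip, protocol, ephemeral_port)[0] == "allow"


def evaluate_sg(rules, src_ip, protocol, port):
    """Security groups: any matching allow rule permits the traffic. Being stateful,
    the corresponding return traffic needs no rule at all."""
    return any(_matches(cidr, proto, ports, src_ip, protocol, port)
               for cidr, proto, ports in rules)
```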