AWS VPC Security Group vs NACLs Certification Key Topics

AWS VPC Security Overview

  • In a VPC, Security Groups and Network ACLs (NACLs) together help to build a layered network defense.
  • Security groups - Act as a firewall for associated Amazon instances, controlling both inbound and outbound traffic at the instance level
  • Network access control lists (NACLs) - Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level

Security Groups vs NACLs

Security Groups

  • Acts at an Instance level and not at the subnet level.
  • Each instance within a subnet can be assigned a different set of Security groups
  • An instance can be assigned 5 security groups with each security group having 50 rules
  • Security groups allow you to add or remove rules (authorizing or revoking access) for both Inbound (ingress) and Outbound (egress) traffic to the instance
    • Default Security group allows no external inbound traffic but allows inbound traffic from instances with the same security group
    • Default Security group allows all outbound traffic
    • New Security groups start with only an outbound rule that allows all traffic to leave the instances
  • Security groups can specify only Allow rules, but not deny rules
  • Security groups can grant access to a specific CIDR range, or to another security group in the VPC or in a peer VPC (requires a VPC peering connection)
  • Security groups are evaluated as a whole, i.e. as a cumulative set of rules, with the most permissive rule taking precedence. For example, if one rule allows access to TCP port 22 (SSH) from a specific IP address and another rule allows access to TCP port 22 from everyone, everyone has access to TCP port 22.
  • Security groups are Stateful - responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa. Hence an Outbound rule for the response is not needed
  • Security groups are associated with ENI (network interfaces).
  • Security groups associated with the instance can be changed, which changes the security groups associated with the primary network interface (eth0) and the changes would be applicable immediately to all the instances associated with the Security group
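
The cumulative evaluation described above can be audited mechanically. The following is an added example, not code from the original page or from AWS: a small Python model of allow-only ingress rules that reports narrow rules made meaningless by a broader one. The rule dictionaries, function names and the documentation address 203.0.113.10 are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample rules (allow-only: security groups have no deny rules).
# 203.0.113.10/32 is a documentation address chosen for this example.
INGRESS = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.10/32"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/16"},
]


def sg_allows(rules, proto, port, src_ip):
    """Traffic is allowed if ANY rule matches; there is no ordering and no deny."""
    src = ipaddress.ip_address(src_ip)
    return any(
        r["proto"] == proto
        and r["from_port"] <= port <= r["to_port"]
        and src in ipaddress.ip_network(r["cidr"])
        for r in rules
    )


def covered_by(narrow, broad):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    return (
        narrow["proto"] == broad["proto"]
        and broad["from_port"] <= narrow["from_port"]
        and narrow["to_port"] <= broad["to_port"]
        and ipaddress.ip_network(narrow["cidr"]).subnet_of(
            ipaddress.ip_network(broad["cidr"])
        )
    )


def ineffective_restrictions(rules):
    """Return (narrow, broad) index pairs where the narrow rule restricts nothing."""
    return [
        (i, j)
        for i, narrow in enumerate(rules)
        for j, broad in enumerate(rules)
        if i != j and covered_by(narrow, broad)
    ]
```

A non-empty result from `ineffective_restrictions` means a rule that looks like a restriction (SSH from one address) is overridden by a broader allow, which is the situation the port 22 example describes.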

Connection Tracking

  • Security groups are Stateful and use Connection tracking to track information about traffic to and from the instance.
  • Responses to inbound traffic are allowed to flow out of the instance regardless of outbound security group rules, and vice versa.
  • Connection Tracking is maintained only if there is no explicit Outbound rule for an Inbound request (and vice versa)
  • However, if there is an explicit Outbound rule for an Inbound request, the response traffic is allowed on the basis of the Outbound rule and not on the Tracking information
  • Tracking flow e.g.
    • If an instance (host A) initiates traffic to host B and uses a protocol other than TCP, UDP, or ICMP, the instance's firewall only tracks the IP address & protocol number for the purpose of allowing response traffic from host B.
    • If host B initiates traffic to the instance in a separate request within 600 seconds of the original request or response, the instance accepts it regardless of inbound security group rules, because it's regarded as response traffic.
  • This can be controlled by modifying the security group's outbound rules to permit only certain types of outbound traffic. Alternatively, Network ACLs (NACLs) can be used for the subnet; network ACLs are stateless and therefore do not automatically allow response traffic.


Network ACLs (NACLs)

  • A Network ACL (NACL) is an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • NACLs are not for granular control; they are assigned at a Subnet level and are applicable to all the instances in that Subnet
  • Network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic
    • Default ACL allows all inbound and outbound traffic.
    • Newly created ACL denies all inbound and outbound traffic
  • A Subnet can be assigned only 1 NACL and, if not associated explicitly, would be associated implicitly with the default NACL
  • Network ACL is a numbered list of rules that are evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. For example, if you have Rule No. 100 with Allow All and Rule No. 110 with Deny All, the Allow All would take precedence and all the traffic will be allowed
  • Network ACLs are Stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). For example, if you enable Inbound SSH on port 22 from the specific IP address, you would need to add an Outbound rule for the response as well
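
The ordered, stateless behaviour described above can be modelled in a few lines. The following is an added example, not code from the original page or from AWS: it evaluates numbered rules first-match-wins and checks the request and its reply independently. The rule tuples, function names, the address 203.0.113.10, the client source port 50000 and the 1024-65535 reply range are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample NACLs: (rule_number, action, proto, port_lo, port_hi, cidr).
# 203.0.113.10 is a documentation address standing in for an admin workstation.
PAGE_EXAMPLE = [
    (100, "allow", "all", 0, 65535, "0.0.0.0/0"),
    (110, "deny", "all", 0, 65535, "0.0.0.0/0"),
]
INBOUND = [
    (100, "allow", "tcp", 22, 22, "203.0.113.10/32"),
    (110, "deny", "tcp", 22, 22, "0.0.0.0/0"),
]
OUTBOUND_MISSING_REPLY = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
OUTBOUND_WITH_REPLY = OUTBOUND_MISSING_REPLY + [
    (120, "allow", "tcp", 1024, 65535, "203.0.113.10/32"),
]


def nacl_decision(rules, proto, port, peer_ip):
    """First match in ascending rule-number order wins; no match means deny."""
    peer = ipaddress.ip_address(peer_ip)
    for number, action, r_proto, lo, hi, cidr in sorted(rules):
        if (r_proto in (proto, "all") and lo <= port <= hi
                and peer in ipaddress.ip_network(cidr)):
            return action, number
    return "deny", None  # the implicit final deny of every network ACL


def round_trip(inbound, outbound, proto, dst_port, client_ip, client_port):
    """Stateless check: the request and its reply are evaluated independently."""
    request = nacl_decision(inbound, proto, dst_port, client_ip)[0]
    # The reply leaves the subnet toward the client's source (ephemeral) port.
    reply = nacl_decision(outbound, proto, client_port, client_ip)[0]
    return {"request": request, "reply": reply,
            "works": request == "allow" and reply == "allow"}
```

With `OUTBOUND_MISSING_REPLY` the inbound SSH request is allowed but its reply is dropped, so the session never establishes; a security group with the same inbound rule would have let the reply out through connection tracking.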