AWS Security Groups vs NACLs

Security Groups and NACLs are configured within your VPC as part of what AWS provides to tenants as a static firewall. They are adequate for public web servers where there are no security compliance requirements. Typically companies will also deploy Cisco ASA firewall virtual appliances to provide the same level of perimeter security as their private data centers.

Security Groups

AWS EC2 security group is a static virtual firewall that is associated with one or more EC2 instances within a VPC. They are provided by Amazon for EC2 instance level packet filtering. The security groups are comprised of multiple inbound and outbound permit rules assigned to an instance interface.

There is a maximum of five security groups per instance and 100 security groups per VPC supported. There is no support for deny rules and reverse direction traffic is automatically permitted (stateful) for a session.

Tenants can add multiple inbound and outbound rules that permit protocols such as HTTP, ICMP and SSH. The security group is associated with a network interface assigned to an EC2 instance when launched. Each rule is examined for a match before permitting or dropping packets.

The default security group permits all inbound and outbound traffic between all instances. Any EC2 instance not associated with a security group during launch is associated with the default security group. EC2 instances cannot communicate when a new security group replaces the default group unless rules are added to explicitly permit it. Any new security group is unconfigured and explicitly denies all inbound and outbound traffic.

Web Server Security Group Inbound Rules

The following example permits SSH (22) and HTTPS (443) from 200.200.1.1/32 source public address. That could be the public address of a connection from the enterprise data center. In addition HTTP and ICMP (Ping) are permitted from all source IP addresses (0.0.0.0/0).

The operational mode is stateful so any security group rules permitting an inbound session also permit outbound traffic for the same session by default.

AWS security group rules are comprised of source IP, protocol type and port range. You can add a description to the security group for troubleshooting.

  • protocol type = TCP, UDP, ICMP, All etc.
  • port number = single port or multiple (range) of application ports
  • source = individual IPv4 address, IPv6 address or destination security group

All EC2 instances associated with a security group are affected by any changes to the permit rules. There are separate tables within a security group for inbound and outbound rules. There is support for single source IP address with /32 subnet mask, CIDR block range, all source IP addresses (0.0.0.0/0) and a security group id. The tenant can deploy IPv6 addressing to a VPC however AWS security groups only support prefix-length of /128 for single IPv6 address.

Web Server Security Group Outbound Rules

AWS supports Linux-based and Windows-based AMI. The security group rules assigned to EC2 instances must be updated to enable inbound SSH (Linux), RDP (Windows), and ICMP access. That permits customers to access EC2 instances from on-premises. ICMP packets are enabled for routing management traffic and Ping command.

Network ACL (NACL)

This is an optional security feature available in addition to security groups for additional packet filtering. It is the second level of defense that supports allow and deny rules for subnets. Rules are applied to packets in a numbered order for matching purposes.

Network ACL Assigned to Private Subnet 10.0.1.0/24

Network ACL is a stateless security service that is configured and assigned to a VPC subnet. The return traffic is inspected as well so it is stateless. There are allow and deny rules supported for inbound and outbound tables per ACL. In addition you can assign the same single ACL across multiple subnets however only one ACL per subnet.

Security Group vs Network ACL



Please share on social media