NACL and Security Groups

Learn about the network firewalls to secure and manage your network’s incoming and outgoing traffic at the instance and subnet levels.

Network access control lists (NACLs) and security groups are two kinds of firewalls that control network traffic in a VPC. Security groups are stateful firewalls: they inspect incoming traffic against their rules and keep track of connection state, so we only need to configure rules for the incoming traffic and the corresponding return traffic is allowed automatically. NACLs are stateless firewalls: each packet is checked on its own against the source, destination, protocol and port rules, with no memory of earlier packets, to decide whether the traffic is allowed or rejected.

Security groups

In the AWS environment, a security group is a VPC-based resource that works at the EC2 instance level. It validates incoming traffic and allows only connection requests that match its inbound rules. We specify a security group to secure our EC2 instance; if none is selected, EC2 uses the VPC's default security group. The default security group has no inbound rules and allows all outbound traffic.

Figure: Inbound rules table for a security group

The “Source” column identifies where the incoming traffic comes from. Because the security group is stateful, the return traffic for connections allowed by an inbound rule is permitted automatically, without an explicit outbound rule.

NACLs

A network access control list (NACL) is a VPC-based firewall that works at the subnet level and controls both ingress and egress traffic. Because it is stateless, we must define the inbound and outbound rules separately: every inbound rule needs a matching outbound rule if we want the reply traffic to leave our subnet. Each NACL rule is assigned a rule number, and rules are processed in ascending order; the first rule that matches the traffic decides, and no later rule is evaluated. There is no charge for using NACLs.

Note: The default quota for NACLs per VPC is 200 and it can be expanded on demand.

NACL rules

Rules define what the NACL does with subnet traffic. When NACL rules are modified, the change applies immediately to the traffic of every associated subnet. A few important points about rules:

  • Rules are evaluated in ascending order of rule number. As soon as a rule matches the traffic, its action is applied and no other rule is evaluated.

  • Leaving gaps between rule numbers is recommended so that new rules can be inserted later.

  • Separate rules are defined for allowing and denying traffic.

  • We can filter all traffic of a particular type, or restrict a rule to a custom range of IP addresses.

  • We can filter traffic based on traffic protocol and port range.

  • We specify the source IP range for inbound (ingress) rules and the destination IP range for outbound (egress) rules.

Note: The default limit of rules per NACL is 20. It is also adjustable.

Figure: NACL attached to a subnet to filter internet traffic

Default NACL and custom NACL

Each AWS Region has a default VPC with its own default resources, including a default NACL associated with the default subnets. The default NACL is attached automatically to every new subnet. We can use it, modify it, or create a new NACL as required. A VPC we create ourselves also gets a default network access control list attached to its subnets, which allows all inbound and outbound traffic.

A custom NACL we create denies all inbound and outbound traffic and is not associated with any subnet. We have to edit its rules to control traffic and then associate it with the intended subnets.

NACL rule fields

A NACL rule table has six fields; together they make up one rule that filters the traffic. The table below shows these fields and their values for the default NACL.

Rule number   Type          Protocol   Port range   Source      Allow/Deny
100           All traffic   All        All          0.0.0.0/0   Allow
*             All traffic   All        All          0.0.0.0/0   Deny

Every NACL ends with a default rule whose number is an asterisk. If no numbered rule matches the traffic, this rule applies and the traffic is denied.

Working with security groups and NACLs

Let’s fit the security group and network access control list into a real-world scenario. We have two EC2 instances, one in a private subnet and one in a public subnet. The backend of our application runs in the private subnet, while the frontend runs in the public subnet and is accessible over the internet. Two security groups, SG_Private and SG_Public, are attached to their corresponding instances and allow communication between the instances on port 3000. With the default NACL in effect, which allows all ingress and egress traffic, the connection between frontend and backend succeeds. We’ll then change the NACL to see its role in controlling the traffic.

Facts from the given scenario

  • The frontend and backend are served on port 3000.

  • SG_Public allows inbound traffic from the internet on port 3000 and outbound traffic to SG_Private.

  • SG_Private allows inbound traffic from SG_Public on port 3000 and outbound traffic to SG_Public.

  • We are using the default NACL attached to the subnets, allowing all traffic both ways.

Figure: Default NACL allows all traffic (four slides)
  • Slide 1: The frontend instance can communicate with the backend instance. Everything works.

  • Slide 2: Create another NACL for the private subnet. As a custom NACL, it allows no ingress or egress traffic.

  • Slide 3: Add an inbound rule to the new NACL allowing traffic from the public subnet. The backend still cannot be reached, because its outgoing reply traffic is not allowed.

  • Slide 4: Add an outbound rule to the new NACL allowing traffic to the public subnet. The backend is now served.
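The NACL behaviour behind slides 3 and 4, together with the rule-ordering rules from the "NACL rules" section, as an added simulation that is not part of this lesson or of AWS itself. The subnet CIDRs, hosts and ephemeral port are constructed, and the outbound rule in slide 4 is modelled as covering the ephemeral port range, since the reply of a TCP connection returns to the client's ephemeral port rather than to port 3000.

```python
# Added example (not from the lesson): a small simulator of NACL rule
# evaluation showing first-match-by-rule-number, the implicit "*" deny, and
# why a stateless NACL needs an explicit outbound rule for reply traffic.
# CIDRs, hosts and ports below are constructed for illustration.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")

@dataclass(frozen=True)
class Rule:
    number: int        # rules are evaluated in ascending order
    proto: str         # "all", "tcp" or "udp"
    ports: tuple       # destination port range (low, high), inclusive
    cidr: str          # Source for inbound rules, Destination for outbound
    action: str        # "allow" or "deny"

def evaluate(rules, pkt, direction):
    """Lowest rule number first; the first match decides and no later rule
    is examined; anything unmatched falls through to the '*' deny rule."""
    addr = ip_address(pkt.src if direction == "inbound" else pkt.dst)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in ("all", pkt.proto) and addr in ip_network(r.cidr)
                and r.ports[0] <= pkt.dport <= r.ports[1]):
            return r.action
    return "deny"

PUBLIC = "10.0.1.0/24"   # constructed CIDR of the public (frontend) subnet
request = Packet("10.0.1.10", "10.0.2.10", "tcp", 49152, 3000)  # frontend -> backend
reply = Packet("10.0.2.10", "10.0.1.10", "tcp", 3000, 49152)    # backend -> frontend

def slide3():
    """Inbound allow only: the request gets in, but the reply is dropped."""
    inbound = [Rule(100, "tcp", (3000, 3000), PUBLIC, "allow")]
    return evaluate(inbound, request, "inbound"), evaluate([], reply, "outbound")

def slide4():
    """Outbound rule added. The reply goes back to the client's ephemeral
    port, so the rule must cover the ephemeral range, not only port 3000."""
    inbound = [Rule(100, "tcp", (3000, 3000), PUBLIC, "allow")]
    outbound = [Rule(100, "tcp", (1024, 65535), PUBLIC, "allow")]
    return evaluate(inbound, request, "inbound"), evaluate(outbound, reply, "outbound")

def ordering(deny_number):
    """A deny for one host only takes effect if its number is below the allow."""
    rules = [Rule(100, "tcp", (3000, 3000), PUBLIC, "allow"),
             Rule(deny_number, "tcp", (3000, 3000), "10.0.1.66/32", "deny")]
    return evaluate(rules, Packet("10.0.1.66", "10.0.2.10", "tcp", 50000, 3000), "inbound")
```

The `ordering` helper shows the ascending-number rule in practice: the same deny rule blocks the host when numbered 90 and is never reached when numbered 110.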


We have looked at security group and NACL rules and seen how they work together in a realistic scenario.

Security group vs. NACL

The comparison below shows the differences between a security group and a NACL, one pair per row:

Security group: Doesn’t allow deny rules; we can’t explicitly reject any traffic.
NACL: Allows both allow and deny rules; we decide which traffic to allow and which to reject.

Security group: Works at the instance level.
NACL: Works at the subnet level.

Security group: Every VPC has its default security group that allows all traffic.
NACL: Every VPC has a default NACL that allows all ingress and egress traffic, but a newly created custom NACL denies all traffic until rules are added.

Security group: One security group can be attached to multiple instances, and an instance can have multiple security groups.
NACL: One NACL can be associated with multiple subnets, but a subnet can be associated with only one NACL at a time: one-to-many from NACL to subnets, one-to-one from subnet to NACL.

Security group: If no security group is selected at instance creation, the default security group is assigned automatically.
NACL: In the default VPC, creating a new subnet automatically associates the default NACL with the subnet.

Security group: Security groups are stateful firewalls.
NACL: NACLs are stateless firewalls.

Security group: All rules are evaluated.
NACL: Rules are arranged by rule number and processed in order; the first match wins.

Security group: Traffic reaches a security group only if the NACL has allowed it.
NACL: First line of defense; all traffic must pass the NACL rules before it can reach the instances.
