NACLs and security groups are important topics for the AWS certification exams. If you are planning to take the AWS architect exam, this post is a good read for you. In this blog post I will cover the major differences between NACLs and security groups.
NACLs (Network Access Control Lists):
- NACLs operate at the subnet level. A NACL is an optional security layer that acts as a firewall on a subnet to control traffic entering or leaving that subnet.
- Every instance in a subnet is bound by the same NACL rules; they apply to all instances in that subnet.
- NACLs have separate inbound and outbound rules. Each rule can either allow or deny traffic. The default NACL allows all inbound and outbound traffic. A newly created NACL denies all inbound and outbound traffic.
- NACLs are stateless: a rule that allows incoming traffic does not allow the return traffic, so the outbound side has to be allowed explicitly.
- NACL rules are evaluated in order from the lowest rule number to the highest. If two rules match the same traffic, the rule with the lower number is applied.
- You can think of the NACL as the second-level firewall, which works after the security group, which acts as the first-level firewall.
Security groups:
- Security groups operate at the instance level.
- Each instance in a subnet can be assigned different security groups. A single instance can be assigned 5 security groups, and each security group can have 50 rules.
- A security group lets you add or remove rules for both inbound and outbound traffic. The default security group allows all outbound traffic but does not allow all inbound traffic. With security groups you can only write allow rules; there are no deny rules.
- Security groups are stateful: when an inbound rule allows a connection, the response traffic is automatically allowed outbound. You do not need to allow it explicitly.
- All rules in a security group are evaluated; unlike NACL rules, they are not applied in numbered order.
- The security group is the first-level firewall.
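To make the differences above concrete, here is an added example (not code from the original post) that simulates how a NACL evaluates its numbered rules versus how a security group evaluates its allow-only rules. The rule sets and IP addresses are constructed for illustration; the simulator is a simplified model of AWS behaviour, not an AWS API.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL rules: (rule_number, protocol, port_from, port_to, cidr, action).
# 32767 stands in for the trailing "*" entry that denies anything not matched above.
NACL_INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    (120, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
# NACLs are stateless: replies to the allowed inbound HTTPS traffic go back out to
# the client's ephemeral port and need their own outbound allow rule.
NACL_OUTBOUND = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
# Constructed security group rules: (protocol, port_from, port_to, cidr); all are allows.
SG_INBOUND = [
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "203.0.113.0/24"),
]

def _matches(rproto, lo, hi, cidr, proto, port, addr):
    """True when a single rule covers this protocol, port and address."""
    return rproto in ("all", proto) and lo <= port <= hi and ip_address(addr) in ip_network(cidr)

def nacl_decision(rules, proto, port, addr):
    """Rules are evaluated in ascending rule-number order; the first match wins."""
    for num, rproto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(rproto, lo, hi, cidr, proto, port, addr):
            return action, num
    return "deny", None  # only reached if the "*" entry is missing

def sg_allows(rules, proto, port, addr):
    """Every security group rule is an allow; traffic passes if any rule matches."""
    return any(_matches(rp, lo, hi, cidr, proto, port, addr) for rp, lo, hi, cidr in rules)

def inbound_reaches_instance(proto, port, src):
    """Inbound traffic must be allowed by both the subnet NACL and the instance's security group."""
    action, _ = nacl_decision(NACL_INBOUND, proto, port, src)
    return action == "allow" and sg_allows(SG_INBOUND, proto, port, src)

def reply_leaves_subnet(proto, client_port, dst):
    """Reply to an allowed inbound connection: the stateful security group lets it out
    automatically, but the stateless NACL still needs a matching outbound rule."""
    action, _ = nacl_decision(NACL_OUTBOUND, proto, client_port, dst)
    return action == "allow"
```

Note that SSH from 198.51.100.7 is denied by NACL rule 120 even though rule 110 would allow it from 203.0.113.0/24, and that a reply to a client port below 1024 is dropped by the NACL because no outbound rule covers it.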