AWS Security Groups v/s NACLs


In this part, we will discuss Cloud Network Security methods that secure your AWS network. Security groups and Network Access Control Lists(NACLs) both resource is work as a virtual firewall to protect your network.
Security groups and NACLs operate at separate layers in the VPC. So, which is the best one to secure your network – Security groups or NACLs..?
Let’s discuss one by one!

Security Groups

A security group works as a virtual firewall for EC2 instances to control inbound or outbound traffic. When you create an instance in a VPC, you can assign up to 5 security groups to the instance. Security groups work at the instance level, not the subnet level.
When you create a VPC, AWS creates a default security group for this. You can edit rules from a default generate security group but you can’t delete the security group itself.

How AWS Security Groups work

AWS Security Groups help you protect your cloud environment by controlling traffic that will be allowed into your EC2 machine. With the help of a security group, you can ensure that all the traffic flows at the instance level is only through your established ports and protocols. 

Basic Things of Security Groups(SGs)

  • You can allow rules, but not deny rules of SGs.
  • You can specify separate rules for inbound and outbound traffic.
  • SGs are stateful (stateful means, security group keeps track of the state). 
  • Instances associated with SGs can’t talk to each other unless you add rules allowing the traffic.  
  • An SG can only be used in the VPC that you specify when creating the security group.
  • When you create an SGs, you must provide it with a name and a description. The following rule applies:
    • Name and Descriptions can be up to 255 characters in length.
    • Name and Descriptions are limited to the following characters: A-Z, a-z, 0-9, and special character.
    • A security group name can not start with sg- as these indicate default security group.
    • A security group name must be unique within VPC.

Security Group rules

The rule of a security group that filters traffic is defined in inbound and outbound tables.AWS SGs are stateful,(you do not need to add rules for return). Therefore, any rule that allows traffic into your EC2 instance will significantly allow responses to pass back out to the provider without an explicit rule in the outbound ruleset. 

  • Type: The dropdown list allows you to select common protocols like SSH, HTTP, HTTPS, or RDP. You can also choose custom protocols.
  • Protocol: This is typically grayed out, as most “type” choices cover it. However, if you make a custom rule, you can specify your protocol.
  • Port Range: This value is usually pre-filled, reflecting the default port or port range for your chosen protocol. 
  • Source: This can be a specific IP address, a network subnet range, or other AWS SGs. You can leave access open to the entire internet Anywhere (
  • Description: This field makes you add a description of the rule that has been added.

Create a Security Group

To create a security group using the console
Open the Amazon VPC console

  1. In the navigation pan, choose Security Groups.
  2. Choose to Create a Security Group.
  3. Enter the name for the security group (for example, my-security-group), and then provide a description.
  4. From VPC, select the ID of your VPC.
  5. (Optional) Add or remove a tag.
  6. Choose to Add new tag and do the following:
    • For Key, enter the key name.
    • For Value, enter the key value.
  7. Choose to Remove to the right of the tag’s Key and Value.
  8. Click on Create.​​​​​​​

      Network Access Control Lists (NACLs)

      NACLs are stateless firewalls that work at the subnet Levels, meaning NACLs act like a Firewall to an entire subnet. A default NACL allows everything both inbound and outbound traffic.

      How AWS NACLs work
      NACLs function at the subnet level of a VPC, each NACL can be applied to one or more subnets, but each subnet is required to be associated with one and only one NACL. When you make a VPC AWS automatically creates a default NACL for this. You can add and remove rule from a default NACL, but you can’t delete the NACL itself.

      Basic Things of NACL

      The following are the basic thing that you need to know about NACLs.

      • VPC automatically comes with a modifiable default NACL.
      • You can create a custom NACL and associate it with a subnet. 
      • Each custom NACL denies all inbound and outbound traffic until you add rules. 
      • The Subnet can be associated with only one NACLs at a time.
      • An NACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.

      NACL Rules

      You can remove or add rules from the default NACl, or create additional NACL for your VPC. When you add or remove rules from an NACL, the changes are automatically applied to the subnets that are associated with it.

      • Rule Number: The Rules are evaluated starting with the lowest numbered rule. if a rule matches it gets executed without checking for any other higher-numbered rule.   
      • Type: You can specify all the traffic or a custom range.
      • Protocol: You can specify any protocol that has a standard protocol number.
      • Port Range: You can specify the single port or a range of ports.
      • Source[Inbound Rules Only]: Can be a single IP address or an entire CIDR block. The destination can only be mentioned in the outbound rule.  
      • Destination[Outbound Rules only]: Can be a single IP address or an entire CIDR block. The source can only be mentioned in the inbound rule.
      • Allow/Deny: Specifies whether to allow or deny traffic. 

      Security Group and NACL Key Differences

      Security Groups(SGs)

      • Works at the instance level.
      • Implicit Deny on Inbound and Outbound Traffic.
      • Can only add an allow rule is denying is implicitly present.   
      • Stateful-response traffic is allowed without specifying.
      • Multiple SGs can be associated with a Single Instance.
      • Evaluates all Rules and Finds the most permissive rule.

      Network Access Control Lists (NACLs)

      • Works at subnet Level.
      • All Inbound and Outbound is allowed by default.
      • Can add both allow and deny rules explicitly.
      • Stateless-response traffic is not allowed unless specified.
      • Multiple NACls cannot be associated with a Single Subnet.
      • Evaluates starting with the lowest numbered rule till a rule matches.