In this part, we will discuss Cloud Network Security methods that secure your AWS network. Security groups and Network Access Control Lists (NACLs) are the two resources that work as virtual firewalls to protect your network.
Security groups and NACLs operate at separate layers in the VPC. So, which is the better one to secure your network: security groups or NACLs?
Let’s discuss one by one!
A security group works as a virtual firewall for EC2 instances to control inbound and outbound traffic. When you create an instance in a VPC, you can assign up to 5 security groups to the instance. Security groups work at the instance level, not the subnet level.
When you create a VPC, AWS creates a default security group for it. You can edit the rules of the default security group, but you can’t delete the security group itself.
How AWS Security Groups work
AWS Security Groups help you protect your cloud environment by controlling the traffic that is allowed to reach your EC2 instance. With a security group, you can ensure that traffic at the instance level flows only through the ports and protocols you have explicitly allowed.
The rules of a security group that filter traffic are defined in inbound and outbound tables. AWS security groups are stateful (you do not need to add rules for return traffic). Therefore, any rule that allows traffic into your EC2 instance automatically allows the responses to pass back out to the requester, without an explicit rule in the outbound ruleset.
To create a security group using the console
Open the Amazon VPC console
NACLs are stateless firewalls that work at the subnet level, meaning a NACL acts as a firewall for an entire subnet. A default NACL allows all inbound and outbound traffic.
How AWS NACLs work
NACLs function at the subnet level of a VPC. Each NACL can be applied to one or more subnets, but each subnet must be associated with exactly one NACL. When you create a VPC, AWS automatically creates a default NACL for it. You can add and remove rules from the default NACL, but you can’t delete the NACL itself.
The following are the basic things that you need to know about NACLs.
You can remove or add rules from the default NACL, or create additional NACLs for your VPC. When you add or remove rules from a NACL, the changes are automatically applied to the subnets that are associated with it.
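To make the stateful/stateless difference from the security group and NACL sections above concrete, here is a small model of both evaluators (an added example, not code from the original post or from AWS): a security group tracks each accepted flow so its reply passes without an outbound rule, while a NACL checks every packet, the reply included, against its rules in ascending rule-number order. The class names, the addresses and the client-to-port-443 flow are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    def reply(self):  # the response packet swaps source and destination addresses and ports
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)

@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str               # remote address range the rule applies to
    action: str = "allow"   # NACLs may also "deny"; security groups only have allow rules
    number: int = 0         # NACL rule number, which sets evaluation order; unused for SGs
    def matches(self, flow, remote_ip):
        return (self.proto in ("all", flow.proto) and self.port_from <= flow.dport <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    """Stateful, allow-only: the reply to an accepted flow passes without an explicit rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.tracked = inbound, outbound, set()
    def allows(self, flow, direction):  # direction is "in" (to the instance) or "out"
        rules, remote = (self.inbound, flow.src) if direction == "in" else (self.outbound, flow.dst)
        if flow.reply() in self.tracked:  # return traffic of a flow that was already accepted
            return True
        ok = any(r.matches(flow, remote) for r in rules)
        if ok:
            self.tracked.add(flow)  # remember the flow so its reply is let back through
        return ok

class NetworkAcl:
    """Stateless: every packet, replies included, is checked in ascending rule-number order; no match means deny."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)
    def allows(self, flow, direction):
        rules, remote = (self.inbound, flow.src) if direction == "in" else (self.outbound, flow.dst)
        verdicts = [r.action == "allow" for r in rules if r.matches(flow, remote)]
        return verdicts[0] if verdicts else False

def https_round_trip(firewall):
    """(request allowed in, reply allowed out) for a constructed client -> instance:443 flow."""
    request = Flow("tcp", "203.0.113.10", "10.0.1.5", 51000, 443)
    return firewall.allows(request, "in"), firewall.allows(request.reply(), "out")
```

With only an inbound 443 rule, the security group returns (True, True); a NACL whose outbound rule merely mirrors the inbound 443 rule returns (True, False) because the reply goes to the client’s ephemeral port, so the outbound side needs an ephemeral-port allow rule.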