Security Groups vs NACL - A Comparison - AWS Certification Cheat Sheet

Let’s compare Security Groups vs NACL from an AWS certification perspective. We will look at important certification questions regarding Security Groups and NACL.

You will learn

  • What is Security Groups
  • What is NACL?
  • What is difference between Security Groups and NACL?
  • When do you use Security Groups?
  • When do you use NACL?

AWS Certification Study Material and Notes - 25 PDF Cheat Sheets

Each cheat sheet contains:

  • FAQs and Tutorials with 5-20 slides
  • Study Material and Notes to quickly review and prepare for certification exam
  • Certification Exam Tips
  • Certification and Interview Scenario Questions

EC2 Security Groups

An EC2 Security Groups is Virtual firewall to control incoming and outgoing traffic to/from AWS resources (EC2 instances, databases etc). It Provides additional layer of security - Defense in Depth

How are Security Groups Rules evaluated?

Let’s consider the example below:

Here are few important things to remember:

  • Security groups are default deny. If there are no rules configured, no outbound/inbound traffic is allowed.
  • You can specify allow rules ONLY
  • You can configure separate rules for inbound and outbound traffic.

You can assign multiple (upto five) security groups to your EC2 instances.

You can add and delete security groups to EC2 instances at any time. Changes are immediately effective.

Traffic NOT explicitly allowed by Security Group will not reach the EC2 instance.

Security Groups are stateful:

  • If an outgoing request is allowed, the incoming response for it is automatically allowed.
  • If an incoming request is allowed, an outgoing response for it is automatically allowed

EC2 Security Group - Trivia

What if there are no security group rules configured for inbound and outbound?

  • Default DENY. No traffic is allowed in and out of EC2 instance.

Can I change security groups at runtime?

  • Yes. Changes are immediately effective.

Quick Review of Security Groups - Default Security Group

Direction Protocol Port Range Source/Destination
Inbound All All Security Group ID (sg-xyz)
Outbound All All

Default security group is created when you create a VPC. A default security group:

  • Allows all outbound traffic
  • Allows communication between resources assigned with the default security group
  • Denies all other inbound traffic (other than resources with the default security group)
  • Can be edited but not be deleted

EC2 instances, by default, are assigned the default security group of the VPC. However, you can change it at any point - during launch or later.

Security Group has a many to many relationship with Resources (in same VPC).

New Security Groups

Direction Protocol Port Range Source/Destination
Outbound All All

You can create new security groups. By default:

  • There are no inbound rules
  • Denies all inbound traffic
  • Allows all outbound traffic

You can add, edit and delete outbound and inbound rules.

Security Groups - Important Ports

Service Port
SSH (Linux instances) 22
RDP (Remote Desktop - Windows) 3389
PostgreSQL 5432
Oracle 1521
MySQL/Aurora 3306
MSSQL 1433

Security Group Scenario Questions

Scenario Solution
Can source/destination of a security group be another security group? Yes. It can even be same security group.
A new security group is created and assigned to a database and an ec2 instance. Can these instances talk to each other? No. New security group does not allow any incoming traffic from same security group.
Two resources associated with same security group can talk with each other only if you configure rules allowing the traffic.
The default security group (unchanged) in the VPC is assigned to a database and an ec2 instance. Can these instances talk to each other? Yes. Default security group (by default) has a rule allowing traffic between resources with same security group.

Network Access Control List

Security groups control traffic to a specific resource in a subnet. How about stopping traffic from even entering the subnet?

NACL provides stateless firewall at subnet level.

Each subnet must be associated with a NACL.

Default NACL allows all inbound and outbound traffic. Custom created NACL denies all inbound and outbound traffic by default.

NACL Rules have a priority number. Lower number => Higher priority.

Security Group vs NACL

Feature Security Group NACL
Level Assigned to a specific instance(s)/resource(s) Configured for a subnet. Applies to traffic to all instances in a subnet.
Rules Allow rules only Both allow and deny rules
State Stateful. Return traffic is automatically allowed. Stateless. You should explicitly allow return traffic.
Evaluation Traffic allowed if there is a matching rule Rules are prioritized. Matching rule with highest priority wins.

Scenario: EC2 instance cannot be accessed from internet

How do you debug this? An EC2 instance cannot be accessed from internet.

Here are the things to check:

  • Does the EC2 instance have a public IP address or an Elastic IP address assigned?
  • Check the network access control list (ACL) for the subnet. Is inbound and outbound traffic allowed from your IP address to the port?
  • Check the route table for the subnet. Is there a route to the internet gateway?
  • Check your security group rules. Are you allowing inbound traffic from your IP address to the port?


Certification - Recommended Reading

Elastic Load Balancer (ELB) vs Network Load Balancer (NLB) - A Difference

Elastic Beanstalk vs Cloudformation vs Opswork vs Codedeploy - A Difference

EBS HDD Storages - A Difference

AWS Shield vs AWS WAF vs AWS Macie - Protect Resources and Data Cheat Sheet

Managing Multiple AWS Accounts - Organizations, Trusted Advisor and more Cheat Sheet

Amazon CloudWatch - Logs, Events, Alarms and Dashboards Cheat Sheet

AWS CloudTrail vs Config vs CloudWatch Cheat Sheet

EBS SSD Storages - A Difference

NAT Gateway vs Instance - A Comparison

AWS Security Groups and Network Access Control List - A Comparison Cheat Sheet

Free Videos - Get Started with AWS Certification

Amazing AWS Certification Courses

Get our amazing courses pursued by thousands of learners