In this post, we take a close look at the main differences between Security Groups (SG) and Network Access Control Lists (NACL) in AWS. Let's get started.
| Security Groups (SG) | Network Access Control Lists (NACL) |
|---|---|
| Acts as a firewall for EC2 instances | Acts as a firewall for the subnets it is associated with |
| Controls both inbound and outbound traffic at the instance level | Controls both inbound and outbound traffic at the subnet level |
| Primary layer of defense for VPC instances (an instance can be secured with security groups alone) | Acts as an additional layer of defense in front of the security groups |
| Supports allow rules only | Supports both allow and deny rules |
| Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by the rules |
| Evaluates all rules before deciding whether to allow traffic | Evaluates rules in number order, starting with the lowest-numbered rule; the first matching rule decides |
| Applies only to the instances it is associated with | Applies to all instances in the subnets it is associated with |
| Up to 5 security groups can be assigned to an EC2 instance | A subnet can be associated with only 1 NACL at a time |
| Associated with network interfaces | One NACL can be associated with multiple subnets |
| Default security group: inbound allows traffic only from the same SG; outbound allows all | Default NACL: inbound and outbound allow all |
| Custom security group: no inbound rules (all inbound denied); outbound allows all | Custom NACL: inbound and outbound deny all until rules are added |
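The stateful/stateless, allow-only vs allow+deny, and rule-ordering rows are the ones that bite in practice, so here is an added Python model of those evaluation semantics (constructed for this post; it is not AWS code and does not call any AWS API). Rule and packet shapes, the client address 203.0.113.10, the port numbers and the rule numbers are all assumptions chosen for illustration. It walks one HTTPS request and its reply through a security group and through several NACLs, showing that the SG lets the reply through by connection tracking while a NACL drops it unless an outbound ephemeral-port rule exists, and that a NACL deny rule only takes effect if its number is lower than the allow rule it is meant to override.

```python
"""Toy model of how AWS evaluates Security Group vs NACL rules.

Constructed for illustration (not AWS code): it models stateful/stateless
behaviour, allow-only vs allow+deny rules, and 'any rule' vs 'lowest number
first' evaluation. 203.0.113.10 is a documentation address, not a real host.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    port_from: int           # destination port range the rule covers
    port_to: int
    cidr: str
    action: str = "allow"    # NACLs may also use "deny"; SGs are allow-only
    number: int = 0          # NACL rule number (evaluation order); unused by SGs


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" (toward the instance) or "out" (away from it)
    remote_ip: str
    remote_port: int
    local_port: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches if direction, destination port and remote CIDR all agree."""
    # For inbound packets the destination is the instance's local port;
    # for outbound packets it is the remote host's port.
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    return (rule.direction == pkt.direction
            and rule.port_from <= dst_port <= rule.port_to
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, allow-only; every rule is considered and any match permits."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = list(rules)
        self._flows = set()  # connection-tracking table (the 'stateful' part)

    def permits(self, pkt: Packet) -> bool:
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self._flows:
            return True          # return traffic of a tracked flow needs no rule
        if any(_matches(r, pkt) for r in self.rules):
            self._flows.add(key)
            return True
        return False             # no allow rule matched: implicit deny


class NetworkAcl:
    """Stateless; rules evaluated lowest number first, first match wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "allow"
        return False             # the final '*' rule: deny everything unmatched


def https_round_trip(sg_rules, nacl_rules):
    """Client 203.0.113.10:51515 -> instance:443, then the instance's reply.

    Returns (sg_request, sg_reply, nacl_request, nacl_reply) verdicts.
    """
    sg, nacl = SecurityGroup(sg_rules), NetworkAcl(nacl_rules)
    request = Packet("in", "203.0.113.10", 51515, 443)
    reply = Packet("out", "203.0.113.10", 51515, 443)
    return (sg.permits(request), sg.permits(reply),
            nacl.permits(request), nacl.permits(reply))


# Constructed rule sets. The SG lists only an inbound rule, to show that the
# reply is still allowed by state tracking (a real custom SG also starts with
# an allow-all outbound rule, omitted here to isolate the stateful behaviour).
SG_HTTPS = [Rule("in", 443, 443, "0.0.0.0/0")]
NACL_MISSING_EPHEMERAL = [Rule("in", 443, 443, "0.0.0.0/0", number=100)]
NACL_WITH_EPHEMERAL = NACL_MISSING_EPHEMERAL + [
    Rule("out", 1024, 65535, "0.0.0.0/0", number=100),
]
# Ordering matters: a deny at 90 is evaluated before the allow at 100 ...
NACL_BLOCK_FIRST = NACL_WITH_EPHEMERAL + [
    Rule("in", 443, 443, "203.0.113.0/24", "deny", number=90),
]
# ... whereas a deny at 110 is shadowed by the allow at 100 and never fires.
NACL_BLOCK_SHADOWED = NACL_WITH_EPHEMERAL + [
    Rule("in", 443, 443, "203.0.113.0/24", "deny", number=110),
]

if __name__ == "__main__":
    for name, rules in [("no ephemeral rule", NACL_MISSING_EPHEMERAL),
                        ("ephemeral rule", NACL_WITH_EPHEMERAL),
                        ("deny at 90", NACL_BLOCK_FIRST),
                        ("deny at 110", NACL_BLOCK_SHADOWED)]:
        print(f"{name:18} (sg req, sg reply, nacl req, nacl reply):",
              https_round_trip(SG_HTTPS, rules))
```

Running it shows the two failure modes worth checking in any review of a VPC: a NACL with no outbound rule for the ephemeral port range (1024-65535 here) silently drops every reply even though the inbound rule looks correct, and a NACL deny rule placed at a higher number than an existing allow has no effect at all because evaluation stops at the first match.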
Good luck and Happy learning!
Feel free to share it with your friends/colleagues.