VPC Security! It’s a must!

In this blog post we are going to take a look at Security Groups and Network Access Control Lists (NACLs) in AWS.

We will also look at the difference between them and how we can use them to increase our security in the cloud.

Security Groups

Before we talk about security groups, it’s important that you know what they look like in AWS.

AWS Security groups

So what are security groups?!

  1. Control how traffic is allowed into or out of your EC2 instances.
  2. Security groups are stateful (return traffic is automatically allowed).
    • If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  3. Can be attached to multiple instances.
  4. Locked down to a Region/VPC.
  5. All inbound traffic is blocked by default.
  6. All outbound traffic is allowed by default.
  7. You can specify allow rules, but not deny rules.

You can also reference another security group as the source instead of an IP address.

Let’s take an example of that.

In this example we can see that EC2-1 and EC2-2 are allowed to send traffic to EC2-3.

That is because EC2-3 has a security group (named SG-200) with an inbound rule that allows access from any instance that has the security group SG-100 assigned to it.

Inbound EC2-3

Source                          Protocol   Port range   Description
The security group ID (sg-100)  All        All          Allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group.

Security group example

Now let’s talk about Network Access Control Lists (NACLs).

AWS NACL

Key Notes about NACL

  • Control traffic between different subnets in the same VPC.
  • Stateless – we need to explicitly open outbound (and return) traffic.
  • Works at the subnet level – automatically applied to all instances in the subnet.
  • Contains both Allow and Deny rules.
  • Rules are evaluated in the order of their rule number; the first matching rule wins.
  • The default NACL allows all inbound and outbound traffic.
  • NACLs are a great way of blocking a specific IP at the subnet level.
Inbound

Rule #   Type               Protocol   Port range   Source      Allow/Deny
100      All IPv4 traffic   All        All          0.0.0.0/0   ALLOW
*        All IPv4 traffic   All        All          0.0.0.0/0   DENY

Outbound

Rule #   Type               Protocol   Port range   Destination   Allow/Deny
100      All IPv4 traffic   All        All          0.0.0.0/0     ALLOW
*        All IPv4 traffic   All        All          0.0.0.0/0     DENY

NACL Example

Most important – by default, subnets in the same VPC can communicate without any restrictions. That is because the default NACL permits all traffic inside the VPC.

It’s always recommended to use NACLs to limit access between subnets.

Compare security groups and network ACLs

The following table summarizes the basic differences between security groups and network ACLs.

Security group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Rules are processed in order, starting with the lowest numbered rule, when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive)
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
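To make the two evaluation models in the table concrete, here is a small added simulation (example code written for this post, not AWS code): NACL rules are walked in rule-number order with the first match deciding and "*" denying the rest, while a security group checks all of its allow rules with no ordering and lets return traffic through unconditionally. The rule numbers, CIDRs and the sg-100 reference are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL: an explicit DENY for one host placed *before* the
# broad rule 100 from the post, plus the "*" catch-all AWS always appends.
NACL_INBOUND = [
    (90,  "10.0.1.23/32", "DENY"),   # block one specific IP at the subnet level
    (100, "0.0.0.0/0",    "ALLOW"),  # rule 100: allow all IPv4 traffic
    ("*", "0.0.0.0/0",    "DENY"),   # implicit default: deny anything unmatched
]

def nacl_allows(rules, src_ip):
    """NACL semantics: evaluate in ascending rule number, first match wins,
    '*' is evaluated last. Stateless, so this is run per direction."""
    ordered = sorted(rules, key=lambda r: float("inf") if r[0] == "*" else r[0])
    for _, cidr, action in ordered:
        if ip_address(src_ip) in ip_network(cidr):
            return action == "ALLOW"
    return False  # unreachable if '*' is present, kept for safety

# Constructed security group SG-200: allow rules only. A source may be a
# CIDR or another security group id, as in the post's sg-100 example.
SG_200_INBOUND = [
    ("sg-100", "tcp", 443),
]

def _source_matches(rule_src, source):
    if rule_src.startswith("sg-"):
        return rule_src == source          # match on the caller's SG membership
    try:
        return ip_address(source) in ip_network(rule_src)
    except ValueError:
        return False                       # an sg id never matches a CIDR rule

def sg_allows(rules, source, proto, port, is_return_traffic=False):
    """Security group semantics: no ordering, any matching allow admits the
    packet, there are no deny rules. Stateful: replies to connections the
    instance itself opened are admitted regardless of inbound rules."""
    if is_return_traffic:
        return True
    for rule_src, rule_proto, rule_port in rules:
        if (_source_matches(rule_src, source)
                and rule_proto in (proto, "All")
                and rule_port in (port, "All")):
            return True
    return False  # nothing matched: silently dropped, not "denied" by a rule
```

Swapping the DENY's number from 90 to 110 lets the blocked host through, because rule 100 now matches first; that ordering sensitivity is the practical difference from a security group.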

Author: Meni T.

IT Infrastructure Manager
