In this blog post we are going to take a look at Security Groups and Network Access Control Lists (NACLs) in AWS, understand the difference between them, and see how we can use them to increase our security in the cloud.

Security Groups
Before we talk about security groups it's important to know what one looks like in AWS: a named set of inbound and outbound allow rules that is attached to an instance's network interface.

So what are security groups?
- Control how traffic is allowed into or out of your EC2 instance (the group is attached to the instance's network interface).
- Security groups are stateful: return traffic is automatically allowed. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound rules, and the same holds for responses to requests that came in.
- A security group can be attached to multiple instances, and an instance can have several security groups; the rules of all of them are combined.
- Scoped to a Region/VPC: a group can only be used inside the VPC it was created in.
- All inbound traffic is blocked by default.
- All outbound traffic is allowed by default.
- You can specify allow rules, but not deny rules. All rules are evaluated, and if any of them allows the traffic, it passes.
- You can also reference another security group as the source or destination instead of an IP range.
Let's take an example of that. EC2-1 and EC2-2 both have security group SG-100 attached, and they are allowed to send traffic to EC2-3.

This works because EC2-3 has a security group (SG-200) with an inbound rule that allows access from any network interface that has security group SG-100 attached to it:

Inbound rules of EC2-3 (SG-200)

| Source | Protocol | Port range | Description |
|---|---|---|---|
| sg-100 (security group ID) | All | All | Allow inbound traffic from network interfaces (and their associated instances) that have security group sg-100 assigned. |

Two things to keep in mind. The rule matches on group membership, not on IP address: if EC2-1 gets a new IP it is still allowed, and a host in the same subnet that does not carry SG-100 is not. The referenced group must also live in the same VPC (or a peered VPC). In a real deployment you would narrow Protocol and Port range to what EC2-3 actually serves instead of All/All.
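To make the evaluation rules concrete, here is an added example (not code from the original post, and not AWS code) that models how security groups decide whether a packet is delivered: allow-only rules, every rule checked, group references matched by membership, and a flow table so that return traffic passes without an inbound rule. The group IDs, host names and addresses are constructed for the example, and the SG-200 rule is narrowed to TCP 443 as you would in practice.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of security-group evaluation (not AWS code). The group IDs,
# host names and addresses are made up; real IDs look like sg-0123456789abcdef0.


@dataclass(frozen=True)
class Rule:
    """One allow rule. Security groups have no deny rules."""
    protocol: str      # "all", "tcp", "udp" or "icmp"
    from_port: int     # -1 means all ports
    to_port: int
    target: str        # a CIDR such as "10.0.0.0/16" or a group reference such as "sg-100"


ALLOW_ALL = Rule("all", -1, -1, "0.0.0.0/0")   # the outbound rule every new group starts with


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)     # empty = block everything (the default)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    groups: tuple = ()   # groups attached to the network interface; () = not an EC2 interface


def _matches(rule: Rule, protocol: str, port: int, peer: Host) -> bool:
    """True when the rule covers this protocol/port and the peer's address or group."""
    if rule.protocol not in ("all", protocol):
        return False
    if rule.from_port != -1 and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.target.startswith("sg-"):
        # Group reference: matches any interface that has that group attached,
        # whatever its IP address is today.
        return rule.target in peer.groups
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.target)


class StatefulFirewall:
    """Evaluates security groups: every rule is checked, any allow wins, flows are tracked."""

    def __init__(self, groups: dict):
        self.groups = groups
        self.flows = set()   # 5-tuples already permitted; their reverse is return traffic

    def _permitted(self, host: Host, direction: str, protocol: str, port: int, peer: Host) -> bool:
        if not host.groups:
            return True   # an outside host: there is no security group to evaluate
        rules = [r for g in host.groups for r in getattr(self.groups[g], direction)]
        return any(_matches(r, protocol, port, peer) for r in rules)

    def send(self, src: Host, sport: int, dst: Host, dport: int, protocol: str = "tcp") -> bool:
        """Is a packet src:sport -> dst:dport delivered? Checks src egress, then dst ingress."""
        if (dst.ip, dport, src.ip, sport, protocol) in self.flows:
            return True   # stateful: the reply to an allowed request needs no inbound rule
        ok = (self._permitted(src, "outbound", protocol, dport, dst)
              and self._permitted(dst, "inbound", protocol, dport, src))
        if ok:
            self.flows.add((src.ip, sport, dst.ip, dport, protocol))
        return ok


def demo() -> dict:
    """The EC2-1/EC2-2 -> EC2-3 scenario from the post, narrowed to TCP 443."""
    groups = {
        "sg-100": SecurityGroup("sg-100", outbound=[ALLOW_ALL]),
        "sg-200": SecurityGroup("sg-200",
                                inbound=[Rule("tcp", 443, 443, "sg-100")],
                                outbound=[ALLOW_ALL]),
        "sg-300": SecurityGroup("sg-300", outbound=[ALLOW_ALL]),
    }
    ec2_1 = Host("EC2-1", "10.0.1.10", ("sg-100",))
    ec2_2 = Host("EC2-2", "10.0.1.11", ("sg-100",))
    ec2_3 = Host("EC2-3", "10.0.2.10", ("sg-200",))
    ec2_4 = Host("EC2-4", "10.0.1.12", ("sg-300",))   # same subnet as EC2-1, wrong group
    internet = Host("api.example", "203.0.113.10")      # outside the VPC
    fw = StatefulFirewall(groups)
    return {
        "ec2_1_to_ec2_3": fw.send(ec2_1, 40001, ec2_3, 443),        # allowed via the sg-100 reference
        "ec2_2_to_ec2_3": fw.send(ec2_2, 40002, ec2_3, 443),        # same group, also allowed
        "ec2_4_to_ec2_3": fw.send(ec2_4, 40003, ec2_3, 443),        # denied: sg-300 is not referenced
        "ec2_1_to_ec2_3_ssh": fw.send(ec2_1, 40004, ec2_3, 22),     # denied: only 443 is opened
        "ec2_3_to_internet": fw.send(ec2_3, 51234, internet, 443),  # default outbound allow
        "internet_reply": fw.send(internet, 443, ec2_3, 51234),     # reply to that request: allowed
        "internet_new": fw.send(internet, 443, ec2_3, 51235),       # unsolicited inbound: blocked
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

The interesting cases are EC2-4 (same subnet and address range as EC2-1, still denied because it does not carry sg-100) and the two packets from the outside host: the reply to EC2-3's own request is delivered without any inbound rule, while a fresh connection to the same port is dropped.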
Now let's talk about Network Access Control Lists (NACLs).

Key Notes about NACLs
- Control traffic entering and leaving a subnet, which includes traffic between different subnets in the same VPC.
- Stateless: return traffic is not tracked, so we need to explicitly allow it in the opposite direction (for a server subnet, typically an outbound rule for the ephemeral port range 1024-65535 so replies can reach the clients).
- Works at the subnet level and is automatically applied to every instance in the subnet; each subnet is associated with exactly one NACL.
- Contains both Allow and Deny rules.
- Rules are evaluated in order of rule number, lowest first, and the first matching rule decides; the final "*" rule denies anything that did not match, so a deny placed after a broad allow is never reached.
- The default NACL allows all inbound and outbound traffic; a custom NACL denies everything until you add rules.
- NACLs are a great way of blocking a specific IP at the subnet level, something security groups cannot do because they have no deny rules.
Default NACL, inbound rules

| Rule # | Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Default NACL, outbound rules

| Rule # | Type | Protocol | Port range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |
Most important: by default, subnets in the same VPC can communicate without any restriction. The VPC route table carries a local route to every subnet, and the default NACL permits all of that traffic.
It is therefore recommended to use NACLs to limit access between subnets (for example, the database subnet only accepts traffic from the application subnet), in addition to, not instead of, tight security groups: the NACL is a coarse, subnet-wide control, while the security group is the per-instance one.
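The three NACL behaviours that bite in practice are rule ordering, the implicit "*" deny, and statelessness. The following is an added example (not code from the original post, and not AWS code) that models NACL evaluation for a web subnet: it blocks one noisy address, shows that the same deny is useless when numbered after the broad allow, and shows that the reply to a client's request is dropped until an outbound rule for the ephemeral port range exists. All addresses and rule numbers are constructed for the example; the 1024-65535 ephemeral range is the one commonly used when the client's operating system is unknown.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of network ACL evaluation (not AWS code). Client and
# attacker addresses and the rule numbers are made up for the example.


@dataclass(frozen=True)
class Entry:
    number: int        # rule number; lower numbers are evaluated first
    protocol: str      # "all", "tcp", "udp" or "icmp"
    from_port: int     # -1 means all ports
    to_port: int
    cidr: str          # source (inbound) or destination (outbound) range
    action: str        # "ALLOW" or "DENY"


class NetworkAcl:
    """Stateless, ordered, first match wins, implicit '*' deny at the end."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda e: e.number)
        self.outbound = sorted(outbound, key=lambda e: e.number)

    @staticmethod
    def _evaluate(entries, protocol: str, port: int, ip: str):
        """Return (action, rule number) of the first matching entry, or ('DENY', '*')."""
        for e in entries:
            if e.protocol not in ("all", protocol):
                continue
            if e.from_port != -1 and not e.from_port <= port <= e.to_port:
                continue
            if ipaddress.ip_address(ip) not in ipaddress.ip_network(e.cidr):
                continue
            return e.action, e.number       # later rules are never looked at
        return "DENY", "*"

    def match_inbound(self, src_ip: str, dst_port: int, protocol: str = "tcp"):
        return self._evaluate(self.inbound, protocol, dst_port, src_ip)

    def match_outbound(self, dst_ip: str, dst_port: int, protocol: str = "tcp"):
        # Stateless: the reply of a connection is evaluated on its own against the
        # outbound rules, with the client's ephemeral port as the destination port.
        return self._evaluate(self.outbound, protocol, dst_port, dst_ip)


def demo() -> dict:
    noisy_ip = "192.0.2.44"          # one address we want to drop at the subnet edge
    client = "198.51.100.7"

    web_inbound = [
        Entry(90, "tcp", 443, 443, "192.0.2.44/32", "DENY"),    # deny placed BEFORE the broad allow
        Entry(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    ]
    misordered_inbound = [
        Entry(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
        Entry(110, "tcp", 443, 443, "192.0.2.44/32", "DENY"),   # shadowed: rule 100 already matched
    ]
    outbound_no_ephemeral = [
        Entry(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    ]
    outbound_ok = [
        Entry(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
        Entry(110, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW"),   # replies to clients' ephemeral ports
    ]

    broken = NetworkAcl(web_inbound, outbound_no_ephemeral)
    fixed = NetworkAcl(web_inbound, outbound_ok)
    misordered = NetworkAcl(misordered_inbound, outbound_ok)

    return {
        "client_request": fixed.match_inbound(client, 443),              # ("ALLOW", 100)
        "reply_without_ephemeral": broken.match_outbound(client, 50000),  # ("DENY", "*"): stateless
        "reply_with_ephemeral": fixed.match_outbound(client, 50000),      # ("ALLOW", 110)
        "noisy_ip_blocked": fixed.match_inbound(noisy_ip, 443),           # ("DENY", 90)
        "noisy_ip_misordered": misordered.match_inbound(noisy_ip, 443),   # ("ALLOW", 100): deny unreachable
        "ssh_from_client": fixed.match_inbound(client, 22),               # ("DENY", "*")
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:24s} {action:5s} (rule {rule})")
```

Returning the rule number together with the verdict is deliberate: when a NACL behaves unexpectedly, the first question is always "which rule matched first", and that is also how you spot a deny that sits behind an allow and can never fire.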

Compare security groups and network ACLs
The following table summarizes the basic differences between security groups and network ACLs.

| Security group | Network ACL |
|---|---|
| Operates at the instance level (attached to the network interface) | Operates at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic; any matching allow is enough | Rules are processed in order, starting with the lowest numbered rule, and the first match decides |
| Applies to an instance only if someone specifies the security group when launching the instance or associates it later (if none is specified, the VPC's default security group is attached) | Automatically applies to all instances in the subnets it is associated with (therefore it provides an additional layer of defense if the security group rules are too permissive) |