Security Groups vs Network Access Control List

In this post, we will see the basic differences between Security Groups and Network Access Control List.

| Security Groups | Network Access Control List |
| --- | --- |
| Instance level: applies only to an instance that has the security group associated with it. | Subnet level: applies to all instances created inside the subnet. |
| Allow rules only: one can specify only allow rules in a security group. For example, if your app server needs to connect to an RDS instance, you allow port 3306 for the app server's IP. | Allow and deny rules: in a NACL, one can specify deny rules as well. |
| Evaluates all rules before allowing traffic: a security group evaluates all of its rules before the traffic reaches the instance. | Rules are processed in numeric order: a NACL evaluates the traffic against its rules in numeric order and stops at the first match. |
| Return traffic is automatically allowed regardless of any rules: if you have an inbound rule that lets a request through port 80, then whatever the response may be, the security group does not evaluate the outbound rules and lets the response out. | Return traffic must also be explicitly allowed by the rules: a NACL requires an explicit outbound rule for the return response to pass through. |
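The four differences above, as a small Python model added for this post (it is not AWS code and does not use the AWS API): `SecurityGroup`, `NetworkAcl`, `Rule` and `Packet` are hypothetical names, the model is TCP only, and a packet is described by its direction, the peer address and the two ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security groups accept "allow" only
    port_from: int   # destination TCP port range the rule covers
    port_to: int
    cidr: str        # remote address range
    number: int = 0  # NACL rule number, which fixes the evaluation order

@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (towards the instance) or "outbound" (from it)
    peer_ip: str     # remote host and its port
    peer_port: int
    local_port: int  # port on the instance

def matches(rule, pkt):
    # Rules match the destination port: local port inbound, peer port outbound.
    dport = pkt.local_port if pkt.direction == "inbound" else pkt.peer_port
    return (rule.port_from <= dport <= rule.port_to
            and ip_address(pkt.peer_ip) in ip_network(rule.cidr))

class SecurityGroup:
    """Stateful, allow-only: all rules are examined; replies of allowed flows pass."""
    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups take allow rules only")
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()  # connection tracking: flows already allowed
    def evaluate(self, pkt):
        key = (pkt.peer_ip, pkt.peer_port, pkt.local_port)
        if key in self.flows:  # return traffic of an allowed flow, no rule check
            return "allow"
        if any(matches(r, pkt) for r in self.rules[pkt.direction]):
            self.flows.add(key)
            return "allow"
        return "deny"  # nothing allowed it

class NetworkAcl:
    """Stateless: first match in numeric order decides; replies need their own rule."""
    def __init__(self, inbound, outbound):
        self.rules = {d: sorted(rs, key=lambda r: r.number)
                      for d, rs in (("inbound", inbound), ("outbound", outbound))}
    def evaluate(self, pkt):
        for r in self.rules[pkt.direction]:
            if matches(r, pkt):
                return r.action
        return "deny"  # the implicit final "* deny" entry
```

Feed both models the same inbound request on port 80 and its reply: the security group passes the reply from its flow table, while the NACL drops it unless an outbound rule covers the client's ephemeral port range.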
