What’s the matter with AWS Security groups and NACLs?

AWS Security groups and Network Access Control Lists (NACLs) both come under AWS networking, specifically the VPC (Virtual Private Cloud) service.
Both can be thought of as traffic controllers for incoming and outgoing (inbound and outbound) traffic. Security groups are associated with instances, whereas NACLs are tied to subnets, each of which is a range of IP addresses.

What’s the difference?
Well, Security groups are stateful firewalls, that is, they automatically allow return traffic. For example, if you allow HTTPS traffic into an instance, the responses going back out are allowed automatically.
NACLs, on the other hand, are stateless, so you have to explicitly define a rule for the return traffic as well.

NACLs work at subnet (networking) level and Security groups function at the instance level.

Security groups only have allow rules, whereas NACLs require you to explicitly define both allow and deny rules.

Feeew!
Let’s get practical.
So NACLs are important because they are the first barrier traffic meets, before the security group is even consulted.
Note: if a NACL deny rule matches the traffic, changing the security group will have no effect, because the traffic never reaches it.

An example of NACL inbound rules:

[Image in the original post: a NACL inbound rule table. Caption: the lowest-numbered matching rule is preferred.]


After playing with them it turns out that NACLs work by rule order.
Suppose rule 100 is defined with the action “allow”, so the instance is accessible, and then a second rule 90 (which comes before 100) is declared with the action “deny”: the rule that applies is the deny one. The reason is that rules are evaluated in order of their number, starting from the lowest, and the first rule that matches the traffic wins.

[Image in the original post: the same NACL with the ‘deny’ rule added.]
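To make the rule ordering and the stateless-versus-stateful difference concrete, the following is an added Python model; it is not code from this post or from AWS. It reproduces the scenario above (rule 100 allows HTTPS, rule 90 denies one network) and shows why a stateless NACL needs an outbound rule for the client's ephemeral ports while a security group does not. All rule numbers, CIDRs and ports are constructed sample values (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Toy model of how AWS applies NACL and security-group rules to a packet.

Added illustration, not code from the post or from AWS. It models two
documented behaviours: a NACL evaluates its rules in ascending rule-number
order and the first match wins (with an implicit final deny), while a
security group is allow-only and stateful. Rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # client-side return ports used in the AWS NACL docs


@dataclass(frozen=True)
class Packet:
    remote: str   # the non-instance endpoint: source for inbound, destination for outbound
    port: int     # destination port of the packet
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int   # NACL rule number; irrelevant for security groups
    proto: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str   # "allow" or "deny" (security groups only ever use "allow")

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("all", pkt.proto)
                and self.port_from <= pkt.port <= self.port_to
                and ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(self.cidr))


def evaluate_nacl(rules, pkt):
    """Lowest rule number first; the first matching rule decides. No match hits the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", "*"


def evaluate_sg(rules, pkt):
    """Allow-only and order-independent: any matching rule allows, otherwise deny."""
    return "allow" if any(r.matches(pkt) for r in rules) else "deny"


def inbound_decision(nacl_in, sg_in, pkt):
    """The subnet NACL is checked before the instance's security group."""
    action, number = evaluate_nacl(nacl_in, pkt)
    if action == "deny":
        return f"denied by NACL rule {number}"
    return "allowed" if evaluate_sg(sg_in, pkt) == "allow" else "denied by security group"


def return_traffic_decision(nacl_out, client_port):
    """Stateless: the reply to an allowed request is just another outbound packet to the NACL.
    A security group tracks the flow and allows the reply without any outbound rule."""
    reply = Packet(remote="198.51.100.5", port=client_port)
    nacl_action, _ = evaluate_nacl(nacl_out, reply)
    return {"nacl": nacl_action, "security_group": "allow"}


# Constructed rule sets for the post's scenario: rule 100 allows HTTPS from anywhere,
# rule 90 denies one network. Rule 90 is evaluated first, so it wins for that network.
NACL_IN = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),
]
SG_IN = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]

# Outbound NACL without, and with, the ephemeral-port rule that return traffic needs.
NACL_OUT_MISSING_RETURN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_WITH_RETURN = NACL_OUT_MISSING_RETURN + [
    Rule(110, "tcp", *EPHEMERAL, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print(inbound_decision(NACL_IN, SG_IN, Packet("203.0.113.10", 443)))  # denied by NACL rule 90
    print(inbound_decision(NACL_IN, SG_IN, Packet("198.51.100.5", 443)))  # allowed
    print(return_traffic_decision(NACL_OUT_MISSING_RETURN, 51515))        # nacl deny, sg allow
    print(return_traffic_decision(NACL_OUT_WITH_RETURN, 51515))           # nacl allow, sg allow
```

Swapping the rule numbers (deny at 100, allow at 90) flips the first decision to "allowed", which is exactly the ordering trap the screenshot illustrates; the return-traffic check shows the outbound ephemeral-port rule that a stateless NACL needs and a security group does not.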

Hope this makes some sense!

Best practice: do not create outbound rules in a NACL unless you really need them; use security groups for that instead. Security groups and NACLs can also be used together.

Cheers!
