NACL and Security Groups


In this tutorial, we are going to explore NACLs and Security Groups. Mostly we will learn about the network firewalls that secure and manage your network's incoming and outgoing traffic at the instance and subnet levels.

In AWS, Network Access Control Lists (NACLs) and Security Groups are key mechanisms for securing your VPC and resources. Although they serve similar purposes, they operate at different layers and have distinct functionalities.

Network access control lists (NACLs) and security groups are types of firewalls that control network traffic. Security groups are stateful firewalls: they inspect the incoming packets and keep track of each connection's state. We only need to configure rules for the incoming traffic, and the stateful firewall automatically allows the corresponding outgoing (return) traffic. NACLs are stateless firewalls that check the source, destination, and other parameters of every packet against their rules to allow or reject the traffic, in both directions independently.

Security Groups

In the AWS environment, a security group is a VPC-based resource that works at the EC2 instance level. It validates the incoming traffic and allows only the connection requests that pass the inbound rules. We specify a security group to secure our EC2 instance; if no security group is selected, EC2 uses the default security group of the VPC. The default security group has no inbound rules and allows all outbound traffic.

[Figure: security group inbound rules table]

The "Source" column identifies where the incoming traffic comes from. The security group automatically allows the outbound return traffic for this connection.

NACLs

A network access control list (NACL) is a VPC-based firewall that works at the subnet level and controls the ingress and egress traffic. Because of its stateless nature, we need to take care of both the inbound and the outbound rules. Every inbound rule must have a matching outbound rule if we want the return traffic to leave our network. In a NACL, each rule is assigned a rule number, and the rules are evaluated in ascending order: the first rule that matches the traffic decides, and no further rules are considered. We don't get charged for using NACLs.

Note: The default quota for NACLs per VPC is 200 and it can be expanded on demand.

[Figure: NACL attached to a subnet to filter internet traffic]

Default NACL and custom NACL

Each AWS Region has a default VPC with its own default resources. The default VPC also comes with a default NACL associated with the default subnets. The default NACL gets attached automatically to every new subnet. We can use it, modify it, or create a new NACL per our requirements. If we create our own VPC, it will also have a default network access control list attached to its subnets, allowing all inbound and outbound traffic.

If we create a custom NACL, it rejects all inbound and outbound traffic and is not associated with any subnet. We'll have to edit its rules to control traffic and associate it with the intended subnets.

NACL rule fields

There are six fields in the rule table of a NACL. These six fields combined make one rule that filters the traffic. The table below shows these fields and their values for the default NACL.

[Table: NACL rule fields and their values for the default NACL]

Every NACL always has a default rule, marked with an asterisk (*). If no numbered rule matches the traffic, this rule is applied.

Working with security groups and NACLs

Let's try to fit the security group and network access control list into a real-world scenario. We have two EC2 instances deployed in a private and a public subnet. The backend of our application is deployed in the private subnet, whereas the frontend is in the public subnet and accessible over the internet. We have two security groups named SG_Private and SG_Public attached to their corresponding instances, and they allow communication between the instances on port 3000. In the normal scenario, where the default NACL is in effect and allows all ingress and egress traffic, the connection between the frontend and the backend succeeds. But we'll play a bit with the NACL to check its role in controlling the traffic.

Facts from the given scenario

  • The frontend and backend are served at port 3000.
  • SG_Public allows inbound traffic from the internet at port 3000 and outbound traffic for SG_Private.
  • SG_Private allows inbound traffic from the SG_Public at port 3000 and outbound traffic for SG_Public.
  • We are using the default NACL attached to the subnets, allowing all traffic both ways.
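To make the stateful-versus-stateless difference concrete, here is a small simulation of the scenario above. It is an added example, not code from the tutorial or from AWS: the rule tuples, the constructed client address 203.0.113.7, and the ephemeral port 51515 are all assumptions. It shows the ascending rule-number evaluation with the "*" catch-all, why a custom NACL that opens inbound port 3000 still breaks the connection until an outbound rule for the reply is added, and how a security group needs only the inbound rule.

```python
import ipaddress
from typing import List, Optional, Tuple

# One NACL rule as a tuple: (rule_number, protocol, (low_port, high_port), cidr,
# action). rule_number None stands for the catch-all "*" rule. This shape is
# constructed for the example; it is not an AWS API type.
NaclRule = Tuple[Optional[int], str, Tuple[int, int], str, str]

def nacl_evaluate(rules: List[NaclRule], ip: str, port: int, proto: str = "tcp") -> str:
    """Walk the numbered rules in ascending order; the first match decides.
    If nothing matches, the "*" rule applies, and it always denies."""
    numbered = sorted((r for r in rules if r[0] is not None), key=lambda r: r[0])
    for _num, rproto, (lo, hi), cidr, action in numbered:
        if (rproto in (proto, "all") and lo <= port <= hi
                and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)):
            return action
    return "deny"

def nacl_round_trip(inbound, outbound, client_ip, client_port, server_port=3000):
    """NACLs are stateless: the request (client -> :3000) is checked against the
    inbound rules and the reply (:3000 -> client's ephemeral port) against the
    outbound rules, independently of each other."""
    return (nacl_evaluate(inbound, client_ip, server_port),
            nacl_evaluate(outbound, client_ip, client_port))

def sg_round_trip(inbound_sources, client_ip, server_port=3000):
    """Security groups are stateful: only the inbound rules (port, source cidr)
    are consulted; the reply of a tracked connection is allowed automatically."""
    ok = any(port == server_port and ipaddress.ip_address(client_ip)
             in ipaddress.ip_network(cidr) for port, cidr in inbound_sources)
    return ("allow", "allow") if ok else ("deny", "deny")

# Default NACL: rule 100 allows everything in both directions.
DEFAULT_IN: List[NaclRule] = [(100, "all", (0, 65535), "0.0.0.0/0", "allow")]
DEFAULT_OUT: List[NaclRule] = list(DEFAULT_IN)

# Custom NACL that opened inbound :3000 but has no outbound rule for the
# ephemeral reply ports: the request gets in, the reply never gets out.
CUSTOM_IN: List[NaclRule] = [(100, "tcp", (3000, 3000), "0.0.0.0/0", "allow")]
CUSTOM_OUT_MISSING: List[NaclRule] = []
CUSTOM_OUT_FIXED: List[NaclRule] = [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

# Rule ordering: 90 (deny 10.0.0.0/8) is evaluated before 100 (allow all sources).
ORDERED_IN: List[NaclRule] = [(100, "tcp", (3000, 3000), "0.0.0.0/0", "allow"),
                              (90, "tcp", (3000, 3000), "10.0.0.0/8", "deny")]

if __name__ == "__main__":
    print(nacl_round_trip(DEFAULT_IN, DEFAULT_OUT, "203.0.113.7", 51515))
    print(nacl_round_trip(CUSTOM_IN, CUSTOM_OUT_MISSING, "203.0.113.7", 51515))
    print(nacl_round_trip(CUSTOM_IN, CUSTOM_OUT_FIXED, "203.0.113.7", 51515))
    print(nacl_evaluate(ORDERED_IN, "10.0.1.5", 3000), sg_round_trip([(3000, "0.0.0.0/0")], "203.0.113.7"))
```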

That's all about NACLs and Security Groups. If you have any queries or feedback, please write to us at contact@waytoeasylearn.com. Enjoy learning, enjoy AWS Tutorials!
