AWS VPC Security: Difference between Security Group and ACL (Security Group vs ACL)
Security Groups and Network ACLs (NACLs) both filter traffic to resources launched in a VPC, but they sit at different layers and have different evaluation semantics. Below are the basic differences between a Security Group and a NACL:
Security Group
1. Acts as a virtual firewall at the instance level. Strictly, a security group is attached to an elastic network interface (ENI), so an instance with several ENIs can have different groups on each interface.
2. It is the mandatory layer of defense in a VPC: every ENI has at least one security group. Note the evaluation order, though: traffic entering the VPC from outside hits the subnet's NACL first and the security group second; for traffic leaving an instance the order is reversed.
3. One instance (ENI) can be associated with multiple security groups. Their rules are merged and evaluated as a single set.
4. Whenever we create a VPC, a default security group is created. Its default rules allow all outbound traffic and all inbound traffic from other members of the same group.
5. If we don't specify a security group when launching an instance, the VPC's default security group is automatically associated with it.
6. Stateful: if a request is allowed in one direction, the response is automatically allowed in the other direction, regardless of the rules for that direction.
7. Supports allow rules only. Anything no rule allows is implicitly denied, and there is no way to write a deny rule: to block one address you have to narrow the allow rules, or use a NACL.
8. All rules are evaluated before a decision is made; rule order does not matter, and any single matching allow rule is enough to admit the traffic.
9. Applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance (ENI) later on.
10. Basic ports to remember:
- SSH - 22 (mainly for Linux servers)
- RDP - 3389 (mainly for Windows servers)
- SMTP - 25 (mail servers)
- HTTP - 80
- HTTPS - 443
- All traffic - port range 0 - 65535 (in the console, "All traffic" also covers every protocol, not only TCP and UDP)
Never open 22 or 3389 to 0.0.0.0/0 (or ::/0) in a security group; restrict them to a bastion host's security group or a known address range.
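Because a security group can only allow, a single rule with source 0.0.0.0/0 on an admin port is the classic misconfiguration to look for. The script below is an added example, not code from the original page: it scans a constructed sample of the JSON shape that `aws ec2 describe-security-groups` returns and reports every group that exposes SSH or RDP to the whole internet, including through an "All traffic" (IpProtocol "-1") rule or an IPv6 ::/0 range. The group ID and rules in the sample are made up for the demo.

```python
"""Flag security-group rules that expose admin ports to the whole internet.
Added example, not the page's own code. SAMPLE mimics the JSON shape returned by
`aws ec2 describe-security-groups` (SecurityGroups[].IpPermissions[]); the group
ID and rules in it are made up for the demo, not taken from a real account."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6

SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-and-ops",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
    ]}]})


def world_open_admin_ports(describe_output):
    """Return (group id, service, port, world cidrs) for every admin port reachable
    from 0.0.0.0/0 or ::/0. An IpProtocol of "-1" is the console's "All traffic":
    it has no FromPort/ToPort keys and covers every port of every protocol."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):
                continue  # SSH and RDP are TCP services
            cidrs = ({r["CidrIp"] for r in perm.get("IpRanges", [])}
                     | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])})
            exposed_to = sorted(cidrs & WORLD)
            if not exposed_to:
                continue
            low, high = ((0, 65535) if perm["IpProtocol"] == "-1"
                         else (perm["FromPort"], perm["ToPort"]))
            for port, service in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append((sg["GroupId"], service, port, exposed_to))
    return findings


if __name__ == "__main__":
    for group, service, port, cidrs in world_open_admin_ports(SAMPLE):
        print(f"{group}: {service} ({port}/tcp) open to {', '.join(cidrs)}")
```

Feed it real output with `aws ec2 describe-security-groups --output json` piped into the function; the 3389 rule in the sample is the case people miss, since the IPv4 range is private but the IPv6 range is the whole internet.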
NACL (Network Access Control List)
1. Acts as a virtual firewall at the subnet level. It filters traffic crossing the subnet boundary; traffic between two instances in the same subnet never passes through it.
2. An optional, additional layer of defense in the VPC. For traffic coming in from outside it is evaluated before the security group, which makes it the place to block a known-bad source range or to enforce a subnet-wide baseline that instance owners cannot loosen.
3. One subnet can be associated with only one NACL, while one NACL can be associated with multiple subnets.
4. Whenever we create a VPC, a default NACL is created, and it allows all inbound and outbound traffic. A custom NACL you create yourself starts out denying everything in both directions until you add rules.
5. If we don't associate a subnet with a NACL explicitly, the VPC's default NACL is automatically associated with it.
6. Stateless: return traffic is not tracked and must be explicitly allowed by a rule. A subnet that allows inbound HTTPS (443) also needs an outbound rule for the clients' ephemeral ports (AWS suggests 1024 - 65535 to cover all client types), otherwise the responses are dropped even though the security group would pass them.
7. Supports both allow rules and deny rules.
8. Rules are processed in ascending number order and the first matching rule wins; if no numbered rule matches, the final * rule denies the traffic. Leave gaps between rule numbers (100, 200, ...) so a deny can later be inserted ahead of an allow.
9. Automatically applies to all instances in the subnets it is associated with, so you don't have to rely on users to attach the right security group to every instance.
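To make the stateful versus stateless and allow-only versus first-match differences concrete, here is a small simulator of both evaluation models. It is an added example written for this page, not AWS code; the rule semantics follow the AWS documentation summarised in the two lists above, and every address, port and rule set in it is constructed for the demo (TCP only, so protocol is not modelled). It shows three things: a NACL with no outbound ephemeral-port rule drops HTTPS responses that the security group would let through, a NACL deny rule only takes effect if its number is lower than the allow it is meant to override, and the rules of several security groups attached to one instance are merged.

```python
"""Simulate AWS security-group vs network-ACL rule evaluation (TCP only).
Added example, not AWS code; semantics follow the AWS VPC docs (SG: allow-only,
all rules evaluated, stateful; NACL: numbered, first match wins, final deny,
stateless). Every address, port and rule set here is constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # outbound range the AWS docs suggest for NACL return traffic

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    from_port: int
    to_port: int
    cidr: str              # peer range: source for inbound rules, destination for outbound
    action: str = "allow"  # security groups never use "deny"
    number: int = 0        # meaningful for NACL rules only

def rule_matches(rule, flow, direction):
    peer = flow.src_ip if direction == "inbound" else flow.dst_ip
    return (ip_address(peer) in ip_network(rule.cidr, strict=False)
            and rule.from_port <= flow.dst_port <= rule.to_port)

class SecurityGroupSet:
    """All groups attached to one ENI, merged into one allow list. Stateful: a flow
    allowed one way has its reply allowed back without consulting any rule."""

    def __init__(self, *groups):
        self.inbound = [r for g in groups for r in g["inbound"]]
        self.outbound = [r for g in groups for r in g["outbound"]]
        self.connections = set()

    def evaluate(self, flow, direction):
        if (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port) in self.connections:
            return "allow"  # reply to a tracked connection: rules are not consulted
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(rule_matches(r, flow, direction) for r in rules):  # any allow suffices
            self.connections.add((flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port))
            return "allow"
        return "deny"  # nothing allowed it: implicit deny, there are no deny rules

class NetworkAcl:
    """Stateless: every packet, replies included, walks the rules in ascending number
    order; the first match decides and the trailing '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, flow, direction):
        for rule in self.inbound if direction == "inbound" else self.outbound:
            if rule_matches(rule, flow, direction):
                return rule.action
        return "deny"

WEB_SG = {"inbound": [Rule(443, 443, "0.0.0.0/0")], "outbound": []}
OPS_SG = {"inbound": [Rule(22, 22, "10.0.0.0/8")], "outbound": []}

def https_round_trip(nacl):
    """Client 198.51.100.7:51234 -> server 10.0.1.10:443, then the reply. Verdicts are
    in the order each packet meets the layers: (nacl, sg) inbound, (sg, nacl) outbound."""
    sg = SecurityGroupSet(WEB_SG, OPS_SG)
    request = Flow("198.51.100.7", 51234, "10.0.1.10", 443)
    reply = Flow("10.0.1.10", 443, "198.51.100.7", 51234)
    return {"request": (nacl.evaluate(request, "inbound"), sg.evaluate(request, "inbound")),
            "reply": (sg.evaluate(reply, "outbound"), nacl.evaluate(reply, "outbound"))}

def ephemeral_port_demo():
    """A NACL that only allows 443 outbound drops the reply; the ephemeral range fixes it."""
    forgetful = NetworkAcl([Rule(443, 443, "0.0.0.0/0", number=100)],
                           [Rule(443, 443, "0.0.0.0/0", number=100)])
    fixed = NetworkAcl([Rule(443, 443, "0.0.0.0/0", number=100)],
                       [Rule(*EPHEMERAL, "0.0.0.0/0", number=100)])
    return https_round_trip(forgetful), https_round_trip(fixed)

def nacl_order_demo():
    """The same deny rule numbered before and after a broad allow: only the first fires."""
    ssh = Flow("203.0.113.5", 40000, "10.0.1.10", 22)
    deny_first = NetworkAcl([Rule(22, 22, "203.0.113.0/24", "deny", 90),
                             Rule(22, 22, "0.0.0.0/0", number=100)], [])
    deny_last = NetworkAcl([Rule(22, 22, "0.0.0.0/0", number=100),
                            Rule(22, 22, "203.0.113.0/24", "deny", 110)], [])
    return deny_first.evaluate(ssh, "inbound"), deny_last.evaluate(ssh, "inbound")

def sg_merge_demo():
    """SSH from 10.0.0.0/8 is allowed by OPS_SG although WEB_SG never mentions port 22;
    from a public address no attached group allows it, so the implicit deny applies."""
    sg = SecurityGroupSet(WEB_SG, OPS_SG)
    return (sg.evaluate(Flow("10.5.5.5", 4000, "10.0.1.10", 22), "inbound"),
            sg.evaluate(Flow("198.51.100.7", 4000, "10.0.1.10", 22), "inbound"))
```

Running `ephemeral_port_demo()` gives the verdict pair ("allow", "deny") for the reply through the forgetful NACL: the security group passes it from its connection table, the NACL has no rule for destination port 51234 and falls through to the final deny. `nacl_order_demo()` returns ("deny", "allow") for the same packet against the two rule orderings, and `sg_merge_demo()` returns ("allow", "deny").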