Network ACLs & Security Group
2 min readSep 11, 2021
Network ACLs
- A Network ACLs (NACLs) is an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- It is at a Subnet level and has separate inbound and outbound rules, and each rule can either allow or deny traffic.
- Default ACL allows all inbound and outbound traffic.
- It is Stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa.
- NaCl is a great way of blocking a specific IP at the subnet level.
- Define NACL rules
- Rules have a number (1–32766) and higher precedence with a lower number.
- E.g. If you define #100 ALLOW and #200 DENY, IP will be allowed.
- The last rule is an asterisk (*) and denies a request in case of no rule match • AWS recommends adding rules by the increment of 10.
- Newly created ACL denies all inbound and outbound traffic.
- E.g. if you enable Inbound SSH on port 22 from the specific IP address, you would need to add an Outbound rule for the response as well.
Security Group
- Acts at an Instance level and not at the subnet level.
- Specifying only Allow rules, but not deny rules.
- It is Stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa.
- Allows adding or removing rules (authorizing or revoking access) for both Inbound (ingress) and Outbound (egress) traffic to the instance.
- Default Security Group allows no external inbound traffic but allows inbound traffic from instances with the same security group.
- Default Security Group allows all outbound traffic
- Rules with the most permissive rule taking precedence for e.g. if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from 0.0.0.0, everyone has access to TCP port 22.
Network ACLs & Security Group Incoming Request example
Network ACLs & Security Group Outgoing Request
