This question is always asked in interviews for cloud security, cloud architect or cloud technology roles. To understand the difference between "Network access control list (NACL)" and "Security groups", let's first understand the following terms in the context of the cloud.
- Virtual machine (VM) - In simple terms, a VM is a software-defined computer that runs on a hypervisor and shares the physical host's hardware. It can do everything a physical computer can do: run an operating system, provide computing power and storage capacity, and connect to external systems. It also needs the same maintenance a physical computer needs, e.g. software upgrades, patching and security updates.
- Virtual private cloud (VPC) - In easy words, a VPC is a logically isolated private network space inside a public cloud. Within a VPC you can create subnets, launch VM instances on those subnets, store data and do everything else users can do in the public cloud. A VPC offers the scalability and availability of the public cloud together with the network isolation of a private cloud.
- Subnet - A network inside a network. A subnet is a range of IP addresses within a VPC's address space; those addresses are reserved for that subnet and are not available to other subnets in the network. Subnets make routing more efficient, because hosts in the same subnet reach each other directly without going through a router. Inside a VPC the subnet ranges are private IP addresses, which are not reachable from the internet directly.
- Firewall - A network security component that monitors your incoming and outgoing network traffic and allows or blocks packets based on configured security rules and business rules.
Security Group Vs Network ACL
A security group is a firewall applied at the instance level; a NACL is a firewall applied at the VPC subnet level.
Security groups and network ACLs can be compared in the following categories:
- State
- Scope
- Rules
- Order of Defense
State - Stateful or Stateless
State is the most important factor when comparing security groups and network ACLs.
Security groups are stateful: the firewall tracks connections, so reply traffic for a request that was allowed in one direction is automatically allowed in the other direction, regardless of the rules configured for that direction.
- An "Allow" rule for incoming requests on port 2222 means the responses the instance sends back on that connection are allowed out, even if no outbound rule permits them.
- Conversely, if an outbound rule lets the instance call out to port 443, the responses are allowed back in without any inbound rule.
- Security groups have no "Block" rules to mirror (see Rules below); traffic that matches no allow rule is simply dropped.
Network ACLs are stateless: inbound and outbound rules are evaluated independently and connections are not tracked. A rule applied to incoming requests does not apply to the outgoing responses by default. If you want the same rule in both directions, you have to add it to the inbound and the outbound rule set respectively.
- A "Deny" rule for incoming requests on port 8333 does not block outgoing traffic on port 8333 unless you add an outbound deny rule as well.
- An "Allow" rule for incoming requests on port 9999 does not allow the responses out. Responses go back to the client's ephemeral source port (typically somewhere in 1024-65535), so the outbound rule set must allow that range; otherwise the requests are accepted but the replies never leave the subnet.
Scope - Instance or Subnet
A security group's scope is a single instance (e.g. a VM instance, technically its network interface): it protects that instance according to the configured rules. One security group can be attached to multiple instances, and an instance can have more than one security group attached. When several security groups are attached to one instance, their rules are combined (the union of all allow rules applies), so overlapping rules are easy to miss. For example, security group A opens port 80 to everyone, while security group B opens port 80 to a single IP address. If you remove the port 80 rule from security group A expecting to close the port, security group B still has port 80 open to that address. Such mistakes are easy to spot with a small number of instances or security groups; with a large number they become hard to find.
Network ACLs apply at the subnet level, so every instance in the associated subnet gets the rules applied. A network ACL has separate inbound and outbound rule sets, and each rule either allows or denies traffic. The rules form a numbered list that is evaluated in order, starting with the lowest numbered rule; the first rule that matches decides whether the traffic is allowed in or out of any subnet associated with the network ACL, and traffic that matches no rule is dropped by the final catch-all deny rule. The highest number you can use for a rule is 32766. Create rules in increments (for example, increments of 10 or 100) so that you can insert new rules between existing ones later. A subnet can be associated with only one NACL at a time, while one NACL can be associated with several subnets.
Rules - Allow or Deny
Security groups support allow rules only; anything not explicitly allowed is implicitly denied. E.g. you cannot deny a specific IP address from establishing a connection. All rules in a security group are evaluated before a decision is made, and traffic that matches any allow rule is let through; the order of the rules does not matter.
Network ACLs support both allow and deny rules. With deny rules you can explicitly prevent a specific IP address from establishing a connection, for example: block IP address 22.214.171.124 from connecting to any instance in the subnet. NACL rules are evaluated in order, i.e. the rule with the lowest number is processed first, and the first match wins. A deny rule therefore needs a lower number than any allow rule that would otherwise match the same traffic, or it never takes effect.
Order of Defense
For inbound (ingress) requests the network ACL is the first layer of defense and the security group is the second: a packet must pass the subnet's NACL before the instance's security group ever sees it.
For outbound (egress) requests the order is reversed: the security group is the first layer of defense and the network ACL is the second.
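To make the four comparisons above concrete, here is a small Python model of the behaviour described in the State, Scope, Rules and Order of Defense sections. It is an added example written for this page, not AWS code or any cloud provider's implementation; the rule shapes, class names, the sample addresses (10.0.1.10, 203.0.113.5 and the 22.214.171.124 address from the text) and the ephemeral port range are assumptions, and protocol (TCP/UDP) is ignored to keep the model short. It shows a stateful security group letting replies out with no outbound rule, a stateless NACL dropping those same replies when the ephemeral range is missing, a deny rule that only works when its number is lower than the matching allow, and the NACL-then-security-group order on ingress versus the reverse on egress.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example: a toy model of the semantics described above (stateful vs
# stateless, allow-only vs allow/deny, ordered evaluation, order of defense).
# Not AWS code; rule shapes, names and sample addresses are assumptions.
# Protocol (TCP/UDP) is ignored to keep the model small.

EPHEMERAL = (1024, 65535)   # assumed range a client picks for its side of a flow


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    cidr: str        # remote network the rule applies to
    ports: tuple     # (low, high) inclusive destination-port range
    number: int = 0  # NACL rule number; unused for security groups

    def matches(self, remote_ip, dst_port):
        low, high = self.ports
        return ip_address(remote_ip) in ip_network(self.cidr) and low <= dst_port <= high


class SecurityGroup:
    """Instance-level firewall: stateful, unordered, allow rules only."""

    def __init__(self, name, inbound=(), outbound=()):
        for r in (*inbound, *outbound):
            if r.action != "allow":
                raise ValueError(f"{name}: security groups cannot hold deny rules")
        self.name, self.inbound, self.outbound = name, list(inbound), list(outbound)


class Instance:
    def __init__(self, ip, groups):
        self.ip = ip
        self.groups = list(groups)
        self.flows = set()   # connection tracking: (remote_ip, remote_port, local_port)

    def allows(self, pkt, direction):
        if direction == "in":
            flow, remote, port = (pkt.src_ip, pkt.src_port, pkt.dst_port), pkt.src_ip, pkt.dst_port
            rules = [r for g in self.groups for r in g.inbound]
        else:
            flow, remote, port = (pkt.dst_ip, pkt.dst_port, pkt.src_port), pkt.dst_ip, pkt.dst_port
            rules = [r for g in self.groups for r in g.outbound]
        if flow in self.flows:           # stateful: a reply to a tracked flow needs no rule
            return True
        if any(r.matches(remote, port) for r in rules):   # union across all attached groups
            self.flows.add(flow)
            return True
        return False                     # implicit deny


class NetworkACL:
    """Subnet-level firewall: stateless, numbered, allow or deny, first match wins."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        if direction == "in":
            rules, remote, port = self.inbound, pkt.src_ip, pkt.dst_port
        else:
            rules, remote, port = self.outbound, pkt.dst_ip, pkt.dst_port
        for r in rules:                  # lowest number first; stop at the first match
            if r.matches(remote, port):
                return r.action == "allow"
        return False                     # the trailing '*' deny rule


def ingress(nacl, inst, pkt):
    """Inbound: NACL at the subnet edge first, then the instance's security groups."""
    return nacl.allows(pkt, "in") and inst.allows(pkt, "in")


def egress(nacl, inst, pkt):
    """Outbound: security groups first, then the NACL on the way out of the subnet."""
    return inst.allows(pkt, "out") and nacl.allows(pkt, "out")


def serve_http(nacl, client_ip):
    """Return (request_allowed, reply_allowed) for one HTTP request to a fresh web server."""
    web = SecurityGroup("web", inbound=[Rule("allow", "0.0.0.0/0", (80, 80))])  # no outbound rules
    srv = Instance("10.0.1.10", [web])
    req = Packet(client_ip, 40000, srv.ip, 80)
    reply = Packet(srv.ip, 80, client_ip, 40000)
    return ingress(nacl, srv, req), egress(nacl, srv, reply)


def demo():
    http_in = Rule("allow", "0.0.0.0/0", (80, 80), 100)
    block = Rule("deny", "22.214.171.124/32", (0, 65535), 50)
    # forgot the outbound ephemeral range: the request gets in, the reply never leaves
    no_replies = NetworkACL(inbound=[http_in], outbound=[])
    # correct NACL: deny numbered before the allow, replies allowed on ephemeral ports
    good = NetworkACL(inbound=[block, http_in], outbound=[Rule("allow", "0.0.0.0/0", EPHEMERAL, 100)])
    # same rules, wrong numbers: the allow is evaluated first, so the deny never fires
    misordered = NetworkACL(inbound=[Rule("deny", block.cidr, block.ports, 200), http_in],
                            outbound=good.outbound)
    return {
        "missing_ephemeral": serve_http(no_replies, "203.0.113.5"),    # (True, False)
        "good_client": serve_http(good, "203.0.113.5"),                # (True, True)
        "blocked_client": serve_http(good, "22.214.171.124"),          # (False, False)
        "deny_after_allow": serve_http(misordered, "22.214.171.124"),  # (True, True)
    }


if __name__ == "__main__":
    for name, (req_ok, reply_ok) in demo().items():
        print(f"{name:18} request in: {req_ok!s:5} reply out: {reply_ok}")
```

The `missing_ephemeral` case is the classic stateless mistake: the security group lets the reply out purely on connection state, but the NACL has no outbound rule for the client's ephemeral port, so the client sees accepted connections that never answer. The `deny_after_allow` case shows why the numbering matters: the same deny rule blocks the client when numbered 50 and is dead when numbered 200.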