Security Groups vs. Network ACLs

Lesson Objectives

By the end of this lesson, you will:

1. Understand the purpose of Security Groups and Network ACLs (Access Control Lists) in AWS networking.
2. Learn the key differences between Security Groups and Network ACLs.
3. Explore real-world use cases for both Security Groups and Network ACLs.
4. Configure and test Security Groups and Network ACLs in a hands-on lab.

---

Introduction: Securing Your AWS Resources

Imagine you’re setting up a new office. To protect your employees and assets, you install locks on individual rooms (fine-grained security) and set up security checkpoints at the building’s entrances (broad perimeter control). In AWS, Security Groups act like the locks, controlling access at the instance level, while Network ACLs (NACLs) act like the checkpoints, governing traffic at the subnet level.

Both Security Groups and NACLs are essential tools for protecting your AWS resources, but they operate differently and serve distinct purposes. Let’s explore their roles, differences, and configurations.

---

What are Security Groups?

A Security Group acts as a virtual firewall for your EC2 instances. It controls inbound and outbound traffic at the instance level based on rules you define.

Key Features:

1. Instance-Level Control: Security Groups are associated directly with EC2 instances.
2. Stateful: Responses to allowed inbound traffic are automatically permitted for outbound traffic.
3. Default Deny: By default, all inbound traffic is denied, and all outbound traffic is allowed.

Rules:

• Inbound Rules: Specify what traffic is allowed to reach the instance (e.g., SSH, HTTP).
• Outbound Rules: Specify what traffic the instance can send out.

Use Case:

• Protect web servers by allowing only HTTP/HTTPS traffic and SSH access.

---

What are Network ACLs?

A Network ACL (NACL) is a layer of security for your VPC subnets. It controls inbound and outbound traffic at the subnet level.

Key Features:

1. Subnet-Level Control: NACLs are associated with subnets, and all instances in the subnet inherit the NACL rules.
2. Stateless: Traffic responses must be explicitly allowed by both inbound and outbound rules.
3. Default Deny: By default, all inbound and outbound traffic is denied.

Rules:

• Rules are evaluated in numerical order (lowest to highest).
• Allow and Deny rules can coexist.

Use Case:

• Apply broader security controls for an entire subnet, such as allowing only trusted IP ranges.

---

Key Differences: Security Groups vs. Network ACLs

Feature	Security Groups	Network ACLs
Scope	Instance-level	Subnet-level
State	Stateful	Stateless
Rules	Only allow rules	Allow and deny rules
Default Rules	Inbound: Deny, Outbound: Allow	Inbound & Outbound: Deny
Evaluation	All rules are evaluated	Rules are evaluated in order
Use Case	Fine-grained access control	Broad subnet-level control

---

Step-by-Step Lab: Configuring Security Groups and Network ACLs

---

Scenario: Set up a web server in a public subnet and restrict access using Security Groups and NACLs.

---

Part 1: Configuring Security Groups

Step 1: Create a Security Group

1. Log in to AWS:
   • Go to the AWS Management Console.
2. Navigate to EC2:
   • In the search bar, type EC2 and click on the service.
3. Create Security Group:
   • In the left-hand menu, select Security Groups.
   • Click Create Security Group.
   • Configure:
     • Name: WebServerSG.
     • Inbound Rule:
       • Allow HTTP (port 80) from 0.0.0.0/0.
       • Allow SSH (port 22) from My IP.
     • Outbound Rule: Allow all traffic (default).
   • Click Create Security Group.

---

Step 2: Attach the Security Group to an Instance

1. Launch an EC2 instance in a public subnet.
2. During the configuration step, select the WebServerSG Security Group.
3. Test the configuration:
   • SSH into the instance using its public IP and verify connectivity.
   • Access the instance’s HTTP endpoint using a browser.

---

Part 2: Configuring Network ACLs

Step 1: Create a Network ACL

1. Navigate to VPC:
   • In the search bar, type VPC and click on the service.
2. Create Network ACL:
   • In the left-hand menu, click Network ACLs.
   • Click Create Network ACL.
   • Configure:
     • Name: WebSubnetNACL.
     • VPC: Select your VPC.
   • Click Create.

---

Step 2: Add Rules to the NACL

1. Edit Inbound Rules:
   • Allow HTTP (port 80) from 0.0.0.0/0.
   • Allow SSH (port 22) from My IP.
2. Edit Outbound Rules:
   • Allow all traffic.
3. Save Changes.

---

Step 3: Associate the NACL with a Subnet

1. Go to the Subnets section in the VPC dashboard.
2. Select your public subnet.
3. Click Edit Network ACL Association.
4. Choose WebSubnetNACL and save.

---

Part 3: Test the Configuration

1. Verify Security Group Rules:
   • Test SSH and HTTP connectivity to the EC2 instance.
2. Test NACL Rules:
   • Modify the NACL rules to block specific traffic (e.g., deny SSH access) and verify the impact.

---

Reflection: Using Security Groups and NACLs Together

• Security Groups: Provide fine-grained, instance-level control.
• NACLs: Act as an additional layer of protection at the subnet level.
• Use Security Groups for application-specific rules and NACLs for broader network policies.

This layered approach enhances the overall security of your AWS environment.

---

What’s Next?

In the next chapter, we’ll dive into IAM Fundamentals, exploring how to manage users, roles, and policies to control access to your AWS resources.

Your networking and security foundation is growing stronger—let’s keep building!