AWS Security Groups and Network Access Control Lists (NACLs)

Key differences and scope of Security Groups and NACLs, with real-time examples.

Security Groups VS NACL

Security Groups

Scope: Associated with individual EC2 instances.

Functionality: Control inbound and outbound traffic to and from specific instances.

Rules: Stateful (return traffic is automatically allowed if the initial request was permitted).  

Default: Allow all traffic.

Use Case: Primarily for controlling traffic at the instance level.

NACL

Scope: Associated with subnets. 

Functionality: Control traffic in and out of a subnet.

Rules: Stateless (return traffic must be explicitly allowed).

Default: Deny all traffic (except for ICMP traffic for certain types of messages).

Use Case: For granular control over traffic at the subnet level, often used as a first line of defense. 

Key Differences

| | Security Group | NACL |
|---|---|---|
| Scope | Instance level | Subnet level |
| Rules | Stateful | Stateless |
| Default | Allow all | Deny all |
| Use case | Instance-based traffic control | Subnet-based traffic control |

Let's work through some practical examples to get a clearer view of these two services.

  1. Go to the AWS console, open VPC, and create a VPC first, selecting the option "VPC and more".

  2. The "VPC and more" option also creates resources such as subnets, route tables and so on. It gives in-depth information about which resources have been created for you.

  3. Keep the default options.

  4. Now create the EC2 instance. We place the EC2 instance in the public subnet of the VPC to demonstrate security groups and the NACL.

  5. Edit the network configuration: click Edit and select demo-vpc instead of the default VPC, then check the subnet. By default the EC2 instance should be in the private subnet, but for this project we select the demo-public- subnet so that the EC2 instance sits in the public subnet. Select "Enable" for Auto-assign public IP. The rest of the configuration can stay as it is; then launch the instance.

  6. Once the instance is created, we will install Python and run an application on port 8000, then try to access it. It is blocked by the default security group, because that security group does not allow the traffic directly; you have to allow the traffic explicitly.

  7. Go to the console and log in to the instance with the .pem key.

    Execute the following command to install Python:

    sudo apt update && sudo apt install python3

Then start the server with the command python3 -m http.server 8000. Now the simple HTTP server is running on port 8000. Normally, if we open the instance's IP address on port 8000, we should be able to reach the port and the Python app.

We entered the instance IP address with port 8000 in the browser but were unable to access it.

The first thing to check is whether the port is allowed in the Security Group. In its inbound rules we can see that only port 22 is allowed, which is necessary to log in to the EC2 instance.

Then we check the NACL as well and look at its configuration.

The NACL is the first layer of defense for the entire subnet. The * rule is only triggered if the condition of the rule above it (100) is not met. Rules are evaluated in order of priority, lowest number first: if we add a rule 200 to the NACL, evaluation still starts from the lowest number, i.e. 100, and ends with *.

As of now all traffic is allowed in the NACL, so traffic is let in through the internet gateway; once the NACL accepts it, the traffic is directed to the route table. The route table then forwards the request to the EC2 instance. The last layer of defense, i.e. the security group, is blocking the request.
So we will go and unblock it in the security group.

Go to the inbound rules and add port 8000.

Once we open port 8000 in the security group, the application is accessible on port 8000 through the browser, and we also see the request and response output.

But what if, as a DevOps engineer, we have to deny a port at the NACL level? With a NACL we don't have to go and check individual instances one by one as we do with security groups, which is not a good practice.

Go to the NACL, open the inbound rules and click Edit inbound rules.

First remove the existing rule.

Then click Add new rule and deny the traffic for port 8000.

Click Save changes.

Now try to access the application from the browser: the application is no longer accessible.

The traffic has been blocked for the entire subnet. That is the power of the NACL.

Let's edit the inbound rules again and play around with the rule numbers while configuring them.

We set rule 100 to allow all traffic and rule 200 to deny traffic on port 8000.

Will we still be able to access our application on port 8000?

Yes, we are able to access the application on port 8000 even though we have denied port 8000 in the NACL. Why? Because the NACL follows a specific order. AWS always checks the lowest rule number first, so here rule 100 is evaluated first and acted on with priority.

We can also do it in the reverse order:

Now the lowest number, 100, is the deny rule, so AWS goes with the lowest number and acts on that first rule. We are no longer able to access the application on port 8000.
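The rule ordering and the two layers from this walkthrough can be reproduced offline with a small model. This is an added example, not AWS code or part of the original post: the function names, rule tuples, rule number 90 and the client address are constructed for illustration, and only inbound evaluation is modelled.

```python
# Added illustration: simplified model of inbound filtering (not AWS code).
from ipaddress import ip_address, ip_network

def nacl_decision(rules, src_ip, port):
    """Evaluate NACL rules lowest number first; the first match decides.

    rules: list of (rule_number, cidr, port_or_None, "allow" | "deny").
    A port of None means all ports. The implicit '*' rule denies.
    """
    for number, cidr, rule_port, action in sorted(rules, key=lambda r: r[0]):
        if ip_address(src_ip) in ip_network(cidr) and rule_port in (None, port):
            return action, number
    return "deny", "*"

def sg_allows(inbound_ports, port):
    """Security group: allow-only list; anything not listed is dropped."""
    return port in inbound_ports

def reaches_instance(nacl_rules, sg_ports, src_ip, port):
    """Traffic must pass the subnet NACL first, then the instance's SG."""
    action, _ = nacl_decision(nacl_rules, src_ip, port)
    return action == "allow" and sg_allows(sg_ports, port)

ANY = "0.0.0.0/0"
CLIENT = "203.0.113.10"  # constructed documentation address

# Rule 100 allows everything, rule 200 denies 8000: rule 100 matches first.
allow_first = [(100, ANY, None, "allow"), (200, ANY, 8000, "deny")]
# Reversed: rule 100 denies 8000, rule 200 allows everything else.
deny_first = [(100, ANY, 8000, "deny"), (200, ANY, None, "allow")]
# Constructed suspicious range denied ahead of the allow-all rule.
block_range = [(90, "203.0.113.0/24", None, "deny"), (100, ANY, None, "allow")]

if __name__ == "__main__":
    cases = [("allow_first", allow_first), ("deny_first", deny_first),
             ("block_range", block_range)]
    for name, rules in cases:
        print(name, nacl_decision(rules, CLIENT, 8000), "reaches instance:",
              reaches_instance(rules, {22, 8000}, CLIENT, 8000))
    # NACL allows the request, but the SG still has only port 22 open.
    print("SG with only 22:", reaches_instance(allow_first, {22}, CLIENT, 8000))
```
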

With a NACL we can work with IP addresses as well. In the real world, if we find IPs that look suspicious, we can block those IP address ranges.

Even if we allow the traffic in the Security Group, the NACL acts as the first layer of defense. So with the help of a NACL we can block traffic overall at the subnet level.

Thank You!! Keep Learning!!