I have a small doubt. Why does AWS have two levels of firewall Nacl and security groups. While we see in GCP and Azure we are having only one level of firewall. Isn't only Nacl enough in AWS? Can anyone explain what can be the reason why AWS have two levels of firewall and what is the need for it?
They have different use cases. – Marcin Sep 12 '20 at 10:34
1 Answer
There are a few differences between the two, although the reasoning why they are two separate resources is open to AWS opinion, so I cannot comment on that.
The security group is a firewall evaluated at the network interface level (ENI). This will be evaluated on the physical host before the traffic is passed to the virtualized resource. It is generally considered the simpler of the two, but it is limited in functionality to simply allowing either inbound or outbound access (there is no way to explicitly deny traffic; traffic not covered by a security group rule will be denied by default).
The NACL is a firewall that takes place at the subnet level. This resource performs the evaluation before the traffic touches the physical host your resources are located on. For this reason you cannot perform evaluations between network resources which are located in the same subnet (traffic is only evaluated as it leaves or enters a subnet).
One of the differentiators that make security groups useful is that, in addition to allowing IP ranges, you can also reference security groups and prefix lists as a source/destination for the rule.
Another key difference is that a security group is stateful (if traffic can speak in one direction, it can speak in the returning direction), whereas NACLs are stateless, which means traffic needs to be considered in both directions. For NACLs this will also include being aware of ephemeral ports.
In summary both serve a purpose: the security group allows evaluations for specific inbound traffic on the resource itself, whereas the NACL helps to filter inbound and outbound traffic of the network. Combining both of these will really help to lock down the network.
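To make the stateful/stateless and ephemeral-port points concrete, here is an added toy model (not part of the answer above and not AWS code) that evaluates the same HTTPS request/response pair through a security group and through two NACL rule sets. All addresses, ports and rules are constructed for illustration; the subnet 10.0.1.0/24, server 10.0.1.10 and the client addresses from the RFC 5737 documentation ranges are assumptions.

```python
"""Toy model of AWS security group vs network ACL decision logic.

Constructed example, not AWS code: it models the documented semantics
(SG = stateful, allow-only, per interface; NACL = stateless, numbered
allow/deny rules, per subnet) without calling any AWS API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected resource
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The packet a reply to this one would look like."""
        other = "out" if self.direction == "in" else "in"
        return Packet(other, self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def _matches(pkt, proto, port_from, port_to, cidr):
    # Rules match on destination port; the CIDR is the source for "in"
    # rules and the destination for "out" rules.
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (proto in (pkt.proto, "-1")
            and port_from <= pkt.dst_port <= port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Allow-only rules, implicit deny, and a connection table that lets
    reply traffic through without an explicit rule (stateful)."""

    def __init__(self, ingress=(), egress=()):
        # each rule: (proto, port_from, port_to, cidr)
        self.rules = {"in": list(ingress), "out": list(egress)}
        self._tracked = set()

    def evaluate(self, pkt):
        if pkt.reverse() in self._tracked:
            return True                      # reply to a connection already allowed
        if any(_matches(pkt, *rule) for rule in self.rules[pkt.direction]):
            self._tracked.add(pkt)
            return True
        return False                         # no deny rules exist; everything else is dropped


class NetworkAcl:
    """Numbered rules evaluated lowest-first, first match wins, explicit
    allow/deny, and no memory between packets (stateless)."""

    def __init__(self, subnet_cidr, inbound=(), outbound=()):
        # each rule: (number, proto, port_from, port_to, cidr, "allow" | "deny")
        self.subnet = ipaddress.ip_network(subnet_cidr)
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def evaluate(self, pkt):
        src_in = ipaddress.ip_address(pkt.src_ip) in self.subnet
        dst_in = ipaddress.ip_address(pkt.dst_ip) in self.subnet
        if src_in and dst_in:
            return True                      # never consulted for traffic staying inside the subnet
        for _number, proto, pf, pt, cidr, action in self.rules[pkt.direction]:
            if _matches(pkt, proto, pf, pt, cidr):
                return action == "allow"
        return False                         # the implicit "*" deny rule


# Constructed scenario: an internet client opens HTTPS to a web server.
CLIENT, SERVER = "203.0.113.5", "10.0.1.10"
REQUEST = Packet("in", CLIENT, 51000, SERVER, 443)   # SYN from an ephemeral port
RESPONSE = REQUEST.reverse()                          # SYN-ACK back to client port 51000


def https_exchange(fw):
    """(request allowed, response allowed) for one filter."""
    return fw.evaluate(REQUEST), fw.evaluate(RESPONSE)


def demo():
    sg = SecurityGroup(ingress=[("tcp", 443, 443, "0.0.0.0/0")])   # no egress rules at all
    naive = NetworkAcl("10.0.1.0/24",
                       inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                       outbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")])
    fixed = NetworkAcl("10.0.1.0/24",
                       inbound=[(50, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
                                (100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                       outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    same_subnet_ssh = Packet("in", "10.0.1.20", 51000, SERVER, 22)
    return {
        "sg": https_exchange(sg),              # (True, True): reply rides on the tracked connection
        "naive_nacl": https_exchange(naive),   # (True, False): reply to port 51000 matches no outbound rule
        "fixed_nacl": https_exchange(fixed),   # (True, True): ephemeral-port outbound rule added
        "explicit_deny": fixed.evaluate(Packet("in", "198.51.100.7", 51000, SERVER, 443)),  # False
        "intra_subnet_nacl": naive.evaluate(same_subnet_ssh),   # True: NACL is not consulted
        "intra_subnet_sg": sg.evaluate(same_subnet_ssh),        # False: SG still filters per interface
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `naive_nacl` case is the mistake the answer warns about: an outbound NACL rule for port 443 never matches the server's replies, because their destination port is the client's ephemeral port, so the handshake silently fails until an outbound 1024-65535 rule exists. The `intra_subnet_*` cases show why both layers are worth keeping: the NACL does not see traffic between two hosts in the same subnet, while the security group still evaluates it at the interface.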
