This is the first article of a series that discusses the layers of security in an AWS virtual private cloud (VPC).

We will discuss:

  • Security groups
  • Network access control list (ACL)
  • Comparison between security groups and network ACL

There are multiple layers within a VPC where security can be enforced. The security measures can be very restrictive and applied at the instance level, or less restrictive and applied at the subnet level, in which case the same measures apply to all instances in that subnet.

A security group controls the inbound and outbound traffic to and from the EC2 instance. An EC2 instance can be assigned to up to five security groups when it is launched. If no security groups are assigned when the EC2 instance is launched, then the default security group of the VPC is used.

Let’s discuss some basic concepts of security groups:

  • There can be no more than 500 security groups in a VPC.
  • Only allow rules can be specified.
  • The rules that control the inbound traffic are different from the rules that control the outbound traffic.
  • By default, the outbound rule allows all the traffic, but it can be changed to allow only specific outbound traffic.
  • Only destination ports can be filtered.
  • Response to allowed inbound traffic is allowed whether or not there is an outbound rule that allows the traffic.
  • Response to allowed outbound traffic is allowed whether or not there is an inbound rule that allows the traffic.
  • Two instances that have the same security group assigned cannot communicate with each other if there are no rules that allow the communication.
  • The security group at instance launch is associated with the primary network interface.

As mentioned, there is a default security group for each VPC. This is the security group to which each EC2 instance is associated if there is no security group specified at launch.

These are the inbound rules of a default security group:

As you can see, the source from which the traffic is allowed is the same as the security group ID. This means that inbound traffic from the EC2 instances assigned to the same default security group is allowed. Keep in mind that this is not true for a different security group, for which, as mentioned above, you need to specifically allow the inbound traffic.

And these are the outbound rules of the default security group:

This means that all the outbound traffic is allowed.

As mentioned, the default security group rules can be changed, but the default security group cannot be deleted.

The rules can allow access to CIDR ranges (it can be a host or a network) or to another security group in the VPC.

These are the parts of a rule:

  • For inbound rules, the source of the traffic (CIDR or security group) and the destination port/port range.
  • For outbound rules, the destination of the traffic (CIDR or security group) and the destination port/port range.
  • For all rules, any standard protocol with a protocol number can be specified and, for some protocols, a subtype of the protocol.
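
The inbound behaviour described above (allow-only rules, a source that is either a CIDR range or a security group, and the self-referencing rule of the default group) can be modelled in a few lines. This is an added example, not code from the original article or from AWS; the group IDs, addresses and the `Host`, `rule_matches` and `inbound_allowed` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SecurityGroup:
    group_id: str
    # Each inbound rule: (source, protocol, first_port, last_port).
    # source is a CIDR range or the ID of another security group.
    inbound: list = field(default_factory=list)

@dataclass
class Host:
    ip: str
    groups: list = field(default_factory=list)  # attached SecurityGroup objects

def rule_matches(rule, sender, protocol, port):
    source, rule_proto, first, last = rule
    if rule_proto != "all" and (rule_proto != protocol or not first <= port <= last):
        return False
    if source.startswith("sg-"):
        # Group reference: matches senders that have that group attached.
        return any(g.group_id == source for g in sender.groups)
    return ipaddress.ip_address(sender.ip) in ipaddress.ip_network(source)

def inbound_allowed(receiver, sender, protocol, port):
    # Allow-only semantics: traffic passes if any rule of any attached
    # group matches; there is no deny rule, unmatched traffic is dropped.
    return any(rule_matches(r, sender, protocol, port)
               for g in receiver.groups for r in g.inbound)

# Constructed sample data (hypothetical IDs, documentation-range addresses).
default_sg = SecurityGroup("sg-default", [("sg-default", "all", 0, 65535)])
web_sg = SecurityGroup("sg-web", [("0.0.0.0/0", "tcp", 443, 443)])

a = Host("10.0.1.10", [default_sg])
b = Host("10.0.1.11", [default_sg])
c = Host("10.0.2.10", [web_sg])
d = Host("10.0.2.11", [web_sg])
internet = Host("198.51.100.7")

def demo():
    return {
        "default_peer_ssh": inbound_allowed(b, a, "tcp", 22),
        "web_peer_ssh": inbound_allowed(d, c, "tcp", 22),
        "web_peer_https": inbound_allowed(d, c, "tcp", 443),
        "internet_to_web_https": inbound_allowed(d, internet, "tcp", 443),
        "internet_to_default_https": inbound_allowed(b, internet, "tcp", 443),
    }
```

Two hosts in `sg-web` cannot reach each other on port 22 because sharing a group grants nothing by itself; the default group only behaves differently because its rule names the group itself as the source.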

Let’s move on and discuss basic concepts of network ACLs:

  • A network ACL has a numbered list of rules that are evaluated in order, starting from the lowest numbered rule. When a rule matches the traffic, the evaluation of the network ACL stops.
  • There are inbound and outbound rules, and each rule can either allow or deny the traffic.
  • Network ACLs are not stateful, unlike security groups. For each incoming or outgoing flow, there must be a rule that allows the return traffic.
  • The default network ACL allows all inbound and outbound traffic.
  • Custom network ACLs are closed: they do not allow any traffic.
  • Every subnet is associated with a network ACL; unless the user changes this, the subnet is associated with the default network ACL.

Each rule of a network ACL has the following parts:

  • Rule number. As mentioned, the network ACL is evaluated from the lowest numbered rule and the evaluation stops once a match is found.
  • Protocol: any protocol that has a standard protocol number; for some protocols, a subtype can also be specified.
  • Destination port or port range.
  • DENY or ALLOW action for the traffic.

An inbound rule will match the source of the traffic (the CIDR range) and the outbound rule will match the destination of the traffic (the CIDR range).
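
The ordered, first-match evaluation and the stateless handling of return traffic can be seen in a small model. This is an added example, not code from the original article or from AWS; the rule sets, addresses, the 1024-65535 reply port range and the `AclRule`, `evaluate` and `round_trip` names are constructed for illustration, and an ACL with no matching rule is treated as closed, as the article describes for a custom network ACL.

```python
import ipaddress
from typing import NamedTuple

class AclRule(NamedTuple):
    number: int
    protocol: str      # "tcp", "udp" or "all"
    first_port: int    # destination port range, inclusive
    last_port: int
    cidr: str          # source (inbound list) or destination (outbound list)
    action: str        # "ALLOW" or "DENY"

def evaluate(rules, protocol, dest_port, peer_ip):
    """Return the action of the lowest-numbered rule that matches."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all":
            if rule.protocol != protocol:
                continue
            if not rule.first_port <= dest_port <= rule.last_port:
                continue
        if peer in ipaddress.ip_network(rule.cidr):
            return rule.action   # first match wins, later rules are ignored
    return "DENY"                # no numbered rule matched: the ACL is closed

def round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Evaluate a TCP request into the subnet and its reply out of it."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    # Stateless: the reply is judged on its own by the outbound list, and
    # its destination port is the client's source port.
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request, reply

# Constructed rule sets (documentation-range addresses).
INBOUND = [
    AclRule(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    AclRule(90, "tcp", 443, 443, "203.0.113.0/24", "DENY"),
]
OUTBOUND_EMPTY = []
OUTBOUND_REPLIES = [AclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW")]
```

With `OUTBOUND_EMPTY` the request is allowed in but the reply is dropped; adding the reply rule in `OUTBOUND_REPLIES` completes the round trip. Rule 90 denies `203.0.113.0/24` even though rule 100 would allow it, because the lower number is evaluated first.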

This is the default network ACL.

The inbound rules allow all traffic:

And the outbound rules also allow all traffic:

This is a custom network ACL and, as mentioned, no traffic is allowed on inbound:

Nor on outbound:

Let’s sum up the differences between the security groups and network ACLs:

| Security Group | Network ACL |
| --- | --- |
| Acts as a firewall at instance level | Acts as a firewall at subnet level |
| Supports only allow rules | Supports both allow and deny rules |
| It is stateful | It is stateless |
| All the rules are evaluated before a decision is taken | The evaluation stops once a rule matches the traffic |
| It is applied only if someone specifies this during the instance launch or later | It is automatically applied to all the instances from the subnet with which the network ACL is associated |

And we have reached the end of the introductory concepts about security groups and network ACLs.

Throughout this article, we saw the purpose of security groups and network ACLs, where they are applied and what the defaults are. At the end of the article, we summarized the differences between them.

In the next part of the series, we will test the behavior of the security groups and network ACLs.

Meanwhile, you can check the reference section of the article to get more information about security groups and network ACLs and see how you can create them, modify them, change an instance’s security group, how to associate a subnet with a network ACL, and how to delete the security groups and network ACLs.