Security Groups (SGs) and Network Access Control Lists (NACLs) are key security features provided by Amazon Web Services (AWS) with their Virtual Private Cloud (VPC) service.
A Security Group functions as a virtual firewall for your instance, controlling both inbound and outbound traffic. Each instance launched within a VPC can have up to five security groups. Unlike NACLs, Security Groups operate at the instance level rather than the subnet level. If no specific group is designated during launch, the instance is automatically placed in the default VPC security group.
Security Groups allow the creation of rules to manage inbound and outbound traffic.
A Network Access Control List (NACL) serves as an optional security layer for your VPC, functioning as a firewall to control traffic in and out of one or more subnets. Unlike Security Groups, NACLs support both allow and deny rules, providing additional security flexibility at the subnet level.
Before diving into creating a Security Group or NACL, let’s explore the differences between the two.
- Scope: SG operates at the instance level, while NACL operates at the subnet level.
- Rule Types: SG supports only allow rules, whereas NACL supports both allow and deny rules.
- Rule Evaluation: SG evaluates all rules collectively to permit traffic, whereas NACL evaluates rules in numerical order.
- Assignment: SGs must be explicitly assigned to an instance, while NACLs are automatically applied to all instances in their associated subnets.
This guide will take you through the process of creating an SG and an NACL in AWS.
Prerequisites
- AWS Account (create one if you don’t have one).
What will we do?
- Login to AWS.
- Create a Security Group.
- Create a Network Access Control List (NACL).
Login to AWS
- Click here to go to the AWS Login Page.
Upon clicking the above link, the AWS login page appears. Enter your login credentials to proceed.
After successful login, the main console page showcasing all AWS services will be displayed.
Create a Security Group
To set up a Security Group, click on “Services” in the top menu bar, search for “VPC,” and select the result.
In the main VPC Dashboard, choose “Security Groups” from the left panel to initiate the creation of your security group.
Click on “Create security group” to begin the creation process.
Give the Security Group a name and a description that makes its purpose easy to identify.
After creating the Security Group, open it by clicking the Security Group ID link to modify its Inbound and Outbound Rules.
In the SG interface, select “Inbound Rules” and click on “Edit Rules” to add new rules.
Configure rules by selecting the traffic type, port/port range, and source (My IP, Custom, or Anywhere). Include a description for clarity, then click “Save rules.”
Similarly, create outbound rules by navigating to the “Outbound Rules” tab and following the same steps.
Create a Network Access Control List
To create a Network Access Control List, select “Network ACLs” from the left panel.
Provide a name for the NACL, select the VPC it will apply to, and click on “Create.”
Upon creation, select your new NACL and navigate to the “Inbound Rules” tab.
Specify a rule number for each rule to determine its priority; lower numbers are evaluated first, and the first matching rule decides whether traffic is allowed or denied. Set the protocol, port range, source and action (Allow or Deny) for each rule, paying close attention to the order in which they will be evaluated.
Switch to the “Outbound Rules” tab and mirror these steps to establish outbound rules.
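As an added illustration of the evaluation differences listed earlier (this is not code from the original guide), the following Python model applies a constructed Security Group and two constructed NACL rule sets to sample traffic. It shows that a Security Group permits traffic if any allow rule matches, while a NACL deny rule only takes effect when its number is lower than a competing allow:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (priority); unused for Security Groups
    action: str     # "allow" or "deny"; Security Groups only accept "allow"
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # source CIDR the rule matches


def _matches(rule: Rule, protocol: str, port: int, src: str) -> bool:
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ip_address(src) in ip_network(rule.cidr))


def sg_permits(rules: list[Rule], protocol: str, port: int, src: str) -> bool:
    """Security Group semantics: allow-only rules evaluated collectively;
    traffic is permitted if ANY rule matches, otherwise implicitly denied."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("Security Groups support allow rules only")
    return any(_matches(r, protocol, port, src) for r in rules)


def nacl_permits(rules: list[Rule], protocol: str, port: int, src: str) -> bool:
    """NACL semantics: rules are walked in ascending rule-number order and the
    first match decides; the trailing '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, src):
            return rule.action == "allow"
    return False


# Constructed sample rule sets (documentation-range CIDRs, not a real account)
SG_RULES = [Rule(0, "allow", "tcp", 22, 22, "203.0.113.0/24"),
            Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]

# A deny for one network numbered AFTER a broad allow: the deny never fires
NACL_LATE_DENY = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                  Rule(110, "deny", "all", 0, 65535, "198.51.100.0/24")]

# The same two rules with the deny numbered lower, so it is evaluated first
NACL_EARLY_DENY = [Rule(90, "deny", "all", 0, 65535, "198.51.100.0/24"),
                   Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    print("SG   ssh   from 203.0.113.5 :", sg_permits(SG_RULES, "tcp", 22, "203.0.113.5"))
    print("NACL late  deny, 198.51.100.7:", nacl_permits(NACL_LATE_DENY, "tcp", 443, "198.51.100.7"))
    print("NACL early deny, 198.51.100.7:", nacl_permits(NACL_EARLY_DENY, "tcp", 443, "198.51.100.7"))
```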
Conclusion
This guide covered the processes of creating a Security Group and a Network Access Control List in AWS. While the steps are straightforward, careful attention is needed when configuring rules, especially for NACLs.
FAQ
Q: Can you apply a Security Group to multiple instances?
A: Yes, a Security Group can be applied to multiple instances simultaneously.
Q: Do NACLs allow inbound and outbound traffic by default?
A: The default NACL of a VPC comes with a set of rules allowing all inbound and outbound traffic, but these rules can be modified as needed.
Q: How many rules can a Security Group have?
A: A Security Group can accommodate up to 60 rules as of the current AWS limits.
Q: Can I assign a Security Group to a VPC?
A: Security Groups are associated with VPCs, but they are applied to instances deployed within the VPC.