NACL & Security Group

This lecture provides an in-depth understanding of Security Groups and Network Access Control Lists (NACLs) in the context of Amazon Web Services (AWS), specifically how they work in relation to EC2 instances and subnets. Here's a structured summary of the key points covered:

Security Groups vs. Network ACLs (NACLs)

Security Groups:
- Operate at the instance level.
- Are stateful: if an inbound request is allowed, the outbound reply is automatically allowed, regardless of outbound rules.
- Support allow rules only.
- All rules are evaluated to decide whether to allow traffic.
Network ACLs (NACLs):
- Operate at the subnet level.
- Are stateless: inbound and outbound rules are evaluated separately for each session.
- Support both allow and deny rules, enabling them to block specific IP addresses.
- Rules are processed in order, with the lowest numbered rule having the highest priority. The first match (allow or deny) determines the action.
- Each subnet in a VPC has to be associated with a NACL, and each new subnet is automatically associated with the default NACL, which allows all inbound and outbound traffic.

Key Concepts Explained

Stateful vs. Stateless:
- Stateful (Security Groups): Automatically allows return traffic for allowed inbound requests without checking outbound rules.
- Stateless (NACLs): Requires explicit rules for both inbound and outbound traffic, regardless of the direction of the initial request.
Ephemeral Ports:
- Temporary ports used by clients to receive replies from servers.
- Essential for configuring NACLs to allow return traffic from services, as the client's return port is not predetermined and falls within a specific range depending on the OS.

Configuration Examples

Inbound Request Flow: Request → NACL → Subnet → Security Group → EC2 Instance.
Outbound Request Flow (considering statefulness and statelessness): EC2 Instance → Security Group (automatically allowed out) → NACL (rules evaluated).

Best Practices

NACLs:
- Ideal for broad network-level traffic control.
- Use incrementing rule numbers (e.g., by 100s) for easier management and insertion of new rules.
- Default NACLs allow all traffic; custom NACLs start with all traffic denied.
Security Groups:
- Best for fine-grained, instance-level traffic control.
- Only allow rules are possible, making them less suitable for blocking specific IP addresses.

Practical Applications

Blocking Specific IP Addresses: Achieved at the subnet level with NACLs, not possible with Security Groups.
Ephemeral Ports Configuration: Essential for allowing return traffic through NACLs, with port ranges depending on the client's operating system.

This lecture emphasized the importance of understanding the differences between Security Groups and NACLs for effective AWS network security and traffic management.

Here's a comparison table that outlines the main differences between Network Access Control Lists (NACLs) and Security Groups in AWS:

Feature	NACLs	Security Groups
Level of Operation	Operates at the subnet level	Operates at the instance level
Statefulness	Stateless: separate rules for inbound and outbound traffic	Stateful: automatically allows return traffic for allowed inbound requests
Rule Types	Supports both allow and deny rules	Supports allow rules only
Rule Evaluation	Processes rules in numerical order; the first match decides	Evaluates all rules before deciding to allow traffic
Traffic Control	Controls traffic to and from subnets	Controls traffic to and from EC2 instances
Default Behavior	By default, denies all inbound and allows all outbound traffic (custom NACLs)	By default, allows all outbound and denies all inbound traffic
Association	Automatically associated with a subnet, one per subnet	Manually associated with EC2 instances, can be assigned to multiple instances
Use Case	Ideal for broad network-level traffic control, such as blocking specific IP addresses	Best for fine-grained, instance-level traffic control
Ephemeral Ports	Must explicitly allow ephemeral ports for outbound/inbound responses	Automatically handles ephemeral ports due to statefulness