Security group and network ACL in plain English

AWS VPC networking series (2)

In our previous post, we talked about several networking concepts in AWS VPC using a parking lot analogy. And in this post, I am going to keep using the concepts that could (theoretically 😎 ) exist in a parking lot to talk about the two important network security concept in VPC: security group and network ACL.

Security group is for securing specific instances

Imagine in our parking lot analogy, the parking spots all have their own doors. I have never visited such a parking lot, but I managed to found one below on Internet and can express my idea here.

(picture from Google: modern Swiss parking garage)

Security group is the gating/checking system at the door of this parking spot, parking garage

• When a car wanted to enter the parking spot, the checking system will check whether the car obeys all its rules:

  

  i.e., in the security group rule listed here, is the car coming from an allowed/listed place (source IP) for this specific visit (port)? — if it is not, it won’t allow the car coming in.

Network ACL is for securing the entrance / exit of the subnet

Imagine there is a check point at the entrance / exit of a parking lot, and network ACL is the rule that the check point personnel will be using to check the car in and out.

Any car passing the checkpoint must follow the rules defined in the network ACL.

One picture is worth of 1000 words, what is security group and what is network ACL?

Here is my analogy picture in the context of an (extended version of) large gated parking lot, which has been used in the last post. Please do read the previous post because I skipped some legends / text in the diagram below so that I can make enough space for today’s concept. And I here added the network ACL as the subnet checkpoint and security group as the parking spot’s door lock.

Security group is the door lock for a parking spot (an instance) and Network ACL is the checking point of a parking lot (a subnet)

And here is the real technical diagram explaining the difference between AWS security group and network ACL. Hopefully the above analogy and diagram made this diagram less intimidating, and if it achieved the goal, please give me a like ❤️ below 👇, thanks.

Network ACL and security group

In summary

In summary,

1. security group is to provide security mechanism at instance level — it’s like your door lock of a specific garage room (garage room is your instance in this analogy);

2. network ACL is to provide security mechanism at subnet level — it’s like the security check point of a specific parking lot (the specific parking lot is your subnet in this analogy)

In the next post, let’s talk about IGW and VGW in a daily driving analogy. (Please give me feedbacks 👇 so that I can make this series more helpful to non-networking folks to own their AWS backend design process.)