In our previous post, we talked about several networking concepts in AWS VPC using a parking lot analogy. In this post, I am going to keep using concepts that could (theoretically 😎) exist in a parking lot to talk about two important network security concepts in a VPC: the security group and the network ACL.
Security group is for securing specific instances
Imagine that in our parking lot analogy every parking spot has its own door. I have never visited such a parking lot, but I managed to find one on the Internet (pictured below) so I can express the idea here.
Security group: the gating/checking system at the door of this parking spot (or parking garage)
When a car wants to enter the parking spot, the checking system verifies that the car obeys all of its rules:
i.e., in the security group rules listed here, is the car coming from an allowed/listed place (the source IP range) for this specific kind of visit (the port)? If no rule matches, the car is not let in. Two things to keep in mind about this door check: a security group only has allow rules, so anything that does not match one is simply dropped, and it is stateful, so once a car is let in, its trip back out on that same visit is allowed automatically without a separate outbound rule.
Network ACL is for securing the entrance / exit of the subnet
Imagine there is a checkpoint at the entrance/exit of a parking lot; the network ACL is the rulebook the checkpoint staff use to check cars in and out.
Any car passing the checkpoint must follow the rules defined in the network ACL. Unlike the door check, the checkpoint rules are numbered and evaluated in order (lowest number first, first match wins), they can explicitly deny as well as allow, and they are stateless: a car is checked on the way in and again, independently, on the way out, so the return trip needs its own outbound rule.
A picture is worth a thousand words, so what is a security group and what is a network ACL?
Here is my analogy picture, in the context of an (extended version of the) large gated parking lot used in the last post. Please do read the previous post, because I skipped some legends/text in the diagram below to make room for today's concepts. Here I have added the network ACL as the subnet checkpoint and the security group as the parking spot's door lock.
And here is the real technical diagram explaining the difference between an AWS security group and a network ACL. Hopefully the analogy and diagram above made this one less intimidating; if so, please give me a like ❤️ below 👇, thanks.
In summary
In summary,
a security group provides the security mechanism at the instance level: it is like the door lock of a specific garage room (the garage room is your instance in this analogy); it is stateful and only has allow rules;
a network ACL provides the security mechanism at the subnet level: it is like the security checkpoint of a specific parking lot (the parking lot is your subnet in this analogy); it is stateless and has numbered allow and deny rules that are evaluated in order.
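To make the door check and the checkpoint concrete, here is a small model of how the two rule types are evaluated. This is an added example, not code from the original post, and it does not call AWS: it reproduces the evaluation semantics (stateful, allow-only security group versus stateless, numbered allow/deny network ACL) over constructed packets. The addresses (10.0.1.10, 203.0.113.5, 198.51.100.7), rule numbers and rules are all made up for illustration.

```python
"""Added example (not code from the original post): a small model of how AWS
evaluates security-group rules versus network-ACL rules. All addresses,
rule numbers and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The packet the receiver sends back on the same flow."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", ... or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str               # source CIDR for inbound, destination CIDR for outbound
    action: str = "allow"   # NACLs also accept "deny"; security groups are allow-only
    number: int = 0         # NACL rule number; lowest is evaluated first

    def matches(self, pkt, direction):
        remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))


class SecurityGroup:
    """Instance level. Allow-only and stateful: any matching rule allows the
    packet, and replies to an already-allowed flow are let through automatically."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()   # flows that have already been allowed

    def evaluate(self, pkt, direction):
        if pkt.reply() in self._tracked:
            return True         # stateful: this is a reply to a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self._tracked.add(pkt)
            return True
        return False            # no deny rules exist: anything unmatched is dropped


class NetworkAcl:
    """Subnet level. Stateless: every packet is checked on its own, in rule
    number order; first match wins; an implicit deny sits at the end."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:
            if rule.matches(pkt, direction):
                return rule.action == "allow"
        return False


def run_scenarios():
    """Constructed scenario: a web server at 10.0.1.10 (subnet 10.0.1.0/24)
    receives HTTPS from two Internet clients. Returns allow/deny per case."""
    allow_https = Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)
    sg = SecurityGroup(inbound=[allow_https], outbound=[])  # no outbound rule on purpose

    # NACL that forgot the outbound rule for the client's ephemeral reply port
    nacl_no_ephemeral = NetworkAcl(inbound=[allow_https], outbound=[])
    # NACL with the ephemeral range allowed and a deny that sorts BEFORE the allow
    nacl_good = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 90), allow_https],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)],
    )
    # Same deny rule but numbered AFTER the allow: it is never reached
    nacl_misordered = NetworkAcl(
        inbound=[allow_https, Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 110)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)],
    )

    good_client = Packet("tcp", "203.0.113.5", 50000, "10.0.1.10", 443)
    blocked_client = Packet("tcp", "198.51.100.7", 50001, "10.0.1.10", 443)

    return {
        "sg_request": sg.evaluate(good_client, "in"),
        "sg_reply": sg.evaluate(good_client.reply(), "out"),
        "sg_blocked_client": sg.evaluate(blocked_client, "in"),
        "nacl_no_ephemeral_request": nacl_no_ephemeral.evaluate(good_client, "in"),
        "nacl_no_ephemeral_reply": nacl_no_ephemeral.evaluate(good_client.reply(), "out"),
        "nacl_good_request": nacl_good.evaluate(good_client, "in"),
        "nacl_good_reply": nacl_good.evaluate(good_client.reply(), "out"),
        "nacl_good_blocked_client": nacl_good.evaluate(blocked_client, "in"),
        "nacl_misordered_blocked_client": nacl_misordered.evaluate(blocked_client, "in"),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

Running the block shows the three points that bite in practice: the security group lets the HTTPS reply out even with an empty outbound rule set (stateful), the network ACL without an outbound ephemeral-port rule silently breaks every connection on the way back (stateless), and a deny rule only works if its number sorts before the allow it is meant to override.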
In the next post, let's talk about the IGW and VGW with a daily-driving analogy. (Please give me feedback 👇 so that I can make this series more helpful to non-networking folks who own their AWS backend design process.)
I notice that the security group does not have the option to deny traffic while the NACL can do that, but technically any traffic not in the allowed rules is traffic to be denied from the SG point of view. Are there any design tricks underneath it, or is it what it is?