Difference between ACL and SG

What is the difference between ACL and SG? If both are firewalls, can one of them not serve the purpose of allowing any particular protocol? Why do I allow someone at the subnet level and deny at service level?
    Tia W

    Hi @bcagrawal Security groups apply at the instance level. So you can have a subnet with multiple instances and each instance can have a different security group with different ports allowed. The NACL applies at the subnet level. So you would have to allow all ports necessary for all of the instances within a subnet, but you can then allow only the specific ports necessary for each instance by assigning different security groups to instances that need different traffic allowed.

    Hopefully that clarifies.  Please let us know if you have any more questions.

    Hi @bcagrawal Security groups and Network ACLs both grant users the ability to control access based on the rules the user creates. The major difference between both being, Security Groups are applied at an instance level while NACLs are applied to the entire subnet. However, you can still assign a Security Group to more than one instance. The other difference is, Security Groups are stateful, meaning they remember the state of traffic being allowed, and this makes it so that you do not have to explicitly allow traffic going out if you allow that traffic going in, whereas NACLs are stateless, meaning you have to explicitly allow traffic in both the inbound and outbound directions.

    In my opinion, SGs offer much more flexibility in controlling access and are much more useful compared to NACLs. But the best practice is to always go for multi-tiered access control and use both NACLs and SGs to offer the best protection for your applications or servers running on your EC2 instances.

    Edwin S

    The main valid use case I've seen for ACLs is: I have a private subnet housing my application servers and databases, and I only want to allow the subnets where my bastion hosts and web servers reside to talk to the resources in those private subnets. Instead of including rules in all those security groups I can make an ACL rule and open my security groups wide enough to be stateless.
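The two points made in this thread, that a NACL is a stateless subnet-wide filter while a security group is a stateful per-instance filter, and the private-subnet layout Edwin describes, can be walked through in a small simulation. The following Python is an added example written for this page, not AWS code or anything posted in the thread. It models NACL evaluation (numbered rules, lowest first, first match wins, implicit deny, a separate rule needed for return traffic on the ephemeral ports) and security-group evaluation (allow-only rules plus connection tracking, so a reply to an allowed request passes with no rule). The subnets, addresses and ports are constructed samples, and the security groups define inbound rules only.

```python
"""Toy model of AWS security-group (stateful) vs network-ACL (stateless) filtering.
Added illustration: evaluation order and defaults follow the AWS documentation,
but every subnet, address and port below is a constructed sample."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# AWS documents 1024-65535 as the ephemeral range a NACL must allow for return traffic.
EPHEMERAL = (1024, 65535)
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" or "outbound", relative to the protected subnet/instance


@dataclass(frozen=True)
class Rule:
    direction: str
    ports: tuple           # (low, high), matched against the packet's destination port
    cidr: str              # remote network: source for inbound, destination for outbound
    action: str = "allow"  # NACLs also take "deny"; security groups are allow-only
    number: int = 0        # NACL evaluation order (lowest first); unused by security groups


def _matches(rule, pkt):
    remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    low, high = rule.ports
    return (rule.direction == pkt.direction
            and low <= pkt.dst_port <= high
            and ip_address(remote) in ip_network(rule.cidr))


def nacl_decision(rules, pkt):
    """Stateless: numbered rules checked lowest-first, first match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: a reply belonging to an already-allowed flow passes without any rule."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of allowed requests

    def decision(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "allow"  # connection tracking: this is the reverse of a tracked flow
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"


def evaluate(nacl_rules, sg, request):
    """Push a request and its reply through the subnet NACL, then the instance SG.
    Returns the per-layer verdicts and whether the whole flow works."""
    req_nacl = nacl_decision(nacl_rules, request)
    req_sg = sg.decision(request) if req_nacl == "allow" else "not reached"
    if req_sg != "allow":
        return {"request": (req_nacl, req_sg), "reply": ("not sent", "not sent"), "ok": False}
    reply = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port, "outbound")
    rep_nacl = nacl_decision(nacl_rules, reply)
    rep_sg = sg.decision(reply) if rep_nacl == "allow" else "not reached"
    return {"request": (req_nacl, req_sg), "reply": (rep_nacl, rep_sg), "ok": rep_sg == "allow"}


# Constructed topology: bastion subnet, web subnet, private subnet holding app and DB servers.
BASTION_SUBNET, WEB_SUBNET = "10.0.0.0/24", "10.0.1.0/24"
APP_SERVER, DB_SERVER = "10.0.2.10", "10.0.2.20"

# Subnet-level NACL on the private subnet: wide open to the two trusted subnets,
# and because it is stateless it must also allow the ephemeral return ports outbound.
PRIVATE_NACL = [
    Rule("inbound", ANY_PORT, BASTION_SUBNET, number=100),
    Rule("inbound", ANY_PORT, WEB_SUBNET, number=110),
    Rule("outbound", EPHEMERAL, BASTION_SUBNET, number=100),
    Rule("outbound", EPHEMERAL, WEB_SUBNET, number=110),
]
# The same NACL with the outbound rules forgotten: the classic stateless mistake.
PRIVATE_NACL_NO_RETURN = [r for r in PRIVATE_NACL if r.direction == "inbound"]


# Instance-level security groups narrow access per server.
def app_sg():
    return SecurityGroup([Rule("inbound", (8080, 8080), WEB_SUBNET),
                          Rule("inbound", (22, 22), BASTION_SUBNET)])


def db_sg():
    return SecurityGroup([Rule("inbound", (5432, 5432), APP_SERVER + "/32")])


WEB_TO_APP = Packet("10.0.1.5", 40000, APP_SERVER, 8080, "inbound")
WEB_TO_DB = Packet("10.0.1.5", 40001, DB_SERVER, 5432, "inbound")
INTERNET_TO_APP = Packet("203.0.113.7", 40002, APP_SERVER, 8080, "inbound")

if __name__ == "__main__":
    cases = [
        ("web -> app:8080, correct NACL", PRIVATE_NACL, app_sg(), WEB_TO_APP),
        ("web -> app:8080, NACL missing ephemeral outbound", PRIVATE_NACL_NO_RETURN, app_sg(), WEB_TO_APP),
        ("web -> db:5432, subnet allowed by NACL but DB's SG refuses", PRIVATE_NACL, db_sg(), WEB_TO_DB),
        ("internet -> app:8080", PRIVATE_NACL, app_sg(), INTERNET_TO_APP),
    ]
    for label, nacl, sg, pkt in cases:
        print(f"{label}: {evaluate(nacl, sg, pkt)}")
```

Running the four cases shows the layering in action: the web server reaches the app server only when the NACL carries both the inbound rule and the outbound ephemeral-port rule, because nothing on the NACL remembers that the request was allowed; the same web server is let into the private subnet by the NACL but is stopped by the database's security group, which is what "allow at the subnet level, deny at the service level" means in practice; and an address outside the trusted subnets never gets past the NACL at all.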

