We can use AWS Network ACL (NACL) and Security Group to manage the security of VPC.
According to this article,
Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
At a more granular level, the differences are:

| Security Group | Network ACL |
| --- | --- |
| Operates at the instance level, and port level | Operates at the subnet level, and IP address level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules |
| We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (therefore, you don't have to rely on users to specify the security group) |
It sounds very easy, right? But in real work, the configuration of NACLs and Security Groups must be carefully planned. Otherwise, we can end up with some complicated scenarios.
One lesson I learned is that the configuration of the ephemeral port range on DMZ subnets is important so that my private subnets can function correctly.
NACL Inbound and Outbound Rules in DMZ subnet:

| Rule # | Type | Protocol | Port Range | Source | Allow / Deny |
| --- | --- | --- | --- | --- | --- |
| 100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW |
| 200 | HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | ALLOW |
| 300 | SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | ALLOW |
| 400 | All ICMP – IPv4 | ICMP (1) | ALL | 0.0.0.0/0 | ALLOW |
| 500 | Custom TCP Rule | TCP (6) | 1024-65535 | 0.0.0.0/0 | ALLOW |
The client that initiates the request chooses the ephemeral port range. For example, if a request comes into a web server in your VPC from a browser on the Internet, your network ACL must have an outbound rule to enable traffic destined for ports 1024-65535. If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance.
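The following is an added toy model, not AWS code and not part of the original post, that makes the differences from the comparison table and the ephemeral-port lesson concrete. It implements a stateless, number-ordered NACL evaluator next to a stateful, allow-only security group evaluator, then replays the browser-to-web-server exchange described above through both. The DMZ inbound rules are the ones from the table; the two outbound rule sets (with and without the 1024-65535 rule), the IP addresses, client ports and the extra deny rule used to show rule ordering are all constructed sample values.

```python
"""Toy model of the two VPC firewall layers (added example, not AWS code):
a stateless, number-ordered network ACL and a stateful, allow-only security
group.  All addresses, ports and rule numbers below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp", "udp" or "icmp" (ports are 0 for icmp)

    def reply(self) -> "Packet":
        """The packet the other side sends back in answer to this one."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.protocol)


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number; ignored by security groups
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # security groups may only use "allow"

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.protocol not in ("all", pkt.protocol):
            return False
        if pkt.protocol != "icmp" and not self.port_from <= pkt.dst_port <= self.port_to:
            return False
        peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        return ip_address(peer) in ip_network(self.cidr)


def nacl_allows(rules: list[Rule], pkt: Packet, direction: str) -> bool:
    """Stateless: the lowest-numbered matching rule decides; no match is the
    implicit '*' deny.  Every packet, including a reply, is judged on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: a packet allowed by any rule opens a tracked flow, and traffic
    belonging to a tracked flow is allowed regardless of the rules."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        assert all(r.action == "allow" for r in inbound + outbound), "SGs have no deny rules"
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows: set[Packet] = set()  # connection-tracking table, keyed by first packet

    def allows(self, pkt: Packet, direction: str) -> bool:
        if pkt.reply() in self.flows:  # return traffic of an already accepted flow
            return True
        if any(r.matches(pkt, direction) for r in self.rules[direction]):
            self.flows.add(pkt)
            return True
        return False


ANY = "0.0.0.0/0"
# Inbound NACL rules of the DMZ subnet, as in the table above
DMZ_INBOUND = [
    Rule(100, "tcp", 80, 80, ANY), Rule(200, "tcp", 443, 443, ANY),
    Rule(300, "tcp", 22, 22, ANY), Rule(400, "icmp", 0, 0, ANY),
    Rule(500, "tcp", 1024, 65535, ANY),
]
# Two constructed outbound rule sets: without and with the ephemeral-port rule
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", 80, 80, ANY), Rule(200, "tcp", 443, 443, ANY)]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [Rule(500, "tcp", 1024, 65535, ANY)]


def simulate() -> dict[str, bool]:
    # Constructed flow: a browser on the Internet talks to a web server in the DMZ
    request = Packet("203.0.113.10", 51000, "10.0.1.5", 80, "tcp")
    response = request.reply()
    results = {
        "nacl_request_in": nacl_allows(DMZ_INBOUND, request, "inbound"),
        "nacl_response_out_without_ephemeral": nacl_allows(OUTBOUND_NO_EPHEMERAL, response, "outbound"),
        "nacl_response_out_with_ephemeral": nacl_allows(OUTBOUND_WITH_EPHEMERAL, response, "outbound"),
    }
    # Security group with one inbound HTTP rule and no outbound rule at all
    sg = SecurityGroup(inbound=[Rule(0, "tcp", 80, 80, ANY)], outbound=[])
    results["sg_request_in"] = sg.allows(request, "inbound")
    results["sg_response_out"] = sg.allows(response, "outbound")  # stateful: allowed anyway
    # NACL rule order matters: a deny only takes effect if numbered before the allow
    blocked_client = Packet("198.51.100.7", 52000, "10.0.1.5", 80, "tcp")
    early_deny = Rule(50, "tcp", 80, 80, "198.51.100.0/24", "deny")
    late_deny = Rule(150, "tcp", 80, 80, "198.51.100.0/24", "deny")
    results["nacl_deny_before_allow"] = nacl_allows(DMZ_INBOUND + [early_deny], blocked_client, "inbound")
    results["nacl_deny_after_allow"] = nacl_allows(DMZ_INBOUND + [late_deny], blocked_client, "inbound")
    return results


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name:40s} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the point of the post: the web server's response to the browser is dropped by the NACL unless the outbound rule for ports 1024-65535 exists, while the security group lets the same response through with no outbound rule at all because it tracks the accepted inbound request. The last two results go one step beyond the text and show why rule numbers matter: the same deny rule blocks the 198.51.100.0/24 client only when it is numbered below the HTTP allow rule.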