Network ACLs (NACLs) versus Security Groups (SGs) (Cheat Sheet)

To control the flow of data in and out of your VPCs and Subnets in AWS, you can use Network Access Control Lists (NACLs), Security Groups (SGs), or both.
But when should you use which? Let’s take a quick look.
Keeping threats out
As a general rule of thumb, you should always use Security Groups. They’re applied directly to hosts, like web servers or database instances, which means they’re one of the last layers of defense.
With that said, you typically want to block threats as far away from your important resources and data as you can, ideally before they even get near your hosts. That’s where NACLs step in: they’re applied at the subnet level, so they can evaluate every request going in or out of a subnet.
That means NACLs can block broad ranges of sources/destinations that you know should never be allowed in or out of a subnet, while SGs can block with much more specificity depending on the resource they’re designed to protect.
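The layering described above can be sketched as a small model. This is an added example, not code from the original post or from AWS. The CIDRs, ports and rule numbers are constructed, and it covers inbound traffic only. It also uses NACL rule ordering (lowest rule number first, first match wins, implicit deny), which the post does not go into.

```python
import ipaddress

# Constructed sample policy; every CIDR, port and rule number is illustrative.
# NACL rules: (rule number, action, source CIDR, port or None for any port).
SUBNET_NACL_INBOUND = [
    (100, "deny", "203.0.113.0/24", None),  # broad range never allowed in
    (200, "allow", "0.0.0.0/0", 443),
]
# Security group rules are allow-only: (source CIDR, port).
WEB_SG_INBOUND = [("198.51.100.0/24", 443)]


def _match(cidr, port, src, dport):
    in_range = ipaddress.ip_address(src) in ipaddress.ip_network(cidr)
    return in_range and (port is None or port == dport)


def nacl_allows(rules, src, dport):
    # Rules are checked in ascending rule number; the first match decides.
    for _num, action, cidr, port in sorted(rules, key=lambda r: r[0]):
        if _match(cidr, port, src, dport):
            return action == "allow"
    return False  # implicit final rule denies anything unmatched


def sg_allows(rules, src, dport):
    # A security group has no deny rules; anything not allowed is dropped.
    return any(_match(cidr, port, src, dport) for cidr, port in rules)


def inbound_verdict(src, dport):
    """Return the layer that stops an inbound packet, or 'allowed'."""
    if not nacl_allows(SUBNET_NACL_INBOUND, src, dport):
        return "blocked at subnet (NACL)"
    if not sg_allows(WEB_SG_INBOUND, src, dport):
        return "blocked at host (SG)"
    return "allowed"


if __name__ == "__main__":
    samples = [("203.0.113.7", 443), ("192.0.2.10", 443),
               ("198.51.100.5", 443), ("198.51.100.5", 22)]
    for src, port in samples:
        print(f"{src}:{port} -> {inbound_verdict(src, port)}")
```

The broad deny stops the first sample before it reaches any host, while the security group narrows what the NACL let through to the one source range the web server actually serves.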
Containing threats
Oftentimes, people talk about keeping threats outside of the VPC using these security controls, but what if a threat makes it through? You can also use these controls for containment and isolation:
- Amazon VPCs provide network isolation for a group of subnets
- NACLs provide subnet-based containment
- Security groups provide host-based containment
This cheat sheet explains that and a lot more, so save it as a reference guide!
