Security Groups (SGs) and Network Access Control Lists (NACLs) are features that come with Virtual Private Cloud (VPC) in Amazon Web Services (AWS).

SG acts as a firewall for our instance to control or restrict inbound and outbound traffic. When we launch an instance in a VPC, we can assign up to five security groups to the instance. Security groups act at the instance level and not the subnet level. If we don’t specify a particular group at launch time, the instance is automatically assigned to the default security group of the VPC.

We can add rules in the SG that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

An NACL is an optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets. We can set up NACLs with rules similar to SGs in order to add an additional layer of security on the Subnet.

Before proceeding further to create an SG and NACL, let's see the differences between the two.

  1. An SG operates at the instance level, whereas a NACL operates at the subnet level.
  2. An SG supports allow rules only; a NACL supports both allow rules and deny rules.
  3. An SG evaluates all rules before deciding whether to allow traffic, whereas a NACL processes rules in number order, and the first matching rule decides.
  4. An SG is applied to an instance only if someone specifies that security group, whereas a NACL is automatically applied to all instances in the subnets it is associated with.

In this article, we will see the steps to create an SG and NACL.

Pre-requisites

  1. AWS Account (Create one if you don’t have one).

What we will do?

  1. Login to AWS.
  2. Create a Security Group
  3. Create a Network Access Control List.

Login to AWS

  1. Click here to go to AWS Login Page.

When we open the above link, we will see a web page as follows, where we are required to log in using our login details.

[Screenshot: AWS Login]

Once we log in to AWS successfully, we will see the main console with all the services listed as follows.

[Screenshot: AWS Management Console]

Create a Security Group

To create an SG, click on “Service” in the top menu bar, search for “VPC” and click on the result.

[Screenshot: Create Security Group]

On the main VPC Dashboard, click on “Security Group” from the left panel to create your first security group.

[Screenshot: Resources by region]

Click on “Create security group” to create it.

[Screenshot: Security Group created successfully]

Give the Security group a name, along with a description that helps explain its purpose.

[Screenshot: Group name and description]

Once the Security group has been created, you will see the screen as follows. Click on the Security Group ID link to go to the SG and add Inbound and Outbound Rules.

[Screenshot: Group was created]

Here, click on “Inbound Rules” in the bottom menu beside the description, then click on “Edit Rules” to add rules to this SG.

[Screenshot: Inbound rules]

You can choose the type of rule to be added and its port or port range. In Source you can select “My IP”, “Custom” or “Anywhere”; this decides which source is allowed. Add a description that helps explain the purpose of the rule. Once you are done adding the desired rules, click on “Save rules”.

[Screenshot: Edit inbound rules]

Outbound rules can be added the same way we added Inbound rules.

[Screenshot: Outbound rules]

Create a Network Access Control List

To create an NACL, click on “Network ACLs” from the left panel.

[Screenshot: Network Access Control List]

Give the NACL a name, select the VPC to which this NACL will be applied, and click on Create.

[Screenshot: Create Network ACL]

Select the NACL you just created and click on “Inbound Rules” from the bottom menu.

[Screenshot: NACL Inbound Rules]

Add a Rule number, which decides the rule's priority relative to the other rules: the lowest number has the highest priority. Here, the first rule has Priority 1 for port 22 as Deny. This means that even though the second rule allows all traffic from anywhere (0.0.0.0/0), it has a lower priority (a higher number), so it has no effect on the Source of the first rule; traffic from that source is still denied. Be very careful when adding rules and assigning Rule numbers to them. Once you have added all the required rules, click on “Create”.
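The two evaluation models described above (in the SG/NACL differences list and in the rule-number discussion here) can be modelled in a few lines. This is an added example, not code from the article or from AWS: it treats an SG as a set of allow-only rules where any match permits the packet, and a NACL as a numbered list evaluated lowest number first, first match wins, with the implicit final rule `*` denying everything. The rule numbers, CIDRs and addresses are constructed for illustration.

```python
"""Model of how AWS evaluates Security Group (SG) and Network ACL (NACL) rules."""
from ipaddress import ip_address, ip_network


def _matches(rule, proto, port, src):
    """True if a rule's protocol, port range and source CIDR cover the packet."""
    return (rule["proto"] in ("all", proto)
            and rule["from_port"] <= port <= rule["to_port"]
            and ip_address(src) in ip_network(rule["cidr"]))


def sg_allows(rules, proto, port, src):
    """SG semantics: allow-only rules, all rules considered, any match allows."""
    return any(_matches(r, proto, port, src) for r in rules)


def nacl_decision(rules, proto, port, src):
    """NACL semantics: lowest rule number first, first match decides, else deny."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if _matches(r, proto, port, src):
            return r["number"], r["action"]
    return "*", "deny"  # implicit catch-all deny rule at the end of every NACL


# Constructed NACL mirroring the article's scenario: the low-numbered rule denies
# SSH from one source range, the higher-numbered rule allows everything from anywhere.
NACL = [
    {"number": 100, "action": "deny", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"number": 200, "action": "allow", "proto": "all", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]
# Constructed SG: SSH only from an admin range, HTTPS from anywhere.
SG = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "198.51.100.0/24"},
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(nacl_decision(NACL, "tcp", 22, "203.0.113.7"))   # (100, 'deny')
    print(nacl_decision(NACL, "tcp", 22, "192.0.2.9"))     # (200, 'allow')
    # Renumbering the deny rule above the allow-all rule silently disables it.
    swapped = [dict(NACL[0], number=300), NACL[1]]
    print(nacl_decision(swapped, "tcp", 22, "203.0.113.7"))  # (200, 'allow')
    print(sg_allows(SG, "tcp", 22, "192.0.2.9"))           # False
```

The `swapped` case is the mistake the article warns about: the same deny rule with a higher number than the allow-all rule never gets a chance to match.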

[Screenshot: Edit inbound rules]

You can follow the same steps to add outbound rules.

[Screenshot: Create Network ACL]

Conclusion

In this article, we saw the steps to create an SG and NACL. Creating an SG or NACL is very easy, but be very careful when adding rules to them, especially to a NACL.