AWS security groups vs. traditional firewalls: What's the difference?

AWS security groups provide network-based blocking mechanisms, much like traditional firewalls. Expert Dan Sullivan explains the differences between the two.

I've heard AWS security groups compared to traditional firewalls. What is a security group and how is it different from a firewall? Would the two ever be used in conjunction?

AWS security groups and firewalls are similar in that they are both defensive mechanisms for restricting network communications.

Firewalls are used to control network flows to and from subnets of networks or between networks, such as an enterprise network and the Internet. In some cases, firewalls are used on individual machines, such as personal firewalls on desktop computers.

Firewalls are a class of network security controls available from a wide range of vendors as well as open source projects.

AWS security groups are a vendor-specific feature of Amazon Web Services. Security groups provide a kind of network-based blocking mechanism that firewalls also provide. Security groups, however, are easier to manage.

Firewalls are generally configured with IP-specific rules, such as allowing or blocking traffic on a specific port or accepting traffic from a particular server. This kind of hard-coded rule can be difficult to manage. For example, if the IP address of a server changes, firewall rules referencing the old IP address will need to be updated. Also, if additional servers are added to a cluster that provides a service, consumers of those services will need to update firewall rules to allow traffic from the new members of the cluster.

AWS security groups streamline management using policies. A policy is a set of rules that is referenced by multiple servers. For example, servers in a cluster can all reference the same policy, which we will call SecPol_Cluster. When new servers are added to the cluster, they are configured to reference the SecPol_Cluster. Client devices that access services from the cluster are configured with a policy that allows communication with the servers using the SecPol_Cluster policy.
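The following is an added example, not code from the original article, that models the difference just described in plain Python: a firewall allow-list keyed on hard-coded source addresses beside a security-group model in which a rule on one group names another group as its source. The group names SecPol_Cluster and SecPol_Clients, the instance names and the 10.0.x.x addresses are constructed for the illustration, and the security-group rules follow the AWS convention of an inbound rule on the server group referencing the client group (AWS security groups are allow-only and stateful; the model keeps the allow-only part and ignores connection state). Scaling out either side shows that the group-based rules need no edit, while the IP-based rule set denies the new address until someone updates it.

```python
"""Added example: hard-coded IP firewall rules vs. group-referencing
security-group rules. All names and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class IpFirewall:
    """Classic allow-list keyed on source CIDR and destination port."""
    rules: list = field(default_factory=list)  # [(IPv4Network, port)]

    def allow(self, source_cidr, port):
        self.rules.append((ip_network(source_cidr), port))

    def permits(self, src_ip, port):
        ip = ip_address(src_ip)
        return any(ip in net and p == port for net, p in self.rules)


@dataclass
class SecurityGroups:
    """Security-group model: instances belong to groups, and an inbound rule
    on a group names a *source group* instead of an address. Allow-only:
    anything not matched by a rule is dropped."""
    members: dict = field(default_factory=dict)  # instance -> set of groups
    rules: dict = field(default_factory=dict)    # group -> [(source_group, port)]

    def join(self, instance, group):
        self.members.setdefault(instance, set()).add(group)

    def allow_from_group(self, group, source_group, port):
        self.rules.setdefault(group, []).append((source_group, port))

    def permits(self, src_instance, dst_instance, port):
        src_groups = self.members.get(src_instance, set())
        for group in self.members.get(dst_instance, set()):
            for source_group, p in self.rules.get(group, []):
                if p == port and source_group in src_groups:
                    return True
        return False


def scale_out_comparison():
    """Write rules for the initial deployment, then add one client and one
    cluster node without touching any rule. Returns which flows are allowed."""
    # Firewall: the single known client is hard-coded by address.
    fw = IpFirewall()
    fw.allow("10.0.2.10/32", 8080)

    # Security groups: the cluster admits anything carrying SecPol_Clients.
    sg = SecurityGroups()
    sg.join("web-1", "SecPol_Cluster")
    sg.join("web-2", "SecPol_Cluster")
    sg.join("app-1", "SecPol_Clients")
    sg.allow_from_group("SecPol_Cluster", "SecPol_Clients", 8080)

    # Scale out: new client app-2 (10.0.2.11) and new server web-3 (constructed).
    sg.join("app-2", "SecPol_Clients")
    sg.join("web-3", "SecPol_Cluster")

    return {
        "firewall_old_client": fw.permits("10.0.2.10", 8080),       # True
        "firewall_new_client": fw.permits("10.0.2.11", 8080),       # False: rule edit needed
        "sg_new_client_to_new_server": sg.permits("app-2", "web-3", 8080),  # True: no edit
        "sg_stranger": sg.permits("db-1", "web-3", 8080),           # False: not a member
        "sg_wrong_port": sg.permits("app-1", "web-1", 22),          # False: port not allowed
    }


if __name__ == "__main__":
    for flow, allowed in scale_out_comparison().items():
        print(f"{flow:32s} {'ALLOW' if allowed else 'DENY'}")
```

The model also shows why group membership, not only the rule set, becomes the thing to review: `db-1` is denied because it carries no group, so accidentally attaching SecPol_Clients to an instance would grant it access without any rule changing.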

Using security groups reduces the number of distinct configurations that have to be maintained and thereby helps reduce the chances of configuration errors. Since firewalls and security groups perform overlapping functions, there are only marginal benefits to running both (e.g., a catastrophic failure in one system would be mitigated by using the other mechanism).
