Virtualised Networking

What are AWS NACL or Security groups in a on-premises data center context?

Published: Tuesday, Apr 20, 2021 Last modified: Monday, May 10, 2021

A proactive step for on-premises data centers is to adopt well established Cloud concepts like NACLs and Security groups.

NACLs are stateless and accommodate DENY rules unlike Security groups. Security groups are a simple way of grouping services to allow them to communicate with one another.

NACLs are more like a traditional network-based firewall in that they are evaluated when a subnet boundary is traversed, but with the caveat they are stateless. There’s no real direct datacentre equivalent. Security Groups are more like host-based firewalls in that they act at the instance (actually ENI) level, but they are enforced by the hypervisor. Once again, no perfect datacentre equivalent.

…you could say a security group is like a firewall enforced by the switch port. And a NACL is probably closest to a route table, but with port and protocol granularity.


There realistically only appears to be two vendor options for serving on-premises incumbents, who can’t move to the public Cloud for whatever reason:

Clients have been known to move from OpenShift on-premises to Openshift PaaS in the cloud pretty seamlessly, so it provides an easy cloud migration path. OpenShift also allows Enterprises that don’t have the skillsets to operate/maintain a Kubernetes cluster to still get the benefits of scalability and container orchestration.