What are AWS NACLs or Security groups in an on-premises data center context?
Published: Tuesday, Apr 20, 2021 Last modified: Friday, May 12, 2023
A proactive step for on-premises data centers is to adopt well-established Cloud concepts like NACLs and Security groups.
NACLs are stateless and, unlike Security groups, accommodate explicit DENY rules. Security groups are stateful allow-lists: a simple way of grouping services (strictly, instance network interfaces) so that members can communicate with one another, with the return traffic of a permitted connection admitted automatically.
NACLs are more like a traditional network-based firewall in that they are evaluated when a subnet boundary is traversed, but with the caveat they are stateless. There’s no real direct datacentre equivalent. Security Groups are more like host-based firewalls in that they act at the instance (actually ENI) level, but they are enforced by the hypervisor. Once again, no perfect datacentre equivalent.
…you could say a security group is like a firewall enforced by the switch port. And a NACL is probably closest to a route table, but with port and protocol granularity.
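To make the stateless/stateful difference concrete, here is a small Python model of the two constructs, added as an example for this post; it is not AWS code and not anything the post's author shipped. It assumes a web server at 10.0.1.10 answering TCP/443, a client at 203.0.113.5 and an abusive range 198.51.100.0/24 (all constructed, documentation-reserved addresses), a simplified ephemeral port range of 1024 to 65535, and a simplified matcher that checks only direction, protocol, destination port and the remote CIDR. The point it demonstrates: a NACL needs an explicit outbound rule for ephemeral ports or it drops the server's replies, a Security group passes those replies because it tracks the connection, and only the NACL can express "deny this /24".

```python
import ipaddress
from dataclasses import dataclass

# Simplified ephemeral source-port range a client uses for its side of a TCP
# connection (assumption for this example; real ranges vary by OS).
EPHEMERAL = (1024, 65535)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    inbound: bool  # True = entering the subnet/instance, False = leaving it


def _matches(rule, pkt):
    """Shared match logic: direction, protocol, destination port, remote CIDR."""
    remote = pkt.src if pkt.inbound else pkt.dst
    return (rule.inbound == pkt.inbound
            and rule.proto in ("all", pkt.proto)
            and rule.ports[0] <= pkt.dport <= rule.ports[1]
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


@dataclass(frozen=True)
class NaclRule:
    number: int     # AWS evaluates rules lowest number first; first match wins
    inbound: bool
    proto: str
    ports: tuple    # (low, high) inclusive
    cidr: str
    action: str     # "allow" or "deny": a NACL can express DENY


class Nacl:
    """Stateless, ordered allow/deny list applied at the subnet boundary."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for rule in self.rules:
            if _matches(rule, pkt):
                return rule.action
        return "deny"  # the implicit '*' rule at the end of every NACL


@dataclass(frozen=True)
class SgRule:
    inbound: bool
    proto: str
    ports: tuple
    cidr: str       # allow only: a Security group has no DENY action


class SecurityGroup:
    """Stateful allow-list: replies to a permitted flow pass automatically,
    so no outbound rule is needed for the server's responses."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # connection-tracking table of permitted 5-tuples

    def evaluate(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "allow"  # reply to a tracked connection: stateful pass
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"


def web_server_nacl(with_ephemeral_return):
    """Inbound 443 from anywhere, except one abusive /24 denied first."""
    rules = [
        NaclRule(90, True, "tcp", (443, 443), "198.51.100.0/24", "deny"),
        NaclRule(100, True, "tcp", (443, 443), ANY, "allow"),
    ]
    if with_ephemeral_return:  # the rule people forget on a stateless filter
        rules.append(NaclRule(100, False, "tcp", EPHEMERAL, ANY, "allow"))
    return Nacl(rules)


def web_server_sg():
    return SecurityGroup([SgRule(True, "tcp", (443, 443), ANY)])


def run_scenario(nacl, sg):
    """Constructed packets: a request, the server's reply, and a hit from
    the denied range. Returns (nacl_verdict, sg_verdict) for each."""
    request = Packet("203.0.113.5", "10.0.1.10", "tcp", 51515, 443, inbound=True)
    reply = Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51515, inbound=False)
    blocked = Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 443, inbound=True)
    return {
        "request": (nacl.evaluate(request), sg.evaluate(request)),
        "reply": (nacl.evaluate(reply), sg.evaluate(reply)),
        "blocked_client": (nacl.evaluate(blocked), sg.evaluate(blocked)),
    }


if __name__ == "__main__":
    print("no ephemeral rule:", run_scenario(web_server_nacl(False), web_server_sg()))
    print("with ephemeral rule:", run_scenario(web_server_nacl(True), web_server_sg()))
```

Without the outbound ephemeral rule the NACL returns "deny" for the reply while the Security group returns "allow" from its flow table; with it both allow the reply. The packet from 198.51.100.7 is denied by the NACL (rule 90 is evaluated before rule 100) but allowed by the Security group, which has no way to say no to something a broader rule already permits. That asymmetry is why the two are used together rather than as substitutes.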
There realistically appear to be only two vendor options for serving on-premises incumbents who can't move to the public Cloud for whatever reason:
- VMware call it a “Virtual network”
- OpenShift calls it SDN, which leverages Kubernetes (k8s) under the hood
Clients have been known to move from OpenShift on-premises to OpenShift PaaS in the cloud pretty seamlessly, so it provides an easy cloud migration path. OpenShift also allows Enterprises that don't have the skillsets to operate and maintain a Kubernetes cluster to still get the benefits of scalability and container orchestration.