Security | Published 2025-08-20 | Updated 2025-12-08
    WAF vs Network Firewall vs Security Groups vs NACLs

    AWS defense in depth - four layers explained

    AWS provides four distinct network security layers operating at different OSI levels. Security Groups and NACLs are free and instance/subnet-level. Network Firewall provides VPC-wide IDS/IPS with Suricata rules. WAF protects HTTP/HTTPS traffic at Layer 7. Understanding which does what - and how they stack - is defense in depth.

    Service Overview

AWS WAF
    Layer:    L7 (Application)
    Use:      SQL injection, XSS, bot protection for HTTP/HTTPS traffic
    Type:     Web application firewall
    Pricing:  $5/Web ACL/mo + $1/rule/mo + $0.60/M requests

AWS Network Firewall
    Layer:    L3/L4/L7 (Network)
    Use:      Suricata IDS/IPS rules, TLS inspection, domain filtering
    Type:     VPC-level stateful firewall
    Pricing:  ~$0.395/endpoint/hour + $0.065/GB processed

Security Groups
    Layer:    L3/L4 (Instance)
    Use:      Simple ALLOW rules, stateful, attached per ENI
    Type:     Stateful instance-level firewall
    Pricing:  Free

Network ACLs
    Layer:    L3/L4 (Subnet)
    Use:      ALLOW + DENY rules, subnet-wide, evaluated in order
    Type:     Stateless subnet-level firewall
    Pricing:  Free

    Side-by-Side Comparison

$ diff --side-by-side

Criteria         | WAF                                     | Network Firewall                 | Security Groups        | Network ACLs
OSI layer        | Layer 7 (HTTP/HTTPS only)               | Layer 3/4/7                      | Layer 3/4              | Layer 3/4
Scope            | CloudFront, ALB, API Gateway, AppSync   | Entire VPC (subnet routing)      | Per ENI (instance-level) | Per subnet
Stateful         | N/A (request-level)                     | Yes                              | Yes                    | No - must define return traffic
DENY rules       | Yes (block rules)                       | Yes                              | No - allow only        | Yes
IDS/IPS          | No                                      | Yes (Suricata)                   | No                     | No
TLS inspection   | N/A (sees decrypted HTTP)               | Yes (additional cost)            | No                     | No
Domain filtering | No                                      | Yes (allow/deny by FQDN)         | No                     | No
Cost             | Low (~$6+/mo)                           | High (~$285+/mo per endpoint)    | Free                   | Free

    When to Use What

$ cat DECISION_GUIDE.md

IF    You need to block SQL injection and XSS against your web app
THEN  WAF
WHY   WAF operates at Layer 7 and understands HTTP semantics - it can inspect request bodies, headers, and query strings for injection patterns.

IF    You need to block all traffic to a specific IP range or country
THEN  Network ACL or WAF
WHY   NACLs for IP blocking at subnet level (free). WAF for geo-blocking on CloudFront/ALB (paid but more flexible).

IF    You need IDS/IPS with Suricata rules across your entire VPC
THEN  Network Firewall
WHY   Network Firewall supports stateful and stateless rules, Suricata-compatible signatures, and centralized egress filtering.

IF    You want to restrict which ports an EC2 instance can receive traffic on
THEN  Security Group
WHY   Security groups are free, stateful, and the primary mechanism for instance-level port filtering. Start here.

IF    You need to block outbound traffic to non-approved domains
THEN  Network Firewall
WHY   Domain-based egress filtering (allow only *.amazonaws.com, your-api.com) is a Network Firewall capability. Security groups only work with IPs.

    Security Insights

    Defense in depth means using multiple layers

    The correct architecture uses all four: Security Groups on instances, NACLs on subnets, Network Firewall at VPC level for IDS/IPS, and WAF on ALBs/CloudFront for web attacks.

    Security Groups cannot DENY traffic

    Security Groups only support ALLOW rules. To explicitly block a specific IP or range, you must use NACLs or Network Firewall. This is the most common misunderstanding.

    NACLs are stateless - most people forget return traffic

Unlike Security Groups, NACLs do not automatically allow response traffic. You must explicitly allow the ephemeral port range (1024-65535) in the opposite direction for return traffic, or connections will fail.
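The two insights above (Security Groups have no DENY; NACLs are stateless and evaluate numbered rules in order) as an added Python model, not code from the page: it evaluates constructed NACL rule sets first-match by rule number in each direction and shows an HTTPS connection failing until the outbound ephemeral-port rule is added, while a lower-numbered DENY blocks a listed range. All rule sets and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending rule-number order
    action: str      # "allow" or "deny" (Security Groups only have allow)
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range the rule matches
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)


def nacl_evaluate(rules, protocol, dst_port, peer_ip):
    """Stateless first-match evaluation; the implicit '*' rule denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not r.port_from <= dst_port <= r.port_to:
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


def nacl_connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection needs the request AND the reply to pass, because a NACL keeps no state.
    The reply leaves outbound with destination port = the client's ephemeral port."""
    request_ok = nacl_evaluate(inbound, "tcp", server_port, client_ip)
    reply_ok = nacl_evaluate(outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


def sg_connection_allowed(inbound_allows, client_ip, server_port):
    """Stateful: only the request is checked; return traffic is tracked automatically."""
    return any(r.protocol in ("all", "tcp") and r.port_from <= server_port <= r.port_to
               and ipaddress.ip_address(client_ip) in ipaddress.ip_network(r.cidr)
               for r in inbound_allows)


# Constructed sample rule sets (not from any real account).
INBOUND = [
    Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),   # explicit block; wins because 90 < 100
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
OUTBOUND_FORGOT_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUTBOUND_FIXED = OUTBOUND_FORGOT_EPHEMERAL + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

if __name__ == "__main__":
    print(nacl_connection_allowed(INBOUND, OUTBOUND_FORGOT_EPHEMERAL, "198.51.100.7", 51234, 443))  # False
    print(nacl_connection_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443))             # True
    print(nacl_connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 51234, 443))              # False
```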

    Network Firewall cost is significant

    At ~$285/month per endpoint (per AZ), Network Firewall is the most expensive option. For a 3-AZ deployment, that is $855/month before data processing charges. Plan accordingly.

    Key Takeaways

$ cat SUMMARY.md

1. WAF = web attacks (L7), Network Firewall = network IDS/IPS (L3-L7), SGs = instance ports, NACLs = subnet DENY rules
2. Security Groups are stateful (return traffic automatic), NACLs are stateless (must allow return)
3. Security Groups cannot DENY - use NACLs or Network Firewall for explicit blocks
4. Network Firewall is the only option for domain-based egress filtering and Suricata IDS/IPS
5. Defense in depth: use all four layers for a properly secured VPC