AWS Network Firewall vs WAF vs Security Groups vs NACLs
⚠️ AWS WAF Classic Deprecated
AWS WAF Classic reached End of Life (EOL) on September 30, 2025.
All references to WAF in this post refer to the current AWS WAF (formerly “AWS WAFv2”). If you are still using WAF Classic, you must migrate immediately.
Migration: Use the AWS WAF Classic migration guide and the CreateWebACLMigrationStack API to migrate your web ACLs.
Overview
- AWS Network Firewall is a stateful, fully managed network firewall and intrusion detection and prevention service (IDS/IPS) for VPCs.
- AWS WAF is a web application firewall that helps protect web applications from attacks by allowing rules configuration that allow, block, or monitor (count) web requests based on defined conditions.
- Security groups act as a virtual firewall for associated instances, controlling both inbound and outbound traffic at the instance level.
- Network access control lists (NACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
Comparison Table
| Feature | Security Groups | NACLs | AWS WAF | AWS Network Firewall |
|---|---|---|---|---|
| Scope | Instance/ENI level | Subnet level | Application level (Layer 7) | VPC level (Layers 3-7) |
| State | Stateful | Stateless | Stateful | Stateful & Stateless |
| Rules | Allow rules only | Allow and Deny rules | Allow, Block, Count, CAPTCHA, Challenge | Allow, Drop, Reject, Alert |
| Rule Processing | All rules evaluated | Rules processed in order (lowest number first) | Rules processed by priority | Rules processed by priority with strict/action order |
| Traffic Inspection | IP, Port, Protocol | IP, Port, Protocol | HTTP/HTTPS headers, body, URI, query strings | IP, Port, Protocol, Domain, HTTP/TLS, IDS/IPS signatures |
| IDS/IPS | No | No | No (application-level only) | Yes (Suricata-compatible) |
| TLS Inspection | No | No | No (inspects after decryption at ALB/CloudFront) | Yes (decrypts and re-encrypts HTTPS traffic) |
| Domain Filtering | No | No | No | Yes (FQDN, SNI, URL categories) |
| Bot Control | No | No | Yes (650+ bots including AI crawlers) | No (use WAF for bot control) |
| Cost | Free | Free | Pay per web ACL, rule, and requests | Pay per endpoint hour and data processed |
Security Groups
- Act as a virtual firewall at the instance/ENI level
- Stateful – return traffic is automatically allowed regardless of rules
- Support allow rules only – cannot create deny rules
- All rules are evaluated before deciding whether to allow traffic
- Can reference other security groups as sources/destinations (including cross-account)
- Applied to ENIs – an instance can have multiple security groups
- Default security group allows all outbound and denies all inbound (except from same group)
Security Group Updates (2024-2026)
- Security Group VPC Associations (Oct 2024) – Associate a security group with multiple VPCs in the same account and Region, eliminating the need to duplicate security groups across VPCs
- Shared Security Groups – In shared VPCs, security groups can now be shared with participant accounts using AWS RAM
- Cross-VPC Security Group Referencing (AWS Cloud WAN) – Create inbound rules referencing security groups in other VPCs attached to AWS Cloud WAN within the same Region
Network Access Control Lists (NACLs)
- Act as a firewall at the subnet level
- Stateless – return traffic must be explicitly allowed by rules
- Support both allow and deny rules
- Rules are processed in number order (lowest first); processing stops at first match
- Default NACL allows all inbound and outbound traffic
- Custom NACLs deny all traffic by default until rules are added
- Applied automatically to all instances in the associated subnet
- Provide broad subnet-level protection as a first line of defense
AWS WAF (Web Application Firewall)
- Operates at Layer 7 (Application Layer) – inspects HTTP/HTTPS requests
- Protects against common web exploits: SQL injection, XSS, CSRF
- Deployed on CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner, and Verified Access
- Rules based on IP addresses, HTTP headers, HTTP body, URI strings, query strings, and geo-location
- Supports rate-based rules for DDoS mitigation at application layer
- Managed rule groups from AWS and AWS Marketplace partners
- Centrally managed using AWS Firewall Manager across accounts
AWS WAF Updates (2024-2026)
- New Console Experience (June 2025) – Pre-configured protection packs for specific workloads (e-commerce, APIs, transaction processing), automated security recommendations, and a unified dashboard
- AI Activity Dashboard (Feb 2026) – Bot Control detection catalog covers 650+ unique bots including AI search engine crawlers, AI data collectors, AI assistants, and LLM training crawlers
- Dynamic Label Interpolation (May 2026) – Forward WAF classification signals to origin and embed context in responses with a single rule
- Protection Packs – Pre-configured Web ACLs tailored to specific workload types with expert-curated rules that are continuously updated
AWS Network Firewall
- Operates at Layers 3-7 – provides network-level and application-level filtering
- Deployed within a VPC using firewall endpoints in dedicated firewall subnets
- Supports both stateful and stateless rule groups
- Intrusion Detection and Prevention (IDS/IPS) using Suricata-compatible rules
- Domain name filtering – Allow/deny based on FQDN or SNI for encrypted traffic
- TLS Inspection – Decrypts and re-encrypts HTTPS traffic for deep packet inspection
- Supports AWS Managed Rule Groups for active threat defense (malware, botnets, C2 channels)
- Auto-scales based on traffic load
- Centrally managed using AWS Firewall Manager
- Can be shared across accounts using AWS RAM
AWS Network Firewall Updates (2024-2026)
- Transit Gateway Native Attachment (2026) – Attach Network Firewall directly to Transit Gateway, eliminating the need for a dedicated inspection VPC. Simplifies architecture and enables flexible cost allocation across accounts.
- Web Category-based Filtering (Jan 2026) – Pre-defined URL categories to control access to GenAI services, social media, streaming sites, and other web categories directly in firewall rules
- Enhanced Managed Rules from Marketplace Partners (Apr 2026) – Support for up to 10 million domain name indicators and 1 million IP addresses in managed rule groups
- Price Reductions (Feb 2026) – Hourly and data processing discounts on NAT Gateways service-chained with Network Firewall secondary endpoints
- Enhanced Console & Monitoring (Sep 2025) – Expanded monitoring insights, advanced TLS inspection features, PrivateLink endpoint analysis, and improved filtering
- Application Layer Traffic Controls (Sep 2025) – Enhanced default rules for handling TLS client hellos and HTTP requests split across multiple packets
When to Use Each Service
| Use Case | Recommended Service |
|---|---|
| Control traffic to/from specific instances | Security Groups |
| Block specific IPs at the subnet level | NACLs |
| Protect web apps from SQL injection, XSS | AWS WAF |
| Block/manage bot traffic and AI crawlers | AWS WAF (Bot Control) |
| Rate limiting at application layer | AWS WAF |
| IDS/IPS for VPC traffic | AWS Network Firewall |
| Domain/FQDN-based egress filtering | AWS Network Firewall |
| TLS traffic inspection (decrypt/re-encrypt) | AWS Network Firewall |
| Block access to GenAI/social media categories | AWS Network Firewall (Web Category Filtering) |
| Centralized inspection across multiple VPCs | AWS Network Firewall + Transit Gateway |
| Centralized policy management across accounts | AWS Firewall Manager |
| Identify misconfigured network security | AWS Shield Network Security Director |
AWS Shield Network Security Director (Preview)
- Launched June 2025 as a capability of AWS Shield
- Discovers compute, networking, and network security resources across your AWS accounts
- Identifies missing or misconfigured network security services (WAF, Security Groups, NACLs)
- Provides actionable remediation recommendations based on AWS best practices and threat intelligence
- Supports multi-account analysis with AWS Organizations integration (Dec 2025)
- Findings available in AWS Security Hub (Mar 2026)
- Visualizes network topology and security configuration issues
AWS Firewall Manager
- Centrally configure and manage firewall rules across multiple accounts and resources in an AWS Organization
- Manages policies for AWS WAF, AWS Network Firewall, Security Groups, NACLs, and Shield Advanced
- Automatically applies protections to new accounts and resources as they are added
- Supports retrofitting – application teams can customize rules in Firewall Manager-managed Web ACLs using console or IaC tools
- Requires AWS Organizations and a designated Firewall Manager administrator account
Defense in Depth Architecture
AWS recommends a layered security approach combining all four services:
- NACLs – First line of defense at subnet boundary; block known malicious IPs
- Security Groups – Instance-level access control; allow only required ports/protocols
- AWS Network Firewall – VPC-level IDS/IPS, domain filtering, and deep packet inspection
- AWS WAF – Application-level protection against web exploits and bot traffic
Use AWS Firewall Manager for centralized policy management and AWS Shield Network Security Director to identify gaps in your security posture.
AWS Certification Exam Practice Questions
Question 1:
A company needs to inspect all egress traffic from their VPC and block access to known malicious domains. They also need IDS/IPS capabilities. Which service should they use?
- AWS WAF
- Network ACLs
- AWS Network Firewall
- Security Groups
Answer: C – AWS Network Firewall provides domain-based filtering, IDS/IPS with Suricata-compatible rules, and can inspect all VPC egress traffic. WAF only inspects HTTP/HTTPS at the application layer and requires a load balancer or CloudFront.
Question 2:
A solutions architect needs to protect a web application from SQL injection and cross-site scripting attacks. The application is behind an Application Load Balancer. Which is the MOST appropriate service?
- AWS Network Firewall
- AWS WAF
- Network ACLs
- Security Groups
Answer: B – AWS WAF is specifically designed to protect web applications from common exploits like SQL injection and XSS. It integrates directly with ALB to inspect HTTP/HTTPS requests.
Question 3:
A company wants to block a specific IP address from accessing any resources in a subnet. Which service provides the ability to explicitly DENY traffic?
- Security Groups
- AWS WAF
- Network ACLs
- AWS Network Firewall
Answer: C – NACLs support both allow and deny rules at the subnet level. Security Groups only support allow rules. While WAF and Network Firewall can also block traffic, NACLs are the most appropriate for simple IP-based subnet-level blocking.
Question 4:
An organization needs to control access to generative AI services from their corporate VPC. They want to block employees from accessing specific AI platforms while allowing approved ones. Which feature should they use?
- AWS WAF Bot Control
- Security Group rules
- AWS Network Firewall with Web Category-based filtering
- NACLs with deny rules
Answer: C – AWS Network Firewall’s Web Category-based filtering (launched Jan 2026) enables controlling access to GenAI services using pre-defined URL categories without maintaining individual domain lists.
Question 5:
A company wants to detect and manage AI crawlers and LLM training bots accessing their web application. Which AWS service provides this capability?
- AWS Network Firewall
- AWS WAF with Bot Control
- Security Groups
- AWS Shield Advanced
Answer: B – AWS WAF Bot Control’s detection catalog covers 650+ unique bots including AI search engine crawlers, AI data collectors, AI assistants, and LLM training crawlers. The AI Activity Dashboard provides visibility into AI bot traffic patterns.
Question 6:
A company operates multiple VPCs connected via Transit Gateway and wants to centrally inspect all inter-VPC traffic. What is the SIMPLEST architecture using AWS Network Firewall?
- Deploy Network Firewall in each VPC
- Create a dedicated inspection VPC with firewall endpoints
- Attach Network Firewall directly to Transit Gateway
- Use Gateway Load Balancer with third-party appliances
Answer: C – AWS Network Firewall now supports native Transit Gateway attachment, eliminating the need for a dedicated inspection VPC. This simplifies architecture by directly attaching the firewall to the Transit Gateway.
Question 7:
Which statement correctly describes the difference between Security Groups and NACLs? (Select TWO)
- Security Groups are stateless; NACLs are stateful
- Security Groups operate at instance level; NACLs operate at subnet level
- Security Groups evaluate all rules; NACLs process rules in order
- NACLs support allow rules only; Security Groups support allow and deny
- Both Security Groups and NACLs can reference other security groups
Answer: B, C – Security Groups operate at the instance/ENI level and evaluate all rules before making a decision. NACLs operate at the subnet level and process rules in numerical order, stopping at the first match. Security Groups are stateful (not stateless), and NACLs support both allow and deny rules.
Question 8:
A security team needs to identify which AWS resources have misconfigured network security services across their multi-account environment. Which service should they use?
- AWS Config
- AWS Shield Network Security Director
- Amazon Inspector
- AWS Firewall Manager
Answer: B – AWS Shield Network Security Director discovers resources across accounts, identifies missing or misconfigured network security services (WAF, Security Groups, NACLs), and provides remediation recommendations. It integrates with AWS Organizations for multi-account analysis.
References
- AWS Security Groups Documentation
- AWS NACLs Documentation
- AWS WAF Documentation
- AWS Network Firewall Documentation
- AWS Firewall Manager Documentation
- AWS Shield Network Security Director Documentation
- Design Your Firewall Deployment for Internet Ingress Traffic Flows
- Why and How to Migrate to Transit Gateway-attached Network Firewall
- Simplifying Policy Management with URL and Domain Category Filtering