Learning Objectives
- Differentiate security groups from NACLs
- Write least-privilege security group rules
- Understand stateful vs stateless filtering
Security Groups vs NACLs
Every cloud provider offers two layers of network security. Security groups act as virtual firewalls at the instance (elastic network interface) level. Network Access Control Lists (NACLs) filter traffic at the subnet level.
The key difference: security groups are stateful, NACLs are stateless. If you allow inbound traffic through a security group, the response is automatically allowed regardless of outbound rules. With NACLs, you must explicitly allow both inbound and outbound traffic.
Match each feature to the correct security layer.
Hints
- Think about what happens to return traffic
- NACLs are like a firewall for the whole subnet
- Security groups are instance-level firewalls
Writing Effective Security Group Rules
Follow the principle of least privilege: allow only the specific traffic your application needs. Never use 0.0.0.0/0 for inbound SSH or RDP.
Build a Web Server Security Group
Configure inbound rules for a web server security group.
aws ec2 authorize-security-group-ingress --group-id {sg_id} --protocol tcp --port 443 --cidr 0.0.0.0/0Common Rule Patterns
| Purpose | Protocol | Port | Source | Rationale | |---------|----------|------|--------|-----------| | HTTP | TCP | 80 | 0.0.0.0/0 | Public web traffic | | HTTPS | TCP | 443 | 0.0.0.0/0 | Public web traffic | | SSH | TCP | 22 | Your office IP /32 | Admin access only | | App-to-DB | TCP | 3306 | App SG ID | Only app layer can reach DB | | Health checks | TCP | 80 | ALB SG ID | Only load balancer pings |
NACL Rule Evaluation
NACLs evaluate rules in order from lowest to highest rule number. Once a rule matches, evaluation stops. Always include an explicit deny-all rule (rule *) as a catch-all. The default NACL allows all traffic; custom NACLs deny all by default.
You allow inbound TCP 443 from 0.0.0.0/0 in a security group but block outbound traffic in the NACL. What happens to the response?
Key Takeaways
- Security groups are stateful instance firewalls; NACLs are stateless subnet firewalls
- NACLs evaluate rules in numbered order with a catch-all deny at the end
- Always scope security group sources to the minimum required (specific IPs or other SGs)
- Outbound NACL rules must allow ephemeral ports (1024-65535) for return traffic
- Security groups support no explicit deny — NACLs allow both allow and deny rules