NetworkTools
Sign In
1VPC Design2Security Groups & NACLs3Virtual Routers4Hybrid Connectivity5Cloud Load Balancing6Cloud DNS & CDN7Container Networking
← Back to Cloud Networking

Learning Objectives

  • Differentiate security groups from NACLs
  • Write least-privilege security group rules
  • Understand stateful vs stateless filtering

Security Groups vs NACLs

Every cloud provider offers two layers of network security. Security groups act as virtual firewalls at the instance (elastic network interface) level. Network Access Control Lists (NACLs) filter traffic at the subnet level.

The key difference: security groups are stateful, NACLs are stateless. If you allow inbound traffic through a security group, the response is automatically allowed regardless of outbound rules. With NACLs, you must explicitly allow both inbound and outbound traffic.

Match each feature to the correct security layer.

Hints
  • Think about what happens to return traffic
  • NACLs are like a firewall for the whole subnet
  • Security groups are instance-level firewalls
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Left
matches to
Right
Attempts: 0

Writing Effective Security Group Rules

Follow the principle of least privilege: allow only the specific traffic your application needs. Never use 0.0.0.0/0 for inbound SSH or RDP.

Build a Web Server Security Group

Configure inbound rules for a web server security group.

Preview
aws ec2 authorize-security-group-ingress --group-id {sg_id} --protocol tcp --port 443 --cidr 0.0.0.0/0

Common Rule Patterns

| Purpose | Protocol | Port | Source | Rationale | |---------|----------|------|--------|-----------| | HTTP | TCP | 80 | 0.0.0.0/0 | Public web traffic | | HTTPS | TCP | 443 | 0.0.0.0/0 | Public web traffic | | SSH | TCP | 22 | Your office IP /32 | Admin access only | | App-to-DB | TCP | 3306 | App SG ID | Only app layer can reach DB | | Health checks | TCP | 80 | ALB SG ID | Only load balancer pings |

NACL Rule Evaluation

NACLs evaluate rules in order from lowest to highest rule number. Once a rule matches, evaluation stops. Always include an explicit deny-all rule (rule *) as a catch-all. The default NACL allows all traffic; custom NACLs deny all by default.

You allow inbound TCP 443 from 0.0.0.0/0 in a security group but block outbound traffic in the NACL. What happens to the response?

Key Takeaways

  • Security groups are stateful instance firewalls; NACLs are stateless subnet firewalls
  • NACLs evaluate rules in numbered order with a catch-all deny at the end
  • Always scope security group sources to the minimum required (specific IPs or other SGs)
  • Outbound NACL rules must allow ephemeral ports (1024-65535) for return traffic
  • Security groups support no explicit deny — NACLs allow both allow and deny rules
PreviousVPC DesignNextVirtual Routers