Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.1. VPC Security Controls (Security Groups, Network ACLs)

First Principle: VPC security controls, Security Groups (SGs) and Network ACLs (NACLs), act as virtual firewalls that control traffic flow and isolate resources within your VPC, providing granular network protection.

Security Groups (SGs) and Network Access Control Lists (NACLs) are the foundational network security features within an Amazon VPC. Security specialists configure these to precisely control traffic to and from AWS resources.

Key Characteristics and Differences:
  • Security Groups (SGs):
    • Level: Instance-level firewall. Applies to individual EC2 instances or Elastic Network Interfaces (ENIs).
    • Stateful: If you allow inbound traffic, return outbound traffic is automatically allowed.
    • Allow-Only: You define only allow rules. Traffic that doesn't explicitly match an allow rule is implicitly denied.
    • Evaluation: All rules are evaluated before deciding whether to allow traffic.
    • Use Cases: Controlling access to application ports; allowing access from specific IP ranges or from resources that belong to another Security Group.
  • Network Access Control Lists (NACLs):
    • Level: Subnet-level firewall. Applies to all resources within a subnet.
    • Stateless: Inbound and outbound rules are evaluated independently; you must explicitly allow return traffic (e.g., replies to clients on the ephemeral port range), because an inbound allow does not imply an outbound allow.
    • Allow and Deny rules: You can explicitly allow or deny traffic. Rules are processed in order (lowest numbered rule first). The first matching rule is applied.
    • Use Cases: A secondary layer of defense in addition to Security Groups; broad deny rules (e.g., blocking known malicious IP ranges) that Security Groups cannot express.

Scenario: You need to protect your web servers (publicly accessible) from unauthorized SSH access from anywhere, but allow HTTPS traffic. Your internal application servers should only communicate with these web servers and a private database.
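The following is an added example, not AWS code or part of the original course material. It models the evaluation semantics listed above (stateful, allow-only Security Groups where every rule is considered, versus stateless, numbered NACLs where the first matching rule wins and an implicit final rule denies) and applies them to the scenario: HTTPS open to the web tier, no SSH rule at all, the app tier reachable only from the web Security Group, and the database only from the app Security Group. All Security Group ids, instance IPs, CIDRs (including the "malicious" 198.51.100.0/24 range, which is a documentation block) and ports are constructed, and only TCP is modelled.

```python
"""Added example (not AWS code): a model of Security Group versus Network ACL
evaluation. All IDs, CIDRs and ports are constructed; only TCP is modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class SgRule:
    port: int
    source: str  # a CIDR, or the id of another Security Group

@dataclass(frozen=True)
class NaclRule:
    number: int
    ports: tuple  # inclusive (low, high) destination port range
    cidr: str     # remote CIDR: source for inbound, destination for outbound
    action: str   # "allow" or "deny"

# Constructed topology: which instance IP belongs to which Security Group.
SG_MEMBERS = {"10.0.1.10": {"sg-web"}, "10.0.2.10": {"sg-app"}, "10.0.3.10": {"sg-db"}}

# Scenario: HTTPS to the web tier from anywhere and no SSH rule at all (so SSH is
# implicitly denied); app tier reachable only from sg-web; database only from sg-app.
SECURITY_GROUPS = {
    "sg-web": [SgRule(443, "0.0.0.0/0")],
    "sg-app": [SgRule(8080, "sg-web")],
    "sg-db": [SgRule(5432, "sg-app")],
}

# Public-subnet NACL. Stateless: the inbound 443 allow says nothing about replies,
# so outbound must allow the ephemeral port range explicitly. Rule 90 is a broad
# deny for a constructed "malicious" CIDR; its lower number means it is matched first.
NACL_INBOUND = [
    NaclRule(100, (443, 443), "0.0.0.0/0", "allow"),
    NaclRule(90, (0, 65535), "198.51.100.0/24", "deny"),
]
NACL_OUTBOUND = [NaclRule(100, (1024, 65535), "0.0.0.0/0", "allow")]

def sg_allows_inbound(sg_id, pkt):
    """SG semantics: all rules considered, any match allows, no match means deny."""
    for rule in SECURITY_GROUPS[sg_id]:
        if rule.port != pkt.dst_port:
            continue
        if rule.source.startswith("sg-"):
            if rule.source in SG_MEMBERS.get(pkt.src_ip, set()):
                return True
        elif ip_address(pkt.src_ip) in ip_network(rule.source):
            return True
    return False

def sg_allows_reply(sg_id, inbound_pkt, reply_pkt):
    """Stateful: the reply to an allowed inbound flow needs no outbound rule."""
    is_reply = (reply_pkt.src_ip == inbound_pkt.dst_ip
                and reply_pkt.dst_ip == inbound_pkt.src_ip
                and reply_pkt.src_port == inbound_pkt.dst_port
                and reply_pkt.dst_port == inbound_pkt.src_port)
    return is_reply and sg_allows_inbound(sg_id, inbound_pkt)

def nacl_evaluate(rules, pkt, inbound):
    """NACL semantics: ascending rule number, first match decides, and the
    implicit final '*' rule denies anything unmatched. Each direction is checked alone."""
    remote_ip = pkt.src_ip if inbound else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if low <= pkt.dst_port <= high and ip_address(remote_ip) in ip_network(rule.cidr):
            return rule.action == "allow"
    return False

def scenario_decisions():
    """Run the scenario's flows through both layers; True means allowed."""
    https_in = Packet("203.0.113.5", "10.0.1.10", 50000, 443)
    https_reply = Packet("10.0.1.10", "203.0.113.5", 443, 50000)
    ssh_in = Packet("203.0.113.5", "10.0.1.10", 50001, 22)
    blocked_https = Packet("198.51.100.7", "10.0.1.10", 50002, 443)
    web_to_app = Packet("10.0.1.10", "10.0.2.10", 50003, 8080)
    web_to_db = Packet("10.0.1.10", "10.0.3.10", 50004, 5432)
    # An outbound NACL that only mirrors the inbound 443 allow: replies leave on
    # port 50000, so a stateless layer drops them without the ephemeral range.
    outbound_without_ephemeral = [NaclRule(100, (443, 443), "0.0.0.0/0", "allow")]
    return {
        "https_sg": sg_allows_inbound("sg-web", https_in),
        "https_reply_sg": sg_allows_reply("sg-web", https_in, https_reply),
        "ssh_sg": sg_allows_inbound("sg-web", ssh_in),
        "https_nacl_in": nacl_evaluate(NACL_INBOUND, https_in, inbound=True),
        "https_reply_nacl_out": nacl_evaluate(NACL_OUTBOUND, https_reply, inbound=False),
        "reply_nacl_out_without_ephemeral": nacl_evaluate(outbound_without_ephemeral, https_reply, inbound=False),
        "blocked_cidr_nacl_in": nacl_evaluate(NACL_INBOUND, blocked_https, inbound=True),
        "web_to_app_sg": sg_allows_inbound("sg-app", web_to_app),
        "web_to_db_sg": sg_allows_inbound("sg-db", web_to_db),
    }

if __name__ == "__main__":
    for flow, allowed in scenario_decisions().items():
        print(f"{flow:34s} {'ALLOW' if allowed else 'DENY'}")
```

Two points the model makes visible: the web tier is denied a direct path to the database because the database Security Group references only sg-app, not a CIDR the web server happens to sit in; and the same HTTPS reply that the stateful Security Group passes automatically is dropped by a stateless NACL unless the ephemeral port range is allowed outbound.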

Reflection Question: How do VPC Security Controls (Security Groups for instance-level, Network ACLs for subnet-level) fundamentally provide virtual firewall capabilities to control traffic flow and isolate resources within your VPC, ensuring granular network protection and adherence to least privilege?