Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.1. Security Groups, NACLs, and Network Firewall

First Principle: AWS provides three layers of network filtering, each operating at a different scope — security groups protect individual resources (stateful), NACLs protect subnets (stateless), and Network Firewall protects entire VPCs (stateful with deep inspection). Together they implement defense-in-depth for network traffic.

Security Groups (Instance-level, Stateful):
  • Default deny all inbound, allow all outbound
  • Rules specify allow only (no explicit deny)
  • Stateful: return traffic automatically allowed
  • Can reference other security groups as sources (powerful for tier isolation)
NACLs (Subnet-level, Stateless):
  • Default allow all (unlike security groups)
  • Rules specify both allow and deny with priority numbers
  • Stateless: return traffic must be explicitly allowed (ephemeral ports)
  • Best for: broad IP-based blocks, subnet-level isolation
AWS Network Firewall (VPC-level, Stateful with deep inspection):
  • Deployed in dedicated firewall subnets with route table integration
  • Supports Suricata-compatible IDS/IPS rules
  • Domain-based filtering (allow/block specific domains)
  • TLS inspection for encrypted traffic analysis
  • Managed rule groups from AWS or third parties
Feature      Security Group    NACL           Network Firewall
Scope        ENI (instance)    Subnet         VPC
State        Stateful          Stateless      Stateful
Rules        Allow only        Allow + Deny   Allow + Deny + Drop
Inspection   L3/L4             L3/L4          L3-L7 (deep packet)
Best for     Tier isolation    IP blocking    Domain filtering, IDS/IPS

⚠️ Exam Trap: To block a specific IP address, use a NACL (it supports deny rules). Security groups can only allow — you can't explicitly deny an IP in a security group.

Scenario: You need to block traffic from a known malicious IP range while also restricting web-tier instances to communicate only with the app tier on port 443. You use a NACL to deny the malicious IP range and security groups with cross-references to enforce tier isolation.
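The scenario above as a small runnable model (an added example, not code from the course page or from AWS): it evaluates NACL rules the way AWS does (lowest rule number first, first match wins, implicit deny at the end of a custom NACL, no connection state) and security group rules the way AWS does (stateful, allow-only, with one group referencing another). All CIDRs, rule numbers and group names are constructed sample values.

```python
# Added example, not from the course page: a model of how AWS evaluates NACL rules
# (stateless, lowest rule number first, implicit deny at the end of a custom NACL)
# versus security group rules (stateful, allow-only, able to reference another SG).
# All CIDRs, rule numbers and SG names are constructed sample values.
import ipaddress
from typing import NamedTuple

class NaclRule(NamedTuple):
    number: int    # evaluated in ascending order; the first match wins
    action: str    # "allow" or "deny"
    cidr: str      # peer address range
    ports: tuple   # (low, high) inclusive, port on the peer-facing side
class SgRule(NamedTuple):
    source: str    # a CIDR, or "sg:<name>" to reference another security group
    ports: tuple

def nacl_decision(rules, peer_ip, port):
    """Stateless: a request and its reply are judged by separate rules."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if peer in ipaddress.ip_network(r.cidr) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"  # the trailing '*' rule of a custom NACL

def sg_allows(rules, peer_ip, peer_sg, port, is_reply=False):
    """Stateful, allow-only: replies need no rule; new flows need a matching allow."""
    if is_reply:
        return True
    for r in rules:
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if r.source == f"sg:{peer_sg}" or (not r.source.startswith("sg:") and
                ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.source)):
            return True
    return False

# Scenario rules: deny 198.51.100.0/24 (constructed "malicious" range) at the web
# subnet's NACL; let the web tier reach the app tier only on 443 via an SG reference.
WEB_NACL_IN = [NaclRule(100, "deny", "198.51.100.0/24", (0, 65535)),  # deny first
               NaclRule(200, "allow", "0.0.0.0/0", (443, 443))]
WEB_NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535)),   # replies to clients
                NaclRule(110, "allow", "10.0.2.0/24", (443, 443))]    # web -> app subnet
APP_SG_IN = [SgRule("sg:web", (443, 443))]

def client_can_fetch(client_ip, client_port=51000):
    """HTTPS works only if the request AND the reply on the client's ephemeral port pass."""
    return (nacl_decision(WEB_NACL_IN, client_ip, 443) == "allow"
            and nacl_decision(WEB_NACL_OUT, client_ip, client_port) == "allow")

def web_can_reach_app(port, web_ip="10.0.1.10", app_ip="10.0.2.10"):
    """Web egress to the app tier must pass the NACL and the app tier's SG."""
    return (nacl_decision(WEB_NACL_OUT, app_ip, port) == "allow"
            and sg_allows(APP_SG_IN, web_ip, "web", port))
```

Numbering the deny rule above the broad allow (300 instead of 100) would let the allow match first, and dropping the ephemeral-port egress rule would silently break every reply, which is exactly the trap the stateless NACL sets.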

Reflection Question: Why does AWS provide three separate network filtering mechanisms, and when should you use each one?

Written by Alvin Varughese (Founder; 15 professional certifications)