Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.2.1. VPC Security: Security Groups and Network ACLs

💡 First Principle: Security Groups (SGs) and Network ACLs (NACLs) are virtual firewalls controlling VPC traffic. SGs protect instances; NACLs secure subnets, managing flow.

Both Security Groups (SGs) and Network Access Control Lists (NACLs) act as virtual firewalls for VPC traffic, but at different layers: an SG protects an individual instance, while a NACL secures an entire subnet and governs the flow into and out of it.

Key Differences in VPC Security with SGs and NACLs:
  • Security Groups (SGs):
    • Instance-level: Applies to individual EC2 instances or Elastic Network Interfaces (ENIs).
    • Stateful: If you allow inbound traffic, return outbound traffic is automatically allowed.
    • Allow-only: You define only allow rules. Everything else is implicitly denied.
  • Network Access Control Lists (NACLs):
    • Subnet-level: Applies to all EC2 instances within a subnet.
    • Stateless: Inbound and outbound rules are evaluated separately.
    • Allow and Deny: You can explicitly allow or deny traffic. Rules are processed in order (lowest numbered rule first).

Scenario: An SG allows only web traffic (ports 80, 443) to an EC2 instance, while a NACL blocks all inbound traffic to its associated subnet, creating layered defense.

Visual: Security Groups vs. Network ACLs

āš ļø Common Pitfall: Forgetting that NACLs are stateless. If you allow inbound traffic on a NACL, you must explicitly allow the corresponding outbound return traffic as well, unlike Security Groups.

Key Trade-Offs:
  • Fine-grained (SG) vs. Broad (NACL): Security Groups are for specific instance-level control. NACLs are for broader subnet-level control. Using both provides defense-in-depth.

Reflection Question: How does combining Security Groups (instance-level, stateful) and Network ACLs (subnet-level, stateless) enhance VPC security by providing a layered defense-in-depth approach?