Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.3. Network Security (Security Groups, Network ACLs)

💡 First Principle: Network security components (Security Groups, Network ACLs) provide virtual firewall capabilities to control traffic flow and isolate resources within your VPC, ensuring basic network protection.

Scenario: You need to protect your web application running on EC2 instances. Only HTTPS traffic from the internet should reach your web servers. Your web servers need to communicate with a database in a private subnet, but the database should not be directly accessible from the internet.

For SysOps Administrators, configuring network security is a primary responsibility to protect AWS resources from unauthorized access and malicious activity.

Key Network Security Components:
  • Security Groups (SGs): Stateful virtual firewalls that control inbound and outbound traffic for individual EC2 instances or Elastic Network Interfaces (ENIs).
    • Instance-Level: Applies to individual instances (more precisely, to the ENIs the group is attached to).
    • Stateful: If inbound traffic is allowed, the return outbound traffic is automatically allowed.
    • Allow-Only Rules: You define only allow rules; anything not explicitly allowed is implicitly denied.
    • Best Practice: Apply least privilege by opening only the ports that are necessary, and reference other Security Groups as sources where possible instead of broad CIDR ranges.
  • Network Access Control Lists (NACLs): Stateless packet filters that control traffic to and from one or more subnets.
    • Subnet-Level: Applies to all resources within a subnet.
    • Stateless: Inbound and outbound rules are evaluated separately; you must explicitly allow return traffic (typically on the ephemeral port range).
    • Allow and Deny Rules: You can explicitly allow or deny traffic; rules are evaluated in ascending rule-number order and the first matching rule decides.
    • Use Cases: Useful for broad subnet-level blocking or allowing, such as denying a known-bad CIDR in front of every instance in a subnet.
Key Differences:
  • SGs: Instance-level, stateful, allow-only.
  • NACLs: Subnet-level, stateless, allow/deny, rule order matters.

⚠️ Common Pitfall: Misunderstanding the stateful nature of Security Groups versus the stateless nature of Network ACLs, leading to unexpected traffic blocks or allowances. A typical example is a NACL that allows inbound HTTPS on port 443 but has no outbound rule for the ephemeral port range, so the server's replies are silently dropped even though the Security Group would have allowed them.

Key Trade-Offs: Granular control (Security Groups) versus broad subnet-level filtering (Network ACLs).

Practical Implementation: Security Group rule for web server (HTTPS inbound):

{
    "IpProtocol": "tcp",
    "FromPort": 443,
    "ToPort": 443,
    "IpRanges": [
        {
            "CidrIp": "0.0.0.0/0"
        }
    ]
}

Network ACL rule to deny specific IP:

{
    "RuleNumber": 100,
    "Protocol": "-1",
    "RuleAction": "deny",
    "Egress": false,
    "CidrBlock": "192.0.2.0/24"
}
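The following is an added example, not code from the course or from AWS: a small rule evaluator that models the scenario above (web tier open on 443, database tier reachable only from the web tier's Security Group) and traces one TCP request and its reply through a stateful SG and a stateless NACL. All rules, IPs and group IDs are constructed for illustration; the helper names are hypothetical and do not correspond to any AWS API.

```python
import ipaddress

# Constructed rules for the scenario (not from a real account). An SG rule's source is
# either a CIDR or another security group; a NACL rule is numbered and carries an action.
WEB_SG = [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]
DB_SG = [{"proto": "tcp", "from": 3306, "to": 3306, "src_sg": "sg-web"}]  # trust the web SG, not a CIDR
DB_NACL_IN = [{"num": 100, "proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.0.1.0/24", "action": "allow"}]
DB_NACL_OUT = [{"num": 100, "proto": "tcp", "from": 1024, "to": 65535, "cidr": "10.0.1.0/24", "action": "allow"}]


def _port_match(rule, proto, port):
    return rule["proto"] in (proto, "-1") and rule["from"] <= port <= rule["to"]


def sg_allows(rules, proto, port, src_ip=None, src_sg=None):
    """Security group: allow-only, any matching rule admits the packet; nothing else gets in."""
    for r in rules:
        if not _port_match(r, proto, port):
            continue
        if "src_sg" in r and r["src_sg"] == src_sg:
            return True
        if "cidr" in r and src_ip and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["cidr"]):
            return True
    return False


def nacl_decision(rules, proto, port, ip):
    """NACL: the lowest-numbered matching rule decides; no match means the implicit deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _port_match(r, proto, port) and ipaddress.ip_address(ip) in ipaddress.ip_network(r["cidr"]):
            return r["action"]
    return "deny"


def tcp_flow_allowed(src_ip, src_sg, dst_sg, nacl_in, nacl_out, dst_port, ephemeral_port):
    """Trace a request into a subnet and its reply back out. The SG is stateful, so only the
    request is checked against it; the NACL is stateless, so the reply (to the client's
    ephemeral port) must separately pass the egress rules."""
    if nacl_decision(nacl_in, "tcp", dst_port, src_ip) != "allow":
        return False, "NACL ingress denies request"
    if not sg_allows(dst_sg, "tcp", dst_port, src_ip, src_sg):
        return False, "SG denies request"
    if nacl_decision(nacl_out, "tcp", ephemeral_port, src_ip) != "allow":
        return False, "NACL egress denies reply on ephemeral port"
    return True, "allowed"


def internet_exposed_ports(rules):
    """Ports any rule opens to 0.0.0.0/0; a database SG should return an empty set."""
    return {p for r in rules if r.get("cidr") == "0.0.0.0/0" for p in range(r["from"], r["to"] + 1)}
```

Removing the outbound ephemeral-port rule from DB_NACL_OUT makes the same flow fail at the reply step, which is the stateless pitfall described above.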

Reflection Question: How would you configure Security Groups for your web servers and database servers, and potentially Network ACLs for your subnets, to control network traffic and isolate resources, ensuring basic network security for your application?