3.2.1. Network Security (Security Groups, Network ACLs)
💡 First Principle: Network security components (Security Groups, Network ACLs) provide virtual firewall capabilities to control traffic flow and isolate resources within your VPC, ensuring basic network protection.
Network security in AWS involves controlling who can access your network resources and how traffic flows within your Virtual Private Cloud (VPC).
Key Network Security Components:
- Security Groups (SGs):
  - What they are: Act as virtual firewalls at the instance level. They control inbound and outbound traffic for individual EC2 instances or other resources.
  - Stateful: If you allow inbound traffic (e.g., HTTP on port 80), the return outbound traffic is automatically allowed.
  - Allow-only rules: You can define only allow rules; anything not explicitly allowed is implicitly denied.
  - Best Practice: Follow the Principle of Least Privilege by opening only the ports and protocols that are absolutely necessary.
- Network Access Control Lists (NACLs):
  - What they are: Act as stateless packet filters at the subnet level. They control traffic to and from a subnet.
  - Stateless: Inbound and outbound rules are evaluated separately; you must explicitly allow return traffic.
  - Allow and Deny rules: You can explicitly allow or deny traffic. Rules are evaluated in ascending rule-number order (lowest number first), and the first matching rule is applied.
  - Use Cases: Can be used as a secondary layer of defense in addition to Security Groups.
Traffic Flow Example: A request from the internet to your EC2 instance follows this path:
- Internet
- VPC
- Subnet (NACL Check)
- Instance (Security Group Check)
Scenario: You need to protect your web application running on EC2 instances. Only HTTPS traffic from the internet should reach your web servers. Your web servers need to communicate with a database in a private subnet, but the database should not be directly accessible from the internet.
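The scenario above, worked through as a small Python model added here for illustration (it is not AWS code and does not call any AWS API). It encodes the three behaviours described in the list above: security groups are stateful and allow-only, NACLs are stateless and evaluate numbered allow/deny rules lowest-number-first, and a packet from the internet passes the subnet NACL before the instance security group. Everything in it is constructed: the subnet CIDRs 10.0.1.0/24 (public, web servers) and 10.0.2.0/24 (private, database), the instance and client IPs, the security-group names `web-sg` and `db-sg`, the rule numbers, and the assumption that return traffic to a client arrives on the TCP ephemeral port range 1024-65535, which is why the stateless NACL needs an explicit outbound rule for that range while the stateful security group needs none.

```python
"""Model (added example, not AWS code) of how Security Groups and Network ACLs
evaluate traffic for the web-server / private-database scenario.
All names, IPs and CIDRs below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed range a client picks for its side of a TCP connection


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The return leg of this flow (server back to client)."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    peer: str              # CIDR, or "sg:<name>" to reference another security group
    action: str = "allow"  # NACL rules may also be "deny"; security groups are allow-only
    number: int = 0        # NACL evaluation order (lowest first); unused by security groups

    def matches(self, flow, peer_ip, membership):
        if self.proto != flow.proto or not self.port_from <= flow.dst_port <= self.port_to:
            return False
        if self.peer.startswith("sg:"):  # match by group membership, not by address
            return self.peer[3:] in membership.get(peer_ip, set())
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer)


class SecurityGroup:
    """Instance level, stateful, allow-only: no matching rule means implicit deny,
    but the return leg of an already-accepted connection passes without any rule."""
    def __init__(self, name, inbound, outbound):
        self.name, self.inbound, self.outbound = name, inbound, outbound
        self.connections = set()  # flows this group has accepted (the connection table)

    def allows(self, direction, flow, membership):
        if flow.reverse() in self.connections:  # stateful: reply to an accepted flow
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        peer_ip = flow.src_ip if direction == "inbound" else flow.dst_ip
        if any(r.matches(flow, peer_ip, membership) for r in rules):
            self.connections.add(flow)
            return True
        return False


class NetworkACL:
    """Subnet level, stateless: each leg needs its own rule; rules are tried lowest
    number first and the first match decides; no match is the implicit final deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, direction, flow):
        rules = self.inbound if direction == "inbound" else self.outbound
        peer_ip = flow.src_ip if direction == "inbound" else flow.dst_ip
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(flow, peer_ip, {}):
                return rule.action == "allow"
        return False


# --- Constructed scenario: public web subnet 10.0.1.0/24, private DB subnet 10.0.2.0/24 ---
WEB_IP, DB_IP = "10.0.1.10", "10.0.2.20"
CLIENT_IP, BLOCKED_IP = "203.0.113.7", "198.51.100.9"  # an internet client; one in a range we deny
MEMBERSHIP = {WEB_IP: {"web-sg"}, DB_IP: {"db-sg"}}     # which security groups each instance is in

web_sg = SecurityGroup("web-sg",
    inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],        # HTTPS from anywhere, nothing else
    outbound=[Rule("tcp", 5432, 5432, "sg:db-sg")])       # only to members of db-sg
db_sg = SecurityGroup("db-sg",
    inbound=[Rule("tcp", 5432, 5432, "sg:web-sg")],      # only from web servers, never from a CIDR
    outbound=[])                                         # replies are covered by connection state
public_nacl = NetworkACL(
    inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 90),  # explicit deny, evaluated first
             Rule("tcp", 443, 443, "0.0.0.0/0", number=100),
             Rule("tcp", *EPHEMERAL, "10.0.2.0/24", number=110)],  # DB replies back to web servers
    outbound=[Rule("tcp", *EPHEMERAL, "0.0.0.0/0", number=100)])   # replies to clients (range also covers 5432)
private_nacl = NetworkACL(
    inbound=[Rule("tcp", 5432, 5432, "10.0.1.0/24", number=100)],
    outbound=[Rule("tcp", *EPHEMERAL, "10.0.1.0/24", number=100)])  # stateless: replies need their own rule
SUBNETS = {"10.0.1.0/24": public_nacl, "10.0.2.0/24": private_nacl}
RESOURCES = {WEB_IP: web_sg, DB_IP: db_sg}


def nacl_for(ip):
    for cidr, nacl in SUBNETS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return nacl
    return None  # internet hosts sit in no VPC subnet


def deliver(flow):
    """Walk the path from the text: source SG outbound, source subnet NACL outbound,
    destination subnet NACL inbound, destination SG inbound. Returns the stage that
    drops the packet, or 'delivered'."""
    src_nacl, dst_nacl = nacl_for(flow.src_ip), nacl_for(flow.dst_ip)
    checks = []
    if flow.src_ip in RESOURCES:
        checks.append(("sg-outbound", lambda: RESOURCES[flow.src_ip].allows("outbound", flow, MEMBERSHIP)))
    if src_nacl is not None and src_nacl is not dst_nacl:  # NACLs only see traffic crossing a subnet edge
        checks.append(("nacl-outbound", lambda: src_nacl.allows("outbound", flow)))
    if dst_nacl is not None and src_nacl is not dst_nacl:
        checks.append(("nacl-inbound", lambda: dst_nacl.allows("inbound", flow)))
    if flow.dst_ip in RESOURCES:
        checks.append(("sg-inbound", lambda: RESOURCES[flow.dst_ip].allows("inbound", flow, MEMBERSHIP)))
    for stage, check in checks:
        if not check():
            return f"dropped at {stage}"
    return "delivered"


def run_scenario():
    """Send the scenario's flows in order (requests before their replies) and record each verdict."""
    https = Flow(CLIENT_IP, 50000, WEB_IP, 443)
    db_query = Flow(WEB_IP, 40000, DB_IP, 5432)
    return {
        "https from internet": deliver(https),
        "https reply": deliver(https.reverse()),
        "https from denied range": deliver(Flow(BLOCKED_IP, 50000, WEB_IP, 443)),
        "ssh from internet": deliver(Flow(CLIENT_IP, 50001, WEB_IP, 22)),
        "database from internet": deliver(Flow(CLIENT_IP, 50002, DB_IP, 5432)),
        "web server to database": deliver(db_query),
        "database reply": deliver(db_query.reverse()),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26} {verdict}")
```

Running it shows the two layers doing different jobs: the NACL stops SSH and direct database connections from the internet before they reach any instance, and its rule 90 deny beats the broader rule 100 allow purely because of its lower number, something a security group cannot express. The database security group then refuses anything that is not a member of `web-sg`, even a host inside the web subnet that the NACL would let through. Remove the ephemeral-port outbound rule from `public_nacl` and the HTTPS request still arrives but its reply is dropped at `nacl-outbound`, which is the stateless behaviour the text describes.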
Reflection Question: How do Security Groups (instance-level, stateful) and Network ACLs (subnet-level, stateless) fundamentally provide virtual firewall capabilities to control traffic flow and isolate resources within your VPC for basic network protection?