Security Groups and NACLs
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering VPC Security: Security Groups and Network ACLs
Introduction: The Foundation of Cloud Networking
In the modern era of cloud computing, the Virtual Private Cloud (VPC) acts as your private, isolated section of the cloud provider’s network. When you launch resources—such as virtual machines, databases, or load balancers—into this environment, you are essentially building a digital data center. However, just like a physical data center, a VPC is useless if it is not properly guarded. Without robust security controls, your resources are exposed to the public internet, making them vulnerable to unauthorized access, data theft, and malicious traffic.
Security Groups and Network Access Control Lists (NACLs) are the two primary mechanisms provided to manage traffic flow within your VPC. Think of these as the security guards of your infrastructure. Security Groups act like the security guard at the door of a specific room, checking the identity and permissions of anyone trying to enter. Network ACLs, on the other hand, act like the security gate at the perimeter of the building, checking everyone who enters or leaves the entire property. Understanding how these two layers work together is the most critical step in securing your cloud architecture.
This lesson explores the technical nuances of these two tools, how they differ, and how to implement them effectively to build a hardened environment. By mastering these concepts, you will move beyond basic connectivity and begin designing infrastructure that is resilient, predictable, and secure by default.
Understanding Security Groups: The Statefull Firewall
A Security Group acts as a virtual firewall for your instances or other resources. It controls both inbound and outbound traffic at the interface level. The most important characteristic of a Security Group is that it is stateful. This means that if you send a request from your instance, the response traffic for that request is allowed to flow back in automatically, regardless of any inbound rules. You do not need to explicitly configure inbound rules for return traffic.
The Mechanics of Security Groups
When you create a Security Group, you start with no inbound rules by default, meaning all inbound traffic is blocked. Conversely, all outbound traffic is allowed by default. You add rules to explicitly allow traffic based on protocol, port range, and source or destination.
- Inbound Rules: These control the traffic coming into your resource. You specify the source (which could be an IP range, another Security Group, or a prefix list), the protocol (TCP, UDP, ICMP), and the port range.
- Outbound Rules: These control the traffic leaving your resource. While often left as "allow all" for many internal applications, you can restrict this to prevent your instances from communicating with unauthorized external servers, which is a key defense against data exfiltration.
Callout: Stateful vs. Stateless Explained The fundamental difference between a Security Group and a NACL lies in statefulness. A stateful firewall tracks the state of connections. If you allow an outbound connection to an external web server, the firewall remembers that connection and automatically permits the response packets to return. A stateless firewall, however, does not track connections. It treats every packet independently. If you send a request out, you must have a corresponding rule to allow the response packets to come back in.
Practical Example: The Web Tier
Imagine you are deploying a web server that needs to accept HTTP and HTTPS traffic from the internet and SSH traffic from your office IP address. Your Security Group rules would look something like this:
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | Allow web traffic |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Allow secure web traffic |
| SSH | TCP | 22 | 203.0.113.5/32 | Allow admin access from office |
In this configuration, your server will accept web requests from anyone, but only allow SSH access from your specific office IP. Because the Security Group is stateful, the server will correctly respond to these requests without needing extra rules for the return traffic.
Understanding Network ACLs (NACLs): The Stateless Perimeter
Network ACLs provide a secondary layer of security at the subnet level. Unlike Security Groups, which live at the instance level, NACLs govern all traffic entering or leaving an entire subnet. NACLs are stateless, which introduces a higher level of complexity when configuring them.
The Mechanics of NACLs
A NACL consists of a numbered list of rules that are evaluated in order, starting from the lowest rule number. The first rule that matches a packet’s criteria is applied, and no further rules are evaluated. This makes the order of your rules extremely important.
- Rule Numbers: You can define rules from 1 to 32,766. It is a best practice to leave gaps between your rule numbers (e.g., 100, 200, 300) so you can easily insert new rules later without having to renumber everything.
- Inbound and Outbound Rules: Because NACLs are stateless, you must explicitly allow both the request and the response. If you allow HTTP traffic (port 80) in, you must also have an outbound rule that allows traffic on the ephemeral ports (typically 1024–65535) to go back out.
Note: Ephemeral ports are the range of ports used by a client when initiating a connection. When a server responds, it sends the response to the client's ephemeral port. If your NACL does not allow traffic to these ports, your connections will time out.
Practical Example: Configuring a NACL for a Web Subnet
If your web subnet contains instances that need to talk to the internet, your NACL inbound and outbound rules must account for the ephemeral return traffic.
Inbound Rules:
- Rule 100: Allow TCP 80 (From 0.0.0.0/0)
- Rule 110: Allow TCP 443 (From 0.0.0.0/0)
- Rule 120: Allow TCP 1024-65535 (From 0.0.0.0/0 - for return traffic)
Outbound Rules:
- Rule 100: Allow TCP 80 (To 0.0.0.0/0)
- Rule 110: Allow TCP 443 (To 0.0.0.0/0)
- Rule 120: Allow TCP 1024-65535 (To 0.0.0.0/0 - for return traffic)
Without Rule 120 in both directions, your web server would receive the request from the user, but it would be unable to send the HTML page back because the return traffic would be blocked by the stateless nature of the NACL.
Comparing Security Groups and NACLs
To visualize the differences, consider this comparison table:
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance Level | Subnet Level |
| State | Stateful | Stateless |
| Rules | All rules are applied | Evaluated in order (number) |
| Default | Deny all by default | Allow all by default |
| Scope | Can reference other groups | IP/CIDR ranges only |
When to use which?
Security Groups are your primary tool for day-to-day traffic management. They are easier to manage because they are stateful and can reference other Security Groups (e.g., "Allow traffic from the Web-Server-SG"). Use NACLs as a "safety net" or a broad perimeter defense. For example, if you know that a specific IP range is malicious and trying to brute-force your entire VPC, you can use a NACL to block that range at the subnet level, effectively dropping their packets before they ever reach your individual instances.
Best Practices for VPC Security
1. Principle of Least Privilege
Always start with a "deny all" posture and only open the specific ports required for your application to function. Never use 0.0.0.0/0 (the entire internet) unless you are serving public-facing content. For administrative tasks like SSH or RDP, restrict access to your specific office or VPN IP addresses.
2. Use Descriptive Names and Tags
In a large environment, you will have dozens or hundreds of Security Groups. Using a naming convention such as app-name-env-role (e.g., payroll-prod-web) helps you quickly identify what a group does. Tags are also essential for cost tracking and security auditing.
3. Leverage Security Group Referencing
Instead of hardcoding IP addresses into your rules, reference other Security Groups. For example, configure your database Security Group to only accept traffic from the application server’s Security Group. If your application server’s IP changes, the rule remains valid because it is tied to the group identity rather than the IP address.
4. Regularly Audit Rules
Over time, Security Groups become cluttered with "temporary" rules that were never removed. Conduct quarterly audits to identify and delete unused rules. Automated tools or scripts can help scan your environment for overly permissive rules, such as port 22 open to the world.
5. Use NACLs for Broad Filtering
Treat NACLs as a coarse-grained filter. Use them to block entire geographic regions or malicious IP ranges that have been identified by your threat intelligence feeds. Do not attempt to use NACLs for fine-grained application-level security, as the stateless nature makes them prone to configuration errors.
Common Pitfalls and How to Avoid Them
Pitfall 1: The "Open Everything" Rule
A common mistake is setting up a Security Group with an "Allow All" rule for all traffic to troubleshoot connectivity issues. While this solves the problem, it leaves your resource completely exposed.
- The Fix: Use the VPC Reachability Analyzer or flow logs to identify exactly where the connection is failing instead of opening the floodgates.
Pitfall 2: Forgetting Ephemeral Ports in NACLs
As mentioned earlier, forgetting to allow the return traffic in a NACL is the number one cause of "silent" connection failures.
- The Fix: Always verify your NACL rules against your intended traffic flow. If you are allowing outbound traffic, ensure you have a corresponding inbound rule for the ephemeral port range (typically 1024-65535).
Pitfall 3: Over-reliance on NACLs
Some engineers attempt to manage all security through NACLs, thinking it is "more secure" because it is at the subnet level. This is a mistake because NACLs are difficult to manage for complex applications and lack the ability to reference other resources.
- The Fix: Stick to Security Groups for 95% of your traffic control needs. Reserve NACLs for broad, subnet-wide security requirements.
Pitfall 4: Ignoring Outbound Traffic
Many teams focus exclusively on inbound traffic. However, if an instance is compromised, an attacker will try to reach out to a Command and Control (C2) server to download malicious payloads or exfiltrate data.
- The Fix: Restrict outbound traffic to only the services your application needs (e.g., specific API endpoints or database clusters).
Step-by-Step: Implementing a Secure Three-Tier Architecture
To put this into practice, let's look at how you would secure a standard three-tier architecture: Web, Application, and Database.
Step 1: Create the Security Groups
- Web-SG: Allow Inbound 80/443 from
0.0.0.0/0. - App-SG: Allow Inbound traffic on the application port (e.g., 8080) from the Web-SG.
- DB-SG: Allow Inbound traffic on the database port (e.g., 5432) from the App-SG.
Step 2: Configure the NACLs
- Ensure your NACLs allow traffic between the subnets. If your Web tier is in a public subnet and your App/DB tiers are in private subnets, your NACLs must allow the specific ports to flow between those subnets.
- Set the default NACL rule (32766) to deny all.
Step 3: Verify Flow
Use the following logic to test your configuration:
- Can I reach the Web tier from my browser? (Should work)
- Can I reach the App tier from the Web tier? (Should work)
- Can I reach the DB tier from the Web tier? (Should fail—this confirms your security architecture is working as intended).
Code Snippet: Infrastructure as Code (Terraform)
Using Infrastructure as Code (IaC) is the gold standard for managing security. It allows you to peer-review your security changes before they are applied. Here is an example of how to define a secure Security Group in Terraform:
# Security Group for the Web Tier
resource "aws_security_group" "web_sg" {
name = "web-server-sg"
description = "Allow HTTP/HTTPS traffic"
vpc_id = var.vpc_id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Security Group for the App Tier (referencing the Web SG)
resource "aws_security_group" "app_sg" {
name = "app-server-sg"
vpc_id = var.vpc_id
ingress {
from_port = 8080
to_port = 8080
protocol = "tcp"
security_groups = [aws_security_group.web_sg.id]
}
}
In this code, notice how the app_sg references aws_security_group.web_sg.id. This creates a dynamic link between the two. If you update the web security group, the application tier automatically understands which traffic to accept.
Advanced Troubleshooting: VPC Flow Logs
Sometimes, even when you think your rules are correct, traffic is blocked. This is where VPC Flow Logs become your best friend. Flow logs capture information about the IP traffic going to and from network interfaces in your VPC.
To troubleshoot:
- Enable Flow Logs for your VPC or specific subnets.
- Look for "REJECT" entries in the logs.
- Analyze the source and destination IPs, ports, and protocols to identify which rule is causing the drop.
If you see a "REJECT" for traffic you expect to be allowed, it is almost certainly a missing NACL rule or an incorrectly configured Security Group ingress/egress rule.
Callout: Security Groups and NACLs are NOT enough While Security Groups and NACLs are essential, they do not inspect the content of the traffic. They only check headers (IP, port, protocol). If an attacker sends a malicious SQL injection request over port 80, a Security Group will allow it because it is "web traffic." For deep packet inspection, you need additional services like Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS).
FAQ: Common Questions
Q: Can I have multiple Security Groups on one instance? A: Yes. You can associate multiple Security Groups with a single network interface. The rules are additive; if any one of the groups allows the traffic, it is permitted.
Q: What happens if I delete a Security Group that is in use? A: You cannot delete a Security Group if it is associated with a running resource. You must first remove the association from the resource or terminate the resource.
Q: Are NACLs required? A: Every subnet has a default NACL. While you can leave it as "Allow All" for both inbound and outbound, it is considered a best practice to at least restrict management ports or implement deny rules for known bad actors.
Q: How do I handle ephemeral ports for custom applications? A: If your application uses a non-standard range for its responses, ensure your NACL rules specifically open that range. If you are unsure, you can use flow logs to see which ports are being attempted and blocked.
Summary and Key Takeaways
Securing your VPC is an ongoing process of refining rules, monitoring traffic, and adhering to the principle of least privilege. By understanding the distinct roles of Security Groups and NACLs, you can create a defense-in-depth strategy that protects your infrastructure at both the resource and the perimeter levels.
Key Takeaways:
- Security Groups are Stateful: They track connections and automatically allow return traffic. They should be your primary tool for managing resource-level access.
- NACLs are Stateless: They require explicit rules for both inbound and outbound traffic, including the ephemeral port ranges used for responses.
- Prioritize Least Privilege: Always restrict access to the absolute minimum required. Use Security Group referencing instead of hardcoded IP addresses whenever possible.
- Use IaC for Consistency: Manage your security configurations using code (Terraform, CloudFormation) to ensure they are version-controlled, auditable, and repeatable.
- Leverage Flow Logs for Troubleshooting: Don't guess why traffic is being blocked. Use VPC Flow Logs to see exactly what is being rejected and why.
- Layer Your Defenses: Remember that VPC security is only one part of the puzzle. Always supplement your network controls with application-level security and robust identity management.
- Audit Regularly: Security is not "set and forget." Regularly review your rules, remove unused entries, and update your policies to match the evolving needs of your applications.
By internalizing these principles and applying them to your daily work, you will build infrastructure that is not only functional but inherently secure. The goal is to create an environment where developers can deploy quickly, but with the confidence that the underlying network architecture is protecting the organization's most valuable assets.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons