Routing determines where traffic can go. Security groups and network ACLs (NACLs) determine whether it is allowed through. Together they form a layered defence — security groups protecting individual resources and NACLs protecting entire subnets. Understanding both, and the critical differences between them, is essential for building secure AWS architectures.
A security group acts as a virtual firewall for an instance, or more precisely for each Elastic Network Interface (ENI) it is attached to: an instance with several interfaces can carry different groups on each, and one ENI can have several groups at once. It controls inbound and outbound traffic at the instance level.
| Property | Detail |
|---|---|
| Level | Instance / ENI |
| Statefulness | Stateful — if inbound traffic is allowed, the return traffic is automatically allowed |
| Default inbound | All traffic denied |
| Default outbound | All traffic allowed |
| Rule type | Allow only — you cannot create deny rules |
| Rule evaluation | All rules evaluated together (no ordering); traffic passes if any rule permits it |
| Applies to | Only instances assigned to the security group |
Each rule specifies:
| Field | Example |
|---|---|
| Type | SSH, HTTP, HTTPS, Custom TCP, All traffic |
| Protocol | TCP, UDP, ICMP, or All |
| Port range | 22, 80, 443, 3306, 0–65535, etc. |
| Source / Destination | CIDR block (10.0.0.0/16), another security group ID, or a prefix list |
Inbound rules:
| Type | Protocol | Port | Source | Purpose |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | Public web traffic |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Secure web traffic |
| SSH | TCP | 22 | 10.0.0.0/16 | Admin access from VPC only |
Outbound rules:
| Type | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 | Allow all outbound |
One of the most powerful features is referencing another security group as a source or destination. Instead of specifying IP addresses, you say "allow traffic from any instance that belongs to security group sg-app":
| Type | Protocol | Port | Source |
|---|---|---|---|
| MySQL | TCP | 3306 | sg-app |
This means only interfaces that are members of sg-app can connect to port 3306. The reference is resolved against the private IP addresses of those members, so traffic that reaches the database via a public IP or through a NAT device does not match. If you add or remove instances from sg-app, the rule adapts automatically, with no IP maintenance needed. Referencing a group only matches its members; it does not import that group's own rules.
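The rules above can be exercised offline with a small model of security-group semantics. This is an added example, not code from the lesson or from AWS: it implements the three properties the tables describe (allow-only, any-match, stateful return traffic) plus a source rule that references another group. The group IDs sg-web, sg-app and sg-db, the instance private IPs and the `MEMBERS` map are constructed for the example.

```python
"""Offline model of AWS security-group semantics (added example, not AWS code):
allow-only rules, unordered "any match permits", stateful return traffic, and
rules whose source is another security group, resolved by membership not IP."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SGRule:
    protocol: str                    # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int                   # port range; ignored when protocol is "-1"
    to_port: int
    cidr: Optional[str] = None       # set exactly one of cidr / ref_sg
    ref_sg: Optional[str] = None     # ID of a referenced security group


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[SGRule] = field(default_factory=list)
    outbound: List[SGRule] = field(default_factory=list)


# Private IP -> security groups attached to that ENI. A group reference matches
# a peer only through this membership; a packet from a public IP never matches.
Membership = Dict[str, Set[str]]


def _matches(rule: SGRule, proto: str, port: int, peer_ip: str, members: Membership) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != proto or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        return ip_address(peer_ip) in ip_network(rule.cidr)
    return rule.ref_sg in members.get(peer_ip, set())


def sg_allows(rules: List[SGRule], proto: str, port: int, peer_ip: str, members: Membership) -> bool:
    """Security-group rules are unordered and allow-only: ANY matching rule permits."""
    return any(_matches(r, proto, port, peer_ip, members) for r in rules)


Flow = Tuple[str, str, int, str, int]   # proto, src_ip, src_port, dst_ip, dst_port


class StatefulSG:
    """Stateful evaluation: replies to a permitted inbound connection are allowed
    automatically, without consulting the outbound rules."""

    def __init__(self, sg: SecurityGroup, members: Membership):
        self.sg, self.members = sg, members
        self.established: Set[Flow] = set()

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        ok = sg_allows(self.sg.inbound, proto, dst_port, src_ip, self.members)
        if ok:
            self.established.add((proto, src_ip, src_port, dst_ip, dst_port))
        return ok

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        # Reply to a tracked inbound connection: allowed regardless of outbound rules.
        if (proto, dst_ip, dst_port, src_ip, src_port) in self.established:
            return True
        return sg_allows(self.sg.outbound, proto, dst_port, dst_ip, self.members)


# Groups built from the lesson's tables (IDs are placeholders, not real AWS IDs).
SG_WEB = SecurityGroup("sg-web",
    inbound=[SGRule("tcp", 80, 80, cidr="0.0.0.0/0"),
             SGRule("tcp", 443, 443, cidr="0.0.0.0/0"),
             SGRule("tcp", 22, 22, cidr="10.0.0.0/16")],
    outbound=[SGRule("-1", 0, 65535, cidr="0.0.0.0/0")])
# Database group: only members of sg-app may reach 3306. The default "all
# outbound" rule has been removed deliberately to show the stateful reply path.
SG_DB = SecurityGroup("sg-db", inbound=[SGRule("tcp", 3306, 3306, ref_sg="sg-app")], outbound=[])

# Constructed membership: an app instance in sg-app, a VPC instance that is not,
# and the database instance itself.
MEMBERS: Membership = {"10.0.1.10": {"sg-app"}, "10.0.1.20": {"sg-other"}, "10.0.2.50": {"sg-db"}}


def demo() -> Dict[str, bool]:
    web, db = StatefulSG(SG_WEB, MEMBERS), StatefulSG(SG_DB, MEMBERS)
    results = {
        "internet_https_to_web": web.inbound("tcp", "203.0.113.5", 51234, "10.0.1.5", 443),
        "internet_ssh_to_web": web.inbound("tcp", "203.0.113.5", 51235, "10.0.1.5", 22),
        "vpc_ssh_to_web": web.inbound("tcp", "10.0.3.9", 40000, "10.0.1.5", 22),
        "app_to_db": db.inbound("tcp", "10.0.1.10", 45000, "10.0.2.50", 3306),
        "non_member_to_db": db.inbound("tcp", "10.0.1.20", 45001, "10.0.2.50", 3306),
    }
    # Reply from the database to the app: allowed by connection state, not by a rule.
    results["db_reply_to_app"] = db.outbound("tcp", "10.0.2.50", 3306, "10.0.1.10", 45000)
    # A new connection initiated by the database: no outbound rule, so denied.
    results["db_new_outbound"] = db.outbound("tcp", "10.0.2.50", 50000, "10.0.1.10", 443)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The `non_member_to_db` case is the one worth internalising: 10.0.1.20 sits inside the VPC CIDR yet is refused, because the rule is keyed on group membership rather than on address. The `db_new_outbound` case shows the other side of statefulness: removing the default outbound rule does not break replies, but it does stop the database from initiating connections of its own.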
A Network ACL is a stateless firewall at the subnet level. Every subnet is associated with exactly one NACL (the VPC's default NACL unless you assign another); a NACL can be associated with multiple subnets.
| Property | Detail |
|---|---|
| Level | Subnet |
| Statefulness | Stateless — inbound and outbound rules are evaluated independently |
| Default NACL | Allows all inbound and outbound traffic |
| Custom NACL | Denies all traffic until you add rules |
| Rule type | Both allow and deny rules |
| Rule evaluation | Rules processed in number order (lowest first); first match wins |
| Applies to | All instances in the associated subnet(s) |
NACL rules have a rule number (1–32766). Rules are evaluated from lowest number to highest, and the first matching rule is applied.
Example inbound NACL:
| Rule # | Type | Protocol | Port | Source | Action |
|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | SSH | TCP | 22 | 10.0.0.0/16 | ALLOW |
| 200 | All traffic | All | All | 0.0.0.0/0 | DENY |
| * | All traffic | All | All | 0.0.0.0/0 | DENY |
Rule 200 is redundant: the implicit `*` rule already denies anything the numbered rules do not match. What matters more is what this inbound list omits. NACL rules match on destination port only and keep no connection state, so the reply to a connection an instance opens outbound (a package download over HTTPS, for instance) arrives on an ephemeral port and is denied by this list; an inbound allow for TCP 1024–65535 is required. Likewise the outbound NACL needs an allow on the ephemeral port range so that responses to the HTTP, HTTPS and SSH connections above can leave the subnet.
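The NACL semantics can be checked offline with the same kind of model. This is an added example, not code from the lesson or from AWS: it evaluates numbered rules lowest-first with first match wins, models the implicit `*` deny, and because it is stateless it shows why the inbound table above denies the replies to connections an instance opens itself. The inbound list is the lesson's table; the outbound list, the extra rule 130 and the client/peer addresses are constructed for the example.

```python
"""Offline model of AWS network-ACL evaluation (added example, not AWS code):
numbered rules, lowest number first, first match wins, the implicit "*" deny,
and stateless handling, which is why return traffic needs its own rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple, Union

Verdict = Tuple[str, Union[int, str]]   # ("allow" | "deny", rule number or "*")


@dataclass(frozen=True)
class NaclRule:
    number: int        # 1..32766; the implicit "*" deny is modelled separately
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all
    from_port: int     # destination port range (NACLs do not match source ports)
    to_port: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"


def evaluate(rules: List[NaclRule], proto: str, dst_port: int, peer_ip: str) -> Verdict:
    """Walk the rules in ascending number order and return the first match.
    Nothing matching falls through to the implicit "*" deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "-1" and (r.protocol != proto or not (r.from_port <= dst_port <= r.to_port)):
            continue
        if ip_address(peer_ip) in ip_network(r.cidr):
            return r.action, r.number
    return "deny", "*"


# Inbound rules exactly as in the lesson's table.
INBOUND = [
    NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(120, "tcp", 22, 22, "10.0.0.0/16", "allow"),
    NaclRule(200, "-1", 0, 65535, "0.0.0.0/0", "deny"),   # redundant with "*"
]
# Constructed outbound list: replies to the allowed inbound connections go back to
# the client's ephemeral port, so the stateless ACL needs an explicit allow for it.
OUTBOUND = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Constructed fix for the inbound side: accept replies to outbound connections.
EPHEMERAL_ALLOW = NaclRule(130, "tcp", 1024, 65535, "0.0.0.0/0", "allow")


def demo() -> Dict[str, Verdict]:
    r: Dict[str, Verdict] = {}
    # A client on the internet opens HTTPS to a web instance in the subnet...
    r["inbound_https"] = evaluate(INBOUND, "tcp", 443, "203.0.113.5")
    # ...and the reply leaves towards the client's ephemeral port 51234.
    r["reply_to_client"] = evaluate(OUTBOUND, "tcp", 51234, "203.0.113.5")
    # SSH from the internet: no allow matches, rule 200 catches it before "*".
    r["inbound_ssh_internet"] = evaluate(INBOUND, "tcp", 22, "203.0.113.5")
    # Without rule 200 the outcome is identical, just attributed to "*".
    r["without_rule_200"] = evaluate([x for x in INBOUND if x.number != 200], "tcp", 22, "203.0.113.5")
    # Stateless gap: an instance fetches updates from 198.51.100.7:443; the reply
    # arrives on the instance's ephemeral port 52000 and the lesson's list denies it.
    r["reply_to_instance"] = evaluate(INBOUND, "tcp", 52000, "198.51.100.7")
    r["reply_with_ephemeral_rule"] = evaluate(INBOUND + [EPHEMERAL_ALLOW], "tcp", 52000, "198.51.100.7")
    # Ordering: a deny for 10.0.5.0/24 only bites if numbered below the allow at 120.
    early_block = NaclRule(50, "tcp", 22, 22, "10.0.5.0/24", "deny")
    late_block = NaclRule(150, "tcp", 22, 22, "10.0.5.0/24", "deny")
    r["ssh_blocked_at_50"] = evaluate(INBOUND + [early_block], "tcp", 22, "10.0.5.7")
    r["ssh_not_blocked_at_150"] = evaluate(INBOUND + [late_block], "tcp", 22, "10.0.5.7")
    return r


if __name__ == "__main__":
    for name, (action, num) in demo().items():
        print(f"{name:26s} {action.upper():5s} (rule {num})")
```

Two results deserve attention when reviewing a real NACL. `reply_to_instance` is the classic outage: every rule in the table is "correct", yet the subnet cannot complete a connection it started, because the return packets hit the ephemeral port rather than 80, 443 or 22. `ssh_not_blocked_at_150` is the classic false sense of security: a deny rule that sorts after a broader allow never executes, so new deny rules must be numbered below the allow they are meant to override.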