[AWS] VPC – Security

VPCs can be protected with two layers of firewalls: one for a subnet (NACL) and another for an instance (Security Group).

Network Access Control List (NACL)


  • NACL controls the traffic across the boundary of subnets.
    • Any traffic inside subnet is not affected by NACL.
    • A NACL can be attached to many subnets.
    • A subnet can be associated with only 1 NACL.
  • NACL operates at Layer 4 (Transport – TCP/UDP) and is stateless (connection state is a session-layer concept, above Layer 4).
    • For every inbound rule that admits a request, a matching outbound rule must explicitly allow the return traffic, and vice versa.
  • A subnet must be associated with a NACL, which only impacts traffic crossing the boundary of a subnet.
  • NACL is a collection of rules that can explicitly allow or deny traffic based on its protocol, port range, and source/destination.
    • Rules are processed in numbered order, lowest first.
    • Rules can only reference CIDR ranges (not security group IDs).
    • When a match is found, the processing stops. The “*” rule is processed last.
    • Anything not matched by an earlier rule hits the “*” rule, which is a catch-all deny (implicit deny).
  • NACL has two sets of rules:
    • Inbound: From outside of a subnet to inside
    • Outbound: From inside of a subnet to outside
  • In general, you need to use NACL (not security groups) to block specific IP addresses.

Default NACL

  • A default VPC has a default NACL, which allows all inbound and outbound traffic.
[Figure: Default NACL in a default VPC]

Custom NACL

  • A custom network ACL denies all inbound and outbound traffic.
    • A custom NACL does not have the Rule #100 that allows all traffic, so only the “*” deny rule remains until you add rules.

Ephemeral Ports

  • When a client initiates communication with a server, it connects to the server's well-known port number, but the response goes back to a different (ephemeral) port on the client.
  • Port range: 1024-65535
  • Because NACLs are stateless, the NACL outbound rules must explicitly allow this range or the responses are dropped.

Security Groups

A Security Group is a virtual (software) firewall that is attached to an ENI (Elastic Network Interface), which is how it protects EC2 instances, RDS databases, Lambda functions in a VPC, and so on.

  • Each group has inbound rules and outbound rules.
  • A security group has a hidden (implicit/default) Deny rule.
  • A security group rule can reference a CIDR range or a security group ID.
  • Only allow rules can be specified; a security group cannot explicitly deny traffic.
    • You cannot block specific IPs using a security group.
  • Security groups are Stateful, which means that for any allowed traffic, the return traffic is automatically enabled. (OSI Layer 5 – Session)
  • A security group can be shared across two VPCs in the same region.
  • Changes to security groups take effect immediately.
  • You can attach multiple security groups to an EC2 instance.
    • Each ENI is allowed up to 5 security groups.
  • You can have any number of EC2 instances within a security group.
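
To make the NACL and security group behaviour above concrete, here is an added Python model (not code from this post or from AWS) of first-match NACL evaluation beside a stateful security group: it shows an HTTPS request admitted by a stateless NACL whose reply is dropped for lack of an ephemeral-port outbound rule, a lower-numbered deny overriding a later allow, and a security group admitting the reply with no outbound rule consulted. The rule sets, IP addresses and port numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order (lowest first); ignored for security groups
    protocol: str    # "tcp", "udp" or "all"
    ports: tuple     # inclusive (low, high) port range
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"; a security group only ever holds "allow"

def matches(rule, protocol, port, ip):
    if rule.protocol not in ("all", protocol):
        return False
    lo, hi = rule.ports
    return lo <= port <= hi and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)

def evaluate_nacl(rules, protocol, port, ip):
    """NACL semantics: numbered order, first match wins, otherwise the '*' catch-all denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, port, ip):
            return rule.action
    return "deny"

def nacl_https_session(inbound, outbound, client_ip, ephemeral_port):
    """Stateless: the request on 443 and the reply to the client's ephemeral port are judged separately."""
    return (evaluate_nacl(inbound, "tcp", 443, client_ip),
            evaluate_nacl(outbound, "tcp", ephemeral_port, client_ip))

def sg_https_session(inbound, client_ip):
    """Stateful: once the request matches an allow rule, connection tracking admits the reply automatically."""
    request = "allow" if any(matches(r, "tcp", 443, client_ip) for r in inbound) else "deny"
    return (request, request)   # outbound rules are never consulted for return traffic

# Constructed rule sets for illustration (not exported from any real AWS account)
NACL_IN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]   # ephemeral range forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
# A deny numbered below the allow wins for that range, because processing stops at the first match
NACL_IN_BLOCK = [Rule(90, "all", (0, 65535), "203.0.113.0/24", "deny")] + NACL_IN
SG_IN = [Rule(0, "tcp", (443, 443), "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(nacl_https_session(NACL_IN, NACL_OUT_BROKEN, "198.51.100.7", 50000))  # ('allow', 'deny')
    print(nacl_https_session(NACL_IN, NACL_OUT_FIXED, "198.51.100.7", 50000))   # ('allow', 'allow')
    print(evaluate_nacl(NACL_IN_BLOCK, "tcp", 443, "203.0.113.9"))              # deny
    print(sg_https_session(SG_IN, "198.51.100.7"))                              # ('allow', 'allow')
```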

Default Security Group

  • A default VPC creates a default security group.
    • It disallows all inbound traffic except from the same security group.
      • Allows all traffic between instances in the same security group
    • It allows all outbound traffic.
[Figure: Default security group – inbound rules]
[Figure: Default security group – outbound rules]

Custom Security Group

  • A newly created security group has different default rules.
    • It denies all inbound traffic.
    • It allows all outbound traffic.
[Figure: New security group – inbound rules]
