Firewall in VPC

Understanding VPC Security Controls

ℹ️ What are VPC Security Controls?
Amazon VPC provides multiple security features that function as virtual firewalls, allowing you to precisely control network traffic at different layers of your infrastructure. The two primary security mechanisms are Security Groups and Network Access Control Lists (NACLs).

Security Groups

ℹ️ What is a Security Group?
A Security Group acts as a virtual firewall at the instance level, controlling inbound and outbound traffic for your Amazon EC2 instances. Security Groups provide stateful filtering, meaning return traffic is automatically allowed regardless of outbound rules.

⚠️ Important Considerations

  • Each EC2 instance can be associated with up to 5 Security Groups
  • Security Groups operate at the instance level, not at the subnet level
  • By default, all outbound traffic is allowed and all inbound traffic is denied
  • Security Group rules can reference other Security Groups, AWS services, or IP ranges

🔒 Security Note
Security Groups are stateful, meaning if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Network Access Control Lists (NACLs)

ℹ️ What is a Network ACL?
A Network ACL functions as an optional security layer for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. Unlike Security Groups, NACLs operate at the subnet level and provide stateless filtering.

💡 Pro Tip
While Security Groups and NACLs can have similar rules, they work best together as complementary controls. Use Security Groups for fine-grained instance-level control and NACLs for broader subnet-level protection.

⚠️ Important Considerations

  • Each subnet must be associated with exactly one NACL (default or custom)
  • NACLs are stateless, requiring explicit rules for both inbound and outbound traffic
  • Rules are evaluated in numerical order, lowest number first, and the first rule that matches the traffic decides whether it is allowed or denied
  • The default NACL allows all inbound and outbound traffic
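The stateful-versus-stateless difference described in the two sections above, as an added illustration in plain Python (not AWS code, and not part of the workshop): a small evaluator that applies NACL rules lowest-number-first with first-match semantics, and contrasts it with a Security Group, where an allowed request implies an allowed reply. Rule numbers, CIDRs and addresses are constructed examples.

```python
import ipaddress

# Constructed rule sets (not from any real account). NACL rule tuple:
# (rule_number, protocol, port_from, port_to, cidr, action). Traffic that
# matches no rule falls through to the implicit "*" deny at the end.
INBOUND_NACL = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (200, "tcp", 22, 22, "10.0.0.0/16", "allow"),   # SSH only from inside the VPC
    (300, "tcp", 22, 22, "0.0.0.0/0", "deny"),      # explicit deny for everyone else
]
OUTBOUND_NACL = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # ephemeral ports so replies can leave
]
# Security Group rules are allow-only: (protocol, port_from, port_to, cidr)
INBOUND_SG = [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.0.0/16")]


def _matches(proto, lo, hi, cidr, pkt_proto, pkt_port, pkt_addr):
    return (proto == pkt_proto and lo <= pkt_port <= hi
            and ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(cidr))


def nacl_decision(rules, proto, port, addr):
    """NACL: walk rules by ascending number; the first match decides, else deny."""
    for _num, rproto, lo, hi, cidr, action in sorted(rules):
        if _matches(rproto, lo, hi, cidr, proto, port, addr):
            return action
    return "deny"


def nacl_allows_exchange(inbound, outbound, proto, svc_port, client_ip, client_port):
    """Stateless: the request AND its reply each need an explicit allow.
    The request is checked on the service port and source IP; the reply is
    checked on the client's ephemeral port and destination IP."""
    return (nacl_decision(inbound, proto, svc_port, client_ip) == "allow"
            and nacl_decision(outbound, proto, client_port, client_ip) == "allow")


def sg_allows_exchange(inbound, proto, svc_port, client_ip):
    """Stateful: any matching allow admits the request, and the reply is
    tracked and permitted without consulting outbound rules."""
    return any(_matches(p, lo, hi, cidr, proto, svc_port, client_ip)
               for p, lo, hi, cidr in inbound)


if __name__ == "__main__":
    # Same inbound allow on 443, but without the outbound ephemeral rule the
    # reply is dropped by the NACL while the Security Group still passes it.
    print(nacl_allows_exchange(INBOUND_NACL, OUTBOUND_NACL, "tcp", 443, "203.0.113.10", 51234))
    print(nacl_allows_exchange(INBOUND_NACL, [], "tcp", 443, "203.0.113.10", 51234))
    print(sg_allows_exchange(INBOUND_SG, "tcp", 443, "203.0.113.10"))
```

Inserting a deny with a lower number than an existing allow (for example rule 150 denying port 22 from 0.0.0.0/0) shadows the allow at 200, which is the ordering mistake the numeric-evaluation rule above warns about.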

Workshop Contents