Security Groups & NACLs

Protecting Your VPC

The internet is a busy highway, and not all traffic is safe. To protect your AWS resources, AWS provides Security Groups and Network Access Control Lists (NACLs) — two layers of security that control which traffic gets in or out of your VPC. In this article, we’ll explore how Security Groups and NACLs work, their differences, and best practices for using them effectively.

---

What Are Security Groups?

A Security Group is like a virtual firewall that controls inbound and outbound traffic for AWS resources such as EC2 instances.

Key Features:

• Resource-Level Protection: Security Groups are attached to individual resources like EC2 instances or load balancers.
• Stateful: If an inbound rule allows traffic, the response is automatically allowed without an explicit outbound rule.
• Rule-Based: Security Groups use rules to define allowed traffic. Rules include:
  • Protocol: (e.g., TCP, UDP, ICMP)
  • Port Range: (e.g., 22 for SSH, 80 for HTTP)
  • Source/Destination: (e.g., a CIDR block or another security group)

---

Mental Model: Security Groups as Club Bouncers

Think of Security Groups as bouncers at the entrance to a club. They:

• Check who’s allowed in (inbound traffic).
• Ensure only authorized people leave with valuables (outbound traffic).
• Keep a "memory" of who is inside so return traffic doesn’t need additional approval (stateful behavior).

---

How to Set Up Security Groups

1. Go to the Security Groups Dashboard:

   • In the AWS Management Console, navigate to EC2 > Security Groups.

2. Create a New Security Group:

   • Name your group and associate it with a specific VPC.

3. Add Inbound Rules:

   • Define protocols, port ranges, and sources.
   • Example: Allow SSH (TCP, Port 22) from your office IP address only (203.0.113.0/24).

4. Add Outbound Rules:

   • Define protocols, port ranges, and destinations.
   • Example: Allow all outbound traffic (0.0.0.0/0) for updates or external communication.

5. Attach to Resources:

   • Assign the security group to your EC2 instance, load balancer, or other resources.

---

What Are Network Access Control Lists (NACLs)?

A Network Access Control List (NACL) is an optional layer of security for your VPC that acts at the subnet level.

Key Features:

• Subnet-Level Protection: NACLs apply to all resources in a subnet.
• Stateless: Rules for inbound and outbound traffic are evaluated separately.
• Rule-Based with Priorities:
  • Rules are numbered, and AWS evaluates them in order (lowest number first).
  • You must explicitly allow return traffic with outbound rules.

---

Mental Model: NACLs as Neighborhood Security Gates

Think of NACLs as the security gate for a neighborhood:

• They decide who can enter (inbound traffic) and leave (outbound traffic) the entire area.
• Each vehicle (traffic flow) is evaluated independently for both entry and exit (stateless behavior).

---

How to Set Up NACLs

1. Go to the VPC Dashboard:

   • In the AWS Management Console, navigate to VPC > Network ACLs.

2. Create a New NACL:

   • Name the NACL and associate it with a specific VPC.

3. Define Rules:

   • Add inbound and outbound rules with specific priorities.
   • Example: Allow HTTP (Port 80) and HTTPS (Port 443) traffic while blocking everything else.

4. Associate the NACL with a Subnet:

   • Under the Subnet Associations tab, select one or more subnets to apply the NACL.

5. Test Your Configuration:

   • Verify that only allowed traffic reaches the subnet’s resources.

---

Security Groups vs. NACLs

Key Differences:

• Scope:

  • Security Groups apply to individual resources (e.g., EC2 instances).
  • NACLs apply to entire subnets.

• Behavior:

  • Security Groups are stateful: allowing traffic in automatically allows return traffic.
  • NACLs are stateless: inbound and outbound traffic rules are evaluated separately.

• Rules:

  • Security Groups only allow "allow" rules.
  • NACLs allow both "allow" and "deny" rules.

• Evaluation Order:

  • Security Groups evaluate all rules simultaneously.
  • NACLs evaluate rules in numerical order (lowest to highest).

• Use Cases:

  • Use Security Groups for fine-grained resource-level control.
  • Use NACLs for broader subnet-level control.

---

Common Scenarios

1. Public Web Server

• Security Group:
  • Allow inbound HTTP (Port 80) and HTTPS (Port 443) from 0.0.0.0/0.
  • Allow SSH (Port 22) only from your office IP.
• NACL:
  • Allow inbound HTTP and HTTPS.
  • Block all other inbound traffic.

2. Private Database Server

• Security Group:
  • Allow inbound MySQL (Port 3306) traffic only from the application server’s security group.
• NACL:
  • Allow inbound MySQL traffic from the application subnet.
  • Block all other inbound traffic.

3. Mixed Subnets

• Public subnet with a NACL allowing inbound HTTP/HTTPS for web servers.
• Private subnet with a NACL allowing only outbound traffic via a NAT Gateway.

---

Troubleshooting Common Issues

1. Traffic Blocked Despite Open Security Group Rules

• Check the associated NACL. A "deny" rule in the NACL can override the Security Group.

2. Resources Not Accessible Internally

• Verify Security Group rules allow traffic from other Security Groups or subnets.

3. Return Traffic Not Working

• Remember that NACLs are stateless, so ensure outbound rules explicitly allow return traffic.

---

Big Words Defined

• Security Group: A virtual firewall that controls inbound and outbound traffic for individual resources.
• Network ACL (NACL): A subnet-level firewall that evaluates traffic with stateless rules.
• Stateful: Automatically allows return traffic for an inbound or outbound connection.
• Stateless: Requires explicit rules for both inbound and outbound traffic.
• Rule Priority: In NACLs, lower-numbered rules are evaluated first.

---

What’s Next?

Next, we’ll explore VPC Flow Logs — a tool for monitoring and troubleshooting traffic within your VPC.