2.5 Network Security
Key Takeaways
- Security Groups are stateful virtual firewalls at the instance level — if inbound traffic is allowed, the response is automatically allowed.
- Network ACLs (NACLs) are stateless firewalls at the subnet level — you must explicitly allow both inbound AND outbound traffic.
- Security Groups only support Allow rules; NACLs support both Allow and Deny rules.
- A VPC (Virtual Private Cloud) is an isolated virtual network within AWS where you deploy resources.
- AWS PrivateLink enables private connectivity between VPCs and AWS services without exposing traffic to the public internet.
Network Security
Security Groups vs. Network ACLs
Understanding the difference between Security Groups and Network ACLs (NACLs) is critical for the exam. Both control network traffic, but they work differently.
Security Groups (Instance-Level Firewall)
Security Groups act as a virtual firewall at the instance level (specifically, at the network interface level).
| Feature | Detail |
|---|---|
| Level | Instance (network interface) |
| Stateful | Yes — return traffic is automatically allowed |
| Rules | Allow rules ONLY (no Deny rules) |
| Default | Denies all inbound, allows all outbound |
| Evaluation | All rules evaluated before deciding |
| Association | Attached to instances; an instance can have multiple security groups |
Network ACLs (Subnet-Level Firewall)
Network ACLs act as a firewall at the subnet level. All traffic entering or leaving a subnet is evaluated against the NACL rules.
| Feature | Detail |
|---|---|
| Level | Subnet |
| Stateful | No — stateless; you must define both inbound AND outbound rules |
| Rules | Both Allow AND Deny rules |
| Default | The default NACL allows all inbound and outbound traffic (a newly created custom NACL denies everything until rules are added) |
| Evaluation | Rules evaluated in order by rule number (lowest first); first match wins |
| Association | One NACL per subnet; a NACL can be associated with multiple subnets |
Head-to-Head Comparison
| Feature | Security Group | Network ACL |
|---|---|---|
| Operates at | Instance level | Subnet level |
| Supports | Allow rules only | Allow AND Deny rules |
| Stateful? | Yes | No |
| Rule evaluation | All rules evaluated | Rules evaluated in number order |
| Default behavior | Deny all inbound | Allow all inbound and outbound |
On the Exam: The most common question pattern is asking you to differentiate between Security Groups and NACLs. Remember: Security Groups = stateful + instance level + Allow only. NACLs = stateless + subnet level + Allow AND Deny.
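To make the two evaluation models concrete, the following is an added example (not AWS code, and not from this study guide): a small Python model of a stateful, allow-only Security Group and a stateless, ordered Network ACL. The rule and packet shapes, the addresses (documentation ranges), and the scenario are constructed assumptions; it shows why a NACL needs an outbound ephemeral-port rule for HTTPS replies and why a Deny rule only takes effect if its rule number is lower than the Allow it is meant to override.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not AWS code. It models the two semantics described in the
# tables above: Security Groups evaluate every rule and track connections;
# NACLs evaluate in ascending rule-number order, first match wins, no tracking.


@dataclass(frozen=True)
class Packet:
    direction: str    # "inbound" (toward the instance) or "outbound" (from it)
    proto: str        # "tcp" or "udp"
    remote_ip: str    # the other party's address
    remote_port: int
    local_port: int   # port on the instance


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str        # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # Security Groups only ever carry "allow"
    number: int = 0         # NACL rule number; ignored by Security Groups

    def matches(self, pkt: Packet) -> bool:
        # Inbound rules name the local (destination) port, outbound rules the
        # remote (destination) port, as in the AWS console.
        port = pkt.local_port if pkt.direction == "inbound" else pkt.remote_port
        return (
            self.direction == pkt.direction
            and self.proto in ("all", pkt.proto)
            and self.from_port <= port <= self.to_port
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr)
        )


class SecurityGroup:
    """Stateful and allow-only: any matching rule permits the packet, and the
    reply to a permitted flow is permitted even with no rule for that direction."""

    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "Security Groups have no Deny rules"
        self.rules = list(rules)
        self._flows = set()   # connection table: (proto, remote_ip, remote_port, local_port)

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self._flows:
            return "allow"                      # return traffic of a tracked flow
        if any(r.matches(pkt) for r in self.rules):   # all rules are considered
            self._flows.add(key)
            return "allow"
        return "deny"                           # implicit deny when nothing matches


class NetworkAcl:
    """Stateless: every packet in every direction is checked against the rules in
    ascending rule-number order; first match decides; no match means deny (the * rule)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


def demo():
    """Constructed scenario: an HTTPS server, one client request and its reply,
    plus a request from a range an administrator wants to block."""
    client_req = Packet("inbound", "tcp", "198.51.100.7", 51234, 443)
    server_reply = Packet("outbound", "tcp", "198.51.100.7", 51234, 443)
    blocked_req = Packet("inbound", "tcp", "203.0.113.9", 40000, 443)

    # Security Group: only an inbound 443 rule, no outbound rules at all.
    sg = SecurityGroup([Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")])
    sg_result = (sg.evaluate(client_req), sg.evaluate(server_reply))

    allow_in = Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100)
    allow_ephemeral_out = Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=100)

    # NACL without an outbound ephemeral-port rule: the reply is dropped.
    nacl_missing = NetworkAcl([allow_in])
    # NACL with the outbound rule: the reply passes.
    nacl_ok = NetworkAcl([allow_in, allow_ephemeral_out])

    # Deny placed before (lower number than) the Allow: takes effect.
    deny_first = NetworkAcl([Rule("inbound", "tcp", 443, 443, "203.0.113.0/24", "deny", 90), allow_in])
    # Deny placed after the Allow: the Allow matches first, the Deny never runs.
    deny_later = NetworkAcl([allow_in, Rule("inbound", "tcp", 443, 443, "203.0.113.0/24", "deny", 110)])

    return {
        "sg": sg_result,
        "nacl_missing_ephemeral": (nacl_missing.evaluate(client_req), nacl_missing.evaluate(server_reply)),
        "nacl_with_ephemeral": (nacl_ok.evaluate(client_req), nacl_ok.evaluate(server_reply)),
        "deny_before_allow": deny_first.evaluate(blocked_req),
        "deny_after_allow": deny_later.evaluate(blocked_req),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two findings worth remembering from running it: the Security Group passes the reply with no outbound rule because of connection tracking, while the NACL drops the same reply until an outbound rule for ports 1024-65535 exists; and a NACL Deny numbered above an overlapping Allow is dead weight, since the lower-numbered Allow matches first.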
VPC Fundamentals
A Virtual Private Cloud (VPC) is a logically isolated virtual network in AWS. Key components include:
| Component | Description |
|---|---|
| Subnets | Subdivisions of a VPC within an AZ (public or private) |
| Route Tables | Rules that determine where network traffic is directed |
| Internet Gateway | Connects the VPC to the internet (for public subnets) |
| NAT Gateway | Allows private subnet resources to access the internet without being publicly accessible |
| VPC Peering | Private connection between two VPCs |
| VPC Endpoints | Private connection from VPC to AWS services without using the internet |
Public vs. Private Subnets
| Subnet Type | Internet Access | Use Cases |
|---|---|---|
| Public | Direct access via Internet Gateway | Web servers, load balancers, bastion hosts |
| Private | No direct access (uses NAT Gateway for outbound) | Databases, application servers, backend services |
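What actually makes a subnet "public" is its route table, not a label: a default route (0.0.0.0/0) pointing at an Internet Gateway makes it public, one pointing at a NAT Gateway makes it private with outbound-only internet access, and no default route at all leaves it isolated (a third class this guide's table does not list). The following added example, which is not AWS or this guide's code, classifies subnets from data shaped like the AWS CLI's `describe-route-tables` output; the route tables, subnet ids and gateway ids are constructed placeholders. It also covers the pitfall that subnets with no explicit association silently inherit the VPC's main route table.

```python
# Added example, not AWS code. Input mirrors the shape of
# `aws ec2 describe-route-tables` output, but all ids and data are constructed.

SAMPLE_SUBNET_IDS = [
    "subnet-web-EXAMPLE",
    "subnet-app-EXAMPLE",
    "subnet-db-EXAMPLE",
    "subnet-isolated-EXAMPLE",
    "subnet-unassociated-EXAMPLE",   # no explicit association: uses the main table
]

SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        # Main table for the VPC (Main: True) and explicitly attached to the web subnet.
        "Associations": [{"Main": True}, {"SubnetId": "subnet-web-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-app-EXAMPLE"}, {"SubnetId": "subnet-db-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-isolated-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-isolated-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_kind(route_table):
    """Return 'public', 'private' or 'isolated' based on the table's active default route."""
    kind = "isolated"
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":   # blackholed routes carry no traffic
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"            # direct path to the internet in both directions
        if route.get("NatGatewayId") or route.get("InstanceId"):
            kind = "private"           # outbound only via NAT Gateway (or a NAT instance)
    return kind


def classify_subnets(route_tables, subnet_ids):
    """Map every subnet id to its kind, honouring explicit associations first and
    falling back to the VPC's main route table for the rest."""
    explicit = {}
    main_kind = "isolated"
    for rt in route_tables:
        kind = route_table_kind(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            if "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = kind
    return {sid: explicit.get(sid, main_kind) for sid in subnet_ids}


def public_subnets(route_tables, subnet_ids):
    """The review list: subnets with a direct Internet Gateway route."""
    return sorted(s for s, k in classify_subnets(route_tables, subnet_ids).items() if k == "public")


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_IDS).items():
        print(f"{subnet}: {kind}")
```

In the constructed data the main route table is the public one, so the unassociated subnet comes out public even though nobody intended it to be; that is exactly the case a review of "which subnets are public" needs to catch, and it is why the classifier takes the full subnet list rather than only the explicit associations.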
Encryption in Transit
Encryption in transit protects data as it moves between systems:
| Method | Description |
|---|---|
| SSL/TLS | Encrypts web traffic (HTTPS) — used by most AWS services |
| VPN | Encrypted tunnel between on-premises and AWS |
| AWS PrivateLink | Private connectivity to AWS services without internet exposure |
| AWS Direct Connect + MACsec | Encrypted dedicated connection |
AWS Network Security Services
| Service | Purpose |
|---|---|
| AWS Network Firewall | Managed network firewall for VPC traffic filtering |
| AWS PrivateLink | Private connectivity between VPCs and services |
| AWS Direct Connect | Dedicated private network connection to AWS |
| AWS VPN | Encrypted connection over the internet |
| AWS Transit Gateway | Connect multiple VPCs and on-premises networks through a central hub |
Review Questions
- What is the key difference between Security Groups and Network ACLs?
- A company wants to allow resources in a private subnet to access the internet for software updates, without making them publicly accessible. What should they use?
- By default, a new Security Group:
- Which statement about Security Groups is correct?
- Which VPC component allows resources in a private subnet to access the internet for outbound traffic only?
- A company needs to privately connect their VPC to Amazon S3 without traffic going over the internet. Which type of VPC Endpoint should they use?
- What is the purpose of AWS PrivateLink?