A web application needs to block traffic from a specific malicious IP address. Which component should you use?

Network ACL with a Deny rule for the IP. Only NACLs support Deny rules. Security groups only support Allow rules, so they cannot explicitly block a specific IP. NACLs operate at the subnet level and evaluate rules in number order, making them ideal for IP-based blocking.

A company wants EC2 instances in a private subnet to access S3 without internet access. What should they use?

Gateway VPC endpoint for S3. A Gateway VPC endpoint for S3 is the best choice. It is free, keeps traffic within the AWS network, and requires no internet gateway or NAT device. It simply adds a route table entry that directs S3 traffic to the endpoint.

What does "stateful" mean in the context of security groups?

Return traffic is automatically allowed if inbound traffic is permitted. Stateful means that if you allow inbound traffic, the return (response) traffic is automatically allowed regardless of outbound rules. This is the key difference from NACLs, which are stateless and require explicit rules for both directions.

Which VPC endpoint type should you use for private access to Amazon SQS?

Interface endpoint (PrivateLink). Interface endpoints (powered by AWS PrivateLink) support most AWS services including SQS, SNS, KMS, and CloudWatch. Gateway endpoints only support S3 and DynamoDB.

VPC Security — Security Groups, NACLs, and VPC Endpoints

Quick Answer: Security groups are stateful firewalls at the instance level (Allow rules only). NACLs are stateless firewalls at the subnet level (Allow and Deny rules). VPC endpoints let you connect to AWS services privately without internet access. Layer all three for defense in depth.

Security Groups (SGs)

Security groups act as virtual firewalls for EC2 instances, RDS instances, Lambda functions (in VPC), and other resources.

Key Characteristics

Feature	Security Group Behavior
Level	Instance (ENI) level
State	Stateful — return traffic automatically allowed
Rules	Allow only — no Deny rules
Default	All inbound denied, all outbound allowed
Evaluation	All rules evaluated before decision
Changes	Take effect immediately
Association	Multiple SGs per instance; multiple instances per SG

Stateful Explained

If you create an inbound rule allowing HTTP on port 80, the response traffic going back out on port 80 is automatically allowed without an outbound rule. This is what "stateful" means.

Security Group Best Practices

Use descriptive names (e.g., "web-server-sg", "database-sg")
Reference other security groups instead of IP addresses when possible
Keep rules as restrictive as possible (least privilege)
Separate security groups by function (web tier, app tier, database tier)

Common Security Group Patterns

Tier	Inbound Rules	Outbound Rules
Web tier	Port 80/443 from 0.0.0.0/0	All traffic to app tier SG
App tier	Port 8080 from web-tier-sg	All traffic to db-tier-sg
DB tier	Port 3306 from app-tier-sg	None needed (stateful)

Network ACLs (NACLs)

NACLs are stateless firewalls at the subnet level. They are an additional layer of defense beyond security groups.

Key Characteristics

Feature	NACL Behavior
Level	Subnet level
State	Stateless — must allow both inbound AND outbound
Rules	Allow AND Deny rules
Default	Allows all inbound and outbound (default NACL)
Evaluation	Rules evaluated in number order (lowest first); first match wins
Association	One NACL per subnet; one NACL can apply to many subnets

Stateless Explained

If you allow inbound HTTP on port 80, you MUST also create an outbound rule allowing the response traffic on ephemeral ports (1024-65535). Without the outbound rule, responses are blocked.

NACL Rule Evaluation

Rules are evaluated from lowest number to highest. The first match wins.

Rule #	Type	Protocol	Port Range	Source	Allow/Deny
100	HTTP	TCP	80	0.0.0.0/0	ALLOW
110	HTTPS	TCP	443	0.0.0.0/0	ALLOW
120	SSH	TCP	22	10.0.0.0/8	ALLOW
200	All Traffic	All	All	203.0.113.50/32	DENY
*	All Traffic	All	All	0.0.0.0/0	DENY

On the Exam: If a question asks "how to BLOCK a specific IP address from accessing your VPC," the answer is NACL (not security group) because only NACLs support Deny rules.

Security Groups vs. NACLs Comparison

Feature	Security Group	NACL
Level	Instance (ENI)	Subnet
State	Stateful	Stateless
Rule types	Allow only	Allow and Deny
Default	Deny all in, allow all out	Allow all in and out
Evaluation	All rules evaluated	First match wins (number order)
Block specific IPs	Cannot (no Deny)	Can (supports Deny rules)
Use case	Primary instance firewall	Additional subnet-level filtering

VPC Endpoints

VPC endpoints allow you to privately connect your VPC to AWS services without traversing the internet, NAT gateway, or VPN.

Types of VPC Endpoints

Type	Description	Services	Cost
Gateway Endpoint	Route table entry pointing to AWS service	S3 and DynamoDB only	Free
Interface Endpoint	ENI with private IP in your subnet (powered by AWS PrivateLink)	Most AWS services (SQS, SNS, KMS, CloudWatch, etc.)	Per hour + per GB

Why Use VPC Endpoints?

Security — Traffic stays within the AWS network, never touches the internet
Cost — No need for NAT gateway (saves $0.045/GB data processing charges)
Performance — Lower latency than routing through internet gateway
Compliance — Meet requirements that prohibit data traversing the public internet

Gateway Endpoint for S3

Free to use
Specified in route table as a target
Supports S3 bucket policies that restrict access to specific VPC endpoints
Does NOT require an internet gateway, NAT device, or VPN

Interface Endpoint (PrivateLink)

Creates an Elastic Network Interface (ENI) in your subnet
Has a private IP address from your subnet range
Supports security groups for access control
Can be accessed from on-premises via VPN/Direct Connect

On the Exam: "A company wants to ensure S3 traffic never traverses the public internet" → Gateway VPC Endpoint for S3. "A company needs private access to SQS from within their VPC" → Interface VPC Endpoint.

VPC Flow Logs

VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC.

Feature	Description
Levels	VPC, subnet, or ENI level
Destination	CloudWatch Logs, S3, or Kinesis Data Firehose
Content	Source/dest IP, ports, protocol, action (ACCEPT/REJECT), bytes
NOT captured	DNS traffic, DHCP, metadata (169.254.169.254), Windows license activation

Use cases:

Troubleshoot connectivity issues
Monitor traffic patterns
Detect anomalous traffic (security monitoring)
Compliance auditing

AWS Solutions Architect Associate

1.3 VPC Security — Security Groups, NACLs, and VPC Endpoints

Key Takeaways

VPC Security — Security Groups, NACLs, and VPC Endpoints

Security Groups (SGs)

Key Characteristics

Stateful Explained

Security Group Best Practices

Common Security Group Patterns

Network ACLs (NACLs)

Key Characteristics

Stateless Explained

NACL Rule Evaluation

Security Groups vs. NACLs Comparison

VPC Endpoints

Types of VPC Endpoints

Why Use VPC Endpoints?

Gateway Endpoint for S3

Interface Endpoint (PrivateLink)

VPC Flow Logs

AWS Solutions Architect Associate

1Introduction

2Domain 1: Design Secure Architectures (30%)

3Domain 2: Design Resilient Architectures (26%)

4Domain 3: Design High-Performing Architectures (24%)

5Domain 4: Design Cost-Optimized Architectures (20%)

6VPC and Networking Deep Dive

7Migration, Transfer, and Hybrid Services

8Serverless Architecture and Application Services

9Advanced Topics and Exam Scenarios

1.3 VPC Security — Security Groups, NACLs, and VPC Endpoints

Key Takeaways

VPC Security — Security Groups, NACLs, and VPC Endpoints

Security Groups (SGs)

Key Characteristics

Stateful Explained

Security Group Best Practices

Common Security Group Patterns

Network ACLs (NACLs)

Key Characteristics

Stateless Explained

NACL Rule Evaluation

Security Groups vs. NACLs Comparison

VPC Endpoints

Types of VPC Endpoints

Why Use VPC Endpoints?

Gateway Endpoint for S3

Interface Endpoint (PrivateLink)

VPC Flow Logs