1.3 VPC Security — Security Groups, NACLs, and VPC Endpoints
Key Takeaways
- Security groups are stateful firewalls at the instance/ENI level — allowed inbound traffic has its return traffic automatically permitted.
- Network ACLs (NACLs) are stateless firewalls at the subnet level — you must explicitly allow both inbound and outbound, including ephemeral return ports.
- VPC endpoints (Gateway and Interface) reach AWS services privately without the public internet, improving security and cutting NAT costs.
- Security groups support only Allow rules; NACLs support both Allow and Deny rules evaluated in number order.
- VPC Flow Logs capture IP-traffic metadata to CloudWatch Logs, S3, or Kinesis Data Firehose for monitoring and forensics.
Quick Answer: Security groups are stateful firewalls at the instance/ENI level with Allow-only rules. Network ACLs (NACLs) are stateless firewalls at the subnet level supporting Allow and Deny. VPC endpoints connect to AWS services privately. Layer all three for defense in depth.
Security Groups (SGs)
A security group is a virtual firewall attached to an Elastic Network Interface (ENI) — on EC2, RDS, Lambda-in-VPC, and more.
| Feature | Security Group Behavior |
|---|---|
| Level | Instance / ENI |
| State | Stateful — return traffic auto-allowed |
| Rules | Allow only (no Deny) |
| Default | Inbound denied, outbound allowed |
| Evaluation | All rules combined; any match permits |
| References | Can reference other security group IDs |
Because SGs are stateful, an inbound rule for port 443 automatically permits the response — you never write a matching outbound rule. A powerful pattern is chaining by SG reference: the database SG allows port 3306 from the app-tier SG ID, not from an IP range, so scaling the app tier needs no firewall edits.
| Tier | Inbound | Outbound |
|---|---|---|
| Web | 80/443 from 0.0.0.0/0 | to app-tier SG |
| App | 8080 from web-tier SG | to db-tier SG |
| DB | 3306 from app-tier SG | default (stateful) |
Network ACLs (NACLs)
A NACL is a stateless firewall at the subnet boundary.
| Feature | NACL Behavior |
|---|---|
| Level | Subnet |
| State | Stateless — allow inbound AND outbound separately |
| Rules | Allow and Deny |
| Default NACL | Allows all in and out |
| Custom NACL | Denies all until rules added |
| Evaluation | Lowest rule number first; first match wins |
Stateless means responses are not implied. If you allow inbound port 443, you must also allow outbound on ephemeral ports (1024–65535) so replies can leave, and vice versa. Because the lowest-numbered match wins, a Deny that must override a broader Allow also needs a lower rule number than that Allow.
| Rule # | Protocol | Port | Source | Action |
|---|---|---|---|---|
| 100 | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | TCP | 22 | 10.0.0.0/8 | ALLOW |
| 200 | All | All | 203.0.113.50/32 | DENY |
| * | All | All | 0.0.0.0/0 | DENY (implicit) |
On the Exam: "Block a single malicious IP from the whole subnet" → NACL Deny rule (security groups have no Deny). "Inbound traffic is allowed but the return traffic is blocked" → you forgot the ephemeral outbound NACL rule.
Side-by-Side
| Feature | Security Group | NACL |
|---|---|---|
| Scope | ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow + Deny |
| Order | All evaluated | First match wins |
| Block one IP | Cannot | Can |
VPC Endpoints
VPC endpoints let resources reach AWS services privately, bypassing the internet gateway, NAT gateway, and VPN.
| Type | Mechanism | Services | Cost |
|---|---|---|---|
| Gateway endpoint | Route-table target | S3 and DynamoDB only | Free |
| Interface endpoint | ENI with private IP (AWS PrivateLink) | Most services (SQS, SNS, KMS, CloudWatch, Secrets Manager, EC2 API…) | ~$0.01/hr/AZ + ~$0.01/GB |
Benefits: traffic stays on the AWS backbone (security/compliance), you avoid NAT gateway data-processing charges (~$0.045/GB), and latency drops. Gateway endpoints attach to route tables and can be locked down with endpoint policies; interface endpoints carry a private IP and support security groups, and can be reached from on-premises over Direct Connect or VPN.
On the Exam: "Private subnet must reach S3 with no internet" → Gateway endpoint (free). "Private access to SQS / KMS / Secrets Manager" → Interface endpoint (PrivateLink).
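Added example, not from the original notes: how the route a gateway endpoint adds wins over the NAT default route in a private subnet. The VPC router picks the most specific matching route, so the endpoint's prefix-list entries (constructed placeholder ranges and ids here; the real S3 list comes from `aws ec2 describe-managed-prefix-lists`) capture S3-bound traffic without touching the 0.0.0.0/0 route.

```python
import ipaddress

# Managed prefix lists referenced by route destinations. Constructed placeholder id and
# ranges; the real S3 list for a region comes from `aws ec2 describe-managed-prefix-lists`.
PREFIX_LISTS = {
    "pl-s3-placeholder": ["192.0.2.0/24", "198.51.100.0/24"],
}

def expand_routes(route_table):
    """Resolve each (destination, target) route into (network, target) pairs; a
    prefix-list destination becomes one pair per member CIDR."""
    expanded = []
    for dest, target in route_table:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return expanded

def select_route(route_table, dst_ip):
    """Pick the target the VPC router would use: the most specific route that contains
    dst_ip (longest prefix match). Returns None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, tgt) for net, tgt in expand_routes(route_table) if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path_summary(route_table, dst_ips):
    """Map each destination to its target, handy for confirming that S3-bound flows leave
    via the endpoint while everything else still uses the NAT gateway."""
    return {ip: select_route(route_table, ip) for ip in dst_ips}

# Constructed private-subnet route table (placeholder target ids): the local VPC route,
# a default route through a NAT gateway, and the route a gateway endpoint adds for S3.
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0123456789abcdef0"),
    ("pl-s3-placeholder", "vpce-0123456789abcdef0"),
]
```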
VPC Flow Logs
VPC Flow Logs record IP-traffic metadata at the VPC, subnet, or ENI level.
| Property | Detail |
|---|---|
| Destinations | CloudWatch Logs, S3, or Kinesis Data Firehose |
| Captures | Source/dest IP, ports, protocol, packets, bytes, ACCEPT/REJECT |
| Does NOT capture | Packet payloads, traffic to the instance metadata service (169.254.169.254), DHCP, Amazon DNS, Windows license activation |
Use them for connectivity troubleshooting (look for REJECT), anomaly detection, and compliance audits. Remember they log metadata only — they are not a packet capture; for payload inspection use Network Firewall or Traffic Mirroring.
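To make the "look for REJECT" advice concrete, here is an added example (not part of the original notes) that parses default-format flow log records and flags the signature of the missing-ephemeral-rule mistake: a request ACCEPTed into the instance whose reply was REJECTed on the way out. The sample records, account id and ENI id are constructed placeholders.

```python
# Default VPC Flow Log record layout (the 14 version-2 fields, space separated).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

def parse_record(line):
    """Parse one flow-log line into a dict; '-' (NODATA/SKIPDATA records) becomes None."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    rec = dict(zip(FIELDS, values))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def rejects_by_source(lines):
    """Count REJECT records per source address (a quick scan/anomaly indicator)."""
    counts = {}
    for rec in map(parse_record, lines):
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] = counts.get(rec["srcaddr"], 0) + 1
    return counts

def stuck_replies(lines, instance_ip, service_port):
    """Return clients whose request to the instance was ACCEPTed but whose reply, sent
    from the service port back to the client's ephemeral port, was REJECTed. A stateful
    security group never produces this pattern; it is the signature of a stateless NACL
    with no outbound ephemeral-port rule."""
    accepted = set()
    rejected = []
    for rec in map(parse_record, lines):
        if rec["log_status"] != "OK":
            continue
        if (rec["dstaddr"], rec["dstport"], rec["action"]) == (instance_ip, service_port, "ACCEPT"):
            accepted.add((rec["srcaddr"], rec["srcport"]))
        if (rec["srcaddr"], rec["srcport"], rec["action"]) == (instance_ip, service_port, "REJECT"):
            rejected.append((rec["dstaddr"], rec["dstport"]))
    return sorted(c for c in rejected if c in accepted and 1024 <= c[1] <= 65535)

# Constructed sample records (placeholder account id and ENI id): a client request that
# was accepted, its reply that was rejected, an unrelated SSH probe, and a NODATA interval.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 51515 443 6 8 2240 1700000000 1700000059 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 198.51.100.7 443 51515 6 1 60 1700000000 1700000059 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.50 10.0.1.20 40022 22 6 3 180 1700000000 1700000059 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA",
]
```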
Reading a Connectivity Failure (worked example)
The exam loves "my instance cannot be reached" scenarios that hinge on the SG-vs-NACL interaction. Walk the path in order. Suppose a web server in a public subnet is unreachable on port 443 from the internet. Check, in sequence: (1) the route table has a route to the internet gateway; (2) the NACL allows inbound 443 AND outbound on ephemeral ports 1024–65535 — a missing ephemeral outbound rule is the single most common NACL mistake; (3) the security group allows inbound 443 from the client range.
If inbound works but responses vanish, the culprit is almost always the stateless NACL missing the return-path rule, because the stateful security group would have handled the return automatically.
A second classic: instance A can ping instance B but B cannot reply. Because security groups are stateful, an allowed inbound flow returns freely, so a one-way failure between two instances usually means a NACL is blocking the ephemeral return ports on one subnet, not the security group.
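The path walk above, as an added example that is not from the original notes: a small Python model of first-match NACL evaluation and any-match, allow-only security group evaluation, using the inbound NACL table from this section as constructed sample data. The rule tables, IPs and SG ids are constructed for the demo.

```python
import ipaddress

# NACL rule: (rule_number, protocol, (low_port, high_port), cidr, action).
# Stateless: lowest number first, first match wins, implicit DENY if nothing matches.
def nacl_verdict(rules, proto, port, peer_ip):
    for _num, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("all", proto):
            continue
        if rproto != "all" and not lo <= port <= hi:
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(cidr):
            continue
        return action
    return "DENY"

# SG rule: (protocol, (low_port, high_port), source); source is a CIDR or an SG id.
# Allow-only and unordered: any matching rule permits the flow.
def sg_allows(rules, proto, port, peer_ip, peer_sgs=()):
    for rproto, (lo, hi), src in rules:
        if rproto not in ("all", proto) or not lo <= port <= hi:
            continue
        if src.startswith("sg-"):
            if src in peer_sgs:          # SG-reference chaining: no IP ranges needed
                return True
        elif ipaddress.ip_address(peer_ip) in ipaddress.ip_network(src):
            return True
    return False

def trace_tcp(client_ip, client_port, dst_port, nacl_in, nacl_out, sg_in, client_sgs=()):
    """Walk a TCP request into the subnet and its reply back out; return the hops that
    dropped it (an empty list means the connection works end to end)."""
    failed = []
    if nacl_verdict(nacl_in, "tcp", dst_port, client_ip) != "ALLOW":
        failed.append("NACL inbound")
    if not sg_allows(sg_in, "tcp", dst_port, client_ip, client_sgs):
        failed.append("SG inbound")
    # Reply goes to the client's ephemeral port: the stateful SG passes it, the NACL must allow it.
    if nacl_verdict(nacl_out, "tcp", client_port, client_ip) != "ALLOW":
        failed.append("NACL outbound (ephemeral return)")
    return failed

# Constructed sample data: the inbound NACL table from this section, an outbound NACL
# that forgot the ephemeral rule, and a web-tier SG that allows 443 from anywhere.
NACL_IN = [(100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
           (120, "tcp", (22, 22), "10.0.0.0/8", "ALLOW"),
           (200, "all", (0, 65535), "203.0.113.50/32", "DENY")]
NACL_OUT_BROKEN = []
NACL_OUT_FIXED = [(100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")]
SG_WEB = [("tcp", (443, 443), "0.0.0.0/0")]
```

With the section's numbering, `nacl_verdict(NACL_IN, "tcp", 443, "203.0.113.50")` returns ALLOW because rule 100 matches first; adding the same Deny as rule 50 makes it take effect.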
Choosing the Right Private-Connectivity Tool
VPC endpoints are only one option for private access. Match the requirement to the mechanism:
| Requirement | Mechanism |
|---|---|
| Private subnet → S3/DynamoDB, no internet | Gateway endpoint (free) |
| Private subnet → SQS/KMS/Secrets Manager | Interface endpoint (PrivateLink) |
| Private subnet → internet for OS updates only (outbound) | NAT gateway in a public subnet |
| Expose your own service to other VPCs/accounts privately | PrivateLink endpoint service |
| Connect many VPCs and on-premises at scale | Transit Gateway |
Cost trap: Architects often default to a NAT gateway for S3 access in a private subnet. A Gateway endpoint removes that NAT data-processing cost entirely and keeps the traffic off the internet — frequently the "most cost-effective and secure" answer.
Defense in Depth Summary
Layered network security combines these controls so that no single misconfiguration is catastrophic: NACLs provide a coarse subnet-level Allow/Deny filter (good for blocking IPs), security groups enforce fine-grained stateful instance rules (the workhorse), endpoints keep AWS-service traffic private, and Flow Logs provide the audit trail to detect and investigate anything that slips through.
Practice Questions
- A web application must block all traffic from one specific malicious IP address across an entire subnet. Which component should you use?
- EC2 instances in a private subnet must read from Amazon S3 without any path to the public internet, at no additional charge. What should you implement?
- What does "stateful" mean for a security group?
- Which VPC endpoint type provides private access to Amazon SQS?