Security Groups & NACLs Explained for DevOps Beginners
Learn how Security Groups and Network ACLs work inside AWS VPCs, with simple analogies, real DevOps scenarios, diagrams, and interview questions.

🎯 Target Audience: Beginners in DevOps & DevSecOps
🧠 Key Concepts: Security Groups, NACLs, Stateful vs Stateless Traffic, VPC Security
📚 Series: AWS & Cloud Computing for DevOps Beginners
🌍 Real-World Focus: How to control and secure network traffic inside AWS
Why This Matters in DevOps
When you deploy applications in AWS, you're not just launching EC2 instances or RDS databases; you're building systems that communicate across networks.
And in networking, one wrongly opened port can become a security breach.
So understanding how traffic is allowed, blocked, or filtered becomes critical.
In AWS, the two main traffic guards are:
| Layer | Name | Applies to | Behavior |
|---|---|---|---|
| Instance level | Security Groups (SGs) | The network interfaces of EC2 instances, RDS databases, load balancers, etc. | Stateful, allow rules only |
| Subnet level | Network ACLs (NACLs) | Every resource in a subnet | Stateless, allow and deny rules |
Let's break them down simply and clearly.
1️⃣ What Are Security Groups?
🧠 Explanation:
Security Groups are virtual firewalls attached to the elastic network interface (ENI) of an individual AWS resource, so they protect things like:
EC2 instances
RDS databases
Load Balancers
ECS tasks (in awsvpc network mode)
They control:
Inbound rules: what traffic is allowed IN
Outbound rules: what traffic is allowed OUT
✅ Default behavior:
- A new Security Group has no inbound rules, so all inbound traffic is denied until you explicitly allow it.
- A new Security Group has one outbound rule that allows all traffic; outbound is only restricted if you remove or replace that rule.
- There are no deny rules: if any rule matches, the traffic is allowed; if none matches, it is dropped.
💡 Analogy:
Think of a Security Group as a bouncer at the door of each resource.
They only let in people on the list.
Once someone has been let in, they can leave freely, because SGs are stateful.
If inbound traffic is allowed, the response traffic is automatically allowed back out, with no need to configure return rules. The same holds the other way: when your instance opens a connection out, the reply is allowed back in even if no inbound rule matches it.
🔧 Example Security Group Rules
| Purpose | Direction | Protocol | Port | Source |
|---|---|---|---|---|
| Allow web traffic | Inbound | TCP | 80 | 0.0.0.0/0 |
| Allow SSH (admin) | Inbound | TCP | 22 | MyHomeIP (a /32) |
| Allow DB access | Inbound | TCP | 3306 | WebServerSG (an SG reference) |
| Allow all outbound traffic | Outbound | All | All | 0.0.0.0/0 |
🎯 Interview Q&A (Security Groups)
| Question | Answer |
|---|---|
| Are Security Groups stateful or stateless? | Stateful: return traffic for an allowed connection is automatically allowed, in both directions. |
| Do SGs allow or deny traffic? | They only allow traffic; there are no deny rules, and anything no rule allows is implicitly dropped. |
| Can SGs reference other SGs instead of IPs? | Yes, and it is best practice for internal communication: the rule matches any instance carrying the referenced SG (in the same VPC or a peered VPC), so it keeps working when IPs change or autoscaling adds instances. |
2️⃣ What Are NACLs (Network ACLs)?
🧠 Explanation:
NACLs control traffic at the subnet level inside your VPC. Every subnet is associated with exactly one NACL: the VPC's default NACL allows all traffic, while a custom NACL you create denies everything until you add rules.
They act as a network boundary filter, controlling what traffic is allowed in and out of entire subnets.
Key Differences:
- NACLs are stateless. If you allow incoming traffic, you must also explicitly allow the response traffic in the other direction. Replies go back to the client's ephemeral port, so a working NACL usually needs a rule for TCP 1024-65535 on the return path.
- NACLs support explicit DENY rules, which makes them the place to block a known-bad IP range.
- NACL rules are numbered and evaluated from the lowest number up; the first match wins, and anything unmatched is denied by the final `*` rule.
💡 Analogy:
Think of NACLs as a security gate at the neighborhood entrance, while SGs are locks on individual houses.
🔧 Example NACL Rules (public subnet)
| Rule # | Direction | Protocol | Port | Source/Destination | Action |
|---|---|---|---|---|---|
| 100 | Inbound | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | Inbound | TCP | 22 | MyHomeIP | ALLOW |
| 120 | Inbound | TCP | 1024-65535 | 0.0.0.0/0 | ALLOW |
| * | Inbound | All | All | 0.0.0.0/0 | DENY |
| 100 | Outbound | All | All | 0.0.0.0/0 | ALLOW |
| * | Outbound | All | All | 0.0.0.0/0 | DENY |
The `*` rows are the implicit deny AWS appends to every NACL; you cannot delete them, so an explicit "deny all" rule with a high number is redundant. Rule 120 is the price of statelessness: when an instance in this subnet makes an outbound connection (for example a package update on port 443), the reply comes back to an ephemeral port, and without rule 120 the NACL drops it even though the SG would have allowed it.
🎯 Interview Q&A (NACLs)
| Question | Answer |
|---|---|
| Are NACLs stateful or stateless? | Stateless: return traffic must be explicitly allowed. |
| Can NACLs allow and deny traffic? | Yes; unlike SGs, they support both ALLOW and DENY rules, evaluated in rule-number order with the first match winning. |
| Which is checked first: SG or NACL? | For inbound traffic the NACL (subnet layer) is checked first, then the SG (instance layer). For outbound traffic it is the reverse: the SG first, then the NACL. Both layers must allow a packet for it to get through. |
3️⃣ Security Groups vs NACLs: Quick Comparison
| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance-level (attached to the ENI) | Subnet-level |
| Stateful? | ✅ Yes | ❌ No |
| Allow rules? | ✅ Yes | ✅ Yes |
| Deny rules? | ❌ No | ✅ Yes |
| Rule evaluation | All rules evaluated; any match allows | Numbered order; first match wins |
| Default | Deny all inbound, allow all outbound | Default NACL allows all; custom NACL denies all |
| Can reference another SG? | ✅ Yes | ❌ No, CIDR ranges only |
| Best for | Tight resource access control | High-level subnet filtering and explicit blocks |
4️⃣ Real DevOps Scenario: Web + Private Database Architecture
Internet → Public subnet NACL → SG-Web → Web server (public subnet) → Private subnet NACL → SG-DB → Database (private subnet)
SG-Web: allow TCP 80 from 0.0.0.0/0 and TCP 22 from your IP only.
SG-DB: allow TCP 3306 from SG-Web only (an SG reference, not an IP).
Public subnet NACL: allow 80, 22 and the ephemeral ports 1024-65535 inbound; allow all outbound.
Private subnet NACL: allow 3306 inbound from the public subnet CIDR and 1024-65535 outbound so the database's replies reach the web server; the private subnet has no route to an Internet Gateway.
Why this works:
Web server is reachable from the internet ✅
Database is only reachable internally: no public IP, no internet route, and its SG only accepts traffic from members of SG-Web ✅
NACL provides network boundary protection ✅
SG provides resource-level protection ✅
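To make the stateful/stateless difference and the NACL-then-SG ordering concrete, here is an added example (my own code, not from the original article or from any AWS library) that models the evaluation rules in plain Python and runs the web + private DB scenario through them. The addresses, SG names and rule numbers are constructed; the only AWS behaviour it relies on is the documented one: SGs check every rule, allow only, and track connections; NACLs check rules in number order, stop at the first match, are stateless, and end with an implicit `*` deny. Step 2 reproduces the failure a public-subnet NACL without an ephemeral-port rule causes: the web server's own outbound update gets out, but the reply is dropped at the subnet edge until rule 120 is added.

```python
"""Model how AWS evaluates Security Group (SG) and Network ACL (NACL) rules.

Added example, not code from the original article. An SG evaluates every rule,
is allow-only and stateful; a NACL evaluates rules in ascending number order,
stops at the first match, supports deny, is stateless and ends with an implicit
'*' deny. All addresses, group names and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):  # the packet the receiver sends back: the 5-tuple reversed
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class Rule:
    proto: str              # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    peer: str               # CIDR, or (SG rules only) the name of another SG
    action: str = "allow"   # NACL rules may also be "deny"
    number: int = 0         # NACL rule number; unused for SG rules


@dataclass
class SecurityGroup:
    name: str
    inbound: list
    outbound: list
    members: frozenset = frozenset()   # private IPs of the ENIs carrying this SG


def _matches(rule, pkt, peer_ip, groups):
    """Does one rule cover this packet? A rule's port always means the destination port."""
    if rule.proto not in (pkt.proto, "all") or (
            rule.proto != "all" and not rule.from_port <= pkt.dst_port <= rule.to_port):
        return False
    if rule.peer in groups:                       # SG reference: match by membership
        return peer_ip in groups[rule.peer].members
    return ip_address(peer_ip) in ip_network(rule.peer)


def sg_allows(sg, pkt, direction, groups, tracked):
    """Stateful: the reply to a tracked flow passes even with no matching rule."""
    if pkt.reply() in tracked:
        return True
    rules = sg.inbound if direction == "inbound" else sg.outbound
    peer_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if any(_matches(r, pkt, peer_ip, groups) for r in rules):
        tracked.add(pkt)                          # remember the flow so its reply passes
        return True
    return False                                  # no deny rules: unmatched is dropped


def nacl_allows(rules, pkt, direction):
    """Stateless: only this packet's header counts; lowest matching number wins."""
    peer_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt, peer_ip, {}):         # NACLs cannot reference SGs
            return r.action == "allow"
    return False                                  # the implicit '*' rule denies the rest


def host_inbound(pkt, nacl_in, sg, groups, tracked):
    # Traffic entering a subnet hits the NACL first, then the instance's SG.
    return nacl_allows(nacl_in, pkt, "inbound") and sg_allows(sg, pkt, "inbound", groups, tracked)


def host_outbound(pkt, sg, nacl_out, groups, tracked):
    # Traffic leaving an instance is checked by its SG first, then the subnet NACL.
    return sg_allows(sg, pkt, "outbound", groups, tracked) and nacl_allows(nacl_out, pkt, "outbound")


def demo():
    """Web + private DB scenario; returns five booleans, one per numbered step."""
    home_ip = "203.0.113.10/32"                   # constructed "MyHomeIP"
    web = SecurityGroup("SG-Web", members=frozenset({"10.0.1.5"}),
                        inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 22, 22, home_ip)],
                        outbound=[Rule("all", 0, 65535, "0.0.0.0/0")])
    db = SecurityGroup("SG-DB", members=frozenset({"10.0.2.5"}),
                       inbound=[Rule("tcp", 3306, 3306, "SG-Web")],   # SG reference, not a CIDR
                       outbound=[Rule("all", 0, 65535, "0.0.0.0/0")])
    groups = {"SG-Web": web, "SG-DB": db}
    # The article's public-subnet NACL before the ephemeral-port rule: 80 and 22 in, everything out.
    nacl_in = [Rule("tcp", 80, 80, "0.0.0.0/0", number=100), Rule("tcp", 22, 22, home_ip, number=110)]
    nacl_out = [Rule("all", 0, 65535, "0.0.0.0/0", number=100)]
    tracked = set()
    # 1. A browser fetches a page; the reply passes the SG by state and the NACL by outbound rule 100.
    req = Packet("198.51.100.7", 51000, "10.0.1.5", 80)
    http_ok = (host_inbound(req, nacl_in, web, groups, tracked)
               and host_outbound(req.reply(), web, nacl_out, groups, tracked))
    # 2. The web server runs a package update: the SG tracks the flow, but the stateless NACL
    #    has no inbound rule for the ephemeral port the reply is addressed to, so it is dropped.
    upd = Packet("10.0.1.5", 40512, "93.184.216.34", 443)
    host_outbound(upd, web, nacl_out, groups, tracked)
    update_reply_dropped = not host_inbound(upd.reply(), nacl_in, web, groups, tracked)
    # 3. Fix: allow return traffic on the ephemeral port range; the same reply now passes.
    nacl_in.append(Rule("tcp", 1024, 65535, "0.0.0.0/0", number=120))
    update_reply_ok = host_inbound(upd.reply(), nacl_in, web, groups, tracked)
    # 4. The DB accepts 3306 only from members of SG-Web; an internet host is refused.
    db_nacl_in = [Rule("tcp", 3306, 3306, "10.0.1.0/24", number=100)]
    db_from_web = host_inbound(Packet("10.0.1.5", 45000, "10.0.2.5", 3306), db_nacl_in, db, groups, set())
    db_from_net = host_inbound(Packet("198.51.100.7", 45000, "10.0.2.5", 3306), db_nacl_in, db, groups, set())
    return http_ok, update_reply_dropped, update_reply_ok, db_from_web, db_from_net
```

`demo()` returns `(True, True, True, True, False)`. The model deliberately stops at the first failing layer, as the real data path does: in step 2 the SG is never consulted for the dropped reply, which is why "the SG allows it" is not enough of a diagnosis when a NACL is in play.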
🚫 Common Mistakes to Avoid
| Mistake | Better Practice |
|---|---|
| Opening port 22 to 0.0.0.0/0 | Restrict SSH to your IP (a /32), or drop SSH entirely and use SSM Session Manager |
| Giving the DB public access | Keep the DB in a private subnet with no public IP, and allow 3306 only from the application's SG |
| Using IP addresses between resources | Use Security Group references, so rules follow instances when IPs change or autoscaling adds new ones |
| Deleting the default outbound rule, then wondering why updates and DNS fail | Keep outbound open unless you have strict egress requirements; if you do restrict it, explicitly allow DNS and the ports your app calls out on |
| Writing NACL rules as if they were stateful | Add the ephemeral-port rule for return traffic, and remember rules are evaluated in number order |
✅ Quick Recap
Security Groups = resource-level firewall (stateful).
NACLs = subnet-level firewall (stateless).
Use SGs to allow specific communications.
Use NACLs for network-wide defense layers.
🧪 Mini Hands-On Lab Challenge
Try this in AWS:
Create a VPC with 2 subnets: Public + Private.
Launch:
Web server in Public Subnet
Database in Private Subnet
Configure:
SG-Web: allow TCP 80 from 0.0.0.0/0 and TCP 22 from your IP only
SG-DB: allow TCP 3306 from SG-Web (an SG reference, not an IP)
Create a NACL for each subnet:
Public subnet: allow HTTP + SSH inbound, plus TCP 1024-65535 inbound for return traffic; allow all outbound
Private subnet: allow only MySQL (3306) inbound from the public subnet CIDR; allow TCP 1024-65535 outbound so the database's replies reach the web server
👉 If the DB only replies when accessed through the web server, you configured it correctly ✅
👨‍💻 Written by: Abdulrahman A. Muhamad