AWS Security Groups & NACLs - Overview & Hands-On.
Scope:
- Overview of Security Groups (SGs) & Network Access Control Lists (NACL),
- Architecture Diagram,
- Technical Behavior Security Groups (SGs),
- Sample Inbound Rules,
- Technical Behavior for Network ACLs (NACLs),
- Sample NACL Rules,
- How SGs & NACL Work Together,
- Sample Traffic flow for Inbound,
- Sample flow for Outbound,
- Common Misconfigurations & Troubleshooting For Inboud (Issues, Root Causes & Quick Fix),
- Sample Scenario Goal Inbound SG ,
- Sample Scenario Goal Outbound SG,
- Sample Scenario Goal for NACL Inbound,
- Sample Scenario Goal for NACL Outbound,
- Best Practices,
- Sample Security Architecture for Multi-tier App (Layer, Subnet, SG Rules, & NACL Rules),
- DevSecOps Integration (SG & NACL management)
- Project: Hands-On.
1. Overview of Security Groups (SGs) & Network Access Control Lists (NACL)
|
Feature |
Security
Groups (SGs) |
Network
ACLs (NACLs) |
|
Scope |
Attached to ENIs (Elastic Network
Interfaces), which belong to EC2 instances, Load Balancers,
etc. |
Associated with subnets in a VPC |
|
Layer |
Operates at the instance level
(ENI) |
Operates at the subnet level |
|
Statefulness |
Stateful – Return traffic is automatically allowed |
Stateless – Return traffic must be explicitly allowed |
|
Rules Type |
Only allow rules |
Allow and deny rules |
|
Default Behavior |
Denies all inbound traffic, allows
all outbound traffic |
Allows all inbound/outbound traffic (by default NACL) |
|
Evaluation Order |
All rules are evaluated together;
implicit deny if not matched |
Rules are evaluated in order,
starting from the lowest numbered rule |
|
Attached To |
ENIs (EC2, ALB, RDS, Lambda ENI, etc.) |
Subnets (affects all ENIs in subnet) |
2. Technical Behavior for Security Groups (SGs)
- Stateful:
- When twtech allows inbound TCP traffic
on port 22, the response
traffic (ephemeral ports) is automatically
allowed, even if no outbound rule allows it.
- Implicit deny:
- If a rule doesn’t explicitly allow
traffic, it’s dropped.
- Applied at the ENI level:
- An EC2 instance can have multiple SGs,
and rules are aggregated (union of
all allow rules).
- Rule evaluation:
- No priority numbers — all rules are
checked, and if any match, the packet is allowed.
Sample Inbound Rules:
- Type: SSH (22)
- Source: 203.0.113.0/24
- Means: Only that CIDR block can initiate SSH sessions.
- Outbound is allowed to anywhere (0.0.0.0/0) by default, but twtech can restrict it.
Technical Behavior for Network ACLs (NACLs)
- Stateless:
- twtech must create both inbound and outbound rules to allow bidirectional communication.
- Rule evaluation:
- Lowest numbered rule wins.
- Default NACL:
- Allows all inbound and outbound traffic.
- Custom NACL:
- Denies all inbound and outbound traffic by default until rules are added.
- Rules include an explicit DENY option.
Sample NACL Rules:
- Rule #100 ALLOW TCP 22 203.0.113.0/24
- Rule #200 DENY ALL ALL
NB:
- Here, SSH is allowed for the specified source, everything else denied.
3. How SGs & NACL Work Together
|
Layer |
Filtering |
Applied
To |
Sample |
|
|
NACL |
Subnet-level. |
Ingress/Egress for the entire subnet. |
Controls traffic entering/leaving
subnet |
|
|
SG |
Instance-level. |
ENI (interface). |
Controls traffic to/from specific
instance |
|
Sample Traffic
flow for Inbound:
- Packet enters VPC subnet.
- Inbound NACL evaluated (stateless).
- If allowed → reaches ENI.
- Security Group inbound rules evaluated (stateful).
- If allowed → packet delivered to
instance.
Sample flow for Outbound:
- Instance
sends packet.
- SG outbound rules checked (stateful).
- If allowed → passes
subnet boundary.
- Outbound NACL checked.
- If allowed → leaves VPC.
4. Common Misconfigurations &
Troubleshooting For Inboud (Issues, Root Causes & Quick Fix)
|
Issue |
Root
Cause |
Fix |
|
Can’t
SSH into EC2 |
SG inbound missing TCP:22 rule or
NACL denies it. |
Add inbound SG rule for TCP:22 and
ensure NACL allows it |
|
Web
app unreachable from internet |
SG inbound missing HTTP/HTTPS rule. |
Add SG inbound 80/443 from 0.0.0.0/0
(or CDN/WAF IPs) |
|
Traffic
blocked randomly |
Overlapping NACL rules, order issues. |
Check rule numbers and implicit DENY |
|
Return
traffic blocked |
NACL missing reverse-direction rule. |
Add matching outbound (for inbound) or inbound (for outbound) |
|
EFS
mount fails |
NACL or SG missing NFS (2049). |
Add TCP 2049 in both inbound and
outbound SG + NACL |
6. Sample Scenario Goal:
- Allow a web app on EC2 to be reachable on port 80 from anywhere.
Sample Scenario Goal for Inbound SG :
- Type: HTTP
- Protocol: TCP
- Port: 80
- Source: 0.0.0.0/0
Sample Scenario Goal for Outbound SG :
- Type: All Traffic
- Destination: 0.0.0.0/0
Sample Scenario Goal for NACL Inbound:
- Rule #100 ALLOW TCP 80 0.0.0.0/0
- Rule #200 ALLOW TCP 1024-65535 0.0.0.0/0
- Rule #300 DENY ALL
Sample Scenario Goal for NACL Outbound:
- Rule #100 ALLOW TCP 1024-65535 0.0.0.0/0
- Rule #200 ALLOW TCP 80 0.0.0.0/0
- Rule #300 DENY ALL
6. Best Practices
✅ Use Security Groups as twtech primary defense for EC2-level access control.
✅ Use NACLs for coarse-grained subnet-level boundaries (like DMZ vs. private subnets).
✅ Least privilege – open only required ports and IP ranges.
✅ Use descriptions in rules – document the reason for each port/IP.
✅ Avoid overly broad rules like 0.0.0.0/0 unless behind WAF, CDN, or VPN.
✅ Consider automation (Terraform, CloudFormation, AWS Config) for consistent SG/NACL rules.
✅ Enable VPC Flow Logs to trace blocked/allowed traffic for debugging.
7. Sample Security Architecture for Multi-tier App (layer, Subnet, SG Rules, & NACL Rules),
|
Layer |
Subnet |
SG
Rules |
NACL
Rules |
|
Public
(Web) |
Public Subnet |
Inbound 80/443 from Internet |
Inbound allow 80/443, outbound allow
ephemeral ports |
|
App |
Private Subnet |
Inbound 8080 from Web tier |
Inbound allow 8080 from Web subnet,
outbound allow 3306 |
|
DB |
Private Subnet |
Inbound 3306 from App tier |
Inbound allow 3306 from App subnet,
outbound allow ephemeral |
8. DevSecOps Integration (SG & NACL management):
- Use Terraform or Pulumi for IaC-based policy control.
- Use AWS Config rules for:
- restricted-ssh or restricted-common-ports.
- vpc-sg-open-only-to-authorized-ports.
- Use GuardDuty + Security Hub for anomaly detection on network access.
- Use Automated SG cleaner to remove unused rules.
Project: Hands-On
- How twtech uses the Network
Access Control List (NACL) and Security groups to assign a
client’s operating system (OS) for outbound connections in its environment.
Search for AWS service: Network ACLs
Step-1:
- From the EC2 console
- Start the Bastion Host (server):
Step-2:
- Install http package (app) in the Bastion Host Server with the command:
sudo yum install httpd -y
Step-3:
- Enable the webserver with a command.
- This creates a soft link for the httpd (app)
sudo systemctl enable httpd
Step-4:
- Start the webserver (app) with the command:
sudo systemctl start httpd
Step-5:
- Check status of the webserver (app) with the command:
sudo systemctl status httpd
Step-6:
- Switch to root user:
sudo su
- Redirect (>) some words into the httpd file: /var/www.html/index.html
echo "Hello From twtech NACL Team" > /var/www/html/index.html
NB:
- Redirect (>) overwrites content of the file.
- Append ( >>) adds content to existing content.
Step-7:
- Edit and add (allow just the required traffice port) HTTP(80) on the Bastion Host firewall (security group)
Edit security group:
From:
To:
- Save changes in inbound rules(SG)
Step-8:
- Return to EC2 console.
- Copy the Public IPv4 address of Bastion
Host ( Server where httpd is installed) to
access the webapp (httpd) on the browser.
From Google chrome browser:
Step-9:
- twtech demonstrates how NACL and Security group works togther, by:
- Editing the
inbound rules of DefaultNACL
From:
- Rule #100: Allows all traffic from anywhere
To:
- Rule # 80:
Deny only HTTP (80) traffic from anywhere.
- Remember to click on: Sort by rule numbers
From:
To:
- Save changes in NACL rules:
twtech explanation:
- From the above configuration, twtech has blockes the default NACL traffic to httpd client installed.
- To verify
behavior when default NACL traffic is
block.
- twtech needs to Return to the browse and try to access the httpd again.
- Default NACL is acting as the firewall and
blocks traffic to hpptd (app).
From:
To:
refresh page
Next :
- twtech edits the default NACL inbound rules:
To Rule # 140:
Deny all HTTP
(80) traffic from anywhere.
- Again,
- Accessing the httpd from browser is blocked by default NACL
From:
- How twtech demonstrates the behavior of default NACL Outbound Rules To Traffic.
Rule #100 only: Allow
all traffic from anywhere
To:
Rule #100 only: Deny
all traffic from anywhere
Save changes:
- twtech Tries to access the app on the browser again to see the behavior.
- All traffic is denied on the outbound rule of default NACL
- Accessing
the httpd (app) from the browser is blocked by default NACL is blocked
From:
twtech Final thoughts:
- NACL and Security group work
together.
- Default NACL rules (inbound) may affect the behavior of traffic
irrespective of the right Port assigned at the firewall (security group)
- For troubleshooting network
issues, make sure the right (needed)
ports is opened on the Security group ( firewall) as well as make sure the right
configuration (Rule# / Acess deny or
Allow) is assigned on the NACL (inbound/outbound) rules
Restoring traffic to httpd:
- Check the security group of the
Bastion Host server (where
httpd is installed)
- Check both the NACL inbound /
outbound Rules for proper configuration.
- twtech demonstration on outbound rule behavior to traffic for the applications:
Edit:
From:
To: Delete
rule that allows all outbound (outgoing) traffic.
Save changes: No outbound rules
- twtech can still access the http application on the browser.
- Because the outbound rule has no impact to
traffic if not assigned (Stateless)
twtech explanation:
- The inbound rule is stateful (does not change except altered).
- But outbound rule is statelss (if traffic is allow in the inbound rule, the outbound rule will return traffic Normally without being affected)
No comments:
Post a Comment