AWS Security Groups and Network ACLs

👋 Hi there! I'm Balaji S, a passionate technologist with a focus on AWS, Linux, DevOps, and Kubernetes.
AWS Security Groups and Network ACLs: Benefits, Use Cases & Security Importance
When designing secure cloud architectures in AWS, network security is one of the first layers of defense. AWS provides two powerful mechanisms to control traffic within a Virtual Private Cloud (VPC):
- Security Groups (SG)
- Network Access Control Lists (NACL)
Although both control inbound and outbound traffic, they operate at different levels (the network interface versus the subnet) and serve different security purposes.
This blog explains:
What Security Groups and NACLs are
Their benefits
When to use each
Why they are critical from a security perspective
What is a Security Group (SG)?
A Security Group acts as a virtual firewall attached to the elastic network interface (ENI) of an AWS resource such as:
EC2 instances
Load balancers
RDS databases
EKS worker nodes
Lambda functions configured to run inside a VPC (through their ENIs)
Security Groups control:
Inbound traffic (who can access the resource)
Outbound traffic (where the resource can connect)
Key Characteristics of Security Groups
Stateful
- If inbound traffic is allowed, the response is automatically allowed, and replies to allowed outbound connections are allowed back in. You never write rules for ephemeral ports.
Resource-level
- Attached directly to an instance or service (technically to its ENI). A new SG has no inbound rules and a single outbound rule that allows all traffic.
Only Allow Rules
- You cannot explicitly deny traffic; anything that does not match an allow rule is dropped (implicit deny).
Evaluated at ENI level
- Up to five SGs (the default quota) can be attached to one ENI; their rules are merged and evaluated together.
Supports IPs and Security Group references
- You can allow traffic from another SG instead of IP ranges. The rule matches any ENI that carries the referenced SG, so it keeps working as instances scale or change IP. It matches the peer's private IP, so traffic that arrives via a public IP or a NAT gateway will not match.
Example Security Group Rules

| Direction | Protocol | Port | Source / Destination |
|-----------|----------|------|----------------------|
| Inbound   | TCP      | 22   | Admin public IP (as a /32) |
| Inbound   | TCP      | 80   | 0.0.0.0/0 |
| Outbound  | All      | All  | 0.0.0.0/0 |

This means:
SSH only from the admin IP
Web traffic allowed from anywhere
The instance can connect outbound to any destination (this is the default outbound rule every new SG gets)
Replies to the HTTP and SSH sessions need no extra rule because the SG is stateful
What is a Network ACL (NACL)?
A Network Access Control List works at the subnet level and controls traffic entering and leaving the subnet.
Key Characteristics of NACL
Stateless
- No connection tracking: traffic in each direction must match its own rule, so return traffic to ephemeral ports (1024-65535) needs an explicit allow.
Subnet-level
- Applies to all resources inside the subnet. Each subnet has exactly one NACL; one NACL can be associated with many subnets.
Supports Allow and Deny rules
Rule evaluation order matters
- Rules are evaluated in ascending rule number and the first match wins; the final * rule denies everything that matched nothing else.
- The default NACL of a VPC allows all traffic in and out; a custom NACL denies everything until rules are added.
Acts as a network boundary firewall
Example NACL Rules (inbound)

| Rule No | Type | Port | Source | Action |
|---------|------|------|--------|--------|
| 100 | HTTP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | SSH | 22 | Office IP | ALLOW |
| 200 | All | All | 0.0.0.0/0 | DENY |

Two things to notice. Rule 200 only restates the implicit deny that ends every NACL, and because it is numbered higher than the allows it never blocks HTTP or SSH from anywhere: a deny meant to override an allow must carry a lower number. Second, as written the subnet's instances cannot receive replies to connections they start (package updates, calls to an external API) because nothing allows inbound traffic to ephemeral ports; a working NACL also needs an inbound allow for TCP 1024-65535 and matching outbound rules.
Security Group vs NACL (Quick Comparison)
| Feature | Security Group | NACL |
|---------|----------------|------|
| Level | Resource level (ENI) | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow only (implicit deny) | Allow + Deny |
| Evaluation | All rules evaluated; any match allows | Ordered by rule number; first match wins |
| Use Case | Application-level security | Network boundary protection |
| Scope | Instance specific | Entire subnet |
Benefits of Security Groups
Fine-Grained Access Control
Control exactly which ports and IPs can access your application.
Dynamic & Scalable
SGs can reference other SGs — perfect for microservices and EKS workloads.
Simple Management
No rule ordering to reason about, which makes troubleshooting easier.
Built-in Stateful Behavior
Return traffic automatically allowed — no need to open ephemeral ports.
Benefits of NACL
Extra Layer of Defense
Protects entire subnet from unwanted traffic.
Explicit Deny Capability
Block known-bad IP ranges before they reach any instance. NACLs match CIDR blocks only and have a small rule quota (20 per NACL by default, raisable to 40), so they suit a short list of ranges; blocking whole countries needs a geo-match rule in AWS WAF rather than a NACL.
Compliance & Auditing
Helps meet regulatory security requirements.
Protection Against Misconfiguration
Even if an SG is misconfigured, the NACL can still block the traffic, because a packet must be allowed by both layers.
When Should You Use Security Groups?
Use Security Groups when:
You want to control access to individual resources
Application-level filtering is required
Microservices communicate dynamically
You use Load Balancers, EKS, ECS, RDS
You want easy management and scalability
Example Scenario
An EC2 web server with its own web SG, talking to an RDS database with its own DB SG:
Web SG: allow port 80 from the Internet
Web SG: allow port 22 only from the admin IP
DB SG: allow port 3306 only from the web SG (an SG reference, not an IP range), so only instances carrying the web SG can reach the database
When Should You Use NACL?
Use NACL when:
You want subnet-level protection
You need to block specific IP ranges
Compliance requires explicit network controls
You want an additional security layer
Large-scale network segmentation is required
Example Scenario
A public subnet:
Allow HTTP/HTTPS (80, 443) from the Internet
Deny traffic from blocked IP ranges, numbered below the allow rules so the deny is evaluated first
Allow inbound TCP 1024-65535 so instances receive replies to connections they initiate, and outbound TCP 1024-65535 so replies reach Internet clients
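The two scenarios above (the web/DB Security Groups and the public-subnet NACL) are easiest to understand by running packets through a model of the two evaluation algorithms. The following is an added example written for this post, not code from the original article or from AWS: it models an SG as stateful, allow-only, every-rule-consulted, and a NACL as stateless, allow/deny, lowest-rule-number-wins. The addresses (RFC 5737 documentation ranges), the SG ids sg-web and sg-db, and the ports are constructed for the scenario.

```python
# Added example, not code from the original post: a toy model of how AWS evaluates
# Security Group rules (stateful, allow-only, every rule consulted) against Network
# ACL rules (stateless, allow/deny, lowest rule number wins). The addresses (RFC 5737
# documentation ranges), SG ids and ports below are made up for the scenario.
import ipaddress
from collections import namedtuple

# Packet: src_sgs / dst_sgs are the SG ids attached to each end's ENI (for SG references).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto src_sgs dst_sgs",
                    defaults=("tcp", frozenset(), frozenset()))
# SgRule: proto is "tcp", "udp" or "-1" (all traffic); exactly one of cidr / ref_sg is set.
SgRule = namedtuple("SgRule", "proto from_port to_port cidr ref_sg", defaults=(0, 65535, None, None))
# NaclRule: action is "allow" or "deny"; rules are tried in ascending number.
NaclRule = namedtuple("NaclRule", "number action proto from_port to_port cidr")

def _matches(proto, from_port, to_port, cidr, pkt, direction):
    # SG and NACL rules both name the destination port; the CIDR is checked against
    # the remote end: the source for inbound traffic, the destination for outbound.
    if proto != "-1" and (proto != pkt.proto or not from_port <= pkt.dst_port <= to_port):
        return False
    peer_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
    return cidr is None or ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    def __init__(self, group_id, inbound, outbound):
        self.group_id, self.inbound, self.outbound = group_id, inbound, outbound
        self._flows = set()  # connection tracking is what makes an SG stateful

    def evaluate(self, pkt, direction):
        # A reply to a flow that was already admitted passes without consulting any rule.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self._flows:
            return True
        peer_sgs = pkt.src_sgs if direction == "in" else pkt.dst_sgs
        for r in (self.inbound if direction == "in" else self.outbound):
            # Every rule is consulted and any match allows; no rule can deny.
            if r.ref_sg is not None and r.ref_sg not in peer_sgs:
                continue
            if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt, direction):
                self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return True
        return False  # implicit deny

class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        # Stateless: no flow table. The lowest-numbered matching rule decides and
        # the trailing '*' rule denies whatever matched nothing.
        for r in (self.inbound if direction == "in" else self.outbound):
            if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt, direction):
                return r.action == "allow"
        return False

ADMIN_IP, CLIENT_IP, BLOCKED_IP = "203.0.113.10", "198.51.100.7", "192.0.2.15"
WEB_IP, DB_IP, REPO_IP = "10.0.1.20", "10.0.2.30", "198.51.100.200"
EPHEMERAL = (1024, 65535)

def build_web_sg():
    return SecurityGroup("sg-web",
        inbound=[SgRule("tcp", 80, 80, cidr="0.0.0.0/0"), SgRule("tcp", 22, 22, cidr=ADMIN_IP + "/32")],
        outbound=[SgRule("tcp", 443, 443, cidr="0.0.0.0/0"),  # least-privilege egress, not allow-all
                  SgRule("tcp", 3306, 3306, ref_sg="sg-db")])

def build_db_sg():
    return SecurityGroup("sg-db", inbound=[SgRule("tcp", 3306, 3306, ref_sg="sg-web")], outbound=[])

def build_public_nacl(deny_number=90, ephemeral_inbound=True):
    inbound = [NaclRule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
               NaclRule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
               NaclRule(120, "allow", "tcp", 22, 22, "203.0.113.0/24"),
               NaclRule(deny_number, "deny", "-1", 0, 65535, "192.0.2.0/24")]  # known-bad range
    if ephemeral_inbound:
        inbound.append(NaclRule(140, "allow", "tcp", *EPHEMERAL, "0.0.0.0/0"))  # replies to our calls
    outbound = [NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                NaclRule(110, "allow", "tcp", *EPHEMERAL, "0.0.0.0/0")]  # replies to Internet clients
    return NetworkAcl(inbound, outbound)

def run_scenarios():
    web, db, nacl = build_web_sg(), build_db_sg(), build_public_nacl()
    http_in, http_reply = Packet(CLIENT_IP, 51000, WEB_IP, 80), Packet(WEB_IP, 80, CLIENT_IP, 51000)
    web_to_db = Packet(WEB_IP, 52000, DB_IP, 3306, src_sgs=frozenset({"sg-web"}), dst_sgs=frozenset({"sg-db"}))
    repo_reply = Packet(REPO_IP, 443, WEB_IP, 40000)  # answer to an HTTPS call the instance made
    blocked_http = Packet(BLOCKED_IP, 51003, WEB_IP, 80)
    return {
        "sg_http_from_internet": web.evaluate(http_in, "in"),
        "sg_http_reply_allowed_by_state": web.evaluate(http_reply, "out"),  # no egress rule for 51000
        "sg_ssh_from_stranger": web.evaluate(Packet(CLIENT_IP, 51001, WEB_IP, 22), "in"),
        "sg_ssh_from_admin": web.evaluate(Packet(ADMIN_IP, 51002, WEB_IP, 22), "in"),
        "sg_web_egress_to_db_via_reference": web.evaluate(web_to_db, "out"),
        "sg_db_ingress_from_web_via_reference": db.evaluate(web_to_db, "in"),
        "nacl_reply_with_ephemeral_rule": nacl.evaluate(repo_reply, "in"),
        "nacl_reply_without_ephemeral_rule": build_public_nacl(ephemeral_inbound=False).evaluate(repo_reply, "in"),
        "nacl_deny_numbered_before_allow": nacl.evaluate(blocked_http, "in"),
        "nacl_deny_numbered_after_allow": build_public_nacl(deny_number=200).evaluate(blocked_http, "in"),
    }

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:40} {'ALLOW' if allowed else 'DENY'}")
```

Two results are the ones worth staring at. The HTTP reply leaves the web SG on port 51000 even though the egress rules only mention 443 and 3306, purely because the inbound request was tracked; the same reply is dropped by a fresh SG that never saw the request. On the NACL side, the reply from the HTTPS call is dropped the moment rule 140 is missing, and the deny for the known-bad range only works when its number is lower than the allow for port 80.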
Why Are SG and NACL Important for Security?
Defense in Depth
Multiple security layers reduce attack impact.
Reduced Attack Surface
Only required ports are open.
Isolation
Different environments can be separated securely.
Zero Trust Networking
Nothing is trusted just for being inside the VPC: every flow must match an explicit allow, and SG references tie that allow to workload membership rather than to an IP address.
Compliance
Supports ISO, SOC, PCI standards.

Best Practice Architecture
Internet
↓
[NACL - Subnet Level Filter]
↓
[Security Group - Resource Filter]
↓
EC2 / ALB / EKS / RDS
A packet must pass both filters: the NACL of the subnet it enters and the SG of the ENI it reaches. A deny, or a missing allow, at either layer drops it.
Best Practices
Always follow least privilege: open only the ports and sources a workload actually needs
Avoid opening 0.0.0.0/0 unless required, and never for administrative ports such as 22 or 3389
Restrict outbound rules too: the default allow-all egress lets a compromised instance reach anything
Use SG references instead of IPs
Enable VPC Flow Logs for monitoring; REJECT records are the quickest way to spot a missing ephemeral-port rule in a NACL
Document NACL rules carefully, including why each deny is numbered where it is
Periodically audit unused and overly broad rules
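The "avoid 0.0.0.0/0" and "audit your rules" practices are easy to automate against the output of the AWS CLI. The script below is an added example written for this post, not code from the original article or an AWS tool: it walks the JSON document that aws ec2 describe-security-groups --output json returns (the SecurityGroups / IpPermissions / IpPermissionsEgress structure and field names are the real API's) and flags world-open rules by severity. SAMPLE_JSON is constructed for illustration; its group ids, account id and CIDRs are made up, and the severity thresholds and the list of sensitive ports are this example's own choices.

```python
# Added example, not from the original post: an offline audit of the JSON that
# "aws ec2 describe-security-groups --output json" prints, flagging rules that break
# the least-privilege guidance above. SAMPLE_JSON is constructed for illustration;
# the group ids, account id and CIDRs in it are made up.
import json
import sys

SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [  # the default egress rule every new SG gets
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "123456789012"}]},
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []}]})

WORLD = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the Internet (this example's own list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

def _world_cidrs(perm):
    """CIDRs in one IpPermission that mean 'anyone on the Internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def _port_span(perm):
    if perm["IpProtocol"] == "-1":  # all traffic: the API omits FromPort/ToPort
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def audit_permission(group, direction, perm):
    """Findings for one rule. Rules that only reference other SGs produce none."""
    world = _world_cidrs(perm)
    if not world:
        return []
    base = {"group": group["GroupId"], "name": group["GroupName"],
            "direction": direction, "cidr": ",".join(world)}
    proto, (lo, hi) = perm["IpProtocol"], _port_span(perm)
    if proto == "-1":
        return [{**base, "severity": "HIGH" if direction == "ingress" else "MEDIUM",
                 "reason": "all protocols and ports open to the world"}]
    if direction == "egress":
        return [{**base, "severity": "LOW", "reason": f"egress {proto}/{lo}-{hi} to the world"}]
    findings = [{**base, "severity": "HIGH", "reason": f"{svc} ({proto}/{port}) open to the world"}
                for port, svc in SENSITIVE_PORTS.items() if lo <= port <= hi]
    if hi - lo >= 1000:
        findings.append({**base, "severity": "MEDIUM",
                         "reason": f"broad range {proto}/{lo}-{hi} open to the world"})
    elif not findings:
        findings.append({**base, "severity": "INFO",
                         "reason": f"{proto}/{lo}-{hi} open to the world; expected only for public services"})
    return findings

def audit(doc):
    """Audit a describe-security-groups document; returns findings, most severe first."""
    findings = []
    for group in doc["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                findings += audit_permission(group, direction, perm)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])

def summarize(findings):
    """Number of findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 1, 'INFO': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --output json | python3 sg_audit.py
    text = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(json.loads(text)):
        print(f"{f['severity']:<6} {f['group']} ({f['name']}) {f['direction']}: {f['reason']} [{f['cidr']}]")
```

On the sample the web group's SSH rule and the db group's all-traffic IPv6 rule come out HIGH, the default allow-all egress MEDIUM, and the port-80 rule INFO (world-open HTTP is expected on a web tier but still worth a glance). The db group's 3306 rule produces nothing because it references the web SG rather than a CIDR, which is exactly the pattern the best practices ask for.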
Final Thoughts
Security Groups and NACLs are complementary, not competitors.
SG = Precision control at resource level
NACL = Strong perimeter defense at subnet level
Using both together creates a robust, secure AWS network architecture.