Day 3 of My AWS Journey — Demystifying Network Security in AWS (NACL, Security Groups, Endpoints & Flow Logs)

Rajesh BarikRajesh Barik
5 min read

Table of contents

👋 Hey everyone!

Today marks Day 3 of my AWS Zero to Hero learning journey.

After understanding EC2 and VPC, I realized something crucial — just launching servers isn't enough.
If you don’t control access, you’re basically leaving your digital doors wide open.

So today, I dove deep into how AWS secures traffic, manages access, and monitors what's happening in your virtual network — all using four powerful tools:

  • 🔐 Security Groups

  • 🚧 Network ACLs (NACLs)

  • 🔌 VPC Endpoints

  • 👁️ VPC Flow Logs

Let’s unpack each of these — with relatable examples and step-by-step use cases.

🔐 SECURITY GROUPS — The Bodyguards of EC2

Think of Security Groups as the personal bodyguards standing right at your EC2 instance's door.
They only let in what you allow. No exceptions.

🧠 Real-Life Analogy:

Imagine your EC2 instance is a building.
The security group is like a receptionist who checks ID and decides:

  • Who can enter (inbound rules)

  • Who can exit (outbound rules)

The cool part? Security groups are stateful.

✅ If you allow incoming traffic on a certain port (e.g., SSH on port 22), AWS automatically allows the outgoing reply — you don’t have to set both.

🧪 Example:

Let’s say you want to allow SSH access only from your office IP.

Security Group Rule:

  • Type: SSH

  • Protocol: TCP

  • Port Range: 22

  • Source: 203.0.113.15/32 (your office IP)

This means only you (from that IP) can connect via SSH. No one else.

Use Case: Web server EC2 where you want to allow traffic on port 80 (HTTP) and 22 (SSH) only.

🚧 NACL (Network Access Control List) — The Subnet Bouncer

Now let’s zoom out.

Your EC2 instance lives inside a subnet, which is part of your VPC.
And guess who controls traffic at the subnet level?

👉 NACLs — Network ACLs.

They are like guards at the gate of a housing society. They check any traffic going in and out of the entire neighborhood (subnet).

Unlike Security Groups, NACLs are stateless.

❌ If you allow inbound traffic, you also need to explicitly allow the outbound response.

Also, NACL rules are numbered (rule #100, #200, etc.), and AWS evaluates them in order — first match wins.

🧠 Real-Life Analogy:

Let’s say you manage a gated community (your subnet), and you’ve blacklisted a delivery company because they’re a nuisance.

So you block them completely, regardless of which building (EC2) they try to go to.

🧪 Example:

You want to block all access from an IP: 198.51.100.25.

Inbound Rule:

  • Rule #: 100

  • Type: ALL

  • Source: 198.51.100.25/32

  • Action: DENY

Outbound Rule:

  • Rule #: 100

  • Type: ALL

  • Destination: 198.51.100.25/32

  • Action: DENY

Use Case: Quickly blocking malicious IPs at the subnet level.

📊 Quick Recap: SG vs NACL

FeatureSecurity GroupNACL
ScopeInstance-levelSubnet-level
TypeStatefulStateless
Rule TypeAllow onlyAllow + Deny
Rule EvaluationAll rules appliedEvaluated in order

🔌 VPC ENDPOINTS — Secure Access to AWS Services

Here’s a problem: You have a private subnet (for security), but you need to connect to S3 or DynamoDB.

You don’t want to expose your VPC to the internet, but you still need access.

Enter: VPC Endpoints. 🎯

They act like a private tunnel inside your VPC, allowing access to AWS services without using the public internet.

There are two types:

  1. Gateway Endpoints – for S3 and DynamoDB

  2. Interface Endpoints – for services like SNS, SSM, Secrets Manager, etc.

🧠 Real-Life Analogy:

Imagine needing groceries (S3 access) while living in a gated community.
Instead of going outside, you use a secure in-society store (endpoint).

You never step outside — it’s faster, safer, and no traffic charges.

🧪 Example:

Your app needs to read and write to S3 — but it’s inside a private subnet.

  • You set up a VPC Gateway Endpoint to S3

  • Your app accesses S3 directly over AWS’s private network

Use Case: Saving NAT Gateway costs & increasing security in private subnets.

📹 VPC FLOW LOGS — Network CCTV Cameras

You’ve deployed everything and locked it down.
But now you want to watch and understand what’s happening — for monitoring, debugging, and audits.

VPC Flow Logs let you do exactly that.

They record every network traffic event — source IP, destination, port, protocol, bytes transferred, and whether it was accepted or rejected.

You can log at:

  • VPC level

  • Subnet level

  • Network Interface level

Logs can be sent to CloudWatch Logs or S3 for analysis.

🧠 Real-Life Analogy:

Think of Flow Logs as CCTV cameras inside your VPC.
They don’t stop crime — but they show who came in, who left, what time, and what route they took.

🧪 Example:

You keep failing to connect to your EC2 from your office IP.
You enable flow logs and see:

logCopy codesrcaddr=203.0.113.15 dstport=22 action=REJECT

Oops! Your Security Group isn’t allowing port 22 from your IP. Fix → Try again → It works.

Use Case: Debugging access issues, catching unusual patterns, auditing

🔚 Wrapping It All Up

Here's a mental model I use:

🧍 EC2 is the person
🛡️ Security Group is their bodyguard
🚧 NACL is the gated society entrance
🔌 VPC Endpoint is a secure tunnel to a nearby service
📹 Flow Logs are the CCTV watching every move

These tools together give you fine-grained control and deep visibility into your AWS network.

📺 Video That Helped Me:

This simple yet powerful video explained IAM beautifully:

NACl and SG Explained for Beginners

AWS VPC Endpoint Explained for Beginners

AWS VPC Flow logs Explained for Beginners

Thanks for reading! If you’re learning AWS too — let’s connect!
And if you have questions, feel free to drop them below or on LinkedIn!

0
Subscribe to my newsletter

Read articles from Rajesh Barik directly inside your inbox. Subscribe to the newsletter, and don't miss out.

CloudSecurityCloud ComputingAWSawssimplifiedvpcVPC Endpoints

Written by

Rajesh Barik
Rajesh Barik