(Day 04) Task: AWS VPC Security – Security Groups vs NACLs + Hands-on Project

Aditya Sharma

First, what is a VPC?

VPC stands for Virtual Private Cloud.
It is your own private, isolated network space in AWS, like a virtual data center.
Inside a VPC you can launch EC2 instances, RDS databases, and other services.
You control who can reach those resources using Security Groups and NACLs.

What is a Security Group?

  • A Security Group is like a firewall that protects your EC2 instance.

  • AWS automatically provides a default VPC in each region. When you configure access control for an EC2 instance, you use security groups: they act as virtual firewalls that control the inbound and outbound traffic of that instance.

  • They work at the instance level (for example, EC2). Think of them as guards standing at the door of each server, checking who may go in and out.

Important Points:

  • Operate at the instance level (for example, an EC2 instance), not at the subnet level.

  • Inbound rules: Define what traffic is allowed into the instance.

  • Outbound rules: Define what traffic is allowed out from the instance.

  • Stateful: if a request is allowed in one direction, the return traffic is automatically allowed in the other.

  • Control all traffic entering and leaving the EC2 instance.

  • Only support Allow rules; there is no Deny option (anything not explicitly allowed is dropped).

Example:

Allow SSH (port 22) from your IP address only.
This means only your IP address can open a terminal (SSH) session to that EC2 instance.

What is a NACL?

  • A NACL (Network Access Control List) is like a firewall for your subnet.

  • Security Groups provide instance-level access control, while Network ACLs act as subnet-level firewalls that apply broader traffic restrictions. As a DevOps engineer, you can use NACLs to enforce organization-wide security policies across every instance in a subnet, even when a developer misconfigures instance-level security.

  • They work at the subnet level (a group of instances). They are like the gates of an entire neighborhood, controlling who may enter or leave the area.

Important Points:

  • Operate at the subnet level.

  • Stateless: return traffic is not automatically allowed, so you must explicitly allow traffic in both the inbound and the outbound direction.

  • Support both Allow and Deny rules.

  • Rules are evaluated in ascending rule-number order, and the first matching rule decides.

Example:

  • Rule 100: Allow HTTP (port 80) from anyone.

  • Rule 200: Deny everything else.

Difference between Security Group and NACL

Feature          Security Group     NACL
Level            EC2 (instance)     Subnet
Type             Stateful           Stateless
Rules            Allow only         Allow + Deny
Rule Order       No order           Checked by rule number
Default Action   Deny all           Deny all
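The two firewall models compared above, as an added example that is not part of the original post: a small Python model of Security Group semantics (allow-only, unordered, stateful) beside NACL semantics (allow and deny, evaluated by rule number, stateless). The packet fields, IP addresses and rule sets are constructed for illustration; the model shows why a NACL that only has the inbound HTTP rule drops the server's reply, while a Security Group lets the reply through.

```python
from ipaddress import ip_address, ip_network

def _match(rule, pkt, direction):
    """Rule covers packet? AWS matches the remote address (src in / dst out) and dest port."""
    remote = pkt["src"] if direction == "in" else pkt["dst"]
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", pkt["proto"]) and lo <= pkt["dport"] <= hi
            and ip_address(remote) in ip_network(rule["cidr"]))

class SecurityGroup:
    """Allow-only rules, no ordering, stateful: a reply to an allowed flow is permitted."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()  # connection-tracking table: the "stateful" part
    def allow(self, pkt, direction):
        other = "out" if direction == "in" else "in"
        if (other, pkt["dst"], pkt["src"], pkt["sport"], pkt["dport"]) in self.tracked:
            return True  # reply to a flow we already allowed
        if any(_match(r, pkt, direction) for r in self.rules[direction]):
            self.tracked.add((direction, pkt["src"], pkt["dst"], pkt["dport"], pkt["sport"]))
            return True
        return False

class NetworkACL:
    """Allow and Deny rules evaluated in ascending rule-number order (first match
    wins); stateless, so replies need their own rule; no match means deny."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["num"]),
                      "out": sorted(outbound, key=lambda r: r["num"])}
    def allow(self, pkt, direction):
        for r in self.rules[direction]:
            if _match(r, pkt, direction):
                return r["action"] == "allow"
        return False

# Constructed rule set from the post (rule 100 allow HTTP, rule 200 deny the rest); REPLIES is the outbound rule a stateless NACL needs.
HTTP = {"num": 100, "action": "allow", "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0"}
DENY_ALL = {"num": 200, "action": "deny", "proto": "all", "ports": (0, 65535), "cidr": "0.0.0.0/0"}
REPLIES = {"num": 100, "action": "allow", "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"}

def web_roundtrip(fw):
    """Constructed client 203.0.113.10 -> server 10.0.1.5:80 and the reply; returns (request_ok, reply_ok)."""
    req = {"proto": "tcp", "src": "203.0.113.10", "dst": "10.0.1.5", "sport": 40000, "dport": 80}
    rep = {"proto": "tcp", "src": "10.0.1.5", "dst": "203.0.113.10", "sport": 80, "dport": 40000}
    return fw.allow(req, "in"), fw.allow(rep, "out")

sg = SecurityGroup(inbound=[HTTP], outbound=[])                  # -> (True, True)
nacl_no_reply_rule = NetworkACL([HTTP, DENY_ALL], outbound=[])   # -> (True, False)
nacl_ok = NetworkACL([HTTP, DENY_ALL], outbound=[REPLIES])       # -> (True, True)
```

The same model also shows the rule-order point: a Deny numbered below the HTTP Allow wins, and a Security Group with a single SSH rule for one /32 rejects SSH from any other source.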