☁️ Day 12: EC2 Security Groups and NACLs – AWS Firewalls Made Simple
Category: Networking & Security
Goal: Understand how AWS controls access in and out of your EC2 and VPC network.
🧠 What You’ll Learn Today:
- What is a Security Group in AWS?
- What is a Network ACL (NACL)?
- How they are different
- Real-world scenarios and examples
- Basic setup and testing tips
🔐 1. What Is a Security Group?
A Security Group is like a firewall for your EC2 instances.
It controls who can talk to your instance and on which port.
🛡️ Think of it like the lock on your apartment door:
- It protects your instance from unwanted visitors
- Only allows the traffic you explicitly permit
📘 Key Points:
- Applied at instance level (like EC2, RDS, Lambda)
- Works like a virtual firewall
- Controls inbound (coming in) and outbound (going out) traffic
- Default: a new Security Group has no inbound rules, so all inbound traffic is denied until you add allow rules (outbound is allowed by default)
- Stateful: If you allow inbound traffic, outbound reply is automatic
🌐 2. What Is a Network ACL (NACL)?
A NACL is also a firewall, but it’s applied at the subnet level, not individual instances.
🏢 Think of it like the security gate of your housing society:
- Every subnet (group of apartments) has its own gatekeeper (NACL)
- It checks all traffic entering and leaving the subnet
📘 Key Points:
- Applied at subnet level
- Controls inbound and outbound traffic
- Stateless: You must define both directions explicitly
- Has numbered rules with Allow/Deny
- Evaluates rules in number order (lowest first); the first matching rule decides
⚖️ 3. Security Group vs NACL – Easy Comparison
| Feature | Security Group | NACL |
|---|---|---|
| Applies To | EC2 instance (resource) | Subnet |
| Type | Stateful | Stateless |
| Default Behavior | Deny all, allow defined | Allow all, modify rules |
| Rules | Only Allow rules | Allow + Deny rules |
| Direction | Both Inbound & Outbound | Both Inbound & Outbound |
| Use Case | App-level security | Subnet-wide control |
🧪 4. Example Scenario
You have a web server on EC2 that should:
- Allow HTTP (port 80) from the internet
- Allow SSH (port 22) only from your IP
- Deny everything else
🔧 How to configure:
- Security Group:
  - Inbound: allow port 80 (anywhere), allow port 22 (your IP)
  - Outbound: allow all (default)
- NACL (for extra control):
  - Inbound rule 100: allow port 80 from 0.0.0.0/0
  - Inbound rule 110: allow port 22 from your IP
  - Inbound rule 120: deny everything else
  - Outbound rules: allow all (for simplicity)
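To make the stateful/stateless difference concrete, here is an added example (my own code, not part of the original post) that simulates how the rules above are evaluated: the Security Group admits a packet that matches any allow rule or is a tracked reply, while the NACL walks its rules lowest number first and stops at the first match. It assumes 203.0.113.10 as "your IP" and uses constructed packets for a stranger at 198.51.100.7.

```python
from ipaddress import ip_address, ip_network
MY_IP = "203.0.113.10"   # assumed admin IP ("your IP" in the scenario)
# Security Group: allow rules only; any matching rule admits the packet.
SG_INBOUND = [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, MY_IP + "/32")]
# NACL inbound rules from the scenario as (number, action, proto, port, cidr);
# "*" = any protocol/port, and rule 120 is the "deny everything else".
NACL_INBOUND = [
    (100, "allow", "tcp", 80, "0.0.0.0/0"),
    (110, "allow", "tcp", 22, MY_IP + "/32"),
    (120, "deny", "*", "*", "0.0.0.0/0"),
]

def _matches(rule_proto, rule_port, cidr, proto, port, src):
    return (rule_proto in ("*", proto) and rule_port in ("*", port)
            and ip_address(src) in ip_network(cidr))

def sg_allows_inbound(proto, dst_port, src, state):
    """Stateful: a reply to a connection the instance opened is admitted with
    no inbound rule at all; anything else needs a matching allow rule."""
    if (proto, src, dst_port) in state:
        return True
    return any(_matches(p, port, cidr, proto, dst_port, src)
               for p, port, cidr in SG_INBOUND)

def nacl_allows_inbound(proto, dst_port, src):
    """Stateless: rules are tried lowest number first, the first match wins,
    and a packet matching nothing hits the implicit '*' deny."""
    for _num, action, p, port, cidr in sorted(NACL_INBOUND):
        if _matches(p, port, cidr, proto, dst_port, src):
            return action == "allow"
    return False

def scenario():
    """Verdicts (sg, nacl) for the page's cases plus a reply to the server's own HTTPS call."""
    # Constructed tracking entry: server -> 198.51.100.7:443 from local port
    # 40000, so the reply arrives as tcp from 198.51.100.7 to port 40000.
    state = {("tcp", "198.51.100.7", 40000)}
    cases = {
        "http_from_internet": ("tcp", 80, "198.51.100.7"),
        "ssh_from_my_ip": ("tcp", 22, MY_IP),
        "ssh_from_stranger": ("tcp", 22, "198.51.100.7"),
        "https_reply_to_ephemeral": ("tcp", 40000, "198.51.100.7"),
    }
    return {name: (sg_allows_inbound(*pkt, state), nacl_allows_inbound(*pkt))
            for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, (sg, nacl) in scenario().items():
        print(f"{name:26} SG={'allow' if sg else 'deny'}  NACL={'allow' if nacl else 'deny'}")
```

The last case is the catch with the NACL above: because it is stateless, rule 120 also drops the reply to a connection the server itself opened (here an HTTPS download arriving at an ephemeral port), which is why NACLs normally carry an inbound allow for the ephemeral port range (1024-65535) numbered below the deny.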
🛠️ 5. Hands-On Practice
✅ Try it on AWS:
- Launch an EC2 instance in a public subnet
- Create a Security Group with:
  - Inbound: allow HTTP (80), SSH (22 from your IP)
- Associate it with the instance
- Create or modify NACL of that subnet with matching rules
- Test access via browser (HTTP) and SSH tool
🔐 6. Pro Tips
- Use Security Groups for instance-level control
- Use NACLs for broader subnet-level policies
- Keep SSH access limited to trusted IPs only
- Document your firewall rules clearly for team visibility
- For layered security, use both SGs and NACLs
📝 End of the Day Notes:
✅ You now understand:
- 🔐 What Security Groups and NACLs are
- 🚪 How AWS controls access to your instances and subnets
- 🔁 The difference between stateful and stateless
- 🛠️ How to create firewall rules and test them
- 🔐 Best practices for basic security setup in AWS
🎯 These are critical for protecting your cloud resources!
🔁 Navigate the Series:
⬅️ Day 11: VPC (Virtual Private Cloud) Introduction – Your Private Space in AWS
➡️ Day 13: AWS Monitoring Basics – Keeping an Eye on Your Cloud