Day 12: EC2 Security Groups and NACLs - AWS Firewalls Made Simple
Category: Networking & Security
Goal: Understand how AWS controls access in and out of your EC2 and VPC network.
What You'll Learn Today:
- What is a Security Group in AWS?
- What is a Network ACL (NACL)?
- How they are different
- Real-world scenarios and examples
- Basic setup and testing tips
1. What Is a Security Group?
A Security Group is like a firewall for your EC2 instances.
It controls who can talk to your instance and on which port.
Think of it like the lock on your apartment door:
- It protects your instance from unwanted visitors
- Only allows the traffic you explicitly permit
Key Points:
- Applied at the instance level, attached to the resource's network interface (EC2, RDS, Lambda in a VPC, and so on)
- Works like a virtual firewall
- Controls inbound (coming in) and outbound (going out) traffic
- Default: deny all inbound; only what you explicitly define is allowed (the default outbound rule allows all)
- Stateful: if you allow inbound traffic, the outbound reply is allowed automatically, and replies to connections the instance opens are allowed back in
2. What Is a Network ACL (NACL)?
A NACL is also a firewall, but it’s applied at the subnet level, not individual instances.
Think of it like the security gate of your housing society:
- Every subnet (group of apartments) has its own gatekeeper (NACL)
- It checks all traffic entering and leaving the subnet
Key Points:
- Applied at the subnet level
- Controls inbound and outbound traffic
- Stateless: return traffic is not tracked, so you must allow both directions explicitly
- Has numbered rules, each with an Allow or Deny action
- Evaluates rules in order (lowest number first); the first matching rule wins, and an implicit final rule denies anything that no rule matched
3. Security Group vs NACL - Easy Comparison

Feature | Security Group | NACL
---|---|---
Applies To | EC2 instance (resource) | Subnet
Type | Stateful | Stateless
Default Behavior | Deny all inbound, allow what you define (outbound allows all) | Default NACL allows all; a custom NACL denies all until you add rules
Rules | Allow rules only | Numbered Allow + Deny rules
Direction | Both Inbound & Outbound | Both Inbound & Outbound
Use Case | App-level security | Subnet-wide control
4. Example Scenario
You have a web server on EC2 that should:
- Allow HTTP (port 80) from the internet
- Allow SSH (port 22) only from your IP
- Deny everything else
How to configure:
- Security Group:
  - Inbound: allow port 80 (anywhere), allow port 22 (your IP)
  - Outbound: allow all (default)
- NACL (for extra control):
  - Inbound rule 100: allow port 80 from 0.0.0.0/0
  - Inbound rule 110: allow port 22 from your IP
  - Inbound rule 120: deny everything else
  - Outbound rules: allow all (for simplicity)

One caveat: because the NACL is stateless, rule 120 also drops the replies to connections the instance itself opens (package updates, for example), since those replies come back on ephemeral ports 1024-65535; if the instance needs outbound access, add an inbound allow for that port range with a number lower than 120. Every NACL also ends with an implicit deny-all rule, so rule 120 only makes that default explicit.
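To make the stateful versus stateless difference in this scenario concrete, here is an added example (not code from the original post): a small Python simulator of how AWS evaluates the NACL and Security Group rules above. Rule numbers follow the scenario; 203.0.113.10 (standing in for "your IP") and the 198.51.100.x addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number, evaluated lowest first (unused for SGs)
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str          # remote CIDR the rule applies to
    action: str        # "allow" or "deny" (SGs only ever carry "allow")

def rule_matches(rule, protocol, port, remote_ip):
    return ((rule.protocol in ("all", protocol))
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, protocol, local_port, remote_ip):
    """Stateless: rules are walked in ascending number order and the first
    match decides; AWS adds an implicit final '*' rule that denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, local_port, remote_ip):
            return rule.action
    return "deny"

def sg_inbound_decision(allow_rules, established, protocol, remote_ip, remote_port, local_port):
    """Stateful: a packet that belongs to a connection the instance already
    opened outbound is allowed without any rule; otherwise an Allow rule
    must match. There are no Deny rules, so no match means dropped."""
    if (protocol, remote_ip, remote_port) in established:
        return "allow"
    for rule in allow_rules:
        if rule_matches(rule, protocol, local_port, remote_ip):
            return "allow"
    return "deny"

# Constructed sample value: 203.0.113.10 stands in for "your IP".
MY_IP = "203.0.113.10/32"
# Inbound NACL exactly as the scenario describes it.
SCENARIO_INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, MY_IP, "allow"),
    Rule(120, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
# Same NACL plus an ephemeral-port allow numbered below the deny, so replies
# to connections the instance itself opens (e.g. to a mirror on 443) get back in.
FIXED_INBOUND = SCENARIO_INBOUND + [Rule(115, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Security Group allow rules for the same scenario (rule numbers are ignored).
SG_ALLOW = [Rule(0, "tcp", 80, 80, "0.0.0.0/0", "allow"),
            Rule(0, "tcp", 22, 22, MY_IP, "allow")]
```

With `SCENARIO_INBOUND` a reply from a mirror on port 443 to ephemeral port 45000 is denied, while the same reply passes the Security Group because the outbound connection is tracked; `FIXED_INBOUND` shows rule 115 winning over 120 purely by number order.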
5. Hands-On Practice
Try it on AWS:
- Launch an EC2 instance in a public subnet
- Create a Security Group with:
  - Inbound: allow HTTP (80), SSH (22 from your IP)
- Associate it with the instance
- Create or modify the NACL of that subnet with matching rules
- Test access via browser (HTTP) and SSH tool
6. Pro Tips
- Use Security Groups for instance-level control
- Use NACLs for broader subnet-level policies
- Keep SSH access limited to trusted IPs only
- Document your firewall rules clearly for team visibility
- For layered security, use both SGs and NACLs
End of the Day Notes:
You now understand:
- What Security Groups and NACLs are
- How AWS controls access to your instances and subnets
- The difference between stateful and stateless
- How to create firewall rules and test them
- Best practices for basic security setup in AWS
These are critical for protecting your cloud resources!
Navigate the Series:
Previous: Day 11: VPC (Virtual Private Cloud) Introduction - Your Private Space in AWS
Next: Day 13: AWS Monitoring Basics - Keeping an Eye on Your Cloud