Day-23: Security Groups & NACLs (Network Access Control Lists)
🔐 1️⃣ What They Are
Both Security Groups (SG) and Network ACLs (NACL) act as firewalls in AWS, but they work at different layers: one at the instance, the other at the subnet.

| Type | Layer | Protects |
|------|-------|----------|
| Security Group | Instance level | EC2 instances |
| Network ACL (NACL) | Subnet level | Entire subnets |
🧱 2️⃣ Security Groups (SG)
- Security Groups control traffic at the instance level (attached to EC2).
- Stateful: If incoming traffic is allowed, the response is automatically allowed.
- You can attach multiple SGs to one instance.
- Default Behavior: All inbound traffic denied, all outbound traffic allowed.
🔹 Example inbound rules:

| Type | Port | Source |
|------|------|--------|
| SSH | 22 | My IP |
| HTTP | 80 | 0.0.0.0/0 |
🧠 Tip: SGs only support Allow rules, no Deny rules; anything that no rule allows is implicitly denied.
🌐 3️⃣ Network ACL (NACL)
- NACLs control traffic at the subnet level, so they apply to every instance in that subnet.
- Stateless: return traffic is not tracked, so you must explicitly allow both inbound and outbound traffic.
- Each subnet can be associated with only one NACL at a time.
- Rules are evaluated in order by their rule number (lowest first).
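The following toy model, added to this post and not AWS code, illustrates the three behaviours described in the SG and NACL sections above: a stateful, allow-only Security Group that admits the reply leg of an allowed SSH session without any outbound rule; a stateless NACL that drops the same reply unless the ephemeral port range is explicitly allowed outbound; and NACL rule numbering, where swapping the numbers of a deny rule and an allow rule flips the result. All IP addresses, port numbers and rule numbers are constructed sample values; `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` are hypothetical names for this illustration.

```python
"""Toy model of AWS Security Group vs NACL evaluation (added example, not AWS code).
IPs, ports and rule numbers below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = "203.0.113.10"          # constructed "My IP" from the post's example
EPHEMERAL = (1024, 65535)       # ports a client picks for the reply leg


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (toward the instance) or "out" (away from it)
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also carry "deny"; SGs never do
    number: int = 0         # NACL evaluation order; unused by SGs


def _matches(rule, pkt):
    # Inbound rules are keyed on the instance's port, outbound rules on the remote port.
    port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    return (rule.proto in ("all", pkt.proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful and allow-only: replies to an admitted flow pass without a rule."""

    def __init__(self, inbound, outbound=None):
        if any(r.action != "allow" for r in inbound + (outbound or [])):
            raise ValueError("security groups support allow rules only")
        self.inbound = inbound
        # Default SG behaviour: nothing inbound, everything outbound.
        self.outbound = outbound if outbound is not None else [Rule("all", 0, 65535, "0.0.0.0/0")]
        self._flows = set()     # connection table: (remote_ip, remote_port, local_port)

    def evaluate(self, pkt):
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self._flows:  # reply leg of a flow that was already allowed
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(_matches(r, pkt) for r in rules):
            self._flows.add(key)
            return True
        return False            # no allow rule matched: implicit deny


class NetworkAcl:
    """Stateless: every packet, replies included, is judged on its own."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for r in rules:         # lowest rule number first; the first match is final
            if _matches(r, pkt):
                return r.action == "allow"
        return False            # the trailing '*' rule: deny everything else


def ssh_session_through_sg():
    """SSH from My IP: the SYN, the instance's reply, and a stranger's attempt.
    Outbound rules are emptied on purpose to show the reply passes via state alone."""
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, MY_IP + "/32")], outbound=[])
    syn = Packet("in", "tcp", MY_IP, 50000, 22)
    reply = Packet("out", "tcp", MY_IP, 50000, 22)
    stranger = Packet("in", "tcp", "198.51.100.7", 50001, 22)
    return sg.evaluate(syn), sg.evaluate(reply), sg.evaluate(stranger)


def ssh_session_through_nacl(with_ephemeral_rule):
    """Same SSH session through a NACL that only allows port 80 outbound.
    The reply is dropped until the ephemeral port range is allowed outbound too."""
    inbound = [Rule("tcp", 22, 22, "0.0.0.0/0", number=100)]
    outbound = [Rule("tcp", 80, 80, "0.0.0.0/0", number=100)]
    if with_ephemeral_rule:
        outbound.append(Rule("tcp", *EPHEMERAL, "0.0.0.0/0", number=110))
    nacl = NetworkAcl(inbound, outbound)
    syn = Packet("in", "tcp", MY_IP, 50000, 22)
    reply = Packet("out", "tcp", MY_IP, 50000, 22)
    return nacl.evaluate(syn), nacl.evaluate(reply)


def nacl_rule_order(deny_number, allow_number):
    """Block one CIDR on port 22 while allowing everyone else. Whether the block
    actually works depends only on which rule carries the lower number."""
    inbound = [Rule("tcp", 22, 22, "198.51.100.0/24", action="deny", number=deny_number),
               Rule("tcp", 22, 22, "0.0.0.0/0", number=allow_number)]
    nacl = NetworkAcl(inbound, outbound=[])
    return nacl.evaluate(Packet("in", "tcp", "198.51.100.7", 50001, 22))


if __name__ == "__main__":
    print("SG  (syn, reply, stranger):", ssh_session_through_sg())
    print("NACL without ephemeral rule:", ssh_session_through_nacl(False))
    print("NACL with ephemeral rule:   ", ssh_session_through_nacl(True))
    print("NACL deny=100/allow=200 blocks:", not nacl_rule_order(100, 200))
    print("NACL deny=200/allow=100 blocks:", not nacl_rule_order(200, 100))
```

Run it directly and compare the two NACL rule-order lines: the same two rules produce opposite results depending on their numbers, which is why a deny rule meant to take effect must carry a lower number than the broad allow it overrides. The Security Group scenario shows the stateful shortcut from the other side: an SG with zero outbound rules still lets the SSH reply out, so tightening outbound SG rules never breaks return traffic, whereas a NACL needs the ephemeral range allowed explicitly.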