Lesson 22

VPC Security

Security Groups and Network ACLs

1. Two Layers of VPC Firewall

Amazon VPC provides two firewall options to control traffic: security groups and network access control lists (network ACLs). They operate at different levels and have different behaviors.

2. Security Groups

A security group acts as a virtual firewall at the instance level. Each instance in a subnet can be assigned to a different set of security groups. Security groups control both inbound and outbound traffic.

Default Behavior

  • Default security group denies all inbound traffic.
  • Default security group allows all outbound traffic.
  • You can specify allow rules only — no deny rules.
  • All rules are evaluated before the decision to allow traffic.

Stateful

Security groups are stateful. If you send a request from your instance, the response traffic is automatically allowed back in regardless of inbound rules. Responses to allowed inbound traffic are automatically allowed out.

Memory trick: Security = Stateful, Instance-level, Allow only. Think: "SIA" — Stateful, Instance, Allow.

Example Rules

Direction | Protocol | Port | Source/Destination | Purpose
----------|----------|------|--------------------|--------------------------------------------
Inbound   | TCP      | 80   | 0.0.0.0/0          | Allow HTTP from anywhere
Inbound   | TCP      | 443  | 0.0.0.0/0          | Allow HTTPS from anywhere
Inbound   | TCP      | 22   | 192.0.2.0/24       | Allow SSH from corporate network
Outbound  | TCP      | 1433 | sg-database        | Allow SQL Server to database security group

Rules can reference other security groups as sources or destinations — a powerful feature for layered security.

3. Network ACLs

A network ACL is an optional firewall that operates at the subnet level. It controls traffic entering and leaving one or more subnets.

Default Behavior

  • Default network ACL allows all inbound and outbound IPv4 traffic.
  • Custom network ACLs deny all traffic until you add rules.
  • You can specify both allow and deny rules.
  • Rules are evaluated in number order (lowest number first).

Stateless

Network ACLs are stateless. Return traffic must be explicitly allowed by outbound rules. If you allow inbound traffic on port 80, you must also add an outbound rule for the response.

Memory trick: NACL = Not-stateful, Allow+Deny, subnet-Level. Think: "NADAL" — Not-stateful, Allow+Deny, subnet-Level.

4. Side-by-Side Comparison

Attribute        | Security Group                         | Network ACL
-----------------|----------------------------------------|------------------------------------------------
Scope            | Instance level                         | Subnet level
Supported rules  | Allow rules only                       | Allow and deny rules
State            | Stateful (return traffic auto-allowed) | Stateless (return traffic needs explicit rule)
Rule evaluation  | All rules evaluated together           | Rules evaluated in number order (lowest first)
Default behavior | Deny inbound, allow all outbound       | Default NACL: allow all. Custom NACL: deny all.
Association      | Multiple per instance                  | One per subnet; one NACL can serve many subnets

Exam favorite: The stateful vs. stateless distinction is one of the most tested concepts. If a question says "you opened inbound port 80 but the response is blocked," think stateless (NACL). If return traffic is allowed automatically, think stateful (security group).
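As an added example that is not part of this lesson or of any AWS tooling, the following Python model reproduces the evaluation behavior described in sections 2 to 4: allow-only, any-match rules for a security group; numbered, first-match rules with an implicit final deny for a network ACL; and the stateless handling of return traffic. All rule sets, addresses and ports are constructed sample data, including the rule 100/200 network ACL from quiz question 5.

```python
# Added example (not AWS code): a model of how the two VPC firewalls in this
# lesson evaluate a request and its response. All rule data is constructed.
from ipaddress import ip_address, ip_network

def matches(rule, proto, port, addr):
    """True when a rule's protocol, port range and CIDR cover the packet."""
    return (rule["proto"] == proto
            and rule["from_port"] <= port <= rule["to_port"]
            and ip_address(addr) in ip_network(rule["cidr"]))

def nacl_decision(rules, proto, port, addr):
    """Network ACL: the lowest-numbered matching rule wins; the implicit
    final rule (shown as '*' in the console) denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, proto, port, addr):
            return r["action"]
    return "deny"

def sg_decision(rules, proto, port, addr):
    """Security group: rules are allow-only and evaluated together, so any
    match permits the traffic; no match means deny."""
    return "allow" if any(matches(r, proto, port, addr) for r in rules) else "deny"

def request_and_response(kind, inbound, outbound, proto, dst_port, client, client_port):
    """Return (inbound decision, response decision) for one client request."""
    if kind == "nacl":
        req = nacl_decision(inbound, proto, dst_port, client)
        # Stateless: the reply is a new packet to the client's ephemeral port
        # and must itself match an outbound rule.
        resp = nacl_decision(outbound, proto, client_port, client) if req == "allow" else "n/a"
    else:
        req = sg_decision(inbound, proto, dst_port, client)
        # Stateful: replies to allowed inbound traffic leave regardless of outbound rules.
        resp = "allow" if req == "allow" else "n/a"
    return req, resp

def rule(num, action, proto, from_port, to_port, cidr):
    return dict(num=num, action=action, proto=proto, from_port=from_port, to_port=to_port, cidr=cidr)

# Constructed NACL from quiz question 5 (100 allows HTTPS, 200 denies all);
# the outbound rule was never added, as in quiz question 2.
NACL_IN = [rule(200, "deny", "tcp", 0, 65535, "0.0.0.0/0"),
           rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT = []
SG_IN = [rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]  # HTTPS row of the table above

if __name__ == "__main__":
    print("nacl:", request_and_response("nacl", NACL_IN, NACL_OUT, "tcp", 443, "198.51.100.7", 49152))
    print("sg:  ", request_and_response("sg", SG_IN, [], "tcp", 443, "198.51.100.7", 49152))
```

Adding an outbound NACL rule for the ephemeral port range (1024-65535) turns the response decision to allow, which is the fix the lesson describes for the stateless case.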

5. Quick Quiz

Test Your Understanding


1. Which VPC firewall operates at the instance level and is stateful?
2. An administrator allows inbound HTTP traffic on port 80 in a custom network ACL but forgets to add a corresponding outbound rule for the response. What happens?
3. Which statement about security groups is correct?
4. A company wants to explicitly block traffic from a specific IP address at the subnet level. Which VPC feature supports deny rules?
5. In a custom network ACL, a rule numbered 100 allows HTTPS and a rule numbered 200 denies all traffic. What happens to HTTPS traffic?
6. What is the default inbound behavior of a newly created security group?
7. Which resource can be associated with multiple subnets, but each subnet can be associated with only one of this resource?
8. An EC2 instance has a security group allowing outbound traffic. A client sends a request to the instance on port 443. What determines if the response reaches the client?
Primary Source: AWS Academy Module 5: Networking and Content Delivery (module-5.txt), Section 4: VPC Security.
Ask your teacher: If you confuse stateful vs. stateless or security group vs. NACL scope, review the comparison table. The exam almost always includes at least one question distinguishing these two firewalls.
Last updated: June 2026. © 2026 Shahriar Ahmed Shovon.