Security Layers: Security Groups and NACLs

Security inside a VPC operates at two levels:

  1. Security Groups (instance-level, stateful)
  2. Network ACLs (subnet-level, stateless)

Security Groups:

  • Act as virtual firewalls.
  • Allow rules only (no deny rules).
  • Are stateful (return traffic is automatically allowed).

Network ACLs:

  • Apply at subnet level.
  • Allow and deny rules.
  • Stateless (return traffic must be explicitly allowed).
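The stateful/stateless distinction above is easiest to see by evaluating one client request and its reply against both kinds of filter. The following is an added example written for this page, not code from the page or from AWS: it models NACL evaluation in plain Python (ascending rule number, first match wins, implicit final deny) and a security group's connection tracking, with constructed rules and a constructed HTTPS request from an internet client to an instance at 10.0.1.5. The NACL that only mirrors port 443 outbound drops the reply, because the reply is addressed to the client's ephemeral port; the security group allows it automatically.

```python
"""Stateful security group versus stateless network ACL, modelled in plain Python.

Added example with constructed rules and one constructed client request; it is
not code from the page or from AWS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # lowest number is evaluated first
    protocol: str    # "tcp", "udp", or "-1" for any protocol
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def nacl_decision(rules, packet: Packet, inbound: bool) -> str:
    """Evaluate one packet against one direction of a NACL; unmatched packets are denied."""
    # Inbound rules match on the remote source address, outbound rules on the remote
    # destination address; in both directions the port compared is the destination port.
    remote = ip_address(packet.src_ip if inbound else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if remote not in ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def nacl_verdict(inbound_rules, outbound_rules, request: Packet) -> tuple:
    """A stateless filter sees the request and the reply as two unrelated packets."""
    reply = Packet(request.protocol, request.dst_ip, request.dst_port,
                   request.src_ip, request.src_port)
    return (nacl_decision(inbound_rules, request, inbound=True),
            nacl_decision(outbound_rules, reply, inbound=False))


def sg_verdict(inbound_allows, request: Packet) -> tuple:
    """A security group tracks the connection: an allowed request implies an allowed reply."""
    src = ip_address(request.src_ip)
    for protocol, port_from, port_to, cidr in inbound_allows:
        if (protocol == request.protocol and port_from <= request.dst_port <= port_to
                and src in ip_network(cidr)):
            return ("allow", "allow")
    return ("deny", "deny")


# Constructed: an internet client opening HTTPS to an instance at 10.0.1.5.
REQUEST = Packet("tcp", "203.0.113.10", 51234, "10.0.1.5", 443)

NACL_INBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Outbound set that only mirrors port 443: the reply goes to the client's ephemeral port.
NACL_OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Outbound set with the ephemeral range a stateless filter needs for return traffic.
NACL_OUTBOUND_WITH_EPHEMERAL = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Security group inbound allow: (protocol, from_port, to_port, cidr).
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    print("NACL, no ephemeral rule:", nacl_verdict(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, REQUEST))
    print("NACL, with ephemeral rule:", nacl_verdict(NACL_INBOUND, NACL_OUTBOUND_WITH_EPHEMERAL, REQUEST))
    print("Security group:", sg_verdict(SG_INBOUND, REQUEST))
```

The verdict tuples are (request, reply). The first NACL set returns ("allow", "deny"), which in practice shows up as connections that never complete even though the inbound rule looks right; the fix is the outbound ephemeral-port rule in the second set. Because NACL rules are numbered and can deny, a lower-numbered deny rule for a specific CIDR takes precedence over a later broad allow, which is something a security group cannot express.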

Architectural principle:

Security Groups define trust relationships between components.

Example:

  • Load Balancer SG allows HTTP from the internet.
  • App SG allows traffic only from Load Balancer SG.
  • DB SG allows traffic only from App SG.

This is called security group referencing, and it enforces layered security.

Production insights:

  • Prefer Security Groups for most access control.
  • Use NACLs for additional coarse-grained filtering at the subnet boundary.
  • Never allow 0.0.0.0/0 to databases.
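The referencing chain (Load Balancer SG, App SG, DB SG) and the "never 0.0.0.0/0 to databases" rule can both be checked mechanically. The following is an added example, not code from the page or from AWS: a small audit function that takes security groups in the shape of boto3's describe_security_groups() output (the IpPermissions structure), the expected trust chain as a mapping from group id to the set of source groups it may reference, and the set of groups that are allowed to face the internet. The group ids (sg-lb, sg-app, sg-db) and the rules are constructed for the example. It flags any inbound rule on a chained group that uses a CIDR instead of a group reference, any reference to a group outside the expected chain, and any non-internet-facing group open to 0.0.0.0/0 or ::/0.

```python
"""Audit security groups for the referencing pattern and for open database access.

Added example with constructed data; the dict layout mirrors boto3's
describe_security_groups() IpPermissions, but nothing here calls AWS.
"""

ANYWHERE = ("0.0.0.0/0", "::/0")


def inbound_sources(group):
    """Yield (kind, value, (from_port, to_port)) for every inbound source of a group."""
    for perm in group.get("IpPermissions", []):
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        for r in perm.get("IpRanges", []):
            yield "cidr", r["CidrIp"], ports
        for r in perm.get("Ipv6Ranges", []):
            yield "cidr", r["CidrIpv6"], ports
        for pair in perm.get("UserIdGroupPairs", []):
            yield "sg", pair["GroupId"], ports


def audit_security_groups(groups, expected_sources, internet_facing=()):
    """Return a list of human-readable findings; an empty list means the layout matches.

    expected_sources: {group_id: set of group ids it may accept traffic from}
    internet_facing:  group ids that are permitted to allow 0.0.0.0/0 (e.g. the LB SG)
    """
    findings = []
    seen = set()
    for group in groups:
        gid = group["GroupId"]
        seen.add(gid)
        if gid in expected_sources:
            allowed = expected_sources[gid]
            for kind, value, ports in inbound_sources(group):
                if kind == "cidr":
                    findings.append(f"{gid}: inbound {ports} from CIDR {value}; "
                                    f"expected only references to {sorted(allowed)}")
                elif value not in allowed:
                    findings.append(f"{gid}: inbound {ports} references {value}, "
                                    f"which is outside the expected chain {sorted(allowed)}")
        elif gid not in internet_facing:
            for kind, value, ports in inbound_sources(group):
                if kind == "cidr" and value in ANYWHERE:
                    findings.append(f"{gid}: open to the internet ({value}) on {ports}")
    for gid in expected_sources:
        if gid not in seen:
            findings.append(f"{gid}: expected group not found")
    return findings


def sg_rule(protocol, from_port, to_port, cidrs=(), groups=()):
    """Build one IpPermissions entry (constructed helper for the sample data)."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


def make_group(gid, name, *rules):
    return {"GroupId": gid, "GroupName": name, "IpPermissions": list(rules)}


# Constructed three-tier layout that follows the page's pattern exactly.
GOOD_GROUPS = [
    make_group("sg-lb", "lb",
               sg_rule("tcp", 80, 80, cidrs=["0.0.0.0/0"]),
               sg_rule("tcp", 443, 443, cidrs=["0.0.0.0/0"])),
    make_group("sg-app", "app", sg_rule("tcp", 8080, 8080, groups=["sg-lb"])),
    make_group("sg-db", "db", sg_rule("tcp", 5432, 5432, groups=["sg-app"])),
]

# Constructed drift: the app tier also trusts a CIDR, and the DB tier is open to the world.
BAD_GROUPS = [
    GOOD_GROUPS[0],
    make_group("sg-app", "app",
               sg_rule("tcp", 8080, 8080, cidrs=["10.0.0.0/16"], groups=["sg-lb"])),
    make_group("sg-db", "db",
               sg_rule("tcp", 5432, 5432, cidrs=["0.0.0.0/0"], groups=["sg-app"])),
]

EXPECTED = {"sg-app": {"sg-lb"}, "sg-db": {"sg-app"}}
INTERNET_FACING = {"sg-lb"}

if __name__ == "__main__":
    print("good:", audit_security_groups(GOOD_GROUPS, EXPECTED, INTERNET_FACING))
    for finding in audit_security_groups(BAD_GROUPS, EXPECTED, INTERNET_FACING):
        print("bad: ", finding)
```

Against a live account the same function can be fed the `SecurityGroups` list from `describe_security_groups()`; the expected chain is the part worth keeping in version control, since it is the trust model the page describes, and any finding is a deviation from it.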
