Published in Nerd For Tech

AWS Series #2: Security Layer — Firewall

NACL & Security Group

NACL and Security Group are not standalone features; you cannot provision them separately. They are part of the main services that you provision, such as the VPC and its subnets. So it is imperative to understand the entire flow in order to understand NACL and Subnet.


VPC

Real World Example: Once you are inside the office building, you are already inside the VPC. All the resources of the office are placed on one of the floors of this building, and the aim is to reach that space based on the access path and access rights available to the user.

On AWS: Getting into the VPC does not automatically grant the right to access all resources. Each user created by the root user via IAM may have restrictions on which resources can and cannot be accessed. A user can reach only the resources that have been permissioned for that user.

Availability Zone

Real World Example: In any office you may see more than one meeting room. If one meeting room is unavailable because of renovation (not because it is in use), the other meeting room can be used.

On AWS: Availability Zones enable disaster recovery (DR). Most AWS services offer Multi-Availability Zone (Multi-AZ) deployment for their SaaS or PaaS offerings. If a service does not provide it implicitly, you can always manage one yourself.


Router

Real World Example: The router is like the lift you are assigned once you tap your access card.

On AWS: The router takes you to the NACL that is listed in the route table.

Route Table

Real World Example: Once you get into the assigned lift, you will be dropped at the floor to which your access card is assigned (let us assume each access card can access only one floor). Upon reaching the floor, you still need permission to get into the designated office. The same access card can be provisioned to enter. The checkpoint at the office door is like the NACL (Network Access Control List).

On AWS: The checkpoint at the entrance of the cloud is like the NACL (Network Access Control List).

Route 53

Real World Example: Say you want to go to your friend's house and they give you the latitude, longitude and altitude for you to get there. How about being given an address instead? In the physical world, an address is not an afterthought; it is the key piece of information which, underneath, carries the geospatial details.

On AWS: Route 53 is an optional service but a good practice. It enables four key tasks: DNS management, traffic management, availability monitoring and domain registration.


NACL

Real World Example: Let's assume Level 5 is your designated floor and there is only one office on that floor. The office is secured and lets you in only upon swiping or tapping an access card that has the appropriate permission to enter. Does the NACL let you access all the rooms in the office? Not really: you are on the office premises and can see the general areas. Let's assume you are in the reception and, to gain further entry, there are further firewalls. This NACL is associated with a sub-area where the actual resources are available, but to gain access to that sub-area with resources you need further access permissions.

On AWS: You have provisioned a VPC; how would you protect and ringfence your cloud and make sure that only the listed people enter your server? The answer is NACL. A Network Access Control List (NACL) is the first line of defence that controls traffic for one or more subnets. This is an optional layer. It works based on Allow and Deny rules for both inbound and outbound traffic. Rules are numbered, and the number defines the order in which they are evaluated: the first rule that matches the traffic applies. A NACL is stateless, which means the return traffic of an allowed inbound request is not allowed automatically; it has to be permitted by the outbound rules (and vice versa). NACL protection is at the subnet level.

A NACL decides what may go into and out of the subnet, and it is an optional layer of security. The default NACL allows all inbound and outbound traffic, so it is your organization's security team's responsibility to discuss with the respective application development team and design the inbound and outbound traffic for each subnet. You can also create a custom NACL and associate it with the subnet. By default, a custom NACL denies all traffic to the subnet.

NACL Allow and Deny traffic

Key features:

  1. Network ACL rules: enable you to add or remove rules that permit or block access from external or internal networks to your subnet.
  2. Default Network ACL: configured to allow all traffic to flow in and out of the subnets and their associated instances.
  3. Custom NACL: enables you to create a custom ACL and associate it with subnets. By default a custom NACL denies all traffic.
  4. Ephemeral ports: a NACL is associated with the ephemeral port range 32768–65535. When you want to use a different range, you may do so.
  5. Path MTU discovery: Path MTU Discovery is used to determine the path MTU between two devices.
Reference: AWS


Subnet

Real World Example: If the VPC is the building, subnets are the rooms in the office space. Assume each of the rooms can be accessed with an access card: that is the security group. Inside each of the rooms there will be instances and a NAT gateway.

On AWS: A subnet resides inside an Availability Zone, and one Availability Zone can contain more than one subnet. Subnets can be either private or public. Public subnets are those that can be reached via the Internet Gateway and can be used to spin up an EC2 instance or a web server. A private subnet, on the other hand, cannot be reached via the Internet Gateway and cannot be SSH'd into directly. The only way to reach a private subnet is via the public subnet, SSHing from there into the private subnet. A database can be placed in the private subnet, disallowing external access.

Security Groups

Real World Example: You are inside your office and want to get into the server room, which has access restrictions and can be accessed only by the Infra team. That is the security group in the cloud world.

On AWS: You have provisioned a VPC and a few servers (application and database) for your architecture. How do you protect and ringfence your servers? The answer is the security group. Once you are inside the subnet, to reach an EC2 instance you need the required permissions to access the instances within that subnet. This applies to any type of instance, be it EC2 or a database. A security group is at the instance level, not the subnet level.

It acts as a virtual firewall that ringfences your instances (both application servers and databases) and controls inbound and outbound traffic through the inbound and outbound rule configuration. Unlike a NACL, a security group is stateful: it remembers which request was allowed in, and the response to that request is allowed out automatically. You provision only allow rules, not deny rules, using the add-rules option, and you can attach up to 5 groups per instance. Now, what if you have created an instance but did not assign a security group? Does it mean your instance is unprotected? Under the AWS shared responsibility model nothing simply goes unprotected: the instance takes the default security group of the VPC. Still, it is a must that all your servers and instances have a clearly defined security group. This is because a VPC may be reachable from multiple access points, whereas each instance should be used only by specific target access points, and those must be provisioned explicitly. Instances added to a security group cannot automatically talk to each other; you will have to define rules for that separately.

Key features:

  1. Rules: specify allow rules only, not deny rules.
  2. Traffic: you can define both inbound and outbound rules by protocol and port number range.
  3. Stateful: remembers the request so that the matching response is allowed.
Reference: AWS
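As an added illustration, not part of the original article and not AWS code, the following Python script models the two evaluation behaviours described in the NACL and Security Group sections above: numbered, first-match, stateless allow/deny rules for a NACL versus unordered, stateful, allow-only rules for a security group. The `Packet`, `Rule`, `NetworkAcl` and `SecurityGroup` classes and the client and server addresses are constructed for this example; the outbound ephemeral range is the 32768–65535 quoted in the NACL key features.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: str   # "tcp", "udp" or "icmp"
    direction: str  # "inbound" or "outbound", relative to the protected subnet/instance


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for a NACL; ignored by a security group
    direction: str
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # remote address range the rule applies to
    action: str      # "allow" or "deny" (a security group only has "allow")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Direction, protocol, destination port and the remote address
    (source for inbound, destination for outbound) must all fit."""
    if rule.direction != pkt.direction or rule.protocol not in ("all", pkt.protocol):
        return False
    if not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    remote = pkt.src if pkt.direction == "inbound" else pkt.dst
    return ip_address(remote) in ip_network(rule.cidr)


class NetworkAcl:
    """Stateless subnet filter: every packet, replies included, is checked only
    against the rules for its own direction, in ascending rule number; the first
    match wins and no match falls through to the implicit deny ('*' in the console)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful instance filter: allow rules only, order irrelevant. An allowed
    request is recorded as a flow and its reply passes without an outbound rule."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups hold allow rules only")
        self.rules = list(rules)
        self.flows = set()  # (src, src_port, dst, dst_port, protocol) of allowed requests

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.protocol)
        if reverse in self.flows:
            return "allow"  # reply to a tracked request
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.protocol))
                return "allow"
        return "deny"


def demo() -> dict:
    """Constructed traffic: an HTTPS request from a client to a server in the
    subnet, the server's reply, and an SSH attempt from the same client."""
    client, server = "203.0.113.10", "10.0.1.25"  # constructed addresses
    request = Packet(client, 40000, server, 443, "tcp", "inbound")
    reply = Packet(server, 443, client, 40000, "tcp", "outbound")
    ssh = Packet(client, 40001, server, 22, "tcp", "inbound")

    inbound = [
        Rule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
        Rule(110, "inbound", "tcp", 22, 22, "0.0.0.0/0", "deny"),
        Rule(120, "inbound", "tcp", 22, 22, "203.0.113.0/24", "allow"),  # never reached: 110 matches first
    ]
    # The reply's destination port is the client's source port, so it must fall
    # inside the ephemeral range the outbound rule allows (32768-65535 here).
    ephemeral = Rule(100, "outbound", "tcp", 32768, 65535, "0.0.0.0/0", "allow")
    nacl_without_return_rule = NetworkAcl(inbound)
    nacl_with_return_rule = NetworkAcl(inbound + [ephemeral])

    # Inbound rule only; a real default security group also carries an allow-all
    # outbound rule, left out here so the stateful reply path is visible.
    sg = SecurityGroup([Rule(0, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow")])
    unsolicited = Packet(server, 50000, client, 80, "tcp", "outbound")

    return {
        "nacl_request": nacl_without_return_rule.evaluate(request),              # allow
        "nacl_reply_no_outbound_rule": nacl_without_return_rule.evaluate(reply),  # deny
        "nacl_reply_with_outbound_rule": nacl_with_return_rule.evaluate(reply),   # allow
        "nacl_ssh_first_match_wins": nacl_with_return_rule.evaluate(ssh),         # deny
        "sg_request": sg.evaluate(request),                  # allow
        "sg_reply": sg.evaluate(reply),                      # allow, no outbound rule needed
        "sg_unsolicited_outbound": sg.evaluate(unsolicited), # deny, no flow and no rule
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running the script shows the two pitfalls the text describes: the stateless NACL drops the server's reply until an outbound rule covering the ephemeral range exists, and a deny rule with a lower number shadows a later allow, whereas the security group passes the same reply purely on the strength of the tracked inbound request and still blocks an outbound connection nothing allowed.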


NAT Gateway

Real World Example: Anyone who wants to gain access to the server room in the office has to approach the Infra team; if they think it is appropriate, they will grant access.

On AWS: The best way to reach the instances within the subnet is via the NAT, so that all traffic is routed through the NAT Gateway as a single clearance window.


Instances

Real World Example: Inside the server room there may be a Linux server, a database server, an AD server, an HP server that hosts VMs, and so on.

On AWS: Inside the subnet you can spin up instances such as EC2 or a database.

Parent Article: AWS Multi-part series.






All the views expressed here are my own and do not represent the views of the firm I work for. Data | Big Data | Cloud | ML