Welcome to AWS network security! After securing identities, the next layer of defense is controlling network traffic to and from your resources. In AWS, you primarily do this within a Virtual Private Cloud (VPC).
Engagement Message
What is the main job of a firewall in a traditional network?
The first tool is the Security Group. A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. When you launch an instance, you can associate it with one or more security groups.
Think of a security group as a personal bodyguard for your virtual server.
Engagement Message
If a security group is like a personal bodyguard, what questions would this bodyguard ask before letting someone through?
Security Groups are stateful. This is a key term. It means if you allow an incoming request, the corresponding outgoing response is automatically allowed, regardless of your outbound rules. It "remembers" the connection.
Engagement Message
How does this stateful behavior make managing firewall rules simpler?
The second tool is the Network Access Control List (Network ACL). A Network ACL is a firewall that controls traffic in and out of one or more subnets within your VPC. A subnet is a segment or partition of your VPC's IP address range.
So, while security groups protect individual instances, Network ACLs protect entire subnets.
Engagement Message
Why might you want to control traffic at the subnet level rather than just at the instance level?
Network ACLs are stateless. This means they do not remember connections. If you allow incoming traffic, you must also create a corresponding outbound rule to allow the response traffic to leave.
This requires more configuration but offers more granular control, as you can create explicit "deny" rules.
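To make the stateful-versus-stateless difference concrete, here is an added example (not part of this lesson or of any AWS tooling) that models a Security Group and a Network ACL evaluating the same HTTPS request and its reply. The rule shapes, the `Packet` class and the demo values are simplified assumptions; real AWS rules also carry CIDR ranges, and the Network ACL here follows the AWS behaviour of evaluating numbered rules lowest first, first match wins, with an implicit final deny.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance) or "out"
    proto: str
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":
        # The response travels the opposite way with the ports swapped.
        return Packet("out" if self.direction == "in" else "in",
                      self.proto, self.dst_port, self.src_port)

class SecurityGroup:
    """Stateful: allow-only rules plus tracking of replies to allowed packets."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # sets of (proto, dst_port)
        self.tracked = set()  # replies allowed regardless of the outbound rules

    def evaluate(self, pkt):
        if pkt in self.tracked:  # "remembered" connection: reply passes
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if (pkt.proto, pkt.dst_port) in rules:
            self.tracked.add(pkt.reply())
            return True
        return False  # no deny rules exist: anything unmatched is dropped

class NetworkACL:
    """Stateless: numbered rules, lowest first, first match wins, implicit deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _number, proto, (low, high), action in rules:  # (rule#, proto, range, action)
            if proto in (pkt.proto, "all") and low <= pkt.dst_port <= high:
                return action == "allow"
        return False  # the final "*" rule denies everything not matched above

def demo():
    request = Packet("in", "tcp", src_port=50321, dst_port=443)  # constructed sample
    sg = SecurityGroup(inbound={("tcp", 443)}, outbound=set())
    nacl = NetworkACL(inbound=[(50, "tcp", (22, 22), "deny"),
                               (100, "tcp", (0, 65535), "allow")], outbound=[])
    fixed = NetworkACL(nacl.inbound, outbound=[(100, "tcp", (1024, 65535), "allow")])
    return {"sg_reply": sg.evaluate(request) and sg.evaluate(request.reply()),
            "nacl_reply_missing_outbound": nacl.evaluate(request) and nacl.evaluate(request.reply()),
            "nacl_reply_with_ephemeral_rule": fixed.evaluate(request) and fixed.evaluate(request.reply()),
            "nacl_ssh_explicit_deny": nacl.evaluate(Packet("in", "tcp", 50321, 22))}
```

The `nacl` object allows the request in but drops the reply because it has no outbound rule for the ephemeral port range, which is exactly the extra configuration the lesson describes; `fixed` adds that rule, and rule 50 shows an explicit deny taking precedence over a later allow.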
