AWS Classroom Series – 28/Mar/2021

Security Groups and Network ACLs

  • A Security Group acts as a virtual firewall for an EC2 instance, controlling its inbound and outbound traffic.
  • A Network Access Control List (NACL) is an optional layer of security for the VPC that acts as a firewall controlling traffic in and out of one or more subnets.
  • The basic workflow of security groups and NACLs (diagram in the original post).
  • In AWS, when we create a VPC:
    • a default NACL is created, with rules that allow all incoming and outgoing traffic
  • Network ACL rules have the following parts:
    • Rule number:
      • This defines the priority. The lower the rule number, the higher the priority: rules are evaluated in ascending order and the first match decides.
    • Type
      • A predefined traffic type or a custom port range
    • Protocol: TCP/UDP/ICMP
    • Port range
    • Source (for inbound rules)
    • Destination (for outbound rules)
    • Allow/Deny
  • Examples (screenshots in the original post).
  • The NACLs which we create have to be associated with subnets explicitly.
  • One default security group is also created when we create a VPC.
  • In a NACL we write allow and deny rules, whereas in a security group we write only allow rules (if you don't write a rule for some traffic, it is denied).


  • Create a VPC with 2 subnets:
    • web
    • app
  • Create two EC2 instances, one in web (with a public IP) and the other in app (no public IP)
  • Create a security group for the EC2 instance in the web subnet which:
    • allows port 22 from anywhere
    • allows port 80 from anywhere
    • allows ping (ICMP) from anywhere
  • Create a security group for the EC2 instance in the app subnet which:
    • allows port 8080 from the web subnet
  • Create a NACL which allows all communication within the VPC and allows port 22 and port 80 communication from anywhere, and assign it to both subnets
  • Now create an EC2 instance in subnet 1 with the web security group
  • Do the same for the app server and then check connectivity

Ephemeral ports

  • In AWS, when we create NACL rules it is important that we allow communication on ports 1024-65535 within the VPC for the VPC to work. NACL rules are stateless: return traffic is not tracked, so the ephemeral ports that replies come back on must be allowed explicitly.
    • Linux kernels in the network use 32768-61000
    • Load balancing uses 1024-65535
    • NAT Gateway uses 1024-65535
  • So ensure you have a NACL rule which allows communication on these ports for the VPC CIDR range.
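The following is an added example, not code from the original classroom notes: a small Python model of how AWS evaluates NACL rules (stateless, numbered, first match wins, allow or deny) against security group rules (stateful, allow-only, implicit deny). It uses the rule set from the exercise above together with the ephemeral-port rule from this section, so it shows why a web server in the exercise can receive a request but cannot answer it until an outbound ephemeral-port rule exists, why the app tier's port 8080 is protected by the security group rather than the NACL, and how a deny rule's number decides whether it takes effect. Every CIDR, address, rule number and port is constructed for the illustration; none comes from a real account.

```python
"""Added example, not part of the original classroom notes: a model of NACL
(stateless, numbered, allow/deny) versus security group (stateful, allow-only)
evaluation. All CIDRs, addresses, rule numbers and ports are constructed."""
import ipaddress
from dataclasses import dataclass, field

VPC_CIDR = "10.0.0.0/16"       # constructed
WEB_SUBNET = "10.0.1.0/24"     # constructed
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)      # range the notes list for NAT Gateway / load balancers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # 0 for icmp
    dport: int   # 0 for icmp


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "all"
    ports: tuple            # (low, high) destination-port range; ignored for icmp/all
    cidr: str               # peer CIDR: source for inbound, destination for outbound
    action: str = "allow"   # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0         # NACL priority; lower number is evaluated first


def _matches(rule, pkt, peer_ip):
    if rule.proto not in ("all", pkt.proto):
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.proto in ("tcp", "udp"):
        low, high = rule.ports
        return low <= pkt.dport <= high
    return True


def nacl_decision(rules, pkt, direction):
    """Stateless: each direction is judged on its own, rules tried in ascending
    number, first match decides; anything unmatched hits the trailing '*' deny."""
    peer_ip = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, peer_ip):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    """Stateful: a packet answering a flow already admitted the other way is
    allowed without consulting rules; otherwise only allow rules exist and no
    match means deny. Outbound is allow-all, the AWS default for a new group."""
    inbound: list
    flows: set = field(default_factory=set)

    def allows(self, pkt, direction):
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return True  # reply to a tracked connection
        ok = direction == "outbound" or any(_matches(r, pkt, pkt.src) for r in self.inbound)
        if ok:
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return ok


def admitted(nacl_in, nacl_out, sg, pkt, direction):
    """Inbound: subnet NACL first, then the instance's SG. Outbound: SG, then NACL."""
    if direction == "inbound":
        return nacl_decision(nacl_in, pkt, "inbound") == "allow" and sg.allows(pkt, "inbound")
    return sg.allows(pkt, "outbound") and nacl_decision(nacl_out, pkt, "outbound") == "allow"


def exercise_nacl(outbound_ephemeral=True):
    """The NACL from the exercise: everything inside the VPC, 22 and 80 from
    anywhere, plus the ephemeral range. Without the outbound ephemeral rule the
    web server can receive a request but its reply never leaves the subnet."""
    nacl_in = [Rule("all", (0, 0), VPC_CIDR, "allow", 100),
               Rule("tcp", (22, 22), ANY, "allow", 110),
               Rule("tcp", (80, 80), ANY, "allow", 120),
               Rule("tcp", EPHEMERAL, ANY, "allow", 130)]
    nacl_out = [Rule("all", (0, 0), VPC_CIDR, "allow", 100)]
    if outbound_ephemeral:
        nacl_out.append(Rule("tcp", EPHEMERAL, ANY, "allow", 110))
    return nacl_in, nacl_out


def web_scenario(outbound_ephemeral=True):
    """Internet client -> web server port 80, and the reply back."""
    nacl_in, nacl_out = exercise_nacl(outbound_ephemeral)
    web_sg = SecurityGroup([Rule("tcp", (22, 22), ANY), Rule("tcp", (80, 80), ANY),
                            Rule("icmp", (0, 0), ANY)])
    client, web = "203.0.113.7", "10.0.1.10"   # constructed: TEST-NET-3 client, web subnet host
    request = Packet(client, web, "tcp", 51515, 80)
    reply = Packet(web, client, "tcp", 80, 51515)
    return {"request": admitted(nacl_in, nacl_out, web_sg, request, "inbound"),
            "reply": admitted(nacl_in, nacl_out, web_sg, reply, "outbound")}


def app_scenario():
    """Port 8080 on the app server: the NACL's ephemeral-range rule lets an
    internet packet into the subnet, so it is the app SG that rejects it;
    the same port from the web subnet is allowed by both layers."""
    nacl_in, nacl_out = exercise_nacl()
    app_sg = SecurityGroup([Rule("tcp", (8080, 8080), WEB_SUBNET)])
    app = "10.0.2.10"   # constructed app subnet host
    from_internet = Packet("203.0.113.7", app, "tcp", 40000, 8080)
    from_web = Packet("10.0.1.10", app, "tcp", 40001, 8080)
    return {"nacl_lets_internet_in": nacl_decision(nacl_in, from_internet, "inbound"),
            "from_internet": admitted(nacl_in, nacl_out, app_sg, from_internet, "inbound"),
            "from_web": admitted(nacl_in, nacl_out, app_sg, from_web, "inbound")}


def deny_rule_ordering(deny_number):
    """A deny for one CIDR only bites if its number is lower than the allow
    that would otherwise match: first match wins."""
    nacl_in, _ = exercise_nacl()
    rules = nacl_in + [Rule("tcp", (80, 80), "198.51.100.0/24", "deny", deny_number)]  # constructed
    return nacl_decision(rules, Packet("198.51.100.9", "10.0.1.10", "tcp", 5000, 80), "inbound")
```

Running `web_scenario(False)` gives `request=True, reply=False`: the inbound port-80 rule admits the request and the stateful security group admits the reply, but the stateless NACL has no outbound rule covering the client's ephemeral port, which is exactly the gap the ephemeral-port rule closes. `app_scenario()` shows the flip side: because 8080 falls inside the 1024-65535 inbound range, the NACL alone does not keep internet traffic off the app tier, so the app security group's "8080 from the web subnet only" rule is the control that matters. `deny_rule_ordering(90)` returns "deny" while `deny_rule_ordering(125)` returns "allow", since the allow at 120 matches first.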
