L7. Security Groups, NACLs & Network Segmentation
Video generating
Check back soon for the video lesson on Security Groups, NACLs & Network Segmentation
Stateful vs stateless, instance-level vs subnet-level, allow-only vs allow-and-deny: the security group and NACL distinctions the exam tests hardest, plus the multi-tier subnet pattern that puts them to work.
Two Firewalls, Two Different Jobs
A VPC gives you two layers of traffic filtering, and the exam leans heavily on the ways they differ. Security groups operate at the instance/ENI level and are stateful: if you allow inbound traffic on a port, the response traffic is automatically permitted back out, with no matching outbound rule required. Security groups only support Allow rules. There is no way to write an explicit Deny; you can only choose what to allow. Network ACLs (NACLs) operate one layer higher, at the subnet boundary, and they are stateless. Because there is no connection tracking, you must explicitly allow both the inbound request and the outbound response, or return traffic silently drops. NACLs support both Allow and Deny rules, and they are evaluated in ascending rule-number order, stopping at the first rule that matches. Rule ordering is not cosmetic here: a Deny placed after a broader Allow never gets a chance to fire.
Defaults Matter
A newly created security group denies all inbound traffic and allows all outbound traffic by default. A newly created custom NACL denies everything, both directions, until you add rules. The default NACL that ships with a VPC is the exception: it allows all traffic by default, which is why security teams routinely lock it down or replace it with custom NACLs as a hardening step.
Referencing Security Groups as Sources
Instead of hardcoding a CIDR block, a security group rule can name another security group as its source or destination. This is the standard pattern for tiered applications: the database security group's inbound rule allows port 3306 only from the app-tier security group, not from a subnet range. As instances scale in and out of the app tier, the rule stays correct automatically, since it is tracking group membership rather than IP addresses.
Building Tiers With Subnets
Combine these controls into a multi-tier segmentation pattern spread across multiple Availability Zones for resilience:
| Tier | Subnet type | Internet route |
|---|---|---|
| Edge | Public | Direct route to an internet gateway (load balancers) |
| Application | Private | No direct internet route; outbound via NAT gateway if needed |
| Data | Isolated | No route to an internet gateway or NAT gateway at all |
- ✓Security groups are stateful and instance/ENI-scoped, and support Allow rules only, never explicit Deny
- ✓NACLs are stateless and subnet-scoped, support both Allow and Deny, and are evaluated in ascending rule-number order until the first match
- ✓A security group can name another security group as its source or destination, which is the standard way to allow traffic only from a specific application tier
- ✓A new custom NACL denies all traffic by default until rules are added; a new security group denies all inbound but allows all outbound by default
- ✓Only a NACL can explicitly block a specific malicious IP address; a security group can only decline to allow it, never actively deny it
1. A team needs to explicitly block a specific IP address range known to be scanning their subnet, while still allowing all other traffic on the same port. Which control should they use?
2. Why are security groups described as stateful?
3. Which architecture pattern best limits the blast radius if a public-facing web server is compromised?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.