NACL and Security Group

 I’ll cover:

1. What is Security Group (SG)

2. What is Network ACL (NACL)

3. Stateful vs Stateless (deep explanation)

4. Rule evaluation logic

5. Architecture placement in VPC

6. Real production scenarios

7. Interview-ready comparison table

---

🛡 1️⃣ Security Group (SG)

A Security Group is a virtual stateful firewall attached to ENIs (Elastic Network Interfaces).

That means:

• It protects EC2 instances

• It protects EKS worker nodes

• It protects ALB/NLB

• It protects RDS

• Anything with ENI

🔹 Operates at:

OSI Layer 4 (TCP/UDP)

🔹 Applied at:

Instance level

---

🔥 Technical Behavior

• Stateful

• Default deny all inbound

• Default allow all outbound

• No explicit deny rules

• Rules are evaluated as "allow-only"

---

🧠 Stateful Meaning (Important)

If inbound is allowed:

Example:
Allow inbound TCP 443 from 0.0.0.0/0

Return traffic is automatically allowed.

You DO NOT need to allow ephemeral ports.

Connection tracking is done automatically.

---

🌐 2️⃣ Network ACL (NACL)

A Network ACL is a stateless subnet-level firewall.

It controls traffic entering and leaving a subnet.

🔹 Operates at:

Layer 3 & 4 (IP + TCP/UDP)

🔹 Applied at:

Subnet level

---

🔥 Technical Behavior

• Stateless

• You MUST allow inbound AND outbound explicitly

• Supports Allow AND Deny rules

• Rules are processed in order (lowest number first)

---

🧠 Stateless Meaning

If inbound TCP 443 is allowed,
You must also allow outbound ephemeral ports (1024–65535).

Otherwise response traffic is dropped.

No connection tracking.

---

📍 Where They Sit in VPC

Traffic Flow:

Internet
↓
IGW
↓
NACL (Subnet boundary)
↓
Security Group (Instance boundary)
↓
EC2

Think:

NACL = outer perimeter firewall
SG = inner instance firewall

---

🧠 Rule Processing Difference (Critical)

Security Group

• All rules evaluated together

• If ANY rule matches → allow

• Implicit deny at end

• No rule order

• No rule numbers

---

NACL

• Rules evaluated in ascending rule number

• First match wins

• Explicit deny supported

• Rule numbers mandatory

Example:

100 allow 443
110 deny 0.0.0.0/0

If rule 100 matches → rule 110 never checked.

---

🔥 Technical Comparison Table

Feature	Security Group	NACL
Scope	ENI / Instance	Subnet
Stateful	Yes	No
Allow Rules	Yes	Yes
Deny Rules	No	Yes
Rule Order Matters	No	Yes
Default Behavior	Deny inbound	Allow all
Response Traffic	Auto allowed	Must allow manually
Layer	L4	L3 + L4
Common Usage	Application security	Network segmentation

---

🚀 Real Production Scenarios

When to Use Security Groups

✔ Control microservice access
✔ EKS node security
✔ ALB → EC2 communication
✔ Database access control

Example:
Allow only app SG to talk to DB SG.

This is called SG referencing.

---

When to Use NACL

✔ Block malicious IP ranges
✔ Block entire country CIDRs
✔ Additional defense layer
✔ Compliance requirements
✔ DDoS mitigation layer

Example:
Deny known bad IP range at subnet level.

---

🎯 Important EKS Context (MLOps Angle)

In EKS:

• Nodes have Security Groups

• Pods may inherit node SG

• LoadBalancers have SGs

• NACL rarely modified unless compliance-heavy environment

Most production teams:

Use SG heavily
Keep NACL mostly default (unless strong segmentation required)

---

🧠 Deep Technical Insight (Interview Level)

Security Groups use:

👉 Connection tracking (state table)
👉 ENI attachment-level filtering

NACL uses:

👉 Stateless packet filtering
👉 Subnet boundary filtering

Because NACL is stateless:

It cannot inspect session state.

Because SG is stateful:

It maintains connection state in kernel-level networking stack.

---

🧠 Real-World Debugging Example

Problem:
EC2 not reachable on port 443.

Checklist:

1. Check Security Group inbound

2. Check NACL inbound

3. Check NACL outbound

4. Check route table

5. Check IGW

6. Check instance OS firewall

If SG correct but still blocked → NACL probably denying.

---

🏗 Production Best Practice

✔ Use Security Groups for fine-grained control
✔ Use NACL for coarse-grained subnet control
✔ Do NOT overcomplicate NACL unless required
✔ Avoid symmetric rule mistakes in NACL

---

🔥 Simple Mental Model

Security Group = Smart firewall (remembers conversations)

NACL = Dumb firewall (forgets everything)

---

🎯 Interview 30-Second Answer

"Security Groups are stateful, instance-level firewalls that only support allow rules and automatically permit return traffic. NACLs are stateless, subnet-level firewalls that require explicit inbound and outbound rules and support both allow and deny rules, processed in order."

Now we go deep networking engineer level so you understand:

• What “stateless” really means

• What “stateful” really means

• What session state is

• Where connection tracking happens

• How packets actually flow in AWS

I’ll explain step-by-step + clear diagrams.

---

🧠 First: What Is “Session State”?

When a client connects to a server (example HTTPS):

Client → Server (TCP SYN)
Server → Client (SYN-ACK)
Client → Server (ACK)

This 3-way handshake creates a connection state.

After that, packets flow back and forth.

A firewall can either:

• 🔴 Remember this connection (stateful)

• 🔵 Forget everything (stateless)

---

🛡 PART 1 — Security Group (STATEFUL)

Security Groups are stateful.

That means:

✔ They track connection state
✔ They maintain a connection table
✔ Return traffic is automatically allowed

---

🔥 What “Maintains Connection State” Means

When you allow inbound:

Example rule:

Allow TCP 443 from 0.0.0.0/0

Now client connects:

Client IP: 1.2.3.4
Client Port: 53000 (ephemeral port)
Server Port: 443

SG sees:

Inbound TCP 443 → Allowed
Connection entry created in state table:

Source: 1.2.3.4:53000
Dest: 10.0.1.10:443
State: ESTABLISHED

Now when server replies:

Outbound packet:
10.0.1.10:443 → 1.2.3.4:53000

SG checks:

Is this part of an existing session?

Yes → Automatically allow.

You DO NOT need an outbound rule for 53000.

That’s stateful behavior.

---

📊 Security Group Packet Flow Diagram

Internet
   |
   v
[ IGW ]
   |
   v
[ NACL ]  (stateless check)
   |
   v
[ Security Group ]  (stateful check)
   |
   v
[ EC2 Instance ]

Inside SG:

Incoming Packet (443)
      |
      v
Check Rule → Allow
      |
      v
Create Connection State Table Entry
      |
      v
Return Traffic Auto Allowed

---

🌐 PART 2 — NACL (STATELESS)

NACL is stateless.

That means:

❌ It does NOT remember connections
❌ It does NOT maintain session table
❌ Every packet evaluated independently

---

🔥 What “Cannot Inspect Session State” Means

Same HTTPS example:

Client → Server TCP 443

You allow inbound 443 in NACL.

Now server replies:

Server → Client (port 53000)

If outbound rule does NOT allow 1024–65535 range:

Packet is dropped.

Why?

Because NACL does NOT know:

“This is reply traffic.”

It just sees:

Outbound packet to 53000.

If not allowed explicitly → drop.

---

📊 NACL Packet Evaluation Diagram

Inbound Packet
     |
     v
Check NACL Inbound Rules (in order)
     |
     v
Allowed → Forward to instance

Outbound Packet
     |
     v
Check NACL Outbound Rules (in order)
     |
     v
Allowed → Forward to IGW

Each direction is independent.

No memory.

---

🔬 Deep Technical Comparison

🔵 Stateless Firewall (NACL)

Works like:

IF packet matches rule → allow
ELSE → deny

No memory of previous packets.

Even part of same TCP connection is treated separately.

Think:

Security guard who forgets who entered 5 seconds ago.

---

🟢 Stateful Firewall (SG)

Works like:

If new inbound connection matches allow rule:
    Add session to connection tracking table

If packet matches existing session:
    Automatically allow

Think:

Security guard with guest list + entry log.

---

🧠 OS-Level Understanding

Security Groups rely on:

✔ Connection tracking mechanism
✔ Stateful packet inspection
✔ Managed by AWS hypervisor layer

NACL works at:

✔ Subnet boundary
✔ Packet filtering before reaching ENI
✔ No session awareness

---

🔥 Real Packet Walkthrough (Full)

Client (1.2.3.4) connects to EC2 (10.0.1.10)

Step 1: Inbound packet hits NACL
Step 2: NACL checks inbound rules
Step 3: Forwarded to SG
Step 4: SG checks inbound rule
Step 5: SG creates connection state
Step 6: EC2 responds
Step 7: SG sees it’s established → allows
Step 8: NACL checks outbound rule
Step 9: Packet leaves subnet

---

📊 Complete Traffic Flow Diagram

Client (1.2.3.4:53000)
        |
        v
---------------------------
| Internet Gateway (IGW) |
---------------------------
        |
        v
===========================
| NACL (Subnet Level)     |
| - Stateless             |
| - Rule Order Matters    |
===========================
        |
        v
---------------------------
| Security Group (ENI)    |
| - Stateful              |
| - No rule order         |
---------------------------
        |
        v
[ EC2 Instance ]

---

🚨 Common Real-World Failure

Symptom:

Website not loading.

SG correct.

Cause:

NACL outbound missing ephemeral port range:

1024-65535

Since NACL is stateless, return traffic blocked.

---

🎯 Interview-Ready Deep Explanation

“NACL is stateless, meaning it evaluates each packet independently without maintaining session state. Therefore, both inbound and outbound rules must explicitly allow traffic. Security Groups are stateful; they maintain a connection tracking table, so return traffic is automatically permitted once an inbound connection is allowed.”

---

🧠 Ultra Simple Mental Model

Security Group = Smart firewall (remembers conversation)

NACL = Dumb firewall (forgets everything)

🔐 Security Group vs 🌐 Network ACL

(AWS VPC Deep Technical Comparison)

---

🛡 1️⃣ SECURITY GROUP (SG)

🔎 Definition

A Security Group is a stateful virtual firewall attached to ENIs (Elastic Network Interfaces).

It controls traffic at the instance level.

---

⚙ Technical Characteristics

• ✔ Stateful (connection tracking enabled)

• ✔ Attached to ENI / EC2 / ALB / RDS

• ✔ Supports only ALLOW rules

• ✔ No rule order (all rules evaluated together)

• ✔ Default: Deny all inbound, Allow all outbound

---

🧠 Stateful Meaning (Important)

If inbound traffic is allowed:

Return traffic is automatically allowed.

You DO NOT need to allow ephemeral ports manually.

Security Group maintains a connection state table.

---

📊 SECURITY GROUP DIAGRAM

                Internet
                    |
                    v
              +-------------+
              |     IGW     |
              +-------------+
                    |
                    v
              +-------------+
              |    NACL     |
              +-------------+
                    |
                    v
          +---------------------+
          |  Security Group     |
          |  (Stateful)         |
          |  ENI-Level Firewall |
          +---------------------+
                    |
                    v
               +---------+
               |  EC2    |
               +---------+

---

🌐 2️⃣ NETWORK ACL (NACL)

🔎 Definition

A Network ACL is a stateless subnet-level firewall.

It controls traffic entering and leaving a subnet.

---

⚙ Technical Characteristics

• ✔ Stateless (no session tracking)

• ✔ Attached to Subnet

• ✔ Supports ALLOW and DENY rules

• ✔ Rules evaluated in order (lowest rule number first)

• ✔ Default: Allow all inbound & outbound (unless modified)

---

🧠 Stateless Meaning (Important)

Every packet is evaluated independently.

If inbound 443 is allowed:

Outbound ephemeral ports (1024–65535) must also be allowed manually.

Otherwise return traffic is dropped.

---

📊 NACL DIAGRAM

                Internet
                    |
                    v
              +-------------+
              |     IGW     |
              +-------------+
                    |
                    v
        ==================================
        |        NACL (Stateless)        |
        |  Subnet Boundary Firewall      |
        |  Rule Order Matters            |
        ==================================
                    |
                    v
          +---------------------+
          |  Security Group     |
          +---------------------+
                    |
                    v
               +---------+
               |  EC2    |
               +---------+

---

🔥 TECHNICAL DIFFERENCE TABLE

Feature	Security Group	Network ACL
Level	Instance (ENI)	Subnet
Type	Stateful	Stateless
Connection Tracking	Yes	No
Allow Rules	Yes	Yes
Deny Rules	No	Yes
Rule Order	No order	Ordered evaluation
Default Inbound	Deny	Allow
Default Outbound	Allow	Allow
Return Traffic	Auto allowed	Must allow manually
Common Use	App-level control	Network segmentation

---

🎯 Real Production Usage

Use Security Group When:

• Controlling microservices access

• ALB → EC2 communication

• EKS node security

• DB access control

Use NACL When:

• Blocking malicious CIDR ranges

• Compliance requirements

• Extra network segmentation layer

• Country-level blocking

---

🧠 Simple Mental Model

Security Group = Smart firewall (remembers sessions)

NACL = Strict gatekeeper (checks every packet separately)

We’ll simulate a real HTTPS request:

Client → EC2 (Port 443)

---

🎬 SCENE 1 — TRAFFIC ENTERS AWS

Client (1.2.3.4:53000)
        |
        |  TCP SYN → Port 443
        v
+-------------------+
| Internet Gateway  |
+-------------------+

Packet enters your VPC.

---

🎬 SCENE 2 — NACL CHECK (Stateless Layer)

=============================
|   NACL (Subnet Level)     |
|   Rule 100: Allow 443     |
=============================

🧠 NACL Logic:

• Check rule numbers in order

• If 443 allowed → Forward

• If not → Drop

NACL does NOT remember anything.

Packet passes.

---

🎬 SCENE 3 — SECURITY GROUP CHECK (Stateful Layer)

+----------------------------------+
| Security Group (Instance Level)  |
| Allow TCP 443 from 0.0.0.0/0     |
+----------------------------------+

🧠 SG Logic:

• Matches inbound rule

• Creates connection entry in state table:

Session Table Entry:
1.2.3.4:53000 → 10.0.1.10:443
State: ESTABLISHED

Packet forwarded to EC2.

---

🎬 SCENE 4 — EC2 RESPONDS

EC2 sends:

10.0.1.10:443 → 1.2.3.4:53000

Now watch the difference.

---

🎬 SCENE 5 — SECURITY GROUP RETURN CHECK

Security Group sees:

Is this part of existing session?

✔ Yes → Allow automatically.

No need to open ephemeral ports.

That’s STATEFUL behavior.

---

🎬 SCENE 6 — NACL OUTBOUND CHECK

Now packet reaches NACL outbound rules:

Rule 100: Allow 1024–65535

If ephemeral ports allowed → Packet leaves.

If NOT allowed → Packet DROPPED.

That’s STATELESS behavior.

NACL does NOT know this is reply traffic.

---

🔄 COMPLETE ANIMATED FLOW

Client
  |
  v
[ IGW ]
  |
  v
=================
| NACL Inbound  |  ← Stateless
=================
  |
  v
-----------------
| Security Group|  ← Stateful
-----------------
  |
  v
[ EC2 Instance ]
  |
  v
-----------------
| Security Group|  ← Auto allow return
-----------------
  |
  v
=================
| NACL Outbound |  ← Must allow ephemeral
=================
  |
  v
Internet

---

🎯 Visual Comparison Animation Style

🔵 If Using Only Security Group

Inbound 443 allowed
Return traffic automatically allowed
Works smoothly

---

🔴 If NACL Missing Ephemeral Rule

Inbound 443 allowed
EC2 responds
NACL blocks outbound 53000

Result:

❌ Connection fails
❌ Website not loading

This is a very common production mistake.

---

🧠 Deep Understanding Summary

Feature	Security Group	NACL
Remembers session	✔ Yes	❌ No
Needs outbound rule for reply	❌ No	✔ Yes
Connection tracking	✔ Yes	❌ No
Rule order matters	❌ No	✔ Yes