This blog focuses on the primary security mechanisms in a VPC—security groups and network ACLs—and explains how traffic actually flows between resources, subnets, and external networks.
Defense in Depth at the Network Layer
VPC security follows a layered approach. Instead of relying on a single control, AWS provides multiple mechanisms that work together to restrict and monitor traffic.
At a high level:
- Security groups protect individual resources
- Network ACLs protect entire subnets
- Route tables define allowed traffic paths
Understanding how these layers interact is essential for predictable and secure network behavior.
Security Groups: Stateful Resource-Level Firewalls
Security groups act as virtual firewalls attached to resources such as EC2 instances, load balancers, and databases.
Key characteristics:
- Stateful: return traffic is automatically allowed
- Applied at the resource level
- Only allow rules are defined
- Evaluated in aggregate (no rule order)
Security groups define which traffic is permitted to reach a resource and which outbound traffic it can initiate.
Inbound Traffic Control
Inbound rules specify:
- Protocol (TCP, UDP, ICMP)
- Port or port range
- Source (CIDR block or another security group)
Best practices include:
- Avoiding broad CIDR ranges
- Allowing traffic from security groups instead of IPs where possible
- Restricting administrative access (SSH/RDP) to trusted sources
Outbound Traffic Control
Outbound rules define where a resource is allowed to send traffic.
While outbound access is often left open, regulated environments may restrict outbound traffic to:
- Internal services
- Approved external endpoints
- Specific VPC endpoints
Outbound controls are important for data exfiltration prevention.
Network ACLs: Stateless Subnet-Level Controls
Network ACLs (NACLs) operate at the subnet boundary and apply to all resources within the subnet.
Key characteristics:
- Stateless: inbound and outbound rules must both be defined
- Rules are evaluated in order
- Explicit allow and deny rules are supported
NACLs provide coarse-grained controls and are typically used to enforce baseline network policies.
When to Use NACLs
Common use cases include:
- Blocking specific IP ranges at the subnet level
- Enforcing compliance-mandated restrictions
- Providing an additional layer of defense
For most application-level access control, security groups remain the primary tool.
Traffic Flow Within a VPC
Understanding traffic flow helps prevent accidental exposure and connectivity issues.
Instance-to-Instance Traffic
- Controlled by security groups on both instances
- Allowed by default within the same security group
- Subject to subnet routing
Subnet-to-Subnet Traffic
- Allowed by default via the local route
- Restricted by security groups and NACLs
VPC-to-Internet Traffic
- Requires an Internet Gateway
- Controlled by route tables and security groups
Each step in the path must explicitly allow the traffic.
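The rule semantics described in the security group and network ACL sections above, and the hop-by-hop path just listed, can be put together in a small simulator. This is an added example, not code from the original post or from AWS: it models a security group as an allow-only, aggregate, stateful filter, a NACL as an ordered allow/deny list with an implicit final deny, and the route table as a simple CIDR lookup. The subnet CIDRs, group names (`web-sg`, `db-sg`), addresses and rule sets are constructed for illustration, and the scenarios show where a flow is stopped when the stateless NACL is missing its reply rule, when a lower-numbered deny precedes an allow, and when the destination security group has no matching rule.

```python
"""Added example (not the post's code): a small simulator of the hops a packet
crosses inside a VPC, using the semantics described in the post:
  security groups  - allow-only rules, evaluated in aggregate, stateful
  network ACLs     - numbered rules evaluated in order, allow or deny, stateless
  route table      - the flow needs a route to the destination (the local route here)
All addresses, rule sets and names below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_sg: str      # name of the security group on the sending resource
    dst_ip: str
    dst_sg: str      # name of the security group on the receiving resource
    proto: str       # "tcp" / "udp" / "icmp"
    dport: int       # service port the client connects to
    sport: int       # client's ephemeral port; only the stateless NACLs care about it


def _rule_matches(rule, proto, port, peer_ip, peer_sg):
    """A rule matches on protocol, port range, and either a CIDR or a security-group reference."""
    if rule["proto"] not in (proto, "all"):
        return False
    lo, hi = rule.get("ports", (0, 65535))
    if not lo <= port <= hi:
        return False
    if "sg" in rule:                      # peer identified by security group, not by IP
        return rule["sg"] == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"], strict=False)


def sg_allows(rules, proto, port, peer_ip, peer_sg):
    """Security group: any matching rule permits the traffic; there is no deny rule."""
    return any(_rule_matches(r, proto, port, peer_ip, peer_sg) for r in rules)


def nacl_decision(rules, proto, port, peer_ip):
    """Network ACL: the lowest-numbered matching rule decides; the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _rule_matches(r, proto, port, peer_ip, None):
            return r["action"]
    return "deny"


def evaluate_path(flow, route_table, src_sg, src_nacl, dst_sg, dst_nacl):
    """Return (allowed, [(hop, verdict), ...]). The reply direction is re-checked only
    against the NACLs, because security groups track connection state and NACLs do not."""
    has_route = any(ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(c) for c in route_table)
    checks = [
        ("route to destination", has_route),
        ("source SG outbound", sg_allows(src_sg["outbound"], flow.proto, flow.dport, flow.dst_ip, flow.dst_sg)),
        ("source subnet NACL outbound", nacl_decision(src_nacl["outbound"], flow.proto, flow.dport, flow.dst_ip) == "allow"),
        ("destination subnet NACL inbound", nacl_decision(dst_nacl["inbound"], flow.proto, flow.dport, flow.src_ip) == "allow"),
        ("destination SG inbound", sg_allows(dst_sg["inbound"], flow.proto, flow.dport, flow.src_ip, flow.src_sg)),
        ("destination subnet NACL outbound (reply)", nacl_decision(dst_nacl["outbound"], flow.proto, flow.sport, flow.src_ip) == "allow"),
        ("source subnet NACL inbound (reply)", nacl_decision(src_nacl["inbound"], flow.proto, flow.sport, flow.dst_ip) == "allow"),
    ]
    return all(ok for _, ok in checks), checks


def first_failing_hop(checks):
    return next((hop for hop, ok in checks if not ok), None)


# --- constructed scenario: web tier in 10.0.1.0/24 talking to a database in 10.0.2.0/24 ---
ROUTE_TABLE = ["10.0.0.0/16"]                     # the VPC's local route
WEB_SG = {"inbound": [{"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}],
          "outbound": [{"proto": "all", "cidr": "0.0.0.0/0"}]}
DB_SG = {"inbound": [{"proto": "tcp", "ports": (5432, 5432), "sg": "web-sg"}],   # SG reference, not an IP
         "outbound": [{"proto": "all", "cidr": "0.0.0.0/0"}]}
OPEN_NACL = {"inbound": [{"num": 100, "action": "allow", "proto": "all", "cidr": "0.0.0.0/0"}],
             "outbound": [{"num": 100, "action": "allow", "proto": "all", "cidr": "0.0.0.0/0"}]}
# Tight NACL on the database subnet: only Postgres in, and because NACLs are stateless
# the replies must be allowed explicitly on the client's ephemeral port range.
DB_NACL = {"inbound": [{"num": 100, "action": "allow", "proto": "tcp", "ports": (5432, 5432), "cidr": "10.0.1.0/24"}],
           "outbound": [{"num": 100, "action": "allow", "proto": "tcp", "ports": (1024, 65535), "cidr": "10.0.1.0/24"}]}
# Same NACL with the reply rule forgotten: a classic stateless-ACL mistake.
DB_NACL_NO_REPLY = {"inbound": DB_NACL["inbound"], "outbound": []}
# Ordered evaluation: rule 50 denies one host before rule 100 allows the subnet.
DB_NACL_BLOCK_HOST = {"inbound": [{"num": 50, "action": "deny", "proto": "all", "cidr": "10.0.1.10/32"}] + DB_NACL["inbound"],
                      "outbound": DB_NACL["outbound"]}

WEB_TO_DB = Flow("10.0.1.10", "web-sg", "10.0.2.20", "db-sg", "tcp", 5432, 49152)
WEB_TO_DB_SSH = Flow("10.0.1.10", "web-sg", "10.0.2.20", "db-sg", "tcp", 22, 49153)


def demo():
    """Run the scenarios and report where each flow is stopped (None = allowed end to end)."""
    results = {}
    for name, flow, nacl in [("postgres", WEB_TO_DB, DB_NACL),
                             ("postgres, reply rule missing", WEB_TO_DB, DB_NACL_NO_REPLY),
                             ("postgres, host denied by rule 50", WEB_TO_DB, DB_NACL_BLOCK_HOST),
                             ("ssh to db", WEB_TO_DB_SSH, OPEN_NACL)]:
        allowed, checks = evaluate_path(flow, ROUTE_TABLE, WEB_SG, OPEN_NACL, DB_SG, nacl)
        results[name] = None if allowed else first_failing_hop(checks)
    return results


if __name__ == "__main__":
    for name, stopped_at in demo().items():
        print(f"{name:35s} -> {'allowed' if stopped_at is None else 'blocked at ' + stopped_at}")
```

The model deliberately evaluates the reply direction only against the NACLs: a security group that admitted the request admits the response automatically, whereas a subnet NACL with no outbound rule for the ephemeral port range silently breaks the connection even though every inbound rule is correct.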
VPC Endpoints: Private Access to AWS Services
VPC endpoints allow resources in private subnets to access AWS services without traversing the public internet.
Two types:
- Gateway endpoints (S3, DynamoDB)
- Interface endpoints (powered by PrivateLink)
Endpoints improve security by keeping traffic within the AWS network and simplifying access control.
Common Security Misconfigurations
- Allowing SSH or RDP from 0.0.0.0/0
- Overlapping CIDR ranges in connected networks
- Overusing public subnets
- Relying solely on NACLs for security
- Ignoring outbound traffic restrictions
Most VPC security incidents result from configuration errors rather than AWS infrastructure failures.
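Several of the misconfigurations above, and the inbound and outbound best practices from the security group section, can be checked mechanically against exported rule data. The following is an added example, not code from the original post or an AWS tool: a read-only audit that walks a list of security groups in the same shape as the `SecurityGroups` array returned by `aws ec2 describe-security-groups`, flagging SSH/RDP open to the world, broad source ranges, unrestricted outbound access, and in-VPC IP sources that could be expressed as a security-group reference. The sample groups, their IDs and CIDRs are constructed, and the "broad" threshold of /16 is an assumption for this example.

```python
"""Added example (not the post's code): a read-only audit of security group rules for
the misconfigurations listed in the post. The input has the same shape as the
`SecurityGroups` list returned by `aws ec2 describe-security-groups`; the sample
groups, IDs and CIDRs below are constructed, and the 'broad CIDR' threshold is an
assumption made for this example."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
BROAD_PREFIX_MAX = 16          # assumption: an IPv4 source wider than /16 counts as 'broad'


def _ports(perm):
    """Port range covered by a permission; protocol -1 means all protocols and ports."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_group(group, vpc_cidr=None):
    """Return a list of (group_id, severity, message) findings for one security group."""
    findings = []
    gid = group["GroupId"]
    vpc_net = ipaddress.ip_network(vpc_cidr) if vpc_cidr else None
    for perm in group.get("IpPermissions", []):
        lo, hi = _ports(perm)
        tcp_like = perm["IpProtocol"] in ("tcp", "-1")
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            is_world = cidr in (ANY_V4, ANY_V6)
            # 1. administrative ports reachable from anywhere
            for port, name in ADMIN_PORTS.items():
                if is_world and tcp_like and lo <= port <= hi:
                    findings.append((gid, "HIGH", f"{name} ({port}/tcp) reachable from {cidr}"))
            # 2. anything else open to the internet is worth knowing about
            if is_world and not any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((gid, "INFO", f"ports {lo}-{hi} open to the internet ({cidr})"))
            # 3. a wide private/public range that is not literally 'everywhere'
            elif not is_world and net.version == 4 and net.prefixlen < BROAD_PREFIX_MAX:
                findings.append((gid, "MEDIUM", f"broad source range {cidr} on ports {lo}-{hi}"))
            # 4. sources inside the VPC are usually better expressed as an SG reference
            if vpc_net and not is_world and net.version == vpc_net.version and net.subnet_of(vpc_net):
                findings.append((gid, "LOW", f"in-VPC source {cidr} could be a security-group reference instead"))
    # 5. outbound left fully open (all protocols to 0.0.0.0/0)
    for perm in group.get("IpPermissionsEgress", []):
        if perm["IpProtocol"] == "-1" and ANY_V4 in _cidrs(perm):
            findings.append((gid, "MEDIUM", "outbound traffic unrestricted (all protocols to 0.0.0.0/0)"))
    return findings


def audit_all(groups, vpc_cidr="10.0.0.0/16"):
    return [f for g in groups for f in audit_security_group(g, vpc_cidr)]


# Constructed sample resembling describe-security-groups output (IDs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bastion0", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0app00000", "GroupName": "app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db000000", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app00000"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for gid, severity, message in audit_all(SAMPLE_GROUPS):
        print(f"{severity:6s} {gid:14s} {message}")
```

The `db` group produces no findings because its only inbound source is another security group, which is the pattern the best-practices list recommends; the `bastion` group shows both the world-open SSH rule and the unrestricted egress that the outbound section warns about. Feeding real data into `audit_all` only requires the JSON from the describe call.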
Monitoring and Visibility
Visibility into network activity is critical for security.
Key tools include:
- VPC Flow Logs for traffic analysis
- CloudWatch metrics for networking components
- AWS Config for configuration tracking
- GuardDuty for threat detection
Monitoring should be proactive and continuous.
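VPC Flow Logs are the first of the tools above and the one that most directly shows whether the security group and NACL rules are doing what was intended. As an added example, not code from the original post or an AWS tool, the script below parses flow log records in the default format (version 2, 14 space-separated fields), skips `NODATA`/`SKIPDATA` records, and summarises rejected traffic per source: sources rejected on many distinct ports, sources repeatedly rejected on SSH/RDP, and, as a sign of the "SSH or RDP from 0.0.0.0/0" misconfiguration, administrative connections that were accepted from outside the VPC. The log lines are constructed (TEST-NET addresses, a made-up account and interface ID), and the alert thresholds are assumptions for this example.

```python
"""Added example (not the post's code): parsing VPC Flow Log records in the default
format and summarising rejected traffic per source. The records below are constructed
(TEST-NET addresses, a made-up account and interface ID); thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Default flow log format, version 2, in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
PORT_SWEEP_MIN = 5      # assumption: rejects to this many distinct ports from one source
ADMIN_REJECT_MIN = 3    # assumption: this many rejected admin-port attempts from one source


def parse_record(line):
    """Return a dict for a usable version-2 record, or None for anything else."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None                      # custom formats / other versions are not handled here
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                      # NODATA / SKIPDATA records carry '-' in most fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarise(lines, vpc_cidr):
    """Return a list of (source, description, count) alerts derived from the records."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejected_ports = defaultdict(set)      # src -> distinct destination ports rejected
    admin_rejects = defaultdict(int)       # src -> rejected attempts on SSH/RDP
    external_admin_accepts = []            # accepted SSH/RDP from outside the VPC
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
            if rec["dstport"] in ADMIN_PORTS:
                admin_rejects[rec["srcaddr"]] += 1
        elif rec["action"] == "ACCEPT" and rec["dstport"] in ADMIN_PORTS and src not in vpc:
            external_admin_accepts.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    alerts = []
    for src, ports in rejected_ports.items():
        if len(ports) >= PORT_SWEEP_MIN:
            alerts.append((src, "port sweep", len(ports)))
    for src, n in admin_rejects.items():
        if n >= ADMIN_REJECT_MIN:
            alerts.append((src, "repeated admin-port rejects", n))
    for src, dst, port in external_admin_accepts:
        alerts.append((src, f"admin port {port} accepted from outside the VPC on {dst}", 1))
    return alerts


# Constructed records: the account ID, ENI and addresses are not real.
SAMPLE_LOG = """\
2 123456789012 eni-0abc12345 203.0.113.7 10.0.1.10 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 203.0.113.7 10.0.1.10 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 203.0.113.7 10.0.1.10 51236 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.10 40001 21 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.10 40003 25 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.10 40004 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.10 40005 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 10.0.2.20 10.0.1.10 49152 8080 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 192.0.2.44 10.0.1.10 55000 3389 6 12 2500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for src, description, count in summarise(SAMPLE_LOG.splitlines(), "10.0.0.0/16"):
        print(f"{src:15s} {description} (x{count})")
```

Rejected records are the cheap signal that the rules are holding; the accepted RDP connection from `192.0.2.44` is the one that deserves follow-up, because it means a rule somewhere admitted administrative traffic from outside the VPC. In practice the same summary would run over records delivered to S3 or CloudWatch Logs rather than an inline string.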
Conclusion
VPC security is built on multiple, complementary controls. Security groups provide precise resource-level protection, while network ACLs enforce broader subnet-level policies. Understanding how traffic flows through these layers allows teams to design networks that are both secure and functional.
In Part 3, we will cover VPC connectivity options, including NAT Gateways, VPC peering, Transit Gateway, and hybrid architectures.