If you're working with AWS VPCs, EC2, and network access control, knowing Security Groups and Network ACLs (NACLs) is essential β especially in interviews. Below are 15 practical scenario-based questions with answers, perfect for engineers with 1β2 years of experience.
1. β You want to allow HTTP traffic into your EC2 instance. What Security Group rule do you add?
Answer:
Add an inbound rule allowing TCP port 80 from 0.0.0.0/0 in the Security Group attached to the instance.
2. π« Your EC2 instance canβt access the internet, but the route table and IGW look fine. What's wrong?
Answer:
Check that:
- Outbound rules in the Security Group allow traffic.
- NACL allows outbound traffic on port 80 or 443.
- Instance is in a public subnet with correct route table. **
- π How do you restrict SSH access to only your office IP?**
Answer:
Add an inbound SG rule for port 22 (TCP) with source set to your static IP, e.g., 203.0.113.10/32.
4. π Whatβs the default behavior of a Security Group?
Answer:
By default:
- No inbound traffic is allowed.
- All outbound traffic is allowed.
5. β Can you use Security Groups to deny specific IPs?
Answer:
No. Security Groups are stateful and only support allow rules. To deny specific IPs, use a NACL.
6. π You have two EC2s in different subnets. How can they securely communicate?
Answer:
Add rules in each EC2βs Security Group allowing traffic from the other's private IP or Security Group ID.
7. 𧱠You can ping your EC2 instance by IP but not by domain. Could this be a SG/NACL issue?
Answer:
Unlikely. Itβs a DNS issue. But ensure UDP port 53 is allowed if you're using custom DNS services.
8. π Whatβs the main difference between Security Groups and NACLs?
Answer:
| Feature | Security Group | NACL |
|---|---|---|
| Type | Stateful | Stateless |
| Applies to | Instance level | Subnet level |
| Deny Support | β No | β Yes |
| Default Rules | Allow all outbound | Deny all |
9. π You want to temporarily block all incoming traffic to a subnet. Fastest solution?
Answer:
Use the NACL attached to that subnet to deny all inbound traffic by removing allow rules or adding deny rules.
10. π« What happens if you create a new NACL with no rules?
Answer:
All traffic is denied (both inbound and outbound), since NACLs are stateless and default to deny all.
11. π Can EC2s with the same Security Group talk to each other?
Answer:
Yes, but only if the SG has inbound rules allowing traffic from its own group ID.
12. πΆ You canβt reach your EC2 from the internet. What rule is missing?
Answer:
Check the Security Groupβs inbound rule β port 80 or 443 (HTTP/HTTPS) may be missing or restricted.
13. π‘οΈ Why use both a Security Group and a NACL?
Answer:
- Security Groups provide instance-level filtering.
- NACLs allow subnet-level control, including IP-based blocks and explicit deny rules.
Together, they provide layered security.
14. π Why might a NACL allow inbound but still block traffic?
Answer:
NACLs are stateless, so if you allow inbound traffic, you must also allow the corresponding outbound traffic.
15. π΅οΈ How do you check which ports are exposed on an EC2?
Answer:
Review the instance's:
- Security Group inbound rules
- NACL inbound rules
- Look for 0.0.0.0/0 or wide open CIDR ranges on sensitive ports.
π¬ Final Tip:
- Use Security Groups for most control β theyβre easier and stateful.
- Use NACLs when you need subnet-level filters or explicit denies.
π Do you want to dive deeper into AWS VPC architecture or security patterns?
Let me know in the comments, and Iβll create a follow-up guide!
Top comments (0)