If you're working with AWS VPCs, EC2, and network access control, knowing Security Groups and Network ACLs (NACLs) is essential, especially in interviews. Below are 15 practical scenario-based questions with answers, perfect for engineers with 1-2 years of experience.
1. You want to allow HTTP traffic into your EC2 instance. What Security Group rule do you add?
Answer:
Add an inbound rule allowing TCP port 80 from 0.0.0.0/0 in the Security Group attached to the instance.
2. Your EC2 instance can't access the internet, but the route table and IGW look fine. What's wrong?
Answer:
Check that:
- Outbound rules in the Security Group allow traffic.
- NACL allows outbound traffic on port 80 or 443.
- The instance is in a public subnet with the correct route table.
3. How do you restrict SSH access to only your office IP?
Answer:
Add an inbound SG rule for port 22 (TCP) with source set to your static IP, e.g., 203.0.113.10/32.
4. What's the default behavior of a Security Group?
Answer:
By default:
- No inbound traffic is allowed.
- All outbound traffic is allowed.
5. Can you use Security Groups to deny specific IPs?
Answer:
No. Security Groups are stateful and only support allow rules. To deny specific IPs, use a NACL.
6. You have two EC2s in different subnets. How can they securely communicate?
Answer:
Add rules in each EC2's Security Group allowing traffic from the other's private IP or Security Group ID.
7. You can ping your EC2 instance by IP but not by domain. Could this be a SG/NACL issue?
Answer:
Unlikely. It's a DNS issue. But ensure UDP port 53 is allowed if you're using custom DNS services.
8. What's the main difference between Security Groups and NACLs?
Answer:
| Feature | Security Group | NACL |
|---|---|---|
| Type | Stateful | Stateless |
| Applies to | Instance level | Subnet level |
| Deny Support | No | Yes |
| Default Rules | Allow all outbound | Deny all |
9. You want to temporarily block all incoming traffic to a subnet. Fastest solution?
Answer:
Use the NACL attached to that subnet to deny all inbound traffic by removing allow rules or adding deny rules.
10. What happens if you create a new NACL with no rules?
Answer:
All traffic is denied (both inbound and outbound), since NACLs are stateless and default to deny all.
11. Can EC2s with the same Security Group talk to each other?
Answer:
Yes, but only if the SG has inbound rules allowing traffic from its own group ID.
12. You can't reach your EC2 from the internet. What rule is missing?
Answer:
Check the Security Group's inbound rules: port 80 or 443 (HTTP/HTTPS) may be missing or restricted.
13. Why use both a Security Group and a NACL?
Answer:
- Security Groups provide instance-level filtering.
- NACLs allow subnet-level control, including IP-based blocks and explicit deny rules.
Together, they provide layered security.
14. Why might a NACL allow inbound but still block traffic?
Answer:
NACLs are stateless, so if you allow inbound traffic, you must also allow the corresponding outbound traffic.
15. How do you check which ports are exposed on an EC2?
Answer:
Review the instance's:
- Security Group inbound rules
- NACL inbound rules
Then look for 0.0.0.0/0 or other wide-open CIDR ranges on sensitive ports.
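As an added example that is not part of the original post, here is a small Python audit for the check in question 15 (and the office-IP scoping from question 3): it walks inbound Security Group rules in the shape returned by EC2 DescribeSecurityGroups and reports sensitive ports reachable from 0.0.0.0/0 or ::/0. The group IDs, rules, port list and helper names are constructed for this example.

```python
# Added example: audit inbound Security Group rules (DescribeSecurityGroups
# "IpPermissions" shape) for sensitive ports open to the whole internet.
from dataclasses import dataclass

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

@dataclass(frozen=True)
class Finding:
    group_id: str
    port: int
    service: str
    source: str

def port_range(perm):
    """Return (from, to) for a rule; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def open_sources(perm):
    """Sources of this rule that cover the whole IPv4 or IPv6 internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return v4 + v6

def audit_security_groups(groups):
    """Flag each (group, sensitive port, wide-open source) among inbound rules."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):  # inbound rules only
            lo, hi = port_range(perm)
            for src in open_sources(perm):
                for port, name in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append(Finding(sg["GroupId"], port, name, src))
    return findings

SAMPLE_GROUPS = [  # constructed: one well-scoped group, one over-exposed group
    {"GroupId": "sg-EXAMPLE-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Calling `audit_security_groups(SAMPLE_GROUPS)` returns five findings, all against sg-EXAMPLE-open: SSH from 0.0.0.0/0 plus, via the all-protocols rule, every sensitive port from ::/0; the web group, whose SSH rule is scoped to a single /32, produces none.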
Final Tip:
- Use Security Groups for most control; they're easier and stateful.
- Use NACLs when you need subnet-level filters or explicit denies.
Do you want to dive deeper into AWS VPC architecture or security patterns?
Let me know in the comments, and I'll create a follow-up guide!