Hey, again!
In my AWS learning path, I recently studied this Networking structure that shows how EC2 instances are protected using firewalls and how traffic flows in and out of a VPC through route tables, routers, and gateways. It's a layered concept but once it clicks, it's super logical.
So in this blog, I'm gonna break it down part-by-part just like how I understood it — simple and straight.
Here’s the image I followed while learning:
Let's understand everything step-by-step:
💻 EC2 Instance (Inside the Subnet):
Before we talk about firewalls, let's first understand what we're protecting.
In AWS, your application usually runs on EC2 instances — virtual servers in the cloud. These instances live inside a subnet, which is part of your VPC.
Each EC2 can host your websites, APIs, backend systems, etc. And because they are exposed to networks (maybe even the internet), they need security — which is where firewalls come in.
So first comes your instance, then the Security Group (like armor around it), and the NACL (like the gate of the whole area).
🧱 Security Group (Inside the Subnet)
Let’s start from where the EC2 instance lives. Inside a subnet, you attach Security Groups to your instances. Think of them like the first line of defense or the bodyguard for each EC2 instance.
What is a Security Group?
- It’s basically a virtual firewall that controls inbound (incoming) and outbound (outgoing) traffic at the instance level. Unlike NACLs, Security Groups are stateful.
Stateful? What's that?
It means if your security group allows inbound traffic on port 22 (SSH), then the response (outbound) is automatically allowed back. You don’t have to write outbound rules separately for it.
How it works:
You create a security group.
You add inbound rules (e.g., allow port 80 from anywhere).
You add outbound rules (e.g., allow all traffic to anywhere).
Then attach this SG to your EC2 instance.
This controls exactly what can come in and what can go out from that specific instance.
Example: Want to host a web app? Just allow inbound on port 80 (HTTP) and 443 (HTTPS).
🧱 Network ACL (Outside the Subnet)
Okay now jump one level above. Your subnet (which contains EC2s) is also protected — but this time, by Network ACL (NACL). You can imagine this as a neighborhood security gate, while Security Group is the security at your door.
What is a NACL?
- NACL stands for Network Access Control List. It’s a set of rules that allow or deny traffic at the subnet level.
Stateless? What does that mean?
NACLs are stateless, meaning if you allow inbound traffic, you also have to allow the corresponding outbound traffic separately. Nothing automatic here.
NACL Rule Types:
Inbound Rules: Control what traffic can come into the subnet.
Outbound Rules: Control what traffic can go out of the subnet.
Rules are evaluated in order (from lowest to highest rule number).
First match wins. Rest is ignored.
Fun fact: If you don’t want a certain IP range hitting your subnet at all, block it in NACL.
So if someone somehow bypasses SG (which they shouldn’t), NACL acts like an extra shield. It's mostly used for high-level access restrictions or blacklisting specific IPs.
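To see the stateful vs. stateless difference and the "lowest rule number first, first match wins" ordering in action, here's a small Python model I added (it is not from the original post and not AWS code; the rules, IP ranges and ports are constructed examples). It checks an SSH connection and its reply against a Security Group and then against a NACL that forgot the outbound ephemeral-port rule.

```python
import ipaddress
from collections import namedtuple

# protocol is "tcp", "udp" or "all"; action is "allow" or "deny" (deny exists only in NACLs);
# number is the NACL rule number (ignored for security groups, which have no ordering)
Rule = namedtuple("Rule", "protocol port_from port_to cidr action number", defaults=("allow", 0))

def matches(rule, proto, port, ip):
    return (rule.protocol in ("all", proto) and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

class SecurityGroup:
    """Stateful: the reply to an allowed inbound flow goes out without any outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = inbound, outbound, set()
    def inbound_allowed(self, proto, port, src_ip, src_port):
        ok = any(matches(r, proto, port, src_ip) for r in self.inbound)
        if ok:
            self.flows.add((src_ip, src_port, port))    # remember the flow for its reply
        return ok
    def outbound_allowed(self, proto, dst_port, dst_ip, src_port):
        if (dst_ip, dst_port, src_port) in self.flows:  # return traffic of a tracked flow
            return True
        return any(matches(r, proto, dst_port, dst_ip) for r in self.outbound)

class NetworkAcl:
    """Stateless: each direction is checked on its own, lowest number first, first match wins."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}
    def allowed(self, direction, proto, port, remote_ip):
        for r in self.rules[direction]:
            if matches(r, proto, port, remote_ip):
                return r.action == "allow"
        return False                                    # implicit deny (the trailing * rule)

def demo():
    # Constructed rules: admin SSH from 203.0.113.0/24; NACL denies 198.51.100.0/24 at number 90
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")], outbound=[])
    nacl = NetworkAcl(inbound=[Rule("tcp", 22, 22, "0.0.0.0/0", number=100),
                               Rule("all", 0, 65535, "198.51.100.0/24", "deny", 90)],
                      outbound=[Rule("tcp", 22, 22, "0.0.0.0/0", number=100)])  # no ephemeral ports
    admin = "203.0.113.10"
    return {"sg_in": sg.inbound_allowed("tcp", 22, admin, 51000),
            "sg_reply": sg.outbound_allowed("tcp", 51000, admin, 22),
            "nacl_in": nacl.allowed("in", "tcp", 22, admin),
            "nacl_reply": nacl.allowed("out", "tcp", 51000, admin),   # False: stateless
            "nacl_denied": nacl.allowed("in", "tcp", 22, "198.51.100.5")}
```

The SSH reply passes the Security Group automatically but is dropped by the NACL until you add an outbound rule for the ephemeral port range, and the deny rule at number 90 wins over the allow at 100 because it is evaluated first.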
📦 Route Table
- Every subnet in a VPC is associated with a Route Table. This defines where traffic should go once it enters the subnet.
What’s inside the Route Table?
Destination: IP range (like 0.0.0.0/0, or a VPC CIDR)
Target: Where to send it (like IGW, NAT, local, etc.)
How it works:
When an EC2 tries to send a request to the internet, the route table checks the destination IP.
If the destination matches a rule, traffic is sent to the target.
Example: 0.0.0.0/0 -> IGW means all internet-bound traffic is forwarded to Internet Gateway.
Think of route table as the GPS inside your VPC.
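Here's a small Python route-table lookup I added to show how the "GPS" picks a target (this is my own illustration, not AWS code or code from the original post). AWS chooses the most specific matching route, so it does longest-prefix matching over a constructed table that has the local route, the 0.0.0.0/0 -> IGW route from above, and the 10.0.0.0/16 -> VGW route used later in the post. The VPC CIDR and the igw-/vgw- ids are placeholders I made up.

```python
import ipaddress

# Constructed route table for a public subnet (CIDRs and gateway ids are assumed placeholders).
# Order does not matter: the most specific (longest prefix) matching route wins.
ROUTES = [
    ("172.31.0.0/16", "local"),       # the VPC's own CIDR, present in every route table
    ("0.0.0.0/0", "igw-EXAMPLE"),     # everything else -> Internet Gateway
    ("10.0.0.0/16", "vgw-EXAMPLE"),   # on-prem range -> Virtual Private Gateway
]

# Same table without the IGW route, i.e. what a private subnet looks like
PRIVATE_ROUTES = [r for r in ROUTES if r[0] != "0.0.0.0/0"]

def lookup(route_table, dst_ip):
    """Return the target for dst_ip by longest-prefix match, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify(route_table, dst_ip):
    """Describe where a packet goes, using the east-west / north-south terms from the post."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "east-west: stays inside the VPC"
    if target.startswith("igw-"):
        return "north-south: internet via IGW"
    if target.startswith("vgw-"):
        return "north-south: on-prem via VGW"
    return f"forwarded to {target}"
```

Note that 10.0.20.7 matches both 0.0.0.0/0 and 10.0.0.0/16; the /16 is more specific, so it goes to the VGW rather than the internet, and the private table returns no route at all for an internet address.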
🔁 Router (Between Internet Gateway / Virtual Private Gateway)
- The router in the VPC isn’t a separate service — it’s automatically managed by AWS. It connects your subnets, gateways, and route tables.
What it does:
Connects different subnets within the VPC (east-west traffic)
Handles traffic from subnets to outside VPC (north-south traffic)
Works with route tables to know where to forward traffic
Think of this router like a smart traffic controller. It doesn’t ask questions. It checks route tables and forwards traffic.
🌐 Internet Gateway (IGW)
- This is what allows your instances to communicate with the public internet.
Why is it attached to the VPC?
Because it gives the entire VPC access to the internet, but only subnets that are associated with a route table pointing to IGW can use it.
What it does:
Accepts traffic from the internet
Forwards it into your VPC based on the route table
Also lets your EC2 instances send responses back to the internet
Without IGW, your EC2 can’t even do a simple apt update if it’s in a public subnet.
🔒 Virtual Private Gateway (VGW)
- This is used when your AWS VPC needs to connect with your on-premises network — like your office data center.
How it works:
You set up a VPN connection from your on-prem setup to VGW
VGW connects to your VPC router
Route table entry like Destination: 10.0.0.0/16 -> Target: VGW
This is more like a private door that connects your VPC to a known internal network. Not public internet.
Helpful when companies have hybrid cloud setups.
🧠 Final Thoughts
At first, it all feels like too much — security group here, NACL there, route tables, gateways, blah blah. But when you draw it and walk through the flow, it all makes sense.
Want to protect individual instances? Use Security Groups.
Want to control subnet-level traffic? Use NACLs.
Want to route traffic in/out? Route Table + Router.
Internet access? Use IGW.
Private corporate access? Use VGW.
All these together make VPC powerful and flexible.
Hope this helped someone who’s just starting to make sense of all this.
LinkedIn: https://www.linkedin.com/in/ankit-raj-b20a0a305/
GitHub: https://github.com/rajankit2295