AWS Network Security: Ports, Protocols, and Traffic Control
Control ports, protocols, and network traffic on AWS
This guide covers the critical mechanisms used to secure network traffic within an Amazon VPC, focusing on the differences between Security Groups, Network ACLs, and higher-level security services.
Learning Objectives
- Differentiate between stateful and stateless traffic filtering.
- Configure Security Groups and Network ACLs (NACLs) to enforce the principle of least privilege.
- Identify use cases for AWS WAF, AWS Shield, and AWS Network Firewall.
- Understand the role of ephemeral ports in stateless communication.
- Analyze traffic flow patterns to troubleshoot connectivity issues.
Key Terms & Glossary
- Ingress/Egress: Ingress refers to inbound traffic entering a resource; Egress refers to outbound traffic leaving a resource.
- Stateful Filtering: A firewall that tracks the state of active connections. If an inbound request is allowed, the outbound response is automatically allowed.
- Stateless Filtering: A firewall that does not track connection state. Rules must be explicitly defined for both inbound and outbound traffic flow.
- Ephemeral Ports: Short-lived transport protocol ports (typically 49152–65535) used for the response side of a communication session.
- CIDR Block: Classless Inter-Domain Routing; a method for allocating IP addresses and IP routing (e.g., 10.0.0.0/24).
The "Big Idea"
AWS employs a Defense in Depth strategy. Network security is not a single "wall" but a series of layers. Traffic first hits the Network ACL (the subnet-level perimeter), then the Security Group (the resource-level firewall). By combining these with application-layer security (WAF) and DDoS protection (Shield), you ensure that even if one layer is misconfigured, others remain to protect the workload.
Formula / Concept Box
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance / ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow rules only | Allow and Deny rules |
| Processing | All rules evaluated | Rules evaluated in order (lowest number first) |
| Scope | Only applies if associated | Applies to all resources in the subnet |
Hierarchical Outline
- Resource-Level Security (Security Groups)
  - Implicit Deny: No traffic is allowed unless a rule exists.
  - Scope: Applied to Elastic Network Interfaces (ENIs).
  - Protocols: Supports TCP, UDP, and ICMP.
- Subnet-Level Security (Network ACLs)
  - Default Behavior: Default NACLs allow all traffic; custom NACLs deny all traffic by default.
  - Rule Numbering: Evaluated in ascending numerical order, stopping at the first match (e.g., Rule 100 before Rule 200).
  - Ephemeral Port Management: Must allow outbound traffic to return to client ephemeral ports.
- Application & Edge Security
  - AWS WAF: Protects against Layer 7 (Application) attacks like SQL Injection and XSS.
  - AWS Shield: Managed DDoS protection (Standard is free; Advanced is paid).
  - AWS Network Firewall: Deep packet inspection for Layer 3-7 filtering across VPCs.
Visual Anchors
Traffic Flow Architecture
Security Group Scope vs. NACL Scope
\begin{tikzpicture}[node distance=2cm, every node/.style={font=\small}]
% VPC Boundary
\draw[dashed, thick] (0,0) rectangle (8,5);
\node at (4, 4.7) {VPC};
% Subnet Boundary
\draw[blue, thick] (0.5,0.5) rectangle (7.5,4);
\node[blue] at (4, 3.7) {Subnet (NACL Boundary)};
% EC2 Instances
\draw[fill=gray!20] (1.5,1.5) rectangle (3,2.5);
\node at (2.25, 2) {EC2 A};
\draw[orange, thick] (1.3,1.3) rectangle (3.2,2.7);
\node[orange, scale=0.8] at (2.25, 1.1) {SG 1};
\draw[fill=gray!20] (5,1.5) rectangle (6.5,2.5);
\node at (5.75, 2) {EC2 B};
\draw[orange, thick] (4.8,1.3) rectangle (6.7,2.7);
\node[orange, scale=0.8] at (5.75, 1.1) {SG 2};
\end{tikzpicture}
Definition-Example Pairs
- Stateful Connection:
  - Definition: The firewall remembers the "state" of an opened connection.
  - Example: You allow inbound port 80 in a Security Group. When the web server sends the HTML page back to the user, the Security Group automatically lets it out, regardless of outbound rules.
- SQL Injection (SQLi):
  - Definition: An attack where malicious SQL code is inserted into input fields for execution.
  - Example: A user enters `' OR 1=1 --` into a login form to bypass authentication. AWS WAF can detect and block this pattern.
- UDP Reflection Attack:
  - Definition: A DDoS attack where the attacker spoofs the victim's IP and sends small requests to a server (like DNS), which then "reflects" a much larger response to the victim.
  - Example: AWS Shield Standard automatically mitigates these L3/L4 attacks before they impact your infrastructure.
Worked Examples
Scenario: Configuring a Web Server in a Private Subnet
Problem: You have a web server that should only accept HTTP (80) traffic from an Application Load Balancer (ALB).
Step 1: Security Group Configuration
- Inbound: Allow TCP Port 80, Source = sg-alb-id (the Security Group ID of the ALB).
- Outbound: Allow All Traffic (0.0.0.0/0).
Step 2: Network ACL Configuration
- Inbound Rule 100: Allow TCP Port 80, Source 0.0.0.0/0, Action ALLOW.
- Outbound Rule 100: Allow TCP Port 49152-65535 (Ephemeral), Destination 0.0.0.0/0, Action ALLOW.
[!IMPORTANT] If you forget the Outbound Rule in the NACL, the web server's response will be blocked because NACLs are stateless and do not remember the inbound request.
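To make the stateful/stateless difference concrete, here is an added example (not from this guide, and not AWS's own evaluation code) that models the two decision procedures and runs the worked example above through them: a Security Group admits any matching ALLOW rule and lets tracked reply traffic out unconditionally, while a NACL walks its rules by number, stops at the first match, and forgets the inbound request. Rule numbers, port ranges and the client port are constructed for illustration, and source/destination CIDR matching is deliberately left out of the model.

```python
# Added example: minimal model of Security Group (stateful) vs NACL (stateless)
# decisions for the "web server behind an ALB" scenario. Not AWS's own logic;
# CIDR/source matching is omitted and rule values are constructed for illustration.
from dataclasses import dataclass

EPHEMERAL = (49152, 65535)  # ephemeral range the guide uses for return traffic


@dataclass
class Rule:
    number: int      # NACL evaluation order; Security Groups ignore it
    action: str      # "ALLOW" or "DENY" (Security Groups only carry ALLOW rules)
    protocol: str    # "tcp", "udp", "icmp" or "all"
    ports: tuple     # inclusive (low, high) port range


def _matches(rule, proto, port):
    return rule.protocol in ("all", proto) and rule.ports[0] <= port <= rule.ports[1]


def nacl_decision(rules, proto, port):
    """Stateless: evaluate in ascending rule number, first match wins, else implicit DENY."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port):
            return rule.action
    return "DENY"


def sg_decision(rules, proto, port, tracked_reply=False):
    """Stateful: any matching ALLOW admits; replies on a tracked connection are
    admitted regardless of the rules configured for that direction."""
    if tracked_reply:
        return "ALLOW"
    return "ALLOW" if any(_matches(r, proto, port) for r in rules) else "DENY"


# Worked example: inbound HTTP on port 80; the reply is addressed to the client's
# ephemeral port, so the NACL outbound direction must allow that range explicitly.
sg_inbound = [Rule(0, "ALLOW", "tcp", (80, 80))]
nacl_in = [Rule(100, "ALLOW", "tcp", (80, 80))]
nacl_out_ok = [Rule(100, "ALLOW", "tcp", EPHEMERAL)]
nacl_out_missing = []  # the forgotten outbound rule from the [!IMPORTANT] note


def web_reply_allowed(nacl_out, client_port=51000):
    """Does the server's HTTP reply leave the subnet? Both layers must say ALLOW."""
    sg_ok = sg_decision([], "tcp", client_port, tracked_reply=True) == "ALLOW"
    nacl_ok = nacl_decision(nacl_out, "tcp", client_port) == "ALLOW"
    return sg_ok and nacl_ok
```

Running `web_reply_allowed(nacl_out_ok)` versus `web_reply_allowed(nacl_out_missing)` shows the Security Group passing the reply in both cases while only the NACL with the ephemeral outbound rule lets it through; `nacl_decision` also reproduces the first-match ordering behaviour (a lower-numbered ALLOW wins over a higher-numbered DENY).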
Checkpoint Questions
- Which security component can explicitly "Deny" a specific IP address?
  - Answer: Network ACL (NACL). Security Groups only support "Allow" rules.
- An instance can communicate out to the internet, but cannot receive updates. You check the Security Group and find port 80 is open inbound. Why might it still fail?
  - Answer: The Network ACL might be missing an outbound rule to allow traffic back to the client's ephemeral ports.
- True or False: Security Groups can filter traffic based on URL strings or malicious scripts.
  - Answer: False. That is the job of AWS WAF (Layer 7 filtering).
- If a NACL has Rule 100 (Allow All) and Rule 110 (Deny All), will traffic be allowed?
  - Answer: Yes. NACLs evaluate rules in numerical order and stop at the first match.