Mastering AWS Network Security: Route Tables, Security Groups, and NACLs
Route tables, security groups, and network ACLs
This guide explores the foundational components of AWS network security, focusing on the layered defense strategy required for robust, scalable architectures. Even in a "Zero Trust" environment, network-level controls remain the first line of defense.
Learning Objectives
By the end of this guide, you should be able to:
- Differentiate between stateful and stateless firewalls in AWS.
- Design a layered network architecture using Public and Private subnets.
- Configure Route Tables for both local VPC traffic and Transit Gateway (TGW) integration.
- Apply security best practices for resource isolation and least privilege access.
Key Terms & Glossary
- Stateful Firewall: A firewall (like Security Groups) that remembers the state of active connections. If an inbound request is allowed, the outbound response is automatically allowed.
- Stateless Firewall: A firewall (like NACLs) that treats every packet individually. Rules must be explicitly defined for both inbound and outbound traffic.
- CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing (e.g., 10.0.0.0/16).
- Transit Gateway (TGW): A network hub used to interconnect VPCs and on-premises networks.
- Propagation: The process by which the Transit Gateway automatically learns routes from attached VPCs or VPNs.
The "Big Idea"
> [!IMPORTANT]
> Defense-in-Depth: AWS networking is not about choosing one security tool, but about layering them. Inbound traffic must pass through the Network ACL (subnet level) first and then the Security Group (instance/ENI level); outbound traffic traverses the same two layers in reverse order. A failure or misconfiguration in one layer can be caught by the other.
Formula / Concept Box
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance/ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only (Default Deny) | Allow and Deny |
| Evaluation | All rules evaluated | Rules evaluated in order (lowest number first) |
| Applied to | EC2, RDS, Lambda, etc. | All resources in the subnet |
Hierarchical Outline
- VPC Structure
- Regional Construct: VPCs span multiple Availability Zones (AZs).
- Subnets: Tied to a single AZ.
- Public Subnets: Route to an Internet Gateway (IGW).
- Private Subnets: No direct route to/from the internet.
- Traffic Control Mechanisms
- Route Tables: Determine where network traffic is directed.
- Network ACLs: The first layer of defense at the subnet boundary.
- Security Groups: The final layer of defense at the resource level.
- Inter-Network Connectivity
- Transit Gateway (TGW): Central hub for complex organizations.
- Static vs. Dynamic Routing: TGW supports BGP for dynamic on-premises routing.
Visual Anchors
Packet Flow Logic
Subnet Architecture
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, minimum width=2.5cm, minimum height=1cm, align=center}]
  % VPC boundary
  \draw[dashed, thick] (-1,-1) rectangle (8,5);
  \node[draw=none] at (3.5, 4.7) {VPC (Region)};
  % Subnets
  \node (public) at (1.5, 3) {Public Subnet\\(AZ-A)};
  \node (private) at (5.5, 3) {Private Subnet\\(AZ-A)};
  % Components
  \node[fill=gray!20] (web) at (1.5, 1) {Web Server\\(SG: Port 80/443)};
  \node[fill=gray!20] (db) at (5.5, 1) {Database\\(SG: Port 3306)};
  % Connections
  \draw[->, thick] (public) -- (web);
  \draw[->, thick] (private) -- (db);
  \draw[<->, dashed] (web) -- (db) node[midway, above] {Internal Only};
  % IGW (sits at the VPC edge, outside the dashed boundary)
  \node (igw) at (1.5, 5.5) {Internet Gateway};
  \draw[<->] (public) -- (igw);
\end{tikzpicture}
Definition-Example Pairs
- Route Table Association
- Definition: Linking a specific subnet to a set of routing rules.
- Example: Associating a "Private Route Table" (which lacks a 0.0.0.0/0 route to an IGW) with a database subnet to prevent internet exposure.
- Appliance Mode
- Definition: A TGW setting that ensures traffic is routed through the same AZ for stateful processing.
- Example: Using a cluster of third-party firewalls in a shared services VPC to inspect traffic; Appliance Mode prevents asymmetric routing that would drop stateful packets.
Worked Examples
Scenario: Allowing Web Access to a Private Instance
Goal: An EC2 instance in a private subnet needs to download updates from the internet without being reachable from the internet.
- Route Table: Add a route to the private subnet's table: 0.0.0.0/0 targeting a NAT Gateway located in a public subnet.
- Security Group (Outbound): Add an egress rule for HTTP (80) and HTTPS (443) to 0.0.0.0/0.
- Network ACL (Inbound): Ensure ephemeral ports (1024-65535) are allowed inbound to receive the response packets (since NACLs are stateless).
- Network ACL (Outbound): Allow ports 80 and 443 outbound to 0.0.0.0/0.
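As an added example (not part of the original guide), the following Python models the two firewall layers of this scenario and of the concept box above: NACL rules are stateless and evaluated lowest number first with an implicit final deny, the Security Group is stateful and allow-only, and the reply to the update download is dropped when the ephemeral-port NACL rule is missing. All addresses, ports, CIDRs and rule numbers are constructed sample values.

```python
# Added example, not from the original guide: simulates the two firewall layers
# above on the "private instance downloads updates" scenario. NACL: stateless,
# lowest rule number first, implicit final deny. SG: stateful, allow-only.
# Every IP, port, CIDR and rule number below is a constructed sample value.
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port")
NaclRule = namedtuple("NaclRule", "number action cidr ports")  # ports: dst-port range

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
def nacl_allows(rules, direction, pkt):
    """Stateless: every packet in each direction must hit an ALLOW rule itself."""
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip  # rule.cidr matches the peer
    for rule in sorted(rules, key=lambda r: r.number):
        if in_cidr(peer, rule.cidr) and pkt.dst_port in rule.ports:
            return rule.action == "allow"
    return False  # the implicit "*" rule denies anything unmatched

class SecurityGroup:
    """Stateful, allow-only, no ingress rules: only replies to tracked flows enter."""
    def __init__(self, egress):
        self.egress = egress  # list of (cidr, destination-port range)
        self.flows = set()    # (local_port, remote_ip, remote_port) of sent requests
    def allows_outbound(self, pkt):
        ok = any(in_cidr(pkt.dst_ip, c) and pkt.dst_port in p for c, p in self.egress)
        if ok:
            self.flows.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return ok
    def allows_inbound(self, pkt):
        return (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

WEB_EGRESS = [("0.0.0.0/0", range(80, 81)), ("0.0.0.0/0", range(443, 444))]
NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", range(80, 81)),
            NaclRule(110, "allow", "0.0.0.0/0", range(443, 444))]
NACL_IN_OK = [NaclRule(100, "allow", "0.0.0.0/0", range(1024, 65536))]  # ephemeral
NACL_IN_NO_EPHEMERAL = []  # the common mistake: reply packets hit the implicit deny

def update_download_succeeds(nacl_in, nacl_out=NACL_OUT):
    """Request: SG egress then NACL outbound. Reply: NACL inbound then SG."""
    sg = SecurityGroup(WEB_EGRESS)
    req = Packet("10.0.2.15", "203.0.113.10", 51234, 443)  # instance -> mirror
    rep = Packet("203.0.113.10", "10.0.2.15", 443, 51234)  # mirror -> ephemeral port
    sent = sg.allows_outbound(req) and nacl_allows(nacl_out, "outbound", req)
    return sent and nacl_allows(nacl_in, "inbound", rep) and sg.allows_inbound(rep)

def unsolicited_ssh_reaches_instance():
    """Internet probe to port 22: outside the NACL's ephemeral range, no tracked flow."""
    probe = Packet("198.51.100.7", "10.0.2.15", 40000, 22)
    return nacl_allows(NACL_IN_OK, "inbound", probe) and SecurityGroup(WEB_EGRESS).allows_inbound(probe)
```

Swapping `NACL_IN_OK` for `NACL_IN_NO_EPHEMERAL` is the exact misconfiguration the worked example warns about: the request leaves, but the reply dies at the subnet boundary.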
Checkpoint Questions
- If a Security Group allows inbound traffic on port 80, do you need to add an outbound rule for the response? (Answer: No, SGs are stateful).
- At which level (Subnet or Instance) does a Network ACL operate? (Answer: Subnet).
- True or False: Routes from a VPC are automatically propagated back to the VPC route table from a Transit Gateway. (Answer: False; VPC route tables must be updated manually with static routes to the TGW).
Muddy Points & Cross-Refs
- Overlapping CIDRs: Transit Gateway cannot handle VPC attachments with overlapping IP ranges. You must use NAT or IPv6 to resolve this.
- TGW Subnet Best Practice: It is recommended to use a dedicated, small subnet (e.g., /28) in each AZ for TGW attachments. This allows for cleaner NACL management and prevents IP exhaustion in your resource subnets.
Comparison Tables
Connectivity Options
| Method | Best Use Case | Performance | Complexity |
|---|---|---|---|
| VPC Peering | 1-to-1 connection between few VPCs | Highest (no bottleneck) | High (mesh gets complex) |
| Transit Gateway | Hub-and-spoke for many VPCs/Regions | High (centralized) | Moderate (easier management) |
| PrivateLink | Sharing a specific service privately | High (TCP only) | Low for consumers |