Mastering AWS Network Security: Route Tables, Security Groups, and NACLs
Route tables, security groups, and network ACLs
This study guide covers the foundational and professional-level concepts of AWS network security, focusing on the configuration and interaction of route tables, security groups (SGs), and network access control lists (NACLs) within a Virtual Private Cloud (VPC).
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between stateful and stateless filtering mechanisms.
- Design a VPC subnet strategy using public and private subnets based on route table configurations.
- Configure Transit Gateway (TGW) routing and understand the requirements for static vs. dynamic propagation.
- Apply the Zero-Trust model while maintaining a layered "Defense in Depth" network posture.
Key Terms & Glossary
- VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
- Subnet: A range of IP addresses in your VPC. Subnets are tied to a single Availability Zone (AZ).
- Route Table: A set of rules (routes) used to determine where network traffic from your subnet or gateway is directed.
- Security Group (SG): A virtual firewall that controls inbound and outbound traffic for one or more instances (Stateful).
- Network ACL (NACL): An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (Stateless).
- Stateful: A firewall that remembers the state of a connection. If an inbound request is allowed, the outbound response is automatically allowed regardless of outbound rules.
- Stateless: A firewall that does not remember connection state. Inbound and outbound traffic must be explicitly allowed by separate rules.
The "Big Idea"
The "Big Idea" here is Defense in Depth. Even in a Zero-Trust architecture—where we don't trust a system just because it is on our network—we still apply multiple layers of control (Subnets -> NACLs -> SGs) to ensure that if one layer is compromised or misconfigured, others remain to protect the resource.
Formula / Concept Box
| Component | Scope | Layer | Persistence |
|---|---|---|---|
| Security Group | Instance / ENI | Layer 4 (Transport) | Stateful (Returns allowed) |
| Network ACL | Subnet | Layer 3 (Network) | Stateless (Must allow both ways) |
| Route Table | Subnet / Gateway | Layer 3 (Routing) | N/A (Directional) |
Hierarchical Outline
- VPC Architecture Fundamentals
  - Regional Scope: VPCs span all AZs in a region.
  - Subnet Segmentation: Subnets are AZ-specific; split by connectivity needs (Public vs. Private).
- Traffic Control Mechanisms
  - Route Tables: Primary mechanism for defining "Public" vs. "Private."
    - Public Subnet: Has a route to an Internet Gateway (IGW).
    - Private Subnet: No direct route to IGW; may use a NAT Gateway.
- Network Security Layers
  - NACLs: Subnet-level protection. Evaluated in numeric order. First match wins.
  - Security Groups: Instance-level protection. All rules are evaluated before traffic is allowed.
- Inter-VPC and Hybrid Connectivity
  - Transit Gateway (TGW): Acts as a regional hub.
  - Routing Propagation: Routes flow to the TGW automatically, but routes from TGW back to VPCs must often be added statically.
Visual Anchors
Traffic Flow Logic
VPC Network Layout (TikZ)
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=2.5cm, minimum height=1cm, align=center}]
  % VPC boundary and label
  \draw[dashed, blue, thick] (-1,-1) rectangle (8,5);
  \node at (3.5, 4.5) {VPC (Regional)};
  \node (IGW) at (3.5, 6) {Internet Gateway};
  % Public subnet in AZ1 with the web instance
  \draw[orange, thick] (0,0) rectangle (3,3);
  \node at (1.5, 2.7) {Public Subnet (AZ1)};
  \node (web) at (1.5, 1.5) {Web Instance \\ (SG: Allow 80)};
  % Private subnet in AZ2 with the database instance
  \draw[green, thick] (4,0) rectangle (7,3);
  \node at (5.5, 2.7) {Private Subnet (AZ2)};
  \node (db) at (5.5, 1.5) {DB Instance \\ (SG: Allow 3306)};
  % Traffic paths: IGW into the public subnet, then internal routing to the DB
  \draw[->, thick] (IGW) -- (1.5, 3);
  \draw[dashed, ->] (web) -- (db) node[midway, below] {Internal Routing};
\end{tikzpicture}
```
Definition-Example Pairs
- Route Propagation
  - Definition: The process of automatically distributing routes from a VPN or Direct Connect to a TGW or VPC route table.
  - Example: When you connect a corporate office via BGP, the on-premises IP ranges appear in your TGW route table without manual entry.
- Appliance Mode
  - Definition: A TGW setting that ensures symmetric traffic flow (ingress and egress) through the same AZ for stateful security appliances.
  - Example: Using a third-party firewall (Palo Alto/Fortinet) in a central VPC to inspect traffic across different VPCs.
Worked Examples
Example 1: Making a Subnet "Public"
Scenario: You have a subnet 10.0.1.0/24 and you want instances inside to reach the internet.
- Create IGW: Attach an Internet Gateway to your VPC.
- Edit Route Table: In the route table associated with 10.0.1.0/24, add a route:
  - Destination: 0.0.0.0/0
  - Target: igw-xxxxxxxx
- Result: The subnet is now "Public."
Example 2: The TGW Return Path Requirement
Scenario: You attach a VPC to a Transit Gateway (TGW). Traffic reaches the TGW, but the VPC cannot talk to other attached networks.
- Problem: While VPC routes propagate to the TGW, the TGW does not automatically update the VPC's local route table.
- Solution: You must manually add a route in the Subnet Route Table pointing toward the TGW ID for the destination CIDR of the other network.
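As an added illustration of both worked examples (this is example code written for this guide, not part of the original), the following Python models a VPC route table as a longest-prefix-match lookup, decides whether a subnet is "Public" from its default route, and checks the two-way routing requirement of Example 2. All gateway and attachment ids are constructed placeholders.

```python
import ipaddress

# Constructed sample route tables for this example; every id is a placeholder,
# not a real AWS resource. A route table is a list of (destination CIDR, target).
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
# Example 2: VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16) are both attached to one TGW.
SUBNET_RT_BROKEN = [("10.0.0.0/16", "local")]  # no route toward the TGW yet
SUBNET_RT_FIXED = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "tgw-PLACEHOLDER")]
TGW_RT = [("10.0.0.0/16", "tgw-attach-VPC-A"), ("10.1.0.0/16", "tgw-attach-VPC-B")]  # propagated

def lookup(route_table, dst_ip):
    """Return the target of the most specific matching route (longest prefix wins),
    or None when nothing matches, which the VPC treats as unroutable."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def is_public(route_table):
    """Example 1: a subnet is public when internet-bound traffic is routed to an IGW.
    203.0.113.10 (TEST-NET-3) stands in for an arbitrary internet address."""
    target = lookup(route_table, "203.0.113.10")
    return target is not None and target.startswith("igw-")

def tgw_path_is_symmetric(subnet_rt, tgw_rt, local_cidr, remote_cidr):
    """Example 2: traffic flows only when the subnet route table sends remote_cidr to
    the TGW (the static route you must add) AND the TGW route table can return
    local_cidr to this VPC's attachment (normally present through propagation)."""
    remote_ip = str(ipaddress.ip_network(remote_cidr)[1])
    local_ip = str(ipaddress.ip_network(local_cidr)[1])
    forward = lookup(subnet_rt, remote_ip) or ""
    back = lookup(tgw_rt, local_ip) or ""
    return forward.startswith("tgw-") and back.startswith("tgw-attach-")

if __name__ == "__main__":
    print("public subnet:", is_public(PUBLIC_RT), "| private subnet:", is_public(PRIVATE_RT))
    print("broken:", tgw_path_is_symmetric(SUBNET_RT_BROKEN, TGW_RT, "10.0.0.0/16", "10.1.0.0/16"))
    print("fixed: ", tgw_path_is_symmetric(SUBNET_RT_FIXED, TGW_RT, "10.0.0.0/16", "10.1.0.0/16"))
```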
Checkpoint Questions
- True or False: If a Security Group allows inbound traffic on port 80, you must also add an outbound rule for the response traffic.
- In a NACL, if Rule 100 is "Deny All" and Rule 200 is "Allow SSH (22)", will SSH traffic be allowed?
- Which AWS component is required to handle overlapping IP addresses when connecting multiple VPCs to a Transit Gateway?
- What is the scope of a Subnet (Regional or Availability Zone)?
Answers
- False (SGs are stateful).
- No (Rules are processed in order; Rule 100 denies the traffic before Rule 200 is reached).
- NAT (Network Address Translation) or IPv6.
- Availability Zone.
Muddy Points & Cross-Refs
- TGW vs VPC Peering: Use Peering for simple 1-to-1 connections; use TGW for hub-and-spoke architectures to avoid a "full mesh" of peering connections which is hard to manage.
- Ephemeral Ports: When configuring NACLs, remember that allowing inbound traffic on port 80 is not enough. You must allow outbound traffic to Ephemeral Ports (usually 1024-65535) because the response returns to a random high-numbered port on the client.
Comparison Tables
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Application | Instance / Interface Level | Subnet Level |
| Rule Order | All rules evaluated simultaneously | Numeric order (Lowest first) |
| Allow/Deny | Supports "Allow" rules only | Supports "Allow" and "Deny" rules |
| State | Stateful (Returns are tracked) | Stateless (Returns need explicit rules) |
| Default | Denies all traffic by default | Allows all traffic (Default NACL) |
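To make the stateful/stateless distinction, the NACL ordering rule from checkpoint question 2 and the ephemeral-port muddy point concrete, here is an added Python model (example code written for this guide, not part of the original) of how a NACL and a security group each decide on a simple SSH or HTTP exchange. The rule sets are constructed for this example.

```python
# Constructed rule sets for this example, not taken from any real VPC.
# NACL rule: (rule_number, action, from_port, to_port). SG rule: (from_port, to_port).

def nacl_decides(rules, port):
    """A NACL is evaluated in ascending rule-number order and the first matching
    rule wins; if no numbered rule matches, the implicit final '*' rule denies."""
    for _number, action, lo, hi in sorted(rules):
        if lo <= port <= hi:
            return action == "allow"
    return False

def nacl_allows_exchange(inbound, outbound, service_port, client_port):
    """Stateless: the request (inbound to service_port) and the response (outbound
    to the client's ephemeral port) are judged independently, so both need a rule."""
    return nacl_decides(inbound, service_port) and nacl_decides(outbound, client_port)

def sg_allows_exchange(inbound, service_port):
    """Stateful: SG rules are allow-only and considered together; the response is
    matched to the tracked connection, so no outbound rule is consulted for it."""
    return any(lo <= service_port <= hi for lo, hi in inbound)

# Checkpoint question 2: "Deny All" at 100 shadows "Allow SSH" at 200.
SHADOWED_SSH = [(100, "deny", 0, 65535), (200, "allow", 22, 22)]
ORDERED_SSH = [(100, "allow", 22, 22), (200, "deny", 0, 65535)]

# Muddy point: inbound 80 alone is not enough for a NACL; the reply goes back to
# an ephemeral port (1024-65535) on the client and needs its own outbound rule.
WEB_IN = [(100, "allow", 80, 80)]
OUT_NO_EPHEMERAL = [(100, "allow", 443, 443)]
OUT_WITH_EPHEMERAL = [(100, "allow", 443, 443), (110, "allow", 1024, 65535)]
SG_WEB_IN = [(80, 80)]  # the SG needs only this one inbound rule

if __name__ == "__main__":
    print("SSH with Deny All first:", nacl_decides(SHADOWED_SSH, 22))  # False
    print("SSH with Allow first:   ", nacl_decides(ORDERED_SSH, 22))   # True
    print("NACL, no ephemeral rule:", nacl_allows_exchange(WEB_IN, OUT_NO_EPHEMERAL, 80, 50321))
    print("NACL, ephemeral rule:   ", nacl_allows_exchange(WEB_IN, OUT_WITH_EPHEMERAL, 80, 50321))
    print("SG, inbound 80 only:    ", sg_allows_exchange(SG_WEB_IN, 80))
```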