πŸ” NACL vs Security Group (SG) – FULL PACKET FLOW EXPLAINED


1️⃣ First, the Core Difference (Must Remember)

NACL works at the subnet level and is stateless, while Security Group works at the instance level and is stateful.

Everything else comes from this.


2️⃣ Where NACL and SG Sit in AWS Networking

Let’s first fix the order of traffic flow, because this is where most confusion happens.

πŸ” Actual AWS Traffic Flow Order

Internet
 ↓
Internet Gateway (IGW)
 ↓
Route Table (decides path)
 ↓
NACL (Subnet-level firewall)
 ↓
Security Group (Instance-level firewall)
 ↓
EC2 Instance

📌 Both NACL and SG must allow the traffic. If either one blocks it, the traffic is blocked.


3️⃣ NACL vs SG – High-Level Comparison

Feature            NACL                             Security Group
Level              Subnet                           Instance
Stateful           ❌ No                            ✅ Yes
Allow rules        ✅ Yes                           ✅ Yes
Deny rules         ✅ Yes                           ❌ No
Rule order         Numbered (evaluated in order)    No order
Default inbound    Allow all (default NACL)         Deny all
Return traffic     Must be explicitly allowed       Automatically allowed

4️⃣ What “Stateful” vs “Stateless” REALLY Means

🔹 Stateless (NACL)

NACL does NOT remember traffic.

If a request is allowed in, the response is NOT automatically allowed.

You must allow:

  • Request (inbound rule)
  • Response (outbound rule)

Both directions need an explicit rule.

🔹 Stateful (Security Group)

Security Group remembers traffic.

If a request is allowed:

  • Response is automatically allowed
  • No extra rule needed

5️⃣ FULL PACKET FLOW – Public Web Server Example

Let’s take a real scenario.

🧩 Setup

  • VPC: 10.0.0.0/16
  • Public Subnet: 10.0.1.0/24
  • EC2 private IP: 10.0.1.10
  • EC2 public IP: 54.12.34.56
  • Website running on port 80

6️⃣ PACKET FLOW: Client → EC2 (Inbound Traffic)

🌍 Step 1: Client Sends Request

Client IP: 203.0.113.5
Client Port: 53000 (ephemeral)
Destination IP: 54.12.34.56
Destination Port: 80
Protocol: TCP

🌐 Step 2: Internet Gateway (IGW)

  • IGW maps the public IP to the private IP: 54.12.34.56 → 10.0.1.10

IGW does NOT filter traffic.


🛣 Step 3: Route Table

  • Route table confirms destination subnet
  • Traffic forwarded internally

πŸ” Step 4: NACL (Inbound Rule Check)

NACL checks inbound rules:

Required NACL inbound rule:

Allow TCP 80 from 0.0.0.0/0

✔ If allowed → packet continues
❌ If denied → packet dropped here


πŸ” Step 5: Security Group (Inbound Rule Check)

Security Group checks inbound rules:

Required SG inbound rule:

Allow TCP 80 from 0.0.0.0/0

✔ Allowed → packet reaches EC2
❌ Denied → packet dropped


🖥 Step 6: EC2 Receives Request

EC2 processes HTTP request.


7️⃣ PACKET FLOW: EC2 → Client (Outbound Response)

Now comes the MOST IMPORTANT PART.


🖥 Step 7: EC2 Sends Response

Source IP: 10.0.1.10
Source Port: 80
Destination IP: 203.0.113.5
Destination Port: 53000

πŸ” Step 8: Security Group (Outbound Check)

Here is where stateful behavior matters.

👉 Because the inbound request was allowed:

  • Response traffic is automatically allowed
  • No outbound rule needed

✔ SG allows the response automatically


πŸ” Step 9: NACL (Outbound Rule Check)

Since the NACL is stateless, it checks the response against its outbound rules as if it were a brand-new packet.

You MUST have:

Allow TCP 1024–65535 to 0.0.0.0/0

Why?

  • The response goes back to the client's port 53000, which is an ephemeral port, so the outbound rule must cover the ephemeral range.

❌ If missing → response blocked
✔ If present → response allowed


🌐 Step 10: IGW Sends Response to Internet

IGW maps the private IP 10.0.1.10 back to the public IP 54.12.34.56.

Client receives website response.


8️⃣ REQUIRED RULES SUMMARY (VERY IMPORTANT)

✅ Security Group Rules

Inbound:

TCP 80 from 0.0.0.0/0

Outbound:

Allow all (default)

✅ NACL Rules

Inbound:

Allow TCP 80 from 0.0.0.0/0
Allow TCP 1024–65535 from 0.0.0.0/0

Outbound:

Allow TCP 80 to 0.0.0.0/0
Allow TCP 1024–65535 to 0.0.0.0/0

📌 Ephemeral ports are mandatory in NACLs


9️⃣ What Happens If One Rule Is Missing?

❌ Missing NACL outbound ephemeral ports

  • Request reaches EC2
  • Response blocked
  • Browser hangs

❌ Missing SG inbound rule

  • Packet blocked at instance
  • No response

❌ Missing NACL inbound rule

  • Packet blocked before reaching EC2
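As an added illustration (not part of the original article), here is a small Python model of the evaluation semantics from sections 4 to 9: a stateless NACL with numbered, first-match rules and an implicit final deny, and a stateful Security Group with allow rules only plus a connection table. The packet values are the article's web-server scenario; the rule tuples and function names are constructed for this example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

# NACL rule: (rule number, port lo, port hi, CIDR, "allow" | "deny"). Inbound rules
# match the source CIDR, outbound rules the destination CIDR; ports are destination ports.
def nacl_allows(rules, pkt, inbound):
    """Stateless: each packet is judged on its own, lowest rule number first,
    first match wins, and the implicit '*' rule at the end denies."""
    remote = pkt.src_ip if inbound else pkt.dst_ip
    for _num, lo, hi, cidr, action in sorted(rules):
        if lo <= pkt.dst_port <= hi and ip_address(remote) in ip_network(cidr):
            return action == "allow"
    return False

class SecurityGroup:
    """Stateful: allow rules only, plus a connection table so the reply to an
    admitted request passes without any outbound rule."""
    def __init__(self, inbound):
        self.inbound = inbound   # (port lo, port hi, CIDR)
        self.tracked = set()     # flows whose request was admitted
    def allows_inbound(self, pkt):
        for lo, hi, cidr in self.inbound:
            if lo <= pkt.dst_port <= hi and ip_address(pkt.src_ip) in ip_network(cidr):
                self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False
    def allows_outbound(self, pkt):   # reply to a tracked flow: automatic
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked

def trace(nacl_in, nacl_out, sg, request):
    """Walk the request and its reply through the order the article gives:
    NACL inbound -> SG inbound -> EC2 -> SG outbound -> NACL outbound."""
    reply = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)
    if not nacl_allows(nacl_in, request, inbound=True):
        return "dropped: NACL inbound"
    if not sg.allows_inbound(request):
        return "dropped: SG inbound"
    if not sg.allows_outbound(reply):
        return "dropped: SG outbound"
    if not nacl_allows(nacl_out, reply, inbound=False):
        return "dropped: NACL outbound"
    return "delivered"

# Constructed sample: the article's client reaching the web server after the IGW
# has translated 54.12.34.56 to the private address 10.0.1.10.
REQUEST = Packet("203.0.113.5", 53000, "10.0.1.10", 80)
NACL_IN = [(100, 80, 80, "0.0.0.0/0", "allow")]
NACL_OUT_OK = [(100, 1024, 65535, "0.0.0.0/0", "allow")]       # ephemeral range
NACL_OUT_NO_EPHEMERAL = [(100, 80, 80, "0.0.0.0/0", "allow")]  # port 80 only
```

Running trace() with NACL_OUT_NO_EPHEMERAL reproduces the "browser hangs" case above: the request reaches the instance but the reply dies at the NACL outbound check, while the SG lets it through with no outbound rule at all.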

🔟 FULL PACKET FLOW – Private EC2 with NAT Gateway

Let’s quickly understand private subnet flow.


🧩 Setup

  • Private subnet
  • EC2 has no public IP
  • NAT Gateway in public subnet

Flow

EC2 → SG → NACL → Route Table → NAT Gateway → IGW → Internet

Return traffic:

Internet → IGW → NAT → Route Table → NACL → SG → EC2

📌 NACL must allow:

  • Outbound ephemeral ports
  • Inbound ephemeral ports

📌 SG auto-allows response traffic


1️⃣1️⃣ NACL vs SG – Decision Rule (EXAM GOLD)

Requirement              Use
Instance-level access    Security Group
Subnet-wide blocking     NACL
Explicit deny            NACL
Stateful control         Security Group
Simple management        Security Group

1️⃣2️⃣ Common AWS Exam Traps

❓ SG allows traffic but app not reachable ➡ NACL blocking

❓ Return traffic blocked ➡ Missing ephemeral ports in NACL

❓ Want to block a single IP ➡ NACL (SG cannot deny)

❓ Multiple SGs attached ➡ Rules are combined (OR logic)


1️⃣3️⃣ Mental Model (REMEMBER THIS)

NACL = Border control (stateless)
SG   = Door lock (stateful)

1️⃣4️⃣ One-Line Exam Definitions

NACL

A stateless subnet-level firewall that controls inbound and outbound traffic using allow and deny rules.

Security Group

A stateful instance-level firewall that allows traffic and automatically permits response traffic.


1️⃣5️⃣ Final Summary (Must Remember)

  • NACL is checked before SG
  • NACL is stateless → allow both directions
  • SG is stateful → return traffic automatic
  • Both must allow traffic
  • Ephemeral ports are key for NACLs