Chapter 5 of 26
Amazon VPC and Security Groups: Designing Secure Network Boundaries
Network design questions are among the trickiest on the exam. This module walks through Amazon VPC constructs and shows how to use security groups and related controls to isolate and protect workloads.
Big Picture: VPCs as Your Private Data Center in AWS
VPC = Your Private Network
An Amazon VPC is your logically isolated part of the AWS network where you control IP ranges, subnets, routing, and traffic controls, similar to a virtual data center you configure.
Shared Responsibility
Under the shared responsibility model, AWS is responsible for security of the cloud, while you are responsible for security in the cloud, including how you configure it. VPC design is a major part of your responsibility area.
What This Module Covers
We will cover VPC building blocks, security groups, network ACLs, public vs private subnet patterns, and VPC endpoints, all framed through the AWS Well-Architected security pillar.
Core VPC Building Blocks: CIDR, Subnets, and Route Tables
VPC and CIDR
A VPC has a CIDR block such as `10.0.0.0/16`. This defines your private IP range and is not directly reachable from the public internet.
Subnets in AZs
Subnets are smaller ranges inside the VPC CIDR, each in a single Availability Zone. Resources like EC2 and RDS live in subnets, not directly in the VPC.
Route Tables Decide Paths
Each subnet uses one route table. Routes can point to local (VPC), an Internet Gateway, a NAT Gateway, peering, Transit Gateway, or VPN to decide where traffic goes.
Public vs Private by Routing
A subnet is effectively public if its route table points to an Internet Gateway, and private if it does not have an IGW route (often using a NAT Gateway instead).
Internet Gateways, NAT Gateways, and Public vs Private Subnets
Internet Gateway Basics
An Internet Gateway attaches to a VPC and is the route target for internet traffic. Public subnets route the default route `0.0.0.0/0` to the IGW.
When Is an Instance Public?
An instance is internet-reachable only if it is in a subnet with an IGW route, has a public IP or Elastic IP, and security controls allow the traffic.
NAT Gateway Role
A NAT Gateway in a public subnet lets instances in private subnets initiate outbound internet access while blocking unsolicited inbound connections.
Public vs Private Usage
Public subnets host entry points like ALBs and bastions. Private subnets host app and database tiers that should not be directly reachable from the internet.
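As an added example (not part of the course material), the following Python applies the rules from the two sections above to constructed, describe-style route-table, subnet and instance records: a subnet is public when its route table carries a route to an IGW, and an instance is internet-routable only when it also has a public IP. All IDs and addresses are made up; security group rules, the third condition in the text, are not modelled here.

```python
import ipaddress

# Constructed sample data, shaped loosely like trimmed output of
# `aws ec2 describe-route-tables` / `describe-subnets` / `describe-instances`.
# Every ID and address below is made up for the example.
ROUTE_TABLES = {
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
    ],
    "rtb-private": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
    ],
}
SUBNETS = {
    "subnet-web": {"RouteTableId": "rtb-public"},
    "subnet-app": {"RouteTableId": "rtb-private"},
}
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-web", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-app", "SubnetId": "subnet-app", "PublicIpAddress": None},
    # In a public subnet but without a public IP: not reachable from the internet.
    {"InstanceId": "i-noip", "SubnetId": "subnet-web", "PublicIpAddress": None},
]


def subnet_kind(subnet_id):
    """'public' if any route in the subnet's route table targets an IGW, else 'private'."""
    routes = ROUTE_TABLES[SUBNETS[subnet_id]["RouteTableId"]]
    if any(r.get("GatewayId", "").startswith("igw-") for r in routes):
        return "public"
    return "private"


def outbound_internet_path(subnet_id):
    """Which device the subnet's default route uses: 'igw', 'nat' or None (no internet egress)."""
    for r in ROUTE_TABLES[SUBNETS[subnet_id]["RouteTableId"]]:
        if ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen == 0:
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if r.get("NatGatewayId"):
                return "nat"
    return None


def internet_routable(instance):
    """Two of the three conditions from the text: an IGW route and a public IP."""
    return subnet_kind(instance["SubnetId"]) == "public" and bool(instance["PublicIpAddress"])


def exposure_report():
    """Map each instance to whether it is internet-routable (a quick audit view)."""
    return {i["InstanceId"]: internet_routable(i) for i in INSTANCES}
```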
Security Groups: Your Primary Stateful Firewall
Stateful by Design
Security groups are stateful: if inbound traffic is allowed, return traffic is automatically allowed, even if outbound rules do not explicitly permit that port.
Attached to ENIs
Security groups are attached to elastic network interfaces (ENIs), not only to EC2 instances. They also protect RDS, load balancers, and other ENI-based services in your VPC.
Allow Rules Only
You can only add allow rules to a security group. By default, inbound is denied, outbound is allowed, and you tighten access by adding specific rules.
Rule Building Blocks
Each SG rule defines direction, protocol, ports, and a source/destination, which can be a CIDR block or another security group for layered access control.
Designing Layered Security Groups for a 3-Tier Web App
3-Tier Layout
Imagine ALBs and NAT Gateways in public subnets, app EC2 instances in private app subnets, and RDS in private DB subnets across at least two Availability Zones.
SG-ALB Rules
SG-ALB allows inbound 80/443 from `0.0.0.0/0` and outbound 80/443 to the app tier SG, exposing only the load balancer to the internet.
SG-APP Rules
SG-APP allows inbound app ports only from SG-ALB, and outbound DB port (e.g., 3306) to SG-DB, plus HTTPS to the internet via NAT if needed.
SG-DB Rules
SG-DB allows inbound DB port only from SG-APP, so only application instances can talk to the database, not arbitrary hosts in the VPC.
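As an added example (not part of the course material), this Python models the three security groups just described and evaluates whether a new connection is allowed. It applies the stateful rule from the earlier section: only the initiating direction is checked (destination inbound rules plus, when the source is an SG, source outbound rules), and return traffic needs no rule of its own. SG IDs, the app port 8080 and the sample IP addresses are assumptions.

```python
import ipaddress

# Constructed security groups for the ALB, app and DB tiers.
# Rule tuples: (protocol, from_port, to_port, peer) where peer is a
# CIDR or another security group ID (source for inbound, destination for outbound).
SECURITY_GROUPS = {
    "sg-alb": {
        "inbound": [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
        "outbound": [("tcp", 8080, 8080, "sg-app")],
    },
    "sg-app": {
        "inbound": [("tcp", 8080, 8080, "sg-alb")],
        "outbound": [("tcp", 3306, 3306, "sg-db"), ("tcp", 443, 443, "0.0.0.0/0")],
    },
    "sg-db": {
        "inbound": [("tcp", 3306, 3306, "sg-app")],
        "outbound": [],  # the database initiates nothing; the default allow-all was removed
    },
}


def _rule_matches(rule, proto, port, peer):
    """peer is an SG ID or an IP address; SG-referencing rules match only by SG ID."""
    r_proto, lo, hi, ref = rule
    if r_proto != proto or not lo <= port <= hi:
        return False
    if ref.startswith("sg-"):
        return ref == peer
    try:
        return ipaddress.ip_address(peer) in ipaddress.ip_network(ref)
    except ValueError:
        return False  # CIDR rule evaluated against an SG ID: not modelled, treated as no match


def new_connection_allowed(src, dst, proto, port):
    """Stateful semantics: evaluate the initiating direction only.
    dst must allow the inbound flow; if src is an SG, it must also allow the outbound flow."""
    if dst.startswith("sg-") and not any(
        _rule_matches(r, proto, port, src) for r in SECURITY_GROUPS[dst]["inbound"]
    ):
        return False
    if src.startswith("sg-") and not any(
        _rule_matches(r, proto, port, dst) for r in SECURITY_GROUPS[src]["outbound"]
    ):
        return False
    return True


def ports_open_to_internet(sg_id):
    """Audit helper: inbound ports whose source is the whole internet (a /0 CIDR)."""
    return sorted(
        port
        for proto, lo, hi, ref in SECURITY_GROUPS[sg_id]["inbound"]
        if not ref.startswith("sg-") and ipaddress.ip_network(ref).prefixlen == 0
        for port in range(lo, hi + 1)
    )
```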
Network ACLs: Stateless Subnet-Level Filters
What NACLs Protect
Network ACLs apply to entire subnets. Every subnet must be associated with one NACL, which filters traffic entering and leaving that subnet.
Stateless and Ordered
NACLs are stateless: you must allow both directions. Rules are evaluated in order, and the first match (allow or deny) decides the outcome.
Allow and Deny
Unlike security groups, NACLs can explicitly deny traffic. The default NACL created with a VPC allows all inbound and outbound traffic.
When to Use NACLs
Use NACLs for coarse subnet-level controls or blocklists. For most app-specific access control, prefer security groups as the primary mechanism.
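As an added example (not part of the course material), this Python evaluates a NACL the way the section above describes: rules in ascending number order, first match wins, an implicit final deny, and no connection state, so a TCP session needs the request allowed inbound and the reply allowed outbound on the client's ephemeral port. The DB-subnet NACL, the blocklisted `10.1.99.0/24` range and the client addresses are constructed; the VPC range `10.1.0.0/16` is the one from the design exercise later in this module.

```python
import ipaddress

# Constructed NACL for a private DB subnet.
# Rule tuples: (rule_number, protocol, from_port, to_port, cidr, action).
DB_NACL = {
    "inbound": [
        (90, "tcp", 3306, 3306, "10.1.99.0/24", "deny"),   # blocklist, numbered before the allow
        (100, "tcp", 3306, 3306, "10.1.0.0/16", "allow"),  # DB port from inside the VPC
    ],
    "outbound": [
        (100, "tcp", 3306, 3306, "10.1.0.0/16", "allow"),  # mistake: replies leave on ephemeral ports
    ],
}

# Corrected version: add an outbound rule for the ephemeral port range used by replies.
FIXED_DB_NACL = {
    "inbound": DB_NACL["inbound"],
    "outbound": DB_NACL["outbound"] + [(110, "tcp", 1024, 65535, "10.1.0.0/16", "allow")],
}


def nacl_decision(rules, proto, port, peer_ip):
    """Ordered, stateless evaluation: the lowest-numbered matching rule decides."""
    for _num, r_proto, lo, hi, cidr, action in sorted(rules):
        if (
            r_proto == proto
            and lo <= port <= hi
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)
        ):
            return action
    return "deny"  # the implicit '*' rule at the end of every NACL


def tcp_session_allowed(nacl, client_ip, client_port, server_port):
    """A session works only if the request is allowed in AND the reply is allowed out,
    because the NACL keeps no connection state to let the reply through automatically."""
    request = nacl_decision(nacl["inbound"], "tcp", server_port, client_ip)
    reply = nacl_decision(nacl["outbound"], "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"
```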
Quiz 1: Security Groups vs NACLs
Check your understanding of how security groups and network ACLs differ.
Which statement is MOST accurate for an exam scenario where you must tightly control which EC2 instances can connect to an RDS database?
- A) Use a network ACL on the DB subnet to allow the DB port only from the app subnet CIDR.
- B) Attach a security group to RDS that allows the DB port from the application servers' security group.
- C) Place RDS in a public subnet and rely on the default security group to block unwanted traffic.
- D) Create a NAT Gateway in the DB subnet and restrict DB access using outbound security group rules.
Answer: B) Attach a security group to RDS that allows the DB port from the application servers' security group.
The best practice is to attach a security group to RDS that allows the DB port only from the application servers' security group. This is fine-grained, instance-level, and automatically applies to new app instances. NACLs are coarser and CIDR-based, placing RDS in a public subnet is poor design, and NAT Gateways are for outbound internet access, not DB protection.
VPC Endpoints: Private Connectivity to AWS Services
Why VPC Endpoints?
VPC endpoints let your VPC privately reach AWS services without Internet Gateways or NAT. Traffic stays on the AWS network, improving security posture.
Gateway Endpoints
Gateway endpoints support S3 and DynamoDB. They integrate via route tables and are often paired with bucket or table policies restricted to a VPC.
Interface Endpoints
Interface endpoints (PrivateLink) create ENIs with private IPs for many AWS and partner services. You secure them using security groups.
Common Exam Clues
If the requirement is 'no internet, no NAT, private access to S3 or DynamoDB', think gateway endpoint. For many other services or SaaS, think interface endpoint.
Design Exercise: Hardening a Simple VPC
Work through this scenario mentally and, if you like, sketch it on paper.
Scenario:
You have a single VPC with CIDR `10.1.0.0/16` in one AWS Region. Currently:
- One public subnet with an EC2 instance running a web server.
- The instance has a public IP and uses the default security group (allow all outbound, no inbound).
- The team wants to add:
  - A private EC2 instance that runs the application logic.
  - An RDS database.
  - Access to S3 for file storage without using the public internet.
Your tasks:
- Subnets and routing
  - Decide how many additional subnets you will create and whether they are public or private.
  - Decide where to place the app EC2 and RDS.
  - Decide whether you need a NAT Gateway and where.
- Security groups
  - Define at least three security groups: web, app, DB.
  - For each, specify:
    - Inbound rules (ports and sources).
    - Outbound rules (destinations and purposes).
- VPC endpoints
  - Choose the type of endpoint you will use so the app and DB can access S3 without traversing the internet.
  - Mention any additional policy you might apply to the S3 bucket.
Reflection prompts:
- Where is the network boundary between the internet and your workloads?
- Which components are directly internet-facing, and which are not?
- How would you explain to an auditor how RDS is protected at both the network and identity layers (VPC + security groups + IAM)?
Quiz 2: Public/Private Subnets and NAT
Test your understanding of public vs private subnets and NAT Gateways.
You have EC2 instances in a private subnet that must download OS updates from the internet, but must never be reachable from the internet. What is the MOST appropriate design?
- A) Assign public IPs to the instances and add inbound deny rules in the security group.
- B) Place a NAT Gateway in a public subnet and add a default route from the private subnet to the NAT Gateway.
- C) Attach an Internet Gateway directly to the private subnet and block inbound traffic with a NACL.
- D) Create an S3 Gateway endpoint so the instances can reach any internet site through S3.
Answer: B) Place a NAT Gateway in a public subnet and add a default route from the private subnet to the NAT Gateway.
The correct approach is to place a NAT Gateway in a public subnet and route the private subnet's default traffic to it. This allows outbound-only internet access. Assigning public IPs or attaching an IGW to the private subnet would expose them, and an S3 endpoint only provides access to S3, not general internet.
Key Term Review: VPC Security Building Blocks
Review these terms to reinforce the core concepts before moving on.
- Amazon VPC
- A logically isolated virtual network in AWS where you define your own IP ranges, subnets, route tables, and network controls, similar to a virtual data center you configure.
- Public subnet (effective definition)
- A subnet whose route table has a route to an Internet Gateway, allowing resources with public IPs to send and receive traffic from the internet.
- Private subnet (effective definition)
- A subnet that does not have a direct route to an Internet Gateway. It may use a NAT Gateway for outbound-only internet access.
- Internet Gateway (IGW)
- A horizontally scaled, redundant VPC component that allows communication between resources in your VPC and the internet, used as a route target in public subnets.
- NAT Gateway
- A managed service placed in a public subnet that enables instances in private subnets to initiate outbound connections to the internet while preventing unsolicited inbound connections.
- Security group
- A stateful, instance-level virtual firewall that uses allow-only rules to control inbound and outbound traffic for resources like EC2, RDS, and load balancers.
- Network ACL (NACL)
- A stateless, subnet-level network filter that supports ordered allow and deny rules for inbound and outbound traffic.
- Gateway VPC endpoint
- A VPC endpoint type that uses route tables to provide private connectivity from a VPC to services like S3 and DynamoDB without using the internet.
- Interface VPC endpoint (PrivateLink)
- A VPC endpoint type that provisions ENIs with private IPs in your subnets to privately access many AWS and partner services using AWS PrivateLink.
- Shared responsibility model (VPC context)
- AWS secures the underlying network infrastructure, while you design and configure VPCs, subnets, routing, security groups, and NACLs to secure your workloads.
Key Terms
- Subnet
- A subdivision of a VPC CIDR block that resides in a single Availability Zone and holds resources like EC2 instances and RDS databases.
- Amazon VPC
- A logically isolated virtual network in AWS where you define your own IP ranges, subnets, route tables, and network controls.
- CIDR block
- An IP address range expressed using Classless Inter-Domain Routing notation, such as 10.0.0.0/16, used to define VPC and subnet ranges.
- NAT Gateway
- A managed NAT service that enables instances in a private subnet to initiate outbound internet connections while blocking unsolicited inbound connections.
- Route table
- A set of rules (routes) that determine where network traffic from subnets or gateways is directed.
- Security group
- A stateful virtual firewall for ENIs that uses allow-only rules to control inbound and outbound traffic at the instance or resource level.
- Network ACL (NACL)
- A stateless subnet-level network access control list that uses ordered allow and deny rules for inbound and outbound traffic.
- Gateway VPC endpoint
- A VPC endpoint type that uses route tables to provide private connectivity from a VPC to services such as Amazon S3 and DynamoDB.
- Internet Gateway (IGW)
- A VPC component that allows communication between resources in your VPC and the internet, and serves as a target in route tables for internet-routable traffic.
- Interface VPC endpoint (PrivateLink)
- A VPC endpoint type implemented as ENIs with private IPs that provide private connectivity to supported AWS and partner services via AWS PrivateLink.