Networking & CDN (critical)

Security Groups & NACLs

Security Groups are stateful virtual firewalls attached to EC2 instances and other resources. NACLs (Network Access Control Lists) are stateless firewalls attached to subnets. Together they provide layered network security.

Memory anchor

Security Group is a hotel keycard — your room's door remembers you left so it lets you back in (stateful). NACL is a checkpoint guard — you need a pass to get in AND a different pass to get out (stateless).

Expected depth

Security Groups: stateful (return traffic is automatically allowed), support only allow rules (deny is implicit), evaluated as a whole (every rule is considered before the decision), applied at the instance level. NACLs: stateless (return traffic must be explicitly allowed), support both allow and deny rules, evaluated in numbered order (lowest first, first match wins), applied at the subnet level. Typical setup: NACLs for broad subnet-level blocks (e.g. blocking a bad IP range), Security Groups for fine-grained instance-level rules.

Deep — senior internals

Security Group references: instead of specifying IP ranges, reference another Security Group as the source or destination of a rule. This is the canonical pattern for inter-tier communication: the app-tier SG allows inbound on port 8080 from the load-balancer SG, so as instances scale in or out no IP-based rule changes are needed. A Security Group belongs to a single VPC (and therefore to a single region); you can also reference Security Groups in a peered VPC. NACLs carry an ephemeral-port consideration: clients receive return traffic on random high ports (1024–65535), and because NACLs are stateless the outbound NACL rules must explicitly allow that range. NACL rules are evaluated in numerical order; a DENY rule at 100 blocks traffic before an ALLOW at 200 is ever reached.

Interview-ready answer

Security Groups are stateful instance-level firewalls — return traffic is automatically permitted. NACLs are stateless subnet-level firewalls where you must explicitly allow both inbound and outbound, including ephemeral return ports. I use Security Group references for inter-tier rules rather than IPs, so scaling doesn't require rule updates. NACLs are for coarse subnet-level blocking (specific IP ranges, emergency blocks).

Common trap

Forgetting that NACLs are stateless. If you allow inbound HTTP (port 80), you must also allow outbound on the ephemeral ports (1024–65535) so the return traffic can leave the subnet. Security Groups don't have this problem — they're stateful.
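The three behaviours described in the senior-internals section and in this trap (numbered NACL evaluation with first-match-wins, stateless return traffic needing an outbound ephemeral-port rule, and stateful Security Groups with SG-to-SG references) are easy to reason about with a small model. The following is an added illustration written for this page, not AWS code or any AWS API: the rule numbers, CIDRs, addresses and security-group ids are constructed, and the `memberships` dictionary and `tracked` set stand in for state AWS keeps internally.

```python
"""Toy model of how NACLs and Security Groups evaluate traffic.

Added illustration, not AWS code: every rule number, CIDR, address and
security-group id below is constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)  # return-traffic port range as stated on the page


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    cidr: str        # remote address range the rule matches
    port_from: int   # destination-port range of the packet
    port_to: int


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_evaluate(rules, pkt, direction):
    """Stateless: every packet, replies included, is matched against the
    numbered rules for its direction; first match wins and the implicit
    final '*' rule denies anything unmatched."""
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != direction:
            continue
        if _in_cidr(remote_ip, rule.cidr) and rule.port_from <= pkt.dst_port <= rule.port_to:
            return rule.action
    return "deny"


@dataclass(frozen=True)
class SgRule:
    port_from: int
    port_to: int
    source: str  # a CIDR, or another security group's id (SG reference)


def _source_matches(source, ip, memberships):
    # memberships: instance IP -> set of SG ids (constructed stand-in for the
    # ENI/SG association that AWS resolves when a rule references an SG).
    if source.startswith("sg-"):
        return source in memberships.get(ip, set())
    return _in_cidr(ip, source)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list                     # allow rules only; deny is implicit
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)  # connection-tracking table

    def inbound_allowed(self, pkt, memberships):
        for r in self.inbound:
            if r.port_from <= pkt.dst_port <= r.port_to and \
                    _source_matches(r.source, pkt.src_ip, memberships):
                # remember the flow so its replies are allowed out (stateful)
                self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False

    def outbound_allowed(self, pkt, memberships=None):
        """A reply to a tracked inbound flow passes even when no outbound
        rule covers the client's ephemeral port."""
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True
        return any(r.port_from <= pkt.dst_port <= r.port_to and
                   _source_matches(r.source, pkt.dst_ip, memberships or {})
                   for r in self.outbound)


def nacl_ordering_demo():
    """DENY at 100 wins over ALLOW at 200 for the blocked range."""
    rules = [NaclRule(100, "inbound", "deny", "203.0.113.0/24", 0, 65535),
             NaclRule(200, "inbound", "allow", "0.0.0.0/0", 80, 80)]
    blocked = nacl_evaluate(rules, Packet("203.0.113.5", "10.0.1.10", 51000, 80), "inbound")
    allowed = nacl_evaluate(rules, Packet("198.51.100.7", "10.0.1.10", 51000, 80), "inbound")
    return blocked, allowed


def nacl_stateless_demo(with_ephemeral_rule):
    """Inbound :80 is allowed, but the reply to the client's port 51000 is
    dropped unless an outbound rule covers the ephemeral range."""
    rules = [NaclRule(100, "inbound", "allow", "0.0.0.0/0", 80, 80)]
    if with_ephemeral_rule:
        rules.append(NaclRule(100, "outbound", "allow", "0.0.0.0/0", *EPHEMERAL))
    request = Packet("198.51.100.7", "10.0.1.10", 51000, 80)
    reply = Packet("10.0.1.10", "198.51.100.7", 80, 51000)
    return nacl_evaluate(rules, request, "inbound"), nacl_evaluate(rules, reply, "outbound")


def sg_reference_demo():
    """app-tier SG admits :8080 only from members of the LB SG, and the
    reply leaves without any outbound rule because the SG is stateful."""
    memberships = {"10.0.0.20": {"sg-lb"}}   # the LB instance's SG membership
    app_sg = SecurityGroup("sg-app", [SgRule(8080, 8080, "sg-lb")])
    from_lb = Packet("10.0.0.20", "10.0.1.10", 40000, 8080)
    from_stranger = Packet("198.51.100.7", "10.0.1.10", 40000, 8080)
    reply = Packet("10.0.1.10", "10.0.0.20", 8080, 40000)
    return (app_sg.inbound_allowed(from_lb, memberships),
            app_sg.inbound_allowed(from_stranger, memberships),
            app_sg.outbound_allowed(reply))
```

Running `nacl_stateless_demo(False)` yields an allowed request and a denied reply, which is exactly the trap above; `nacl_stateless_demo(True)` adds the outbound ephemeral rule and both pass. `sg_reference_demo` shows the SG-reference pattern: the packet from the load balancer passes because its address belongs to `sg-lb`, an outside address on the same port does not, and the reply passes with an empty outbound list because the flow was tracked.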

Related concepts