Security Groups vs NACLs
- SG: stateful, allow-only rules, instance/ENI level, all rules evaluated together (any matching allow permits the traffic)
- NACL: stateless, allow + deny rules, subnet level, rules evaluated in ascending rule-number order, first match wins (implicit deny at the end)
- SG: no explicit deny — use NACLs to block specific IPs
- Both: 5-tuple filtering (protocol, src IP, src port, dst IP, dst port)
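The SG/NACL differences above are easier to see in a toy evaluator. The following is an added illustration, not AWS code or part of the original notes: it models a stateful allow-only group (rules evaluated together, return traffic tracked) next to a stateless ordered allow/deny list (first match wins, implicit deny) and runs the same 5-tuple flow through both. The IPs, CIDRs and rule numbers are constructed placeholders.

```python
"""Toy model of AWS Security Group vs NACL semantics (added example, not AWS code).

Constructed scenario: an internet client (203.0.113.10, a TEST-NET-3 placeholder)
opens HTTPS to an instance at 10.0.1.5, and the instance replies.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = "-1"  # AWS uses -1 for "all protocols"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        """The return packet of this flow: endpoints and ports swapped."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number; ignored for SGs, which have no ordering
    proto: str
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int         # port range applies to the packet's destination port
    port_to: int
    action: str = "allow"  # SG rules are always "allow"; NACL rules may be "deny"


def _matches(rule: Rule, pkt: Packet, inbound: bool) -> bool:
    peer = pkt.src_ip if inbound else pkt.dst_ip
    proto_ok = rule.proto in (ANY, pkt.proto)
    cidr_ok = ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)
    port_ok = rule.port_from <= pkt.dst_port <= rule.port_to
    return proto_ok and cidr_ok and port_ok


def nacl_decision(rules: list, pkt: Packet, inbound: bool) -> str:
    """Stateless: walk rules in ascending number order, first match wins, and the
    implicit '*' rule denies anything unmatched. A reply packet is judged on its
    own, so the outbound list needs its own ephemeral-port allow."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, inbound):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    _tracked: set = field(default_factory=set)  # flows already allowed (connection tracking)

    def decision(self, pkt: Packet, inbound: bool) -> str:
        """Stateful and allow-only: any matching allow rule admits the packet, and the
        return packet of a tracked flow is admitted regardless of rules in the other
        direction. There is no way to express an explicit deny."""
        if pkt.reverse() in self._tracked:
            return "allow"
        rules = self.inbound if inbound else self.outbound
        if any(r.action == "allow" and _matches(r, pkt, inbound) for r in rules):
            self._tracked.add(pkt)
            return "allow"
        return "deny"


def scenario() -> dict:
    """Run one HTTPS request/reply through an SG and through several NACL variants."""
    client, server = "203.0.113.10", "10.0.1.5"  # constructed addresses
    request = Packet("tcp", client, 51515, server, 443)
    reply = request.reverse()

    sg = SecurityGroup(inbound=[Rule(0, "tcp", "0.0.0.0/0", 443, 443)], outbound=[])

    # Same two NACL rules, different numbering: ordering decides the outcome.
    nacl_deny_first = [Rule(100, "tcp", "203.0.113.0/24", 443, 443, "deny"),
                       Rule(200, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    nacl_allow_first = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
                        Rule(200, "tcp", "203.0.113.0/24", 443, 443, "deny")]

    # Outbound NACL with and without the ephemeral-port allow the reply needs.
    nacl_out_missing = []
    nacl_out_ephemeral = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

    return {
        "sg_request": sg.decision(request, inbound=True),
        "sg_reply": sg.decision(reply, inbound=False),  # no outbound rule, allowed by state
        "nacl_request_deny_first": nacl_decision(nacl_deny_first, request, inbound=True),
        "nacl_request_allow_first": nacl_decision(nacl_allow_first, request, inbound=True),
        "nacl_reply_missing_ephemeral": nacl_decision(nacl_out_missing, reply, inbound=False),
        "nacl_reply_with_ephemeral": nacl_decision(nacl_out_ephemeral, reply, inbound=False),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:32s} {verdict}")
```

The two NACL lists contain identical rules; only the numbering differs, which is why a deny for a specific source has to carry a lower number than the broad allow. The reply row shows the other common NACL mistake: the stateless list drops the instance's own response unless ephemeral ports are explicitly allowed outbound, while the SG admits it through connection tracking with no outbound rule at all.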
AWS Network Firewall
- Managed stateful + stateless firewall in VPC
- Stateless: 5-tuple rules, processed first, pass/drop/forward to stateful
- Stateful: Suricata-compatible IPS rules, domain filtering, TLS inspection
- Deploy in inspection VPC with TGW for centralized architecture
WAF & Shield
- WAF: Layer 7 filtering on CloudFront, ALB, API Gateway, AppSync
- Rule types: IP set, rate-based, geo match, regex, managed rules
- Shield Standard: free, automatic L3/L4 DDoS protection
- Shield Advanced: paid, L7 protection, DRT support, cost protection
Encryption in Transit
- TLS: ALB/NLB termination, end-to-end with pass-through
- IPSec: Site-to-Site VPN (auto) or between instances (manual)
- MACsec: Layer 2 encryption on 10G/100G Direct Connect (dedicated)
- PrivateLink: traffic stays on AWS network, no internet exposure