AWS · Cloud · ~30 mins

Security groups vs NACLs decision in AWS - Hands-On Comparison

Security Groups vs NACLs Decision
📖 Scenario: You are setting up network security for a small web application hosted on AWS. You need to control which traffic can reach your servers and which traffic can leave your network. Two common AWS tools for this are Security Groups and Network Access Control Lists (NACLs). You will create simple configurations to understand how each works.
🎯 Goal: Build basic AWS configurations for a Security Group and a Network ACL to control inbound and outbound traffic for your web servers.
📋 What You'll Learn
Create a Security Group named web-sg that allows inbound HTTP traffic on port 80 from anywhere
Create a Network ACL named web-nacl that allows inbound HTTP traffic on port 80 and denies all other inbound traffic
Add outbound rules to both Security Group and Network ACL to allow all outbound traffic
Use exact resource names and rule specifications as described
💡 Why This Matters
🌍 Real World
In real AWS environments, Security Groups and Network ACLs work together to protect resources. Security Groups act as stateful firewalls attached to instances (allow rules only; return traffic is permitted automatically), while Network ACLs are stateless filters at the subnet level with numbered allow and deny rules evaluated in order.
💼 Career
Understanding how to configure Security Groups and Network ACLs is essential for cloud security roles, network engineering, and AWS architecture positions.
Step 1. Create Security Group with inbound HTTP rule
Create a Security Group named web-sg with an inbound rule allowing TCP traffic on port 80 from 0.0.0.0/0.
Hint: Use resource "aws_security_group" "web_sg" and define an ingress block with port 80 and protocol TCP.

Step 2. Add outbound rule to Security Group
Add an outbound rule to the web-sg Security Group that allows all outbound traffic (all ports, all protocols) to anywhere.
Hint: Add an egress block with protocol = "-1" and ports 0 to 0 to allow all outbound traffic.

Step 3. Create Network ACL with inbound HTTP allow and deny all else
Create a Network ACL named web-nacl with an inbound rule that allows TCP traffic on port 80 from 0.0.0.0/0 and a rule that denies all other inbound traffic.
Hint: Use resource "aws_network_acl" "web_nacl" with two ingress blocks: one to allow port 80 TCP, one to deny all. Use protocol 6 for TCP and -1 for all protocols.

Step 4. Add outbound allow rule to Network ACL
Add an outbound rule to the web-nacl Network ACL that allows all outbound traffic (all ports, all protocols) to 0.0.0.0/0.
Hint: Add an egress block with action = "allow" (the same setting is named rule_action in the standalone aws_network_acl_rule resource), protocol = "-1", and ports 0 to 0 to allow all outbound traffic.
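The four steps above assembled into a single Terraform configuration, as an added example that is not the lab's own solution file. It assumes the Terraform AWS provider and an existing VPC whose ID is passed in as var.vpc_id (an assumed input); the resource labels web_sg and web_nacl follow the hints. Inside the inline ingress/egress blocks of aws_network_acl the verdict attribute is called action; rule_action is the name used by the separate aws_network_acl_rule resource.

```terraform
# Added example: one Terraform file covering Steps 1-4.
# Assumes var.vpc_id points at an existing VPC (not part of the lab text).

variable "vpc_id" {
  description = "ID of the VPC the web tier lives in (assumed input)"
  type        = string
}

# Steps 1 and 2: Security Group. Stateful, attached to instances, allow rules only.
resource "aws_security_group" "web_sg" {
  name        = "web-sg"
  description = "Allow inbound HTTP from anywhere; allow all outbound"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTP from anywhere"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "All outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1" # -1 = all protocols; from_port/to_port must be 0 in that case
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "web-sg" }
}

# Steps 3 and 4: Network ACL. Stateless, applied per subnet, rules evaluated by rule_no.
resource "aws_network_acl" "web_nacl" {
  vpc_id = var.vpc_id

  # Rule 100: allow inbound HTTP (NACLs use IANA protocol numbers: 6 = TCP)
  ingress {
    rule_no    = 100
    action     = "allow"
    protocol   = "6"
    from_port  = 80
    to_port    = 80
    cidr_block = "0.0.0.0/0"
  }

  # Rule 200: explicitly deny everything else inbound (-1 = all protocols)
  ingress {
    rule_no    = 200
    action     = "deny"
    protocol   = "-1"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
  }

  # Rule 100: allow all outbound traffic
  egress {
    rule_no    = 100
    action     = "allow"
    protocol   = "-1"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
  }

  tags = { Name = "web-nacl" }
}
```

Run `terraform init` and `terraform plan` with a VPC ID supplied for var.vpc_id to see the two resources before applying. Two points worth keeping in mind when reading the plan: the NACL's explicit deny-all rule 200 mirrors the implicit `*` deny that every NACL already ends with, so it documents intent rather than adding enforcement; and because NACLs are stateless, the inbound deny-all also blocks replies on ephemeral ports to connections the instances open themselves (package updates, outbound API calls), whereas the Security Group, being stateful, lets such return traffic through without an extra rule. The NACL takes effect only once it is associated with a subnet (the resource's subnet_ids argument or an aws_network_acl_association).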