AWS Security Groups vs NACL Explained

In partnership with

TechOps Examples

Hey — It's Govardhana MK 👋

Welcome to another technical edition.

Every Tuesday – You’ll receive a free edition with a byte-size use case, remote job opportunities, top news, tools, and articles.

Every Thursday and Saturday – You’ll receive a special edition with a deep dive use case, remote job opportunities and articles.

👋 Before we begin... a big thank you to today's sponsor AI WITH ALLIE

Ready to go beyond ChatGPT?

This free 5-day email course takes you all the way from basic AI prompts to building your own personal software. Whether you're already using ChatGPT or just starting with AI, this course is your gateway to learn advanced AI skills for peak performance.

Each day delivers practical, immediately applicable techniques straight to your inbox:

  • Day 1: Discover next-level AI capabilities for smarter, faster work

  • Day 2: Write prompts that deliver exactly what you need

  • Day 3: Build apps and tools with powerful Artifacts

  • Day 4: Create your own personalized AI assistant

  • Day 5: Develop working software without writing code

No technical skills required, no fluff. Just pure knowledge you can use right away. For free.


IN TODAY'S EDITION

🧠 Use Case
  • AWS Security Groups vs NACL Explained

🚀 Top News

👀 Remote Jobs

📚️ Resources

🛠️ TOOL OF THE DAY

HAMi - Formerly known as 'k8s-vGPU-scheduler', a Heterogeneous device management middleware for Kubernetes.

🧠 USE CASE

AWS Security Groups vs NACL Explained

It is well known that Security Groups are:

  • Stateful

  • Applied at the instance level

  • Allow rules only

  • Evaluate all rules before deciding

  • Attached to ENIs (Elastic Network Interfaces)

And NACLs are:

  • Stateless

  • Applied at the subnet level

  • Allow and deny rules supported

  • Evaluated in rule order from top to bottom

  • Operate as a firewall for subnet level traffic

But in real-world scenarios, these differences become more than theory. Here are a few use cases that show how they play out in practice.

Use Case 1: Health Check Failing Despite All Security Group Rules Set Correctly

An EC2 instance in a private subnet was behind a Load Balancer. Health checks kept failing. The SG allowed port 80 from the LB CIDR. Everything looked fine.

Root Cause:
The subnet had a custom NACL that denied all inbound traffic except port 443. Port 80 wasn’t allowed at the NACL level. Since NACLs are stateless, return traffic was also blocked silently.

Fix:
Explicitly added allow rules for both inbound and outbound on port 80 for the health check IP range.

A Security Group alone is not enough. Always match the NACL's inbound and outbound rules for the same port and CIDR.

Use Case 2: Dev Team Couldn't SSH into Bastion from Corporate IP

A bastion host was deployed in a public subnet to allow developers to SSH into private instances. The Security Group was correctly configured to allow port 22 from the corporate IP range. But all connection attempts were failing without any packet reaching the instance.

Root Cause:
The NACL for the public subnet allowed port 22 from 0.0.0.0/0, intended for temporary open access during initial setup. Later, the team locked down the Security Group to just corporate IPs but never updated the NACL to match. Since NACLs are stateless, return traffic was also dropped.

Fix:
Updated the NACL to allow inbound port 22 and outbound ephemeral ports for the specific corporate IP CIDR.

For SSH, both the ingress path and the return path must be explicitly allowed in NACLs to match your SG rules.

Use Case 3: Inter-subnet Microservice Call Timing Out

Service A in subnet A couldn’t reach Service B in subnet B inside the same VPC. SGs were wide open and VPC Peering was not involved. Still, HTTP calls failed.

Root Cause:
Subnet B’s NACL blocked inbound TCP from subnet A. There was no explicit deny rule, just a missing allow: every NACL ends in an implicit deny, so traffic that matches no allow rule is dropped. Since NACLs are stateless, response traffic also got dropped.

Fix:
Opened NACL inbound and outbound on required ports and internal CIDRs between both subnets.

Microservice communication within a VPC can silently fail if you assume NACLs are “just open.”

These aren’t edge cases. They happen in well-architected setups when assumptions slip.

Always test both, especially when environments change or scale.
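To make the two evaluation models concrete, here is an added example (not code from this newsletter or from AWS) that models a Security Group as stateful and allow-only, and a NACL as stateless, ordered by rule number, with an implicit deny at the end. It replays Use Case 1 in three stages (broken, inbound rule added only, inbound plus return rule added) and adds a rule-order check that the use cases above do not show: a deny numbered below an allow shadows it, while the same deny numbered above it never fires. All CIDRs, ports and rule numbers are constructed. One caveat the model makes visible: the reply to a health check goes back to the load balancer's ephemeral source port, so the NACL outbound rule has to cover the ephemeral range (AWS documents 1024-65535), not port 80 itself.

```python
"""Model of how AWS evaluates a Security Group (stateful, allow-only, all rules
considered) versus a Network ACL (stateless, allow/deny, lowest rule number
first, implicit deny at the end).  Added example, not AWS code: the evaluator
is a simplified model and the CIDRs, ports and rule numbers are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Return traffic to most clients lands on an ephemeral source port; AWS documents
# 1024-65535 as the range a NACL outbound rule must cover for it.
EPHEMERAL = (1024, 65535)


@dataclass
class Rule:
    number: int          # NACL rule number (evaluation order); ignored for SGs
    action: str          # "allow" or "deny" (SGs only ever carry "allow")
    cidr: str            # peer CIDR: source for inbound rules, destination for outbound
    port_from: int
    port_to: int
    protocol: str = "tcp"

    def matches(self, peer_ip: str, port: int, proto: str) -> bool:
        return (self.protocol in (proto, "-1")
                and self.port_from <= port <= self.port_to
                and ip_address(peer_ip) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)

    def allows(self, peer_ip: str, port: int, proto: str = "tcp") -> bool:
        # All rules are considered; any matching allow admits the request, and the
        # reply is admitted automatically because the SG tracks connection state.
        return any(r.matches(peer_ip, port, proto) for r in self.inbound)


@dataclass
class NetworkAcl:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    @staticmethod
    def evaluate(rules: list, peer_ip: str, port: int, proto: str = "tcp") -> bool:
        # Lowest rule number first, first match wins; the trailing "*" rule denies.
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(peer_ip, port, proto):
                return rule.action == "allow"
        return False


def diagnose(sg, nacl, client_ip, dst_port, client_port, proto="tcp"):
    """Return None if a TCP request and its reply both pass, else the stage that drops it."""
    if not nacl.evaluate(nacl.inbound, client_ip, dst_port, proto):
        return "nacl_inbound"      # request dropped at the subnet boundary
    if not sg.allows(client_ip, dst_port, proto):
        return "security_group"    # request dropped at the ENI
    if not nacl.evaluate(nacl.outbound, client_ip, client_port, proto):
        return "nacl_outbound"     # reply dropped: no connection tracking in a NACL
    return None


def health_check(stage: str):
    """Use case 1: an LB health check on port 80 against a NACL that only mirrors 443.
    stage is "broken", "inbound_only" (the half fix) or "fixed"."""
    sg = SecurityGroup([Rule(0, "allow", "10.0.1.0/24", 80, 80)])   # LB subnet (constructed)
    nacl = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", 443, 443)],
                      outbound=[Rule(100, "allow", "0.0.0.0/0", 443, 443)])
    if stage in ("inbound_only", "fixed"):
        nacl.inbound.append(Rule(110, "allow", "10.0.1.0/24", 80, 80))
    if stage == "fixed":
        # The reply goes back to the LB's ephemeral port, not port 80.
        nacl.outbound.append(Rule(110, "allow", "10.0.1.0/24", *EPHEMERAL))
    return diagnose(sg, nacl, client_ip="10.0.1.10", dst_port=80, client_port=49152)


def shadowed_allow(deny_number: int):
    """Rule order matters in a NACL: a deny numbered below the allow shadows it,
    the same deny numbered above it never fires."""
    nacl = NetworkAcl(
        inbound=[Rule(100, "allow", "203.0.113.0/24", 22, 22),
                 Rule(deny_number, "deny", "0.0.0.0/0", 22, 22)],
        outbound=[Rule(100, "allow", "0.0.0.0/0", *EPHEMERAL)])
    sg = SecurityGroup([Rule(0, "allow", "203.0.113.0/24", 22, 22)])
    return diagnose(sg, nacl, "203.0.113.7", 22, 51000)


if __name__ == "__main__":
    for stage in ("broken", "inbound_only", "fixed"):
        print(f"health check {stage}: dropped at {health_check(stage)}")
    print("deny #90 before allow #100:", shadowed_allow(90))
    print("deny #110 after allow #100:", shadowed_allow(110))
```

Running it shows the health check dropped at `nacl_inbound` in the broken state, dropped at `nacl_outbound` once only the inbound rule is added (the stateless return path), and passing only when the ephemeral outbound rule is present as well. The `diagnose` function checks the stages in the order the packet actually meets them (subnet NACL, then ENI Security Group, then NACL again on the way out), which is the order worth walking through when a flow fails in a real VPC.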
