Tutorials AWS Mastery for .NET Architects

Security Groups vs Network ACLs: Handling traffic for .NET apps

On this page

Firewalls in the Cloud

AWS has two layers of network security. Knowing which one to use is the mark of a Senior Architect.

1. Security Groups (The Smart Firewall)

Security Groups act at the Instance Level (like a firewall for your PC). They are Stateful—if you allow traffic in on port 80, the response is automatically allowed out. Most of your daily security work happens here.

2. Network ACLs (The Gatekeeper)

NACLs act at the Subnet Level. They are Stateless—you must explicitly allow both Inbound and Outbound traffic. NACLs are your 'Last Line of Defense' used to block specific malicious IP addresses at the border.

FeatureSecurity GroupNetwork ACL
TargetInstance/ENISubnet
TypeStatefulStateless
Rule OrderAll evaluatedProcessed in order

3. Architect Insight

Q: "How many Security Groups should I have?"

Architect Answer: "Use a **Security Group Chain**. Create one SG for your Load Balancer (allow 80/443). Create another SG for your .NET API that ONLY allows traffic from the 'Load Balancer SG'. This ensures no one can bypass your LB and talk to your API directly."

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

AWS Mastery for .NET Architects
Course syllabus
1. AWS Global Infrastructure
2. Compute for .NET
3. Storage & Databases
4. Networking & Content Delivery
5. Security & Compliance
6. Messaging & Events
7. Monitoring & DevOps
8. Optimization & Scale
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details