Network Security Architecture
Explore how to design robust network security architectures in AWS by layering security groups, network ACLs, AWS Network Firewall, WAF, and Shield Advanced. Understand their roles, differences, and best practices for multi-account enterprise environments to ensure resilience, compliance, and threat protection across the network stack.
Enterprise AWS environments demand more than a single firewall or access control list. When dozens of accounts, hundreds of VPCs, and globally distributed applications converge, network security must operate as a coordinated system of controls spanning the edge, the VPC boundary, the subnet, and the individual workload. The AWS Certified Solutions Architect – Professional exam tests your ability to design these layered architectures, select the right control at the right layer, and understand the trade-offs between centralized governance and distributed simplicity. This lesson builds that architecture from the ground up.
Layered network security in AWS
Defense in depth is the foundational principle behind AWS network security architecture. Rather than relying on a single perimeter, multiple controls operate at different layers of the network stack, each filtering traffic with a distinct scope and behavioral model. If one layer is misconfigured or bypassed, the next layer still enforces its rules independently.
AWS provides three primary network security controls that architects must layer correctly. Security groups operate as stateful firewalls attached to elastic network interfaces (ENIs), filtering traffic at the instance and service level. Network ACLs provide stateless filtering at the subnet boundary, evaluating traffic independently in each direction. AWS Network Firewall delivers centralized deep packet inspection at the VPC or Transit Gateway level for enterprise-scale traffic filtering and threat detection.
SAP-C02 scenarios require you to understand when each control is appropriate and how they complement, rather than replace, each other. A common exam distractor treats these services as interchangeable, for example, using NACLs as the primary workload protection mechanism instead of security groups. The behavioral difference between stateful and stateless controls, and their placement within VPC topology, determines which combination satisfies a given security requirement.
The following table clarifies these distinctions across the dimensions that matter most for architectural decisions.
AWS Network Security Controls Comparison

| Attribute | Security Groups | Network ACLs | AWS Network Firewall |
|---|---|---|---|
| Layer of Operation | Instance/ENI level | Subnet level | VPC/Transit Gateway level |
| Statefulness | Stateful | Stateless | Stateful inspection |
| Rule Evaluation Order | All rules evaluated (no numbering) | Numbered priority, first-match wins | Rule groups with hierarchical evaluation |
| Default Behavior | Deny all inbound, allow all outbound | Default ACL: allow all; Custom ACL: deny all | Configurable default actions |
| Use Case Alignment | Workload boundaries | Subnet isolation | Centralized inspection |
| Return Traffic Handling | Automatic | Explicit rules required | Automatic via stateful inspection |
| SAP-C02 Scenario Application | Instance-level access control (SSH, HTTP/S) | Subnet-level traffic restrictions | Intrusion prevention/detection across VPC |
| Cost Implications | No additional cost | No additional cost | Data processing charges apply |
With these distinctions established, the next sections examine how security groups and network ACLs work together in practice before scaling to centralized inspection.
Security Groups and Network ACLs in practice
Security groups and network ACLs work together to enforce layered network protection, combining stateful workload-level controls with stateless subnet-level filtering.
Security groups as the primary workload boundary
Security groups are the primary mechanism for controlling traffic to AWS resources, including EC2 instances, RDS databases, Lambda functions running inside VPCs, and Application Load Balancers. Their stateful nature means that when an inbound request is allowed, the return traffic is automatically permitted regardless of outbound rules. This eliminates an entire class of misconfiguration errors common with stateless filters.
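To make the stateful/stateless distinction concrete, here is an added example (not part of the lesson and not AWS code) that models one HTTPS request and its reply against a security group and against two NACLs, one of which lacks the outbound ephemeral-port rule. All addresses, ports and rules are constructed; the point it shows is that the reply passes the security group through its connection table while the stateless NACL drops it unless the ephemeral range is explicitly allowed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    direction: str  # "in" or "out", relative to the protected workload

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
def remote_ip(pkt):
    # Rules are written against the far end of the connection.
    return pkt.src if pkt.direction == "in" else pkt.dst

# Constructed security group: one inbound HTTPS allow and deliberately no outbound
# rules, so only the stateful connection table can pass the reply.
SG_RULES = [("in", "10.0.0.0/16", 443)]

def sg_allows(pkt, rules, conn_table):
    """Stateful, allow-only, unordered: any matching rule allows, and a packet that
    answers an already-allowed flow passes regardless of rules."""
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in conn_table:
        return True
    for direction, cidr, port in rules:
        if direction == pkt.direction and port == pkt.dport and in_cidr(remote_ip(pkt), cidr):
            conn_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
    return False
# Constructed NACLs: (rule number, direction, cidr, port_from, port_to, action).
NACL_NO_EPHEMERAL = [(100, "in", "0.0.0.0/0", 443, 443, "allow"),
                     (100, "out", "0.0.0.0/0", 443, 443, "allow")]
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    (110, "out", "0.0.0.0/0", 1024, 65535, "allow")]  # replies to client ephemeral ports

def nacl_allows(pkt, rules):
    """Stateless: lowest number first, first match decides, implicit deny at the end."""
    for _num, direction, cidr, lo, hi, action in sorted(rules):
        if direction == pkt.direction and lo <= pkt.dport <= hi and in_cidr(remote_ip(pkt), cidr):
            return action == "allow"
    return False

def https_exchange(nacl_rules):
    """(SG request, SG reply), (NACL request, NACL reply) verdicts for one HTTPS flow."""
    request = Packet("10.0.1.50", 51234, "10.0.2.10", 443, "in")
    reply = Packet("10.0.2.10", 443, "10.0.1.50", 51234, "out")
    conns = set()
    sg = (sg_allows(request, SG_RULES, conns), sg_allows(reply, SG_RULES, conns))
    return sg, (nacl_allows(request, nacl_rules), nacl_allows(reply, nacl_rules))
```

Running `https_exchange` with each NACL shows the request allowed everywhere but the reply dropped only by the NACL without rule 110, which is the misconfiguration class the stateful model removes.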
Security groups use an allow-only rule model with no explicit deny capability. All rules are ...