Firewalls & Security Groups
Stateless vs stateful firewalls
- Stateless: rules evaluated per packet; return traffic must be explicitly allowed.
- Stateful: tracks connections; return traffic is automatically allowed once a flow is permitted.
Inbound vs outbound rules
- Inbound: what can reach your resource.
- Outbound: what your resource can reach.
- Least privilege applies to both directions (especially outbound in zero-trust setups).
Security groups vs NACLs (network ACLs; cloud concept)
- Security groups: instance/ENI-level, typically stateful, allow rules only.
- NACLs: subnet-level, typically stateless, allow + deny rules.
- Use NACLs for coarse subnet guardrails; SGs for fine-grained workload policy.
Port-based filtering
- Most policies use destination port/protocol (e.g., allow TCP 443).
- With stateless filters, remember that return traffic arrives on an ephemeral (high-numbered) port, so it needs its own explicit rule in the reverse direction.
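The stateless/stateful distinction and the ephemeral-port point above, as an added toy model (not code from the original page): an ordered, allow+deny, per-packet NACL-style filter beside an allow-only security-group-style filter with a flow table. The rules, packets and ephemeral port range are constructed for this demo.

```python
# Added example (not from the original page): a toy model of stateless, NACL-style filtering
# beside stateful, security-group-style filtering. Rules, packets and the ephemeral range are constructed.
from collections import namedtuple

# direction is "in" or "out" relative to the protected host; rules match on destination port.
Packet = namedtuple("Packet", "direction proto src_port dst_port")
Rule = namedtuple("Rule", "direction proto ports action")  # action: "allow" or "deny"

def matches(rule, pkt):
    return rule.direction == pkt.direction and rule.proto == pkt.proto and pkt.dst_port in rule.ports

def stateless_check(rules, pkt):
    """NACL-style: each packet judged on its own; first matching rule wins, otherwise implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action == "allow"
    return False  # implicit deny

class StatefulFirewall:
    """Security-group-style: allow rules only, plus a flow table that admits return traffic."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]  # deny rules are not a security-group concept
        self.flows = set()  # (proto, local_port, remote_port) for each permitted connection

    def check(self, pkt):
        local, remote = (pkt.dst_port, pkt.src_port) if pkt.direction == "in" else (pkt.src_port, pkt.dst_port)
        if (pkt.proto, local, remote) in self.flows:
            return True  # return traffic of a tracked flow: no explicit reverse rule needed
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.proto, local, remote))
            return True
        return False  # unsolicited packet with no matching allow rule and no tracked flow

def demo():
    """Host serves TCP 443; a client connects from ephemeral port 51234. Tuples are (SYN passes?, reply passes?)."""
    https_in = Rule("in", "tcp", range(443, 444), "allow")
    deny_https = Rule("in", "tcp", range(443, 444), "deny")
    ephemeral_out = Rule("out", "tcp", range(1024, 65536), "allow")  # constructed range for this demo
    syn = Packet("in", "tcp", 51234, 443)
    reply = Packet("out", "tcp", 443, 51234)
    stateful = StatefulFirewall([https_in])
    return {
        "stateless_no_ephemeral_rule": tuple(stateless_check([https_in], p) for p in (syn, reply)),
        "stateless_with_ephemeral_rule": tuple(stateless_check([https_in, ephemeral_out], p) for p in (syn, reply)),
        "stateless_deny_first": stateless_check([deny_https, https_in], syn),  # ordering matters in a stateless list
        "stateful": tuple(stateful.check(p) for p in (syn, reply)),
    }
```

Run `demo()` to see the stateless filter drop the server's reply until an ephemeral-port rule is added, while the stateful filter admits it from the flow table alone.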
Basic network security model
- Segment networks (subnets), restrict ingress, control egress, and log flows.
- Combine network controls with identity controls (mTLS/IAM) for defense-in-depth.