Firewalls are the gatekeepers of network traffic. Understanding how they work — and how AWS implements them — is essential for designing secure cloud architectures and passing cloud certification exams.
What is a Firewall?
A firewall is a network security device (hardware or software) that monitors and controls incoming and outgoing network traffic based on predetermined rules. Rules typically define:
- Source IP / CIDR
- Destination IP / CIDR
- Protocol (TCP, UDP, ICMP)
- Port or port range
- Action: Allow or Deny
Stateful vs Stateless Firewalls
Stateful Firewalls
Track the state of network connections. If you allow outbound TCP on port 443, the firewall automatically allows the return traffic for that established connection — even if there's no explicit inbound rule allowing it.
- More intelligent, easier to configure
- Examples: AWS Security Groups, iptables with connection tracking, modern NGFWs
Stateless Firewalls
Evaluate each packet independently, with no knowledge of connection state, so return traffic needs its own explicit rules. They can be faster at high throughput, but they take more care to configure correctly.
- Examples: AWS Network ACLs, traditional ACL-based routers
- Must explicitly allow both request traffic AND ephemeral ports for return traffic
AWS Security Groups
Security Groups are virtual stateful firewalls attached to EC2 instances, RDS, load balancers, Lambda functions, and other resources.
- Applied at the ENI (Elastic Network Interface) level — not subnet level
- Stateful: return traffic automatically allowed
- Rules are allow only — there are no explicit deny rules
- All rules are evaluated — if any rule allows traffic, it's allowed
- Can reference other Security Groups as source/destination (instead of CIDR)
Inbound rules for web-server-sg:

```
Allow TCP 80  from 0.0.0.0/0    # HTTP from anywhere
Allow TCP 443 from 0.0.0.0/0    # HTTPS from anywhere
Allow TCP 22  from 10.0.0.0/8   # SSH from internal only
```

Outbound rules (default):

```
Allow all traffic to 0.0.0.0/0  # allow all outbound
```
Security Group chaining: Allow the application SG to receive traffic only from the load balancer SG:
app-sg inbound:

```
Allow TCP 3000 from alb-sg      # source is a security group, not a CIDR
```
AWS Network ACLs (NACLs)
NACLs are stateless packet filters at the subnet level. Every subnet in a VPC is associated with one NACL (default: allow all).
- Stateless: must configure both inbound and outbound rules
- Rules are evaluated in ascending numeric order; first match wins
- Supports both Allow and Deny rules
- Applied at subnet level — affects all resources in the subnet
Inbound NACL rules:

```
Rule 100: ALLOW TCP 443         from 0.0.0.0/0
Rule 110: ALLOW TCP 80          from 0.0.0.0/0
Rule 120: ALLOW TCP 1024-65535  from 0.0.0.0/0   # ephemeral ports for return traffic
Rule *  : DENY  ALL ALL         from 0.0.0.0/0   # implicit deny all
```
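To make the stateful/stateless distinction and the two rule-evaluation models concrete, here is a small Python model of both filters, written for this page as an added illustration; it is not AWS code. The Security Group is allow-only and remembers flows it has allowed, so the reply to an outbound HTTPS request passes with no inbound rule. The NACL checks every packet against its ordered rules, so the same reply is dropped unless the ephemeral-port rule 120 exists. All rules, addresses and ports below are constructed (the web-server-sg and NACL rules are the ones from the text; 10.0.1.5, 203.0.113.10 and 198.51.100.0/24 are made-up peers).

```python
"""Toy packet filters mimicking AWS Security Groups (stateful, allow-only, any matching
rule allows) and Network ACLs (stateless, ascending rule number, first match wins).
Added illustration, not AWS code; rules, addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # range the text uses for return traffic through a NACL


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny" (Security Groups only ever use "allow")
    proto: str          # "tcp", "udp", "icmp" or "all"
    ports: tuple        # inclusive (low, high); (0, 65535) means any port
    cidr: str           # peer address range the rule applies to
    number: int = 0     # NACL rule number; ignored for Security Groups


def rule_matches(rule, proto, port, peer_ip):
    """Match on protocol, the destination (service) port and the peer's CIDR."""
    return ((rule.proto == "all" or rule.proto == proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ip_address(peer_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: packets of a tracked flow pass without consulting the rules."""

    def __init__(self, inbound, outbound):
        assert all(r.action == "allow" for r in inbound + outbound), "SGs have no deny rules"
        self.inbound, self.outbound = inbound, outbound
        self.conntrack = set()

    @staticmethod
    def _flow_key(pkt, direction):
        # (proto, peer ip, peer port, local port): a packet and its reply share one key
        if direction == "inbound":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)

    def evaluate(self, pkt, direction):
        key = self._flow_key(pkt, direction)
        if key in self.conntrack:
            return "allow"                      # return traffic of an established flow
        rules, peer = (self.inbound, pkt.src_ip) if direction == "inbound" else (self.outbound, pkt.dst_ip)
        if any(rule_matches(r, pkt.proto, pkt.dst_port, peer) for r in rules):
            self.conntrack.add(key)             # remember the flow so the reply passes
            return "allow"
        return "deny"                           # implicit deny: no allow rule matched


class NetworkACL:
    """Stateless: every packet is matched against the ordered rules of its direction."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules, peer = (self.inbound, pkt.src_ip) if direction == "inbound" else (self.outbound, pkt.dst_ip)
        for r in rules:                         # ascending rule number, first match wins
            if rule_matches(r, pkt.proto, pkt.dst_port, peer):
                return r.action
        return "deny"                           # the trailing '*' deny-all rule


def make_web_sg():
    """web-server-sg from the text: 80/443 from anywhere, 22 from 10.0.0.0/8, all outbound."""
    return SecurityGroup(
        inbound=[Rule("allow", "tcp", (80, 80), "0.0.0.0/0"),
                 Rule("allow", "tcp", (443, 443), "0.0.0.0/0"),
                 Rule("allow", "tcp", (22, 22), "10.0.0.0/8")],
        outbound=[Rule("allow", "all", (0, 65535), "0.0.0.0/0")])


NACL_IN = [Rule("allow", "tcp", (443, 443), "0.0.0.0/0", number=100),
           Rule("allow", "tcp", (80, 80), "0.0.0.0/0", number=110),
           Rule("allow", "tcp", EPHEMERAL, "0.0.0.0/0", number=120)]
NACL_OUT = [Rule("allow", "all", (0, 65535), "0.0.0.0/0", number=100)]
GOOD_NACL = NetworkACL(NACL_IN, NACL_OUT)
BAD_NACL = NetworkACL(NACL_IN[:2], NACL_OUT)   # forgot rule 120: no ephemeral ports
# Constructed deny for one CIDR, numbered below the allows so it wins by ordering.
ORDERED_NACL = NetworkACL([Rule("deny", "tcp", (0, 65535), "198.51.100.0/24", number=90)] + NACL_IN, NACL_OUT)


def simulate_outbound_https(sg, nacl):
    """Instance 10.0.1.5 opens HTTPS to 203.0.113.10 (constructed); returns each
    filter's decision for the request and for the server's reply."""
    request = Packet("10.0.1.5", "203.0.113.10", "tcp", src_port=40000, dst_port=443)
    reply = Packet("203.0.113.10", "10.0.1.5", "tcp", src_port=443, dst_port=40000)
    return {"sg_request": sg.evaluate(request, "outbound"),
            "sg_reply": sg.evaluate(reply, "inbound"),
            "nacl_request": nacl.evaluate(request, "outbound"),
            "nacl_reply": nacl.evaluate(reply, "inbound")}


def inbound_decision(fw, src_ip, dst_port):
    """Decision for a new inbound TCP connection attempt from src_ip to dst_port."""
    return fw.evaluate(Packet(src_ip, "10.0.1.5", "tcp", src_port=50000, dst_port=dst_port), "inbound")


if __name__ == "__main__":
    print("correct NACL:          ", simulate_outbound_https(make_web_sg(), GOOD_NACL))
    print("missing ephemeral rule:", simulate_outbound_https(make_web_sg(), BAD_NACL))
    print("ordered NACL, 198.51.100.7 -> 443:", inbound_decision(ORDERED_NACL, "198.51.100.7", 443))
```

Running it shows the practical cost of statelessness: `BAD_NACL` drops the HTTPS reply even though the Security Group let it through, and `GOOD_NACL` fixes that only by admitting any inbound TCP packet to ports 1024-65535, because a NACL cannot tell a reply from a new connection attempt to, say, port 8080. That is why the ephemeral-port rule is broad and the Security Group stays the fine-grained control.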
Security Groups vs NACLs
| | Security Group | NACL |
|---|---|---|
| Level | Instance/ENI | Subnet |
| Stateful | Yes | No |
| Rules | Allow only | Allow and Deny |
| Rule evaluation | All rules | In order (first match) |
| Default | Deny all inbound, allow all outbound | Allow all |
Web Application Firewalls (WAF)
WAFs operate at Layer 7 (HTTP/HTTPS) and can inspect and block traffic based on request content:
- Block SQL injection, XSS, path traversal attempts
- Rate limiting per IP
- Geo-blocking
- Bot detection
- OWASP Top 10 managed rule groups
AWS WAF integrates with CloudFront, ALB, API Gateway, and AppSync. It uses rules and rule groups — you can use AWS Managed Rules or write your own.
Next: Load balancers and CDNs — how traffic is distributed across instances and served efficiently from edge locations.