AWS Certified Solutions Architect - Associate (SAA-C03) #4 Domain 1-3 Secure Architectures — VPC Security


In #3 KMS and Encryption we protected the data itself; this time we deal with the network boundary that data travels across. VPC security is the foundation underlying nearly every architecture question on SAA. Requirements like “how do you access a DB in a private subnet?” and “reach S3 without going over the internet” all hinge on this.

Security group vs. network ACL #

A VPC has two layers of firewall. The difference between them shows up on the exam almost every time.

| Aspect | Security Group | Network ACL (NACL) |
| --- | --- | --- |
| Operates at | Instance (ENI) level | Subnet level |
| State | Stateful (responses auto-allowed) | Stateless (responses need rules too) |
| Rule types | Allow only | Allow + Deny |
| Rule evaluation | All rules combined | In number order, first match applies |
| Defaults | Inbound blocked, outbound allowed | The default NACL allows everything |

Stateful vs. stateless is the crux #

A security group is stateful. If you allow an inbound flow, the response (outbound) is automatically allowed without a rule. A NACL, conversely, is stateless — even if you allow incoming traffic, you have to open a separate rule for the outgoing response. Since the response goes out on an ephemeral port (usually 1024–65535), blocking that port range outbound in the NACL breaks the communication.

If you need Deny, it’s NACL #

A security group can only create Allow rules. A requirement to “block a single specific IP” is impossible with a security group and is handled with a NACL Deny rule. When the exam mentions “block a malicious IP” or “deny a specific range,” NACL is the answer.
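As an added illustration (not code from the original post), the following Python model captures the two evaluation behaviours just described: a security group that is allow-only, stateful and combines all rules, and a NACL that is stateless and evaluates rules in number order with an implicit final deny. The rule sets and the TEST-NET addresses used in demo() are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL evaluation order (ignored for security groups)
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"

def rule_matches(rule: Rule, ip: str, port: int) -> bool:
    in_cidr = ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
    return in_cidr and rule.port_from <= port <= rule.port_to

def security_group_allows(rules: list[Rule], ip: str, port: int) -> bool:
    """Security group: allow-only, all rules combined, any match permits."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("a security group cannot hold deny rules")
    return any(rule_matches(r, ip, port) for r in rules)

def nacl_decision(rules: list[Rule], ip: str, port: int) -> str:
    """NACL: rules checked in number order, first match wins, implicit final deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, ip, port):
            return r.action
    return "deny"

def tcp_session_ok(sg_in, nacl_in, nacl_out, client_ip, client_port, service_port):
    """A client connects to the instance's service_port from an ephemeral client_port.
    The stateful security group needs only the inbound allow: the reply rides on it.
    The stateless NACL must additionally allow the reply outbound on client_port."""
    if not security_group_allows(sg_in, client_ip, service_port):
        return False
    if nacl_decision(nacl_in, client_ip, service_port) != "allow":
        return False
    return nacl_decision(nacl_out, client_ip, client_port) == "allow"

def demo():
    """Constructed rule sets; addresses are from the documentation TEST-NET ranges."""
    sg_in = [Rule(0, "0.0.0.0/0", 443, 443, "allow")]
    nacl_in = [Rule(100, "203.0.113.7/32", 0, 65535, "deny"),   # block one specific IP
               Rule(200, "0.0.0.0/0", 443, 443, "allow")]
    out_trap = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]      # ephemeral ports forgotten
    out_good = [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")]
    return {
        "blocked_ip": tcp_session_ok(sg_in, nacl_in, out_good, "203.0.113.7", 51234, 443),
        "ephemeral_trap": tcp_session_ok(sg_in, nacl_in, out_trap, "198.51.100.9", 51234, 443),
        "correct": tcp_session_ok(sg_in, nacl_in, out_good, "198.51.100.9", 51234, 443),
    }
```

The ephemeral_trap case is trap 2 from the list at the end of the post: the inbound 443 rule matches, but the reply to the client's ephemeral port finds no outbound match and hits the implicit deny.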

VPC Endpoint — access without going over the internet #

When an instance in a private subnet accesses an AWS service like S3, going through an internet gateway or NAT means the traffic leaves the AWS network and comes back. A VPC Endpoint lets it reach the service while keeping the traffic inside AWS. There are two kinds.

| Kind | Targets | Mechanism | Cost |
| --- | --- | --- | --- |
| Gateway Endpoint | S3, DynamoDB only | Adds a route to the route table | Free |
| Interface Endpoint | Most AWS services | Creates an ENI (private IP) in the subnet | Hourly + data charge |

The most frequently missed point is that the Gateway Endpoint is only for S3 and DynamoDB. To reach other services like SQS, KMS, or Systems Manager privately, you have to use an Interface Endpoint. Interface Endpoints use PrivateLink technology internally.

PrivateLink — exposing your own service privately #

PrivateLink is a way to expose a service to another VPC without VPC peering and without going over the internet. The structure looks like this.

  • The service provider puts the service behind a Network Load Balancer and registers it as an Endpoint Service.
  • The consumer creates an Interface Endpoint in their own VPC to connect to that service.
  • The two VPCs’ CIDRs may overlap, and the two networks aren’t routed to each other directly.

When the requirement is “provide our service into a customer’s VPC in a SaaS fashion, without peering or public exposure,” PrivateLink is the answer. Where VPC peering connects two entire VPCs by routing, PrivateLink exposes only a single specific service.

Distinguishing it from VPC peering #

| Method | Connection scope | Characteristics |
| --- | --- | --- |
| VPC peering | Whole VPC ↔ whole VPC | 1:1, non-transitive, CIDRs can’t overlap |
| PrivateLink | Only a specific service | CIDRs may overlap, one-way exposure |
| Transit Gateway | A hub for many VPCs | Connects many VPCs centrally |

VPC peering is not transitive. Even if A-B and B-C are peered, A can’t reach C directly. To weave many VPCs together, Transit Gateway is the answer.

Accessing private instances — bastion vs. Session Manager #

There are two ways for an administrator to connect to an instance in a private subnet.

  • Bastion host (jump box) — place a jump server in a public subnet and SSH from there into the private instance. Since you have to open inbound SSH (22) on the bastion, an attack surface appears.
  • Systems Manager Session Manager — without a bastion, connect to a shell using IAM permissions while opening no inbound port at all. No SSH key management needed, and connection records are kept.

When the exam gives a cue like “access a private instance securely without opening an inbound port,” Session Manager is the modern answer.

VPC Flow Logs #

VPC Flow Logs send the metadata of IP traffic going in and out of an ENI (source/destination IP and port, protocol, allow/deny, byte count) to CloudWatch Logs or S3. They’re used for security auditing and tracking down traffic problems.

An important limitation: Flow Logs don’t capture the packet payload. They show “who communicated with whom, on which port, and whether it was allowed or denied” — not “what data was exchanged.” If you need to see the packet contents too, you need Traffic Mirroring.
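To make the metadata-only point concrete, here is an added Python example (not from the original post) that parses records in the default VPC Flow Log format and runs the kind of audit the section describes: which sources are being rejected, on which ports, and how many bytes two hosts exchanged. The log lines, account id and ENI id are constructed placeholders, not captured traffic.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic); account and ENI ids are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 51234 22 6 8 512 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 51235 3389 6 4 256 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.44 10.0.1.25 40012 443 6 20 4096 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.44 443 40012 6 18 9000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000119 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format records; drop malformed lines and NODATA/SKIPDATA entries."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields were recorded for this window
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_by_source(records):
    """Number of REJECTed flows per source address (the SG/NACL denials an audit reviews)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")

def rejected_ports(records, srcaddr):
    """Destination ports one source was denied on; many distinct ports deserves a look."""
    return sorted({r["dstport"] for r in records
                   if r["action"] == "REJECT" and r["srcaddr"] == srcaddr})

def bytes_exchanged(records, host_a, host_b):
    """Total bytes between two hosts in either direction: volume is logged, payload never is."""
    return sum(r["bytes"] for r in records
               if {r["srcaddr"], r["dstaddr"]} == {host_a, host_b})
```

Note that FIELDS has no payload column at all: everything an analyst can derive from a flow log is a function of addresses, ports, counters and the ACCEPT/REJECT verdict.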

Exam question patterns #

  • “Block a specific IP.” → NACL Deny rule (a security group can’t Deny)
  • “Is a security group stateful or stateless?” → Stateful (responses auto-allowed). A NACL is stateless
  • “A private instance accesses S3 without the internet.” → Gateway Endpoint (free)
  • “A private instance accesses SQS/KMS privately.” → Interface Endpoint (PrivateLink)
  • “Provide our service into a customer VPC without peering.” → PrivateLink + NLB
  • “Connect many VPCs centrally.” → Transit Gateway
  • “Connect to a private instance without an inbound port.” → Session Manager
  • “Audit network traffic flows.” → VPC Flow Logs

Common traps #

1) Trying to create a Deny with a security group #

A security group has Allow rules only. Blocking is the NACL.

2) Treating a NACL as stateful #

A NACL is stateless, so you have to open the response traffic’s ephemeral port range separately. If you open only the inbound side and leave outbound blocked, the communication breaks.

3) Trying to reach every service via a Gateway Endpoint #

A Gateway Endpoint is only for S3 and DynamoDB. Everything else is an Interface Endpoint.

4) Thinking VPC peering is transitive #

Peering is non-transitive. Even with A-B-C, A can’t reach C directly.

5) Seeing packet contents with Flow Logs #

Flow Logs only show metadata. Content capture is Traffic Mirroring.

Wrap-up #

What this post locked in:

  • Security group — instance level, stateful, Allow only. NACL — subnet level, stateless, Allow + Deny, ordered evaluation
  • When you need Deny, it’s NACL. A security group can’t do it
  • Gateway Endpoint — S3/DynamoDB only, free. Interface Endpoint — other services, PrivateLink-based
  • PrivateLink — exposes only a specific service privately without peering. Peering is non-transitive; TGW is a hub for many VPCs
  • Private access — Session Manager instead of a bastion (no inbound port needed)
  • Flow Logs — audit of traffic metadata (contents not included)

Next — Domain 1-4 WAF, Shield, Cognito #

With the network boundary in hand, the last topic of the security domain is application-layer protection and user authentication.

#5 Domain 1-4 WAF, Shield, Cognito, Secrets Manager covers WAF web ACLs and rules, the difference between Shield Standard and Advanced, the role distinction between Cognito User Pool and Identity Pool, and a comparison of Secrets Manager and Parameter Store.
