CONCEPT Cited by 1 source
Security-group chaining
Definition
Security-group chaining is a VPC network design where each tier's security group allows inbound traffic only from the security group of the preceding tier, forming a directed chain from edge to compute. Traffic cannot skip tiers because no tier's security group trusts anything except its immediate upstream neighbor.
Why it matters
Without chaining, an attacker who compromises a middle tier (or bypasses the edge) can reach compute directly. With chaining, the chain itself is a defense-in-depth control: even if CloudFront is bypassed (e.g., someone discovers the ALB's DNS name), the ALB security group only allows traffic from the CloudFront managed prefix list — direct access fails at the VPC packet filter.
Canonical instance
The 2026-06-29 AWS dual-token authentication reference architecture uses a two-rule security-group chain:
- ALB SG: inbound allowed only from the CloudFront managed prefix list.
- NLB SG: inbound TCP 7350 allowed only from the CloudFront managed prefix list.
- ECS task SG: inbound port 7350 allowed only from the ALB SG (HTTP API) and from the NLB SG (WebSocket).
The chain guarantees: Internet → CloudFront → WAF → ALB/NLB → ECS. No hop can be skipped.
An additional application-layer check reinforces the chain: CloudFront sends an X-CloudFront-Secret header on every request, and ALB listener rules reject any request missing the correct value.
(Source: sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers)
General shape
Internet → Edge (CDN/WAF)
↓ SG: only CDN prefix list
Load Balancer (ALB or NLB)
↓ SG: only LB SG
Compute (ECS / EKS / EC2)
↓ SG: only compute SG
Data store (RDS / DynamoDB endpoint)
Each arrow is a security-group reference (source: sg-xxx), not a CIDR.
CIDR-based rules require manual updates when IP ranges change; SG references are self-maintaining.
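An added example, not code from the cited source: an offline audit that checks whether each tier's security group admits only its expected upstream. The security groups are constructed sample data in the shape boto3's describe_security_groups() returns, and every ID (sg-alb, sg-nlb, sg-ecs, the prefix-list ID) is a placeholder.

```python
from typing import Dict, List, Set

# Constructed sample modelled on the CloudFront -> ALB/NLB -> ECS chain.
# All IDs are placeholders, shaped like boto3 describe_security_groups() output.
CF_PREFIX_LIST = "pl-cloudfront-placeholder"

def _rule(proto: str, port: int, groups=(), prefix_lists=(), cidrs=()) -> Dict:
    """Build one inbound IpPermissions entry from SG refs, prefix lists and CIDRs."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": g} for g in groups],
            "PrefixListIds": [{"PrefixListId": p} for p in prefix_lists],
            "IpRanges": [{"CidrIp": c} for c in cidrs]}

SAMPLE_SGS = {
    "sg-alb": [_rule("tcp", 443, prefix_lists=[CF_PREFIX_LIST])],
    "sg-nlb": [_rule("tcp", 7350, prefix_lists=[CF_PREFIX_LIST])],
    "sg-ecs": [_rule("tcp", 7350, groups=["sg-alb"]),
               _rule("tcp", 7350, groups=["sg-nlb"])],
}

# The chain as designed: the only inbound sources each tier may trust.
EXPECTED_UPSTREAM = {
    "sg-alb": {CF_PREFIX_LIST},
    "sg-nlb": {CF_PREFIX_LIST},
    "sg-ecs": {"sg-alb", "sg-nlb"},
}

def inbound_sources(rules: List[Dict]) -> Set[str]:
    """Collect every inbound source of an SG: SG references, prefix lists and CIDRs."""
    srcs: Set[str] = set()
    for r in rules:
        srcs.update(p["GroupId"] for p in r.get("UserIdGroupPairs", []))
        srcs.update(p["PrefixListId"] for p in r.get("PrefixListIds", []))
        srcs.update(c["CidrIp"] for c in r.get("IpRanges", []))
    return srcs

def audit_chain(sgs: Dict[str, List[Dict]], expected: Dict[str, Set[str]]) -> List[str]:
    """Return findings; an empty list means no tier trusts anything but its upstream."""
    findings = []
    for sg_id, upstream in expected.items():
        actual = inbound_sources(sgs.get(sg_id, []))
        for extra in sorted(actual - upstream):  # a rule that lets traffic skip a tier
            kind = "CIDR" if "/" in extra else "source"
            findings.append(f"{sg_id}: unexpected inbound {kind} {extra}")
        for missing in sorted(upstream - actual):  # the legitimate hop itself is blocked
            findings.append(f"{sg_id}: expected upstream {missing} not allowed")
    return findings

if __name__ == "__main__":
    print(audit_chain(SAMPLE_SGS, EXPECTED_UPSTREAM))  # [] for the intact chain
```

Feeding it the live output of describe_security_groups() (one entry per tier, keyed by GroupId) turns the same check into a drift detector for the chain.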
Seen in
- sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers — CloudFront → ALB/NLB → ECS chain