AWS Classroom Series – 27/Oct/2019

Security in AWS VPC

Preview

Layered Security

  • Security At Subnet
  • Security At Network Interface

Network ACL

  • Is Security at subnet level.
  • Here you write rules. Rules for ALLOW and DENY can be written.
  • When you create a VPC, a default NACL is created which allows everything in both directions.
  • Here for Rules we have priority
  • Rules are broken down to two kinds
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule
    • IP Address (Source IP or Destination IP): We use CIDR ranges to enter ip address rules. For eg 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, 100.100.10.10/32 means only single ip 100.100.10.10
    • Protocol: TCP/UDP/ICMP etc..
    • Port: which port number to consider
    • ACTION: ALLOW/DENY
  • If you have not written the rule it becomes deny by default (bcoz of priority evaluations)
  • Scope of Network ACL is VPC, it means NACLs create for one VPC cannot be used in other VPCS (you need to recreate)
NACL Rule Evaluation
  • Important things to consider:
    • * is Lowest Priority
    • 100 is Highest Priority
    • Lower the number higher the priority
  • Whenever incoming Traffic is recived on subnet, Evaluation starts from Highest Priority Rule in your NACL
    • Is this rules IP matching with Source IP. If no go to next rule. If yes continue
    • Is this rules Protocol matching with the request. If no got the next rule. If yes continue
    • Is this rules Port number matching with the request. If no go to the next rule. If yes continue
    • If this rules action is ALLOW/DENY, ALLOW/DENY the packet and stop process further

Security Group

  • It is Security at ENI(Elastic Network Interface) Level
  • Here you write rules only for ALLOW
  • Rules are broken down to two kinds
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule
    • IP Address (Source IP or Destination IP): We use CIDR ranges to enter ip address rules. For eg 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, 100.100.10.10/32 means only single ip 100.100.10.10
    • Protocol: TCP/UDP/ICMP etc..
    • Port: which port number to consider
  • Scope of Security Group is VPC, it means Security Group create for one VPC cannot be used in other VPCS (you need to recreate)

Exercise

  • Create NACL rules which allows ssh to all incoming and everything outgoing in your vpc
  • Attach NACL to all of your subnets
  • Create two Security group which allows ssh and which doesnt have a rule about ssh in your vpc
  • Now create a ec2 machine with allow ssh security group.
  • Now create one more ec2 machine with deny ssh security group
  • Check the connectivity
  • In your ec2 machines install apache server
# ubuntu
sudo apt-get update
sudo apt-get install apache2 -y

# centos/redhat
sudo yum install httpd
sudo service httpd start
  • try to access your server from browser http://<publicip>

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About continuous learner

devops & cloud enthusiastic learner