AWS Classroom Series – 27/Oct/2019

Security in AWS VPC

Layered Security

  • Security At Subnet
  • Security At Network Interface

Network ACL

  • It is security at the subnet level.
  • Here you write rules; both ALLOW and DENY rules can be written.
  • When you create a VPC, a default NACL is created which allows everything in both directions.
  • Here rules have a priority (the rule number).
  • Rules are broken down into two kinds
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule
    • IP Address (Source IP or Destination IP): We use CIDR ranges to enter IP address rules. For example, 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, and 100.100.10.10/32 means only the single IP 100.100.10.10
    • Protocol: TCP/UDP/ICMP etc.
    • Port: which port number to consider
    • ACTION: ALLOW/DENY
  • If you have not written a matching rule, the traffic is denied by default (because of priority evaluation: traffic that matches no rule reaches the lowest-priority * rule, which denies it)
  • Scope of a Network ACL is the VPC; an NACL created for one VPC cannot be used in other VPCs (you need to recreate it)

NACL Rule Evaluation

  • Important things to consider:
    • * is the lowest priority (it is evaluated last)
    • 100 is the highest priority (it is evaluated first)
    • The lower the number, the higher the priority
  • Whenever incoming traffic is received on the subnet, evaluation starts from the highest-priority rule in your NACL:
    • Is this rule's IP matching the source IP? If no, go to the next rule. If yes, continue
    • Is this rule's protocol matching the request? If no, go to the next rule. If yes, continue
    • Is this rule's port number matching the request? If no, go to the next rule. If yes, continue
    • If all three match, ALLOW or DENY the packet according to this rule's action and stop processing further rules (the first matching rule wins)

Security Group

  • It is security at the ENI (Elastic Network Interface) level
  • Here you write rules only for ALLOW (there are no DENY rules; traffic that matches no rule is simply not allowed)
  • Rules are broken down into two kinds
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule
    • IP Address (Source IP or Destination IP): We use CIDR ranges to enter IP address rules. For example, 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, and 100.100.10.10/32 means only the single IP 100.100.10.10
    • Protocol: TCP/UDP/ICMP etc.
    • Port: which port number to consider
  • Scope of a Security Group is the VPC; a Security Group created for one VPC cannot be used in other VPCs (you need to recreate it)
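As an added example (not part of the original classroom notes), here is a small Python model of the two evaluation orders described above: the NACL first-match walk in ascending rule-number order with the * catch-all deny, and the allow-only Security Group check. It is a local simulation using the notes' CIDR examples; the rule sets are constructed here and nothing talks to the AWS API.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    cidr: str              # source (inbound) or destination (outbound) CIDR
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port: Optional[int]    # None means any port (e.g. ICMP or "all traffic")
    action: str            # "allow" or "deny" (security groups: allow only)
    number: int = 0        # NACL rule number; lower number = evaluated first


def matches(rule: Rule, ip: str, protocol: str, port: int) -> bool:
    """The three checks from the notes, in order: IP, then protocol, then port."""
    if ip_address(ip) not in ip_network(rule.cidr):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    return rule.port is None or rule.port == port


def nacl_decision(rules: list, ip: str, protocol: str, port: int) -> str:
    """NACL: walk the rules in ascending rule-number order; the first match
    decides and evaluation stops. Traffic that matches nothing reaches the
    final '*' rule, which denies it."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, protocol, port):
            return rule.action
    return "deny"  # the '*' catch-all rule


def sg_decision(rules: list, ip: str, protocol: str, port: int) -> str:
    """Security group: allow-only and unordered; any matching rule allows,
    and with no match the traffic is dropped."""
    return "allow" if any(matches(r, ip, protocol, port) for r in rules) else "deny"


# Constructed rule sets mirroring the exercise (not real AWS resources).
NACL_SSH_IN = [
    Rule("0.0.0.0/0", "tcp", 22, "allow", number=100),
    Rule("100.10.0.0/16", "tcp", 22, "deny", number=200),  # never reached: 100 matches first
]
SG_ALLOW_SSH = [Rule("0.0.0.0/0", "tcp", 22, "allow")]
SG_NO_SSH = [Rule("0.0.0.0/0", "tcp", 80, "allow")]  # the "deny SSH" group: no SSH rule

if __name__ == "__main__":
    print(nacl_decision(NACL_SSH_IN, "100.10.5.5", "tcp", 22))  # allow (rule 100)
    print(nacl_decision(NACL_SSH_IN, "100.10.5.5", "tcp", 80))  # deny (the '*' rule)
    print(sg_decision(SG_NO_SSH, "100.10.5.5", "tcp", 22))      # deny (no SSH rule)
```

One caveat the model does not show: a real NACL is stateless, so the exercise's "everything outgoing" rule is what lets the SSH reply traffic leave the subnet, whereas a Security Group is stateful and needs no matching outbound rule for replies.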

Exercise

  • Create NACL rules which allow SSH for all incoming traffic and allow everything outgoing in your VPC
  • Attach the NACL to all of your subnets
  • Create two Security Groups in your VPC: one which allows SSH and one which does not have a rule about SSH
  • Now create an EC2 machine with the allow-SSH security group.
  • Now create one more EC2 machine with the "deny SSH" security group (the one without an SSH rule)
  • Check the connectivity
  • In your EC2 machines install the Apache server:

# ubuntu
sudo apt-get update
sudo apt-get install apache2 -y

# centos/redhat
sudo yum install httpd
sudo service httpd start

By continuous learner

devops & cloud enthusiastic learner
