Security Groups and NACL
- AWS has a layered security. One layer at the network interface level and other at the subnet level
- Security at the network interface level is Security Group
- Security at the subnet level is Network ACL
Security Groups
- They have inbound and outbound rules
- You can enter only ALLOW Rules
- For any network packet
- Source ( is checked for inbound)
- Destination (is checked for outbound rules)
- Protocol
- Port
- For every VPC created we have a default security group
Network ACLs (NACL)
- They have inbound and outbound rules
- They have ALLOW and DENY Rules
- They have priority also
- For any network packet
- Source ( is checked for inbound)
- Destination (is checked for outbound rules)
- Protocol
- Port
- For every VPC created we get a default NACL
- Best Practices:
- Donot write rules with consecutive number. Ensure there is atleast a gap of 10 numbers b/w
- Try to write deny rules for specific ip address on the top
Exercise:
- Create a VPC with two public subnets
- All traffic should be allowed to ec2 machine in subnet1 (security group)
- Create a NACL for Subnet 2
- It allows http and ssh connections from subnet1
- No other connections from internet
