Security for subnets and EC2 instances
- Security for EC2 instances (at the network interface) is provided by Security Groups
- Security for a subnet is provided by a Network ACL (NACL)
Security Group
- It is assigned to an ENI (elastic network interface), not to the instance itself
- In a security group everything is denied by default
- You can only write allow rules; anything not explicitly allowed is dropped
- Security groups belong to a VPC, and their rules are defined on the group
- When you create a VPC, a default security group is created along with it
- Let's create one security group rule that allows ports 80 and 22 from anyone. A rule consists of:
- Protocol => TCP, UDP, ICMP
- Port (or port range)
- To whom (source) => 0.0.0.0/0 (anyone), x.x.x.x/32 (a specific IP), x.x.0.0/16 (a CIDR range)
- This security group can be applied to any EC2 instance created in the VPC
Network ACL (NACL)
- It is applied at the subnet level
- Here you can create allow as well as deny rules
- Each rule has a number that sets its priority: the lower the number, the higher the priority (rules are evaluated in ascending order and the first match wins)
- A NACL also belongs to a VPC
- Let's create one NACL that allows 22, 80 and 443 from the internet, allows all traffic from within the VPC, and denies the rest of the traffic from the internet
- Rule numbers can be between 1 and 32766; it is always a good idea to leave gaps between rule numbers so that rules can be inserted later
- By default AWS creates one default NACL per VPC with allow-all incoming and outgoing rules
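The security group from the first exercise and the NACL from the second, written as Terraform (an added example, not part of the original notes); it assumes an existing VPC referenced as aws_vpc.main and a subnet referenced as aws_subnet.web, and all resource names are made up. Because a NACL is stateless, the example also adds the outbound ephemeral-port rule without which replies to the allowed inbound connections would be dropped.

```hcl
# Added example, not from the notes. Assumes aws_vpc.main and aws_subnet.web already exist.
# Security group: allow rules only, stateful; anything not listed is dropped.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id
}
resource "aws_vpc_security_group_ingress_rule" "web" {
  for_each          = { http = 80, ssh = 22 } # ssh open to the world as in the notes; an admin /32 is safer
  security_group_id = aws_security_group.web.id
  ip_protocol       = "tcp"
  from_port         = each.value
  to_port           = each.value
  cidr_ipv4         = "0.0.0.0/0"
}
resource "aws_vpc_security_group_egress_rule" "web" { # replies are stateful; this covers new outbound flows
  security_group_id = aws_security_group.web.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# NACL: stateless, evaluated lowest rule number first, first match wins, implicit deny ("*") at the end.
resource "aws_network_acl" "web" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.web.id]
}
locals {
  nacl_rules = {
    # key = [rule_no, egress, protocol, action, cidr, from_port, to_port]; numbers spaced by 100 to leave room
    in_ssh    = [100, false, "tcp", "allow", "0.0.0.0/0", 22, 22]
    in_http   = [110, false, "tcp", "allow", "0.0.0.0/0", 80, 80]
    in_https  = [120, false, "tcp", "allow", "0.0.0.0/0", 443, 443]
    in_vpc    = [200, false, "-1", "allow", aws_vpc.main.cidr_block, 0, 0]
    in_deny   = [300, false, "-1", "deny", "0.0.0.0/0", 0, 0] # redundant with the implicit deny, mirrors the notes
    # stateless: replies to the inbound flows above leave on ephemeral ports and need their own egress rule
    out_ephem = [100, true, "tcp", "allow", "0.0.0.0/0", 1024, 65535]
    out_vpc   = [200, true, "-1", "allow", aws_vpc.main.cidr_block, 0, 0]
  }
}
resource "aws_network_acl_rule" "rule" {
  for_each       = local.nacl_rules
  network_acl_id = aws_network_acl.web.id
  rule_number    = each.value[0]
  egress         = each.value[1]
  protocol       = each.value[2]
  rule_action    = each.value[3]
  cidr_block     = each.value[4]
  from_port      = each.value[5]
  to_port        = each.value[6]
}
```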