AWS VPC Contd.
- Let's create a private route table and associate it with the app and db subnets.
- In the current state, we have:
  - two subnets, web and mgmt, which are public.
  - two subnets, app and db, which are private.
- EC2 instances in the web and mgmt subnets can be reached from the internet. But that access should not be allowed on all ports or from all IP addresses.
- So now, let's understand how to expose only TCP port 80 (http) and 443 (https) to everyone, as our application is served on those ports.
- So we need a layer of protection around the network interface that allows ports 80 and 443 to everyone and port 22 only to the organization's IP addresses.
- AWS has two levels of security for this:
  - Security around subnets: Network ACL (NACL)
  - Security around network interfaces: Security Group
- For an incoming packet (ingress) the NACL check is performed first and then the Security Group check; for an outgoing packet (egress) the order is reversed (Security Group first, then NACL).
- A NACL is created to give common protection to all the interfaces (instances) connected to a subnet.
- A Security Group is created to give specific protection to one interface (instance).
- In a Security Group all communication is closed by default; we write rules only to allow.
- In a NACL we can write both deny and allow rules.
- Security Groups and Network ACLs are created at the VPC level.
- When we create a VPC, a default Security Group and a default NACL are created.
- Default Security Group:
  - Default incoming rule: allow all traffic from the security group itself (i.e. from other interfaces that use this same security group).
  - Default outgoing rule: allow all outgoing traffic to anywhere.
- Let's create a security group that opens ports 80 and 443 for anyone to connect (incoming) and opens port 22 only to your client IP.
- Now let's create an EC2 instance in the web subnet and assign this security group to it.
- Now let's log in to the EC2 instance and install the Apache server (port 80) and Tomcat (port 8080):
sudo apt update
sudo apt install apache2 tomcat9 -y
- Now access the Apache server on port 80 from your browser.
- Now let's access the Tomcat server on port 8080; it should fail because no rule for 8080 is written in the security group => 8080 is denied.
- Now let's try to ping the server.
- For the ping to work, you need to open ICMP protocol access in the security group.
- Default NACL rule: allow all incoming and outgoing traffic. This NACL is associated by default with all subnets in your VPC.
- If we want to write custom NACL rules, then:
  - A NACL has both allow and deny rules.
  - Every rule has a rule number which defines its priority: the lower the rule number, the higher the priority.
  - Rules are evaluated in rule-number order; each rule matches on protocol, IP range and ports, and the first matching rule decides (allow or deny).
- To easily understand NACLs & SGs, refer to the image below.
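To make the ordering concrete, here is an added example (not AWS code and not from these notes) that models how an inbound packet is evaluated: the NACL is checked first, lowest rule number first, first match wins; then the Security Group, which has allow rules only. The security group below is the one the notes build (80 and 443 to anyone, 22 only to a client IP), the default NACL allows everything, and a constructed custom NACL shows a low-numbered deny beating a later allow-all. The client IP and the blocked range are constructed placeholders from the documentation address ranges; IPv4 and the inbound direction only are assumed.

```python
"""Evaluation model for AWS Security Groups and Network ACLs (added example).

Mimics the ordering in the notes for an inbound packet: NACL first
(ordered by rule number, first match decides), then Security Group
(allow-only rules, default deny). Not AWS code; rules and packets are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLIENT_IP = "203.0.113.10"   # constructed "organization" client IP (TEST-NET-3)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str            # "tcp", "udp" or "icmp"
    port: Optional[int]      # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    protocol: str            # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: Optional[int] = None
    port_to: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_from is None:   # protocol-wide rule (icmp, or "all")
            return True
        return pkt.port is not None and self.port_from <= pkt.port <= self.port_to


def security_group_allows(rules: List[Rule], pkt: Packet) -> bool:
    """Security Group: only allow rules exist; nothing matching means deny."""
    return any(r.matches(pkt) for r in rules)


def nacl_allows(numbered_rules: List[Tuple[int, str, Rule]], pkt: Packet) -> bool:
    """NACL: entries are (rule_number, "allow"|"deny", Rule). Lowest number is
    evaluated first and the first match decides; anything unmatched is denied
    (the implicit '*' rule at the end of every NACL)."""
    for _num, action, rule in sorted(numbered_rules, key=lambda t: t[0]):
        if rule.matches(pkt):
            return action == "allow"
    return False


def ingress_allowed(nacl_rules, sg_rules, pkt: Packet) -> bool:
    """Inbound packet: NACL check first, then the Security Group check."""
    return nacl_allows(nacl_rules, pkt) and security_group_allows(sg_rules, pkt)


# Security group from the notes: 80/443 to everyone, 22 only to the client IP.
WEB_SG = [
    Rule("tcp", ANY, 80, 80),
    Rule("tcp", ANY, 443, 443),
    Rule("tcp", f"{CLIENT_IP}/32", 22, 22),
]

# Default NACL: a single rule allowing all traffic from anywhere.
DEFAULT_NACL = [(100, "allow", Rule("all", ANY))]

# Custom NACL (constructed): rule 100 denies HTTP from one range; rule 200
# allows everything else. The lower number wins even though the SG allows 80.
CUSTOM_NACL = [
    (100, "deny", Rule("tcp", "198.51.100.0/24", 80, 80)),
    (200, "allow", Rule("all", ANY)),
]

if __name__ == "__main__":
    checks = {
        "http from internet": Packet("198.51.100.7", "tcp", 80),
        "tomcat 8080 from internet": Packet("198.51.100.7", "tcp", 8080),
        "ssh from client ip": Packet(CLIENT_IP, "tcp", 22),
        "ssh from elsewhere": Packet("198.51.100.7", "tcp", 22),
        "ping (icmp)": Packet(CLIENT_IP, "icmp", None),
    }
    for name, pkt in checks.items():
        print(f"{name:26s} default NACL: {ingress_allowed(DEFAULT_NACL, WEB_SG, pkt)!s:5s} "
              f"custom NACL: {ingress_allowed(CUSTOM_NACL, WEB_SG, pkt)}")
```

Two things the model makes visible: adding an ICMP allow rule to `WEB_SG` is what makes the ping succeed, and renumbering the custom NACL's deny rule above 200 silently disables it because the allow-all at 200 matches first, which is why rule numbers deserve the same review as the rules themselves.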