AWS Classroom Series – 01/Nov/2020

AWS VPC Contd..

  • Let's create a private route table and associate it with the app and db subnets.
  • In the current state, we have
    • two subnets web and mgmt which are public.
    • two subnets app and db which are private.
  • EC2 instances in the web and mgmt subnets can be reached from the internet. But reachability from the internet should not extend to every port or to every source IP address.
  • So let's see how to expose only TCP port 80 (HTTP) and 443 (HTTPS) to everyone, since our application listens on those ports.
  • We need a layer of protection around the network interface that allows 80 and 443 from anywhere and port 22 (SSH) only from the organization's IP addresses.
  • AWS has two levels of security for this:
    • Security around subnets: Network ACL (NACL)
    • Security around network interfaces: Security Group
  • For an incoming packet (ingress) the NACL check is performed first and then the Security Group check; for an outgoing packet (egress) the order is reversed.
  • A NACL gives common protection to all the interfaces (instances) in the subnet it is associated with.
  • A Security Group gives specific protection to the interface (instance) it is attached to.
  • In a Security Group all communication is closed by default; we write rules only to allow. Security groups are stateful: a reply to allowed traffic is let through regardless of the rules in the other direction.
  • In a NACL we can write both allow and deny rules. NACLs are stateless: return traffic must be explicitly allowed by a rule in the other direction (in practice, an outbound rule for the ephemeral port range).
  • Security Groups and Network ACLs are created at the VPC level.
  • When a VPC is created, a default Security Group and a default NACL are created with it.
  • Default Security Group:
    • Incoming rule: allow all traffic from instances that are themselves assigned to this security group (the group's own ID is the source)
    • Outgoing rule: allow all traffic to anywhere
  • Let's create a security group that opens ports 80 and 443 to anyone (incoming) and port 22 only to your client IP (a /32, never 0.0.0.0/0).
  • Now let's create an EC2 instance in the web subnet and assign this security group to it.
  • Now let's log in to the EC2 instance and install the Apache web server (port 80) and Tomcat (port 8080):
sudo apt update
sudo apt install apache2 tomcat9 -y
  • Now access the Apache server on port 80; it should load.
  • Now try to access Tomcat on port 8080; it should fail because no rule for 8080 is written in the security group, and no matching rule means deny.
  • Now try to ping the server; it fails for the same reason.
  • For ping to work, you need to allow the ICMP protocol (echo request) in the security group.
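The security group from the steps above, built with boto3 as an added example (this is not code from the original notes). The VPC id, group name and office CIDR are placeholders; the script refuses to open port 22 to 0.0.0.0/0, and the ICMP echo rule is optional and added separately, mirroring the order of the steps above.

```python
"""Added example (not from the original notes): create the web-tier security
group with boto3. VPC id, group name and office CIDR are placeholders."""
from __future__ import annotations

import ipaddress
from typing import Any

WEB_PORTS = (80, 443)  # application ports, open to everyone
SSH_PORT = 22          # management port, open only to the organisation's CIDR


def build_ingress_permissions(office_cidr: str) -> list[dict[str, Any]]:
    """IpPermissions for authorize_security_group_ingress: TCP 80 and 443 from
    0.0.0.0/0, TCP 22 only from office_cidr. Refuses a world-open SSH rule."""
    if ipaddress.ip_network(office_cidr, strict=False).prefixlen == 0:
        raise ValueError("refusing to open SSH to 0.0.0.0/0; use your office CIDR or a /32")
    perms = [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": f"public tcp/{port}"}]}
        for port in WEB_PORTS
    ]
    perms.append(
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [{"CidrIp": office_cidr, "Description": "ssh from office"}]}
    )
    return perms


def icmp_echo_permission(cidr: str = "0.0.0.0/0") -> dict[str, Any]:
    """For ICMP, FromPort/ToPort carry the ICMP type/code: type 8 (echo request)
    with code -1 (any). This is the narrowest rule that makes ping answer."""
    return {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
            "IpRanges": [{"CidrIp": cidr, "Description": "ping"}]}


def create_web_sg(ec2, vpc_id: str, office_cidr: str, allow_ping: bool = False) -> str:
    """Create the group and attach the inbound rules; the default outbound
    rule (allow all) is left alone. `ec2` is a boto3 EC2 client, or any object
    exposing the same two methods. Returns the new group id."""
    resp = ec2.create_security_group(
        GroupName="web-sg",  # placeholder name
        Description="web tier: 80/443 from anywhere, 22 from office",
        VpcId=vpc_id,
    )
    sg_id = resp["GroupId"]
    perms = build_ingress_permissions(office_cidr)
    if allow_ping:
        perms.append(icmp_echo_permission())
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
    return sg_id


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed

    client = boto3.client("ec2")  # region and credentials come from the environment
    # placeholder VPC id and office CIDR
    print(create_web_sg(client, "vpc-0123456789abcdef0", "203.0.113.0/24", allow_ping=True))
```

With `allow_ping=False` an instance in this group answers on 80 and 443 but not on 8080 and not to ping, which is exactly what the tests in the steps above show; adding the ICMP rule afterwards is a second `authorize_security_group_ingress` call with only the echo permission.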
  • Default NACL: allows all incoming and outgoing traffic. It is associated by default with every subnet in your VPC that is not explicitly associated with a custom NACL. A custom NACL you create has no rules except the implicit deny, so it blocks everything until you add allow rules.
  • If we want to write custom NACL rules:
    • A NACL has both allow and deny rules.
    • Every rule has a rule number that defines its priority; the lower the number, the higher the priority.
    • Rules are evaluated in ascending rule-number order and the first rule that matches the packet (on protocol, IP range and port range) decides; if no rule matches, the implicit "*" rule at the end denies the packet.
  • To understand NACL & SG more easily, refer to the image below.
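A small model of the evaluation order described above, as an added example (not code from the original notes): a stateless NACL with numbered allow/deny rules evaluated lowest number first with an implicit deny, followed by an allow-only security group. The rule sets and addresses are constructed here to mirror the notes (80/443 public, 22 from a placeholder office range 203.0.113.0/24); it reproduces the 8080 and ping failures from the security group steps, shows a NACL deny taking effect only when its number is lower than the allow-all rule, and shows why a stateless NACL needs an outbound ephemeral-port rule for replies.

```python
"""Added example (not from the original notes): how ingress traffic is judged by a
NACL (stateless, numbered, first match wins, implicit deny) and then a security
group (allow-only). Rule sets and addresses are constructed samples."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    remote: str  # the remote address: source for inbound, destination for outbound
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # destination port; for icmp, the ICMP type (8 = echo request)


@dataclass(frozen=True)
class Rule:
    """One NACL or SG rule. NACL rules use number/action; SG rules are
    allow-only, so for them number and action are ignored."""
    proto: str                           # "tcp", "udp", "icmp" or "all"
    cidr: str
    ports: tuple[int, int] = (0, 65535)  # inclusive range (ICMP: type range)
    number: int = 0
    action: str = "allow"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and ipaddress.ip_address(p.remote) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= p.port <= self.ports[1])


def nacl_decides(rules: list[Rule], p: Packet) -> bool:
    """Stateless NACL: try rules in ascending rule number, first match wins;
    the implicit '*' rule at the end denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action == "allow"
    return False


def sg_decides(rules: list[Rule], p: Packet) -> bool:
    """Security group: allow-only, so no matching rule means drop."""
    return any(r.matches(p) for r in rules)


def ingress(nacl: list[Rule], sg: list[Rule], p: Packet) -> str:
    """Order AWS uses for traffic entering a subnet: NACL first, then SG."""
    if not nacl_decides(nacl, p):
        return "denied by NACL"
    if not sg_decides(sg, p):
        return "denied by SG"
    return "allowed"


# Constructed sample rule sets mirroring the notes above (placeholder addresses).
OFFICE = "203.0.113.0/24"
DEFAULT_NACL = [Rule("all", "0.0.0.0/0", number=100)]          # allow everything
WEB_SG = [Rule("tcp", "0.0.0.0/0", (80, 80)),
          Rule("tcp", "0.0.0.0/0", (443, 443)),
          Rule("tcp", OFFICE, (22, 22))]
# Deny SSH from one office host before the allow-all rule. Numbered 300 instead
# of 50 it would sit behind the allow-all and never fire.
CUSTOM_NACL = [Rule("tcp", "203.0.113.7/32", (22, 22), number=50, action="deny"),
               Rule("all", "0.0.0.0/0", number=200)]
# Outbound NACL rules that list only 80/443: replies to clients go to ephemeral
# ports, so without a 1024-65535 rule the stateless NACL drops them.
OUTBOUND_NO_EPHEMERAL = [Rule("tcp", "0.0.0.0/0", (80, 80), number=100),
                         Rule("tcp", "0.0.0.0/0", (443, 443), number=110)]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [Rule("tcp", "0.0.0.0/0", (1024, 65535), number=120)]

if __name__ == "__main__":
    client = "198.51.100.9"  # constructed internet client address
    for pkt in (Packet(client, "tcp", 80), Packet(client, "tcp", 8080),
                Packet(client, "icmp", 8), Packet("203.0.113.8", "tcp", 22),
                Packet(client, "tcp", 22)):
        print("default NACL + web SG:", pkt, "->", ingress(DEFAULT_NACL, WEB_SG, pkt))
    print("custom NACL, blocked host:", ingress(CUSTOM_NACL, WEB_SG, Packet("203.0.113.7", "tcp", 22)))
    reply = Packet(client, "tcp", 51514)  # server reply toward the client's ephemeral port
    print("reply without ephemeral rule:", nacl_decides(OUTBOUND_NO_EPHEMERAL, reply))
    print("reply with ephemeral rule:", nacl_decides(OUTBOUND_WITH_EPHEMERAL, reply))
```

The security group needs no outbound counterpart for the reply because it is stateful: once the inbound request is allowed, the response is tracked and let out. The NACL, being stateless, judges the reply as a fresh outbound packet, which is why the last two lines differ.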
