AWS Classroom Series – 01/Nov/2020

AWS VPC (contd.)

  • Let's create a private route table and associate it with the app and db subnets
  • In the current state, we have
    • two subnets, web and mgmt, which are public.
    • two subnets, app and db, which are private.
  • EC2 instances in the web and mgmt subnets can be accessed from the internet. But access from the internet should not be allowed on all ports or from all IP addresses.
  • So now, let's understand how to expose only TCP port 80 (HTTP) and 443 (HTTPS) to everyone, as our application is running on those ports
  • So we need a layer of protection around the network interface that allows the HTTP and HTTPS ports to everyone, and port 22 only to the organization's IP addresses.
  • AWS has two levels of security for this
    • Security around subnets: Network ACL (NACL)
    • Security around network interfaces: Security Group
  • For an incoming packet (ingress) the NACL check is performed first and then the Security Group check; vice versa for an outgoing packet (egress).
  • A NACL is created to give common protection to all the interfaces (instances) connected to a subnet
  • A Security Group is created to give specific protection to an interface (instance)
  • In a Security Group all communication is closed by default; we write rules only to allow.
  • In a NACL we can write both deny and allow rules.
  • Security groups and network ACLs are created at the VPC level.
  • When we create a VPC, a default security group and a default NACL are created.
  • Default Security Group:
    • Allow all traffic from the security group itself is the default incoming rule
    • Allow all outgoing traffic to anywhere is the default outgoing rule
  • Let's create a security group to open port 80 and port 443 for anyone to connect (incoming). Open port 22 only to your client IP
  • Now let's create an EC2 instance in the web subnet and assign this security group
  • Now let's log in to the EC2 instance and install the Apache server (80) and Tomcat (8080)
sudo apt update
sudo apt install apache2 tomcat9 -y
  • Now access the Apache server
  • Now let's access the Tomcat server; it should fail because no rule for 8080 is written in the security group => 8080 is denied
  • Now let's try to ping the server
  • For the ping to work, you need to open ICMP protocol access in the security group
  • Default NACL rule: allow all incoming and outgoing traffic. This NACL is associated by default with all subnets in your VPC.
  • If we want to write custom NACL rules, then
    • A NACL has both allow and deny rules
    • Every rule has a rule # (rule number) which defines priority. The lower the rule number, the higher the priority
    • Rules are evaluated on priority, protocol, IP range and ports
  • To easily understand NACL & SG, refer to the image below
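
The two layers described in these notes, the allow-only security group and the numbered allow/deny NACL that is checked before it on ingress, can be modelled offline. The following Python is an added example written for this page, not code from AWS or from the original post: it evaluates rules in plain Python (no boto3, nothing is created in an account). The addresses are constructed from the RFC 5737 documentation ranges; 203.0.113.0/24 is assumed to be the organization's range for port 22 and 198.51.100.7 a client on the internet. It replays the checks from the notes (Apache on 80 works, Tomcat on 8080 fails, ping fails until an ICMP rule is added, SSH only from the organization) and then shows how a NACL deny numbered lower or higher than the allow-all rule 100 changes the outcome.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
ORG_CIDR = "203.0.113.0/24"      # assumed "organization ip addresses" for port 22
ORG_CLIENT = "203.0.113.10"
INTERNET_CLIENT = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]    # None for icmp


@dataclass(frozen=True)
class SgRule:
    """Security group rule: allow-only, so there is no action field."""
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    """Network ACL rule: numbered, and may allow or deny."""
    number: int
    proto: str                 # "all" or a protocol name
    from_port: int
    to_port: int
    cidr: str
    action: str                # "allow" or "deny"


def _matches(proto: str, from_port: int, to_port: int, cidr: str, pkt: Packet) -> bool:
    """Does a rule's protocol / source CIDR / port range cover the packet?"""
    if proto != "all" and proto != pkt.proto:
        return False
    if ip_address(pkt.src_ip) not in ip_network(cidr):
        return False
    if proto == "all" or pkt.proto == "icmp":
        return True            # no port check for "all traffic" or for ICMP
    return from_port <= pkt.dst_port <= to_port


def sg_allows(rules: List[SgRule], pkt: Packet) -> bool:
    """Security group: everything is closed unless some rule allows it."""
    return any(_matches(r.proto, r.from_port, r.to_port, r.cidr, pkt) for r in rules)


def nacl_allows(rules: List[NaclRule], pkt: Packet) -> bool:
    """NACL: walk rules by ascending rule number; the first match decides.
    If nothing matches, the implicit final '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.from_port, r.to_port, r.cidr, pkt):
            return r.action == "allow"
    return False


def ingress_allowed(nacl: List[NaclRule], sg: List[SgRule], pkt: Packet) -> bool:
    """Ingress order from the notes: NACL at the subnet edge first, then the security group."""
    return nacl_allows(nacl, pkt) and sg_allows(sg, pkt)


# Security group from the notes: 80/443 to everyone, 22 only to the org range.
WEB_SG = [
    SgRule("tcp", 80, 80, "0.0.0.0/0"),
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, ORG_CIDR),
]
WEB_SG_WITH_ICMP = WEB_SG + [SgRule("icmp", -1, -1, "0.0.0.0/0")]

# Default NACL: a single allow-all rule 100, followed by the implicit '*' deny.
DEFAULT_NACL = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]

# Custom NACL: rule 90 denies SSH from anywhere, and is evaluated before rule 100.
CUSTOM_NACL = DEFAULT_NACL + [NaclRule(90, "tcp", 22, 22, "0.0.0.0/0", "deny")]

# Same deny numbered 110: rule 100 (allow all) matches first, so the deny never fires.
MISORDERED_NACL = DEFAULT_NACL + [NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "deny")]


def demo() -> dict:
    """Replay the checks from the notes; True means the packet reaches the instance."""
    http = Packet(INTERNET_CLIENT, "tcp", 80)
    tomcat = Packet(INTERNET_CLIENT, "tcp", 8080)
    ping = Packet(INTERNET_CLIENT, "icmp", None)
    ssh_org = Packet(ORG_CLIENT, "tcp", 22)
    ssh_internet = Packet(INTERNET_CLIENT, "tcp", 22)
    return {
        "apache_80": ingress_allowed(DEFAULT_NACL, WEB_SG, http),
        "tomcat_8080": ingress_allowed(DEFAULT_NACL, WEB_SG, tomcat),
        "ping_no_icmp_rule": ingress_allowed(DEFAULT_NACL, WEB_SG, ping),
        "ping_with_icmp_rule": ingress_allowed(DEFAULT_NACL, WEB_SG_WITH_ICMP, ping),
        "ssh_from_org": ingress_allowed(DEFAULT_NACL, WEB_SG, ssh_org),
        "ssh_from_internet": ingress_allowed(DEFAULT_NACL, WEB_SG, ssh_internet),
        "ssh_from_org_nacl_deny_90": ingress_allowed(CUSTOM_NACL, WEB_SG, ssh_org),
        "ssh_from_org_nacl_deny_110": ingress_allowed(MISORDERED_NACL, WEB_SG, ssh_org),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The model deliberately covers only the ingress decision. Real security groups are stateful (the reply to an allowed request is let back out without an egress rule), while NACLs are stateless, so a custom NACL also needs outbound rules for the reply traffic; the `ssh_from_org_nacl_deny_90` versus `ssh_from_org_nacl_deny_110` pair is the point to check when a NACL deny does not seem to take effect.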
