AWS Classroom Series – 28/Mar/2021

Security Groups and Network ACLs

  • A Security Group acts as a virtual firewall for an EC2 instance (it is attached to the instance's network interface) to control inbound and outbound traffic
  • A Network Access Control List (NACL) is an optional layer of security for the VPC that acts as a firewall controlling traffic in and out of one or more subnets
  • The basic workflow of security groups and NACLs is as shown below: traffic entering a subnet is evaluated by the subnet's NACL first and then by the instance's security group; traffic leaving an instance is evaluated by its security group first and then by the subnet's NACL
  • In AWS when we create a VPC
    • a default NACL is created which has rules to allow all incoming and outgoing traffic, and every subnet that is not explicitly associated with another NACL uses it
  • Network ACL rules have the following parts
    • Rule number:
      • This defines the priority. Rules are evaluated in ascending order and the first rule that matches the traffic decides; the lower the rule number, the higher the priority
    • Type
      • You can pick a common traffic type (SSH, HTTP, etc.), which fills in the protocol and port, or a custom protocol and port range
    • Protocol: TCP/UDP/ICMP (or all)
    • Port range: the destination port or range of ports the rule applies to
    • Source (for inbound rules) or Destination (for outbound rules): a CIDR range
    • Allow/Deny
    • If no rule matches, the final * rule denies the traffic
  • Examples
  • The NACLs which we create have to be associated with the subnets explicitly; until then a subnet stays on the default NACL
  • One default Security Group is also created when we create a VPC
  • In a NACL we write both allow and deny rules, whereas in a security group we write only allow rules (if you don't write a rule for some traffic, it is denied)
  • A security group is stateful: if a request is allowed, its reply is allowed automatically, whatever the rules in the other direction say. A NACL is stateless: the request and the reply are each evaluated separately against the inbound and outbound rules

Scenario

  • Create a VPC with 2 subnets
    • web
    • app
  • Create two EC2 instances, one in web (give it a public IP) and the other in app (no public IP)
  • Create a security group for the EC2 instance in the web subnet which
    • allows port 22 from anywhere
    • allows port 80 from anywhere
    • allows ping (ICMP) from anywhere
    • (port 22 from anywhere is acceptable for this lab; in a real environment restrict SSH to known admin addresses)
  • Create a security group for the EC2 instance in the app subnet which
    • allows port 8080 from the web subnet (use the web subnet's CIDR, or the web security group itself, as the source)
  • Create a NACL which allows all communication within the VPC and allows port 22 and 80 communication from anywhere, and associate it with both subnets
  • Now create the EC2 instance in the web subnet with the web security group
  • Do the same for the app server, then check connectivity: SSH and HTTP from your machine to the web instance, and from the web instance to the app instance on port 8080

Ephemeral ports

  • A NACL is stateless, so when we create NACL rules it is important that we allow communication on the ephemeral ports 1024-65535 within the VPC: the reply to a request comes back to a port from this range, not to the service port, and without such a rule the request gets in and the reply is dropped
    • Linux kernels (including the Amazon Linux kernel) use 32768-61000
    • Elastic Load Balancing uses 1024-65535
    • NAT gateways use 1024-65535
  • So ensure you have NACL rules, inbound and outbound, which allow communication on these ports for the VPC CIDR range. If an instance serves clients outside the VPC (port 80 from anywhere in the scenario above), the outbound rule must also allow 1024-65535 to 0.0.0.0/0, otherwise the replies to those clients are dropped.
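The scenario and the ephemeral-port rule above, as an added example that is not code from the original post and not an AWS API: a small offline model of how a security group (unordered allow rules, default deny, stateful) and a NACL (numbered rules, first match wins, implicit * deny, stateless) evaluate a request and its reply. The VPC and subnet CIDRs, instance addresses, rule numbers, the internet client address and the source ports are all assumptions made up for the example.

```python
# Offline model of AWS security-group and network-ACL evaluation (constructed
# example; addresses, rule numbers and ports are assumptions, not from the post).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
VPC = "10.0.0.0/16"                                   # assumed VPC CIDR
WEB_CIDR, APP_CIDR = "10.0.1.0/24", "10.0.2.0/24"    # assumed subnet CIDRs
CLIENT = "203.0.113.5"                                # constructed internet client (TEST-NET-3)

@dataclass(frozen=True)
class Rule:
    """One NACL or security-group rule. cidr is the source for inbound rules and the
    destination for outbound rules. number/action matter only for NACLs."""
    proto: str                         # "tcp", "udp", "icmp" or "all"
    cidr: str
    ports: tuple = (0, 65535)          # inclusive range; ignored for icmp/all
    number: int = 0
    action: str = "allow"

    def matches(self, ip, proto, port):
        if ip_address(ip) not in ip_network(self.cidr):
            return False
        if self.proto not in ("all", proto):
            return False
        return self.proto not in ("tcp", "udp") or self.ports[0] <= port <= self.ports[1]

def nacl_allows(rules, ip, proto, port):
    """NACL semantics: lowest rule number first, first match wins, implicit * deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, proto, port):
            return rule.action == "allow"
    return False

@dataclass
class Subnet:
    cidr: str
    nacl_in: list
    nacl_out: list

@dataclass
class Instance:
    ip: str
    subnet: Subnet
    sg_in: list        # security group: unordered inbound allow rules, default deny

def request_allowed(src, dst, proto, dst_port, src_port=0, src_ip=None):
    """src is an Instance, or None for a host outside the VPC at src_ip. Returns
    (allowed, reason). The request and its reply are checked separately against
    the NACLs because they are stateless; the stateful security group admits the
    reply of an allowed request without any inbound rule on the requester."""
    src_ip = src.ip if src else src_ip
    if src and not nacl_allows(src.subnet.nacl_out, dst.ip, proto, dst_port):
        return False, "request blocked by source subnet NACL (outbound)"
    if not nacl_allows(dst.subnet.nacl_in, src_ip, proto, dst_port):
        return False, "request blocked by destination subnet NACL (inbound)"
    if not any(r.matches(src_ip, proto, dst_port) for r in dst.sg_in):
        return False, "request blocked by destination security group"
    # Reply goes back to the requester's ephemeral port, not to the service port.
    if not nacl_allows(dst.subnet.nacl_out, src_ip, proto, src_port):
        return False, "reply blocked by destination subnet NACL (outbound ephemeral port)"
    if src and not nacl_allows(src.subnet.nacl_in, dst.ip, proto, src_port):
        return False, "reply blocked by source subnet NACL (inbound ephemeral port)"
    return True, "allowed"

def build_scenario(with_ephemeral_rule):
    """The scenario from the post: one NACL on both subnets, a web SG and an app SG."""
    nacl_in = [Rule("all", VPC, number=100),               # everything inside the VPC
               Rule("tcp", ANY, (22, 22), number=110),     # SSH from anywhere
               Rule("tcp", ANY, (80, 80), number=120)]     # HTTP from anywhere
    nacl_out = [Rule("all", VPC, number=100)]
    if with_ephemeral_rule:                                # replies to internet clients
        nacl_out.append(Rule("tcp", ANY, (1024, 65535), number=110))
    web_subnet = Subnet(WEB_CIDR, nacl_in, nacl_out)
    app_subnet = Subnet(APP_CIDR, nacl_in, nacl_out)
    web = Instance("10.0.1.10", web_subnet,
                   [Rule("tcp", ANY, (22, 22)), Rule("tcp", ANY, (80, 80)), Rule("icmp", ANY)])
    app = Instance("10.0.2.10", app_subnet, [Rule("tcp", WEB_CIDR, (8080, 8080))])
    return web, app

def run_checks(with_ephemeral_rule):
    web, app = build_scenario(with_ephemeral_rule)
    return {
        "internet->web:80": request_allowed(None, web, "tcp", 80, 40000, CLIENT),
        "internet->app:22": request_allowed(None, app, "tcp", 22, 40001, CLIENT),
        "web->app:8080": request_allowed(web, app, "tcp", 8080, 40002),
        "app->web:ping": request_allowed(app, web, "icmp", 0),
    }

def deny_precedence():
    """Same two rules, only the numbers swapped: the lower-numbered rule wins."""
    deny_first = [Rule("tcp", ANY, (22, 22), 100, "deny"), Rule("tcp", ANY, (22, 22), 200)]
    allow_first = [Rule("tcp", ANY, (22, 22), 100), Rule("tcp", ANY, (22, 22), 200, "deny")]
    return nacl_allows(deny_first, CLIENT, "tcp", 22), nacl_allows(allow_first, CLIENT, "tcp", 22)

if __name__ == "__main__":
    for ephemeral in (False, True):
        print("ephemeral rule:", ephemeral, run_checks(ephemeral))
    print("deny numbered 100/allow 200 vs allow 100/deny 200:", deny_precedence())
```

Running it shows the point of the ephemeral-port section: with only the "allow all within the VPC" outbound rule, the internet client's request on port 80 passes the NACL and the web security group, but the reply to the client's port 40000 is dropped by the outbound NACL; adding the 1024-65535 rule to 0.0.0.0/0 makes the flow work. The web-to-app request on 8080 works either way because both ends are inside the VPC CIDR, and the internet-to-app request on 22 is let through by the NACL but stopped by the app security group, which shows why the two layers are evaluated independently.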

Discover more from Direct DevOps from Quality Thought