AWS Classroomnotes 10/Feb/2023

Security Groups and Network ACLs

  • Security groups and Network ACLs both filter network traffic.
  • A security group operates at the network interface level, whereas a Network ACL operates at the subnet level.
  • Network ACL:

    • When a VPC is created, a default NACL is created with it.
    • The default NACL rules allow all incoming and outgoing traffic.
  • Security Group:

    • The default rule is deny all.
    • Depending on what we need to allow, we create rules.

Network ACL

  • The following fields exist for every rule:
    • Rule number: the lower the number, the higher the priority
    • Protocol
    • Port
    • Source/Destination
    • Allow/Deny
  • Whenever a packet is received, the inbound rules are evaluated in order of priority (ascending rule number); the first rule that matches decides, and the final `*` rule denies anything that matched nothing else.

Example 1: inbound rules

    100  TCP  22  0.0.0.0/0       Deny
    110  TCP  22  192.168.0.0/16  Allow
    *    *    *   *               Deny

    src: 3.4.5.6, dest: 192.168.0.39
      http (tcp 80) => denied   (no rule matches port 80, so the * rule denies)
      ssh  (tcp 22) => denied   (rule 100)

    src: 192.168.1.42, dest: 192.168.0.39
      ssh  (tcp 22) => denied   (rule 100 matches 0.0.0.0/0 first; rule 110 is never reached)

Example 2: the same rules with the numbers swapped

    100  TCP  22  192.168.0.0/16  Allow
    110  TCP  22  0.0.0.0/0       Deny
    *    *    *   *               Deny

    src: 3.4.5.6, dest: 192.168.0.39
      http (tcp 80) => denied   (* rule)
      ssh  (tcp 22) => denied   (rule 110)

    src: 192.168.1.42, dest: 192.168.0.39
      ssh  (tcp 22) => allowed  (rule 100 matches the VPC range before rule 110 is reached)
  • Whenever a packet is sent, the outbound rules are evaluated in the same order of priority.
  • Let's create a NACL which allows all communication within the VPC and all outbound communication to anywhere, and allows only ports 22 and 80 inbound from anywhere.
  • Subnets are not associated with a NACL automatically; we need to explicitly associate them.
  • Create a VPC with web, app and db subnets.
  • Ensure the web subnet allows incoming:
    • any traffic from within the VPC
    • only 22, 80 and 443 from external sources
  • Ensure the db and app subnets allow incoming traffic only from within the VPC; no external communication is allowed.
web (inbound)

    100  TCP          22   0.0.0.0/0       Allow
    110  TCP          80   0.0.0.0/0       Allow
    120  TCP          443  0.0.0.0/0       Allow
    130  All traffic  *    192.168.0.0/16  Allow
    *    All traffic  *    *               Deny

web (outbound)

    100  All traffic  *    0.0.0.0/0       Allow
    *    All traffic  *    *               Deny

db & app => NACL (inbound)

    100  All traffic  *    192.168.0.0/16  Allow
    *    All traffic  *    *               Deny

app

    100  All traffic  *    0.0.0.0/0       Allow
    *    All traffic  *    *               Deny


  • Let's assume we have a rule which refers to one specific IP address:
    • Rule IP (100.110.120.130/32)
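To make the evaluation order concrete, here is a small rule evaluator added to these notes (it is not AWS code and not part of the original post). It implements the first-match-by-rule-number behaviour described above with an implicit final Deny standing in for the `*` row, and encodes the two example tables, the web and db/app inbound tables, and the /32 single-host rule from the notes. The packet addresses used for the checks (3.4.5.6, 192.168.1.42, 192.168.5.5, 192.168.2.10, 100.110.120.131) are constructed sample values.

```python
"""Toy Network ACL evaluator for the rule tables in these notes.

First match in ascending rule-number order wins; the '*' row is modelled as an
implicit final Deny.  Added example, not AWS's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int                       # lower number = higher priority
    protocol: str                     # "TCP", "UDP", "ICMP" or "All"
    ports: Optional[Tuple[int, int]]  # inclusive port range; None = any port
    cidr: str                         # source (inbound) or destination (outbound)
    action: str                       # "Allow" or "Deny"


def evaluate(rules: List[NaclRule], protocol: str, port: int, ip: str) -> str:
    """Return "Allow" or "Deny" for one packet.

    Rules are checked in ascending rule-number order; the first rule whose
    protocol, port and CIDR all match decides.  If nothing matches, the
    catch-all '*' row denies.
    """
    addr = ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "All" and rule.protocol != protocol:
            continue
        if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if addr not in ip_network(rule.cidr, strict=False):
            continue
        return rule.action
    return "Deny"  # the '*' row


# Example 1 from the notes: the Deny for 0.0.0.0/0 has the lower number, so it
# is evaluated first and SSH from inside the VPC is denied too.
CASE1 = [
    NaclRule(100, "TCP", (22, 22), "0.0.0.0/0", "Deny"),
    NaclRule(110, "TCP", (22, 22), "192.168.0.0/16", "Allow"),
]
# Example 2: same rules with the numbers swapped, so the VPC Allow wins.
CASE2 = [
    NaclRule(100, "TCP", (22, 22), "192.168.0.0/16", "Allow"),
    NaclRule(110, "TCP", (22, 22), "0.0.0.0/0", "Deny"),
]
# web subnet inbound: 22/80/443 from anywhere, all traffic from inside the VPC.
WEB_INBOUND = [
    NaclRule(100, "TCP", (22, 22), "0.0.0.0/0", "Allow"),
    NaclRule(110, "TCP", (80, 80), "0.0.0.0/0", "Allow"),
    NaclRule(120, "TCP", (443, 443), "0.0.0.0/0", "Allow"),
    NaclRule(130, "All", None, "192.168.0.0/16", "Allow"),
]
# db and app subnets inbound: only traffic from inside the VPC.
DB_APP_INBOUND = [
    NaclRule(100, "All", None, "192.168.0.0/16", "Allow"),
]
# A rule for one specific host, written as a /32 (the notes' 100.110.120.130/32).
SINGLE_HOST = [
    NaclRule(100, "TCP", (22, 22), "100.110.120.130/32", "Allow"),
]


def trace(rules: List[NaclRule], packets):
    """Evaluate several (protocol, port, src) packets; returns (src, port, decision) tuples."""
    return [(src, port, evaluate(rules, proto, port, src)) for proto, port, src in packets]


if __name__ == "__main__":
    sample = [("TCP", 80, "3.4.5.6"), ("TCP", 22, "3.4.5.6"), ("TCP", 22, "192.168.1.42")]
    for name, rules in [("example 1", CASE1), ("example 2", CASE2)]:
        for src, port, decision in trace(rules, sample):
            print(f"{name}: tcp {port} from {src} -> {decision}")
```

Because rule number alone decides which of two overlapping rules applies, a review of a NACL should sort by number and read top-down exactly as `evaluate` does; a broad Deny placed above a narrower Allow silently disables the Allow, which is the mistake Example 1 demonstrates. NACLs are stateless, so the outbound table is evaluated independently for return traffic, which is why the web subnet needs its outbound Allow as well.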

Security Group

  • We write only Allow rules.
  • To be continued in the next session.

By continuous learner

devops & cloud enthusiastic learner

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Animated Social Media Icons by Acurax Responsive Web Designing Company

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Visit Us On FacebookVisit Us On LinkedinVisit Us On Youtube