Security Groups and Network ACLs
- Security groups and Network ACLs both filter network traffic.
- A security group operates at the network interface level, whereas a Network ACL operates at the subnet level.
Network ACL:
- When a VPC is created, a default NACL is created along with it.
- The default NACL's rules allow all inbound and outbound traffic.
Security Group:
- The default is deny all.
- Rules are created for whatever needs to be allowed.
Network ACL
- Every rule has the following fields:
  - Rule number: the lower the number, the higher the priority
  - Protocol
  - Port
  - Source (inbound rules) / Destination (outbound rules)
  - Allow/Deny
- Whenever a packet is received, the inbound rules are evaluated in priority order (lowest rule number first); the first rule that matches the packet is applied. The order of the rules therefore matters, as the two rule sets below show.
Example 1 (inbound rules):
  Rule  Protocol  Port  Source           Action
  100   TCP       22    0.0.0.0/0        Deny
  110   TCP       22    192.168.0.0/16   Allow
  *     *         *     *                Deny

  src 3.4.5.6 -> dest 192.168.0.39:
    http (tcp 80) => denied   (no rule matches, so the * rule applies)
    ssh (tcp 22)  => denied   (rule 100)
  src 192.168.1.42 -> dest 192.168.0.39:
    ssh (tcp 22)  => denied   (rule 100 matches before rule 110 is reached)

Example 2 (inbound rules, order swapped):
  Rule  Protocol  Port  Source           Action
  100   TCP       22    192.168.0.0/16   Allow
  110   TCP       22    0.0.0.0/0        Deny
  *     *         *     *                Deny

  src 3.4.5.6 -> dest 192.168.0.39:
    http (tcp 80) => denied   (no rule matches, so the * rule applies)
    ssh (tcp 22)  => denied   (rule 110)
  src 192.168.1.42 -> dest 192.168.0.39:
    ssh (tcp 22)  => allowed  (rule 100)
- Whenever a packet is sent, the outbound rules are evaluated in the same priority order, against the packet's destination.
Let's create NACLs that allow all communication within the VPC and all outbound communication to anywhere, and allow only ports 22 and 80 from anywhere.
- Subnets are not associated with a custom NACL automatically; the association has to be added explicitly.
- Create a VPC with web, app and db subnets as shown below.
- Ensure the web subnet allows incoming traffic:
  - from within the VPC on any port and protocol
  - from external sources only on ports 22, 80 and 443
- Ensure the db and app subnets allow incoming traffic from within the VPC on any port and protocol; no external communication is allowed.
web NACL, inbound:
  Rule  Protocol     Port  Source           Action
  100   TCP          22    0.0.0.0/0        Allow
  110   TCP          80    0.0.0.0/0        Allow
  120   TCP          443   0.0.0.0/0        Allow
  130   All traffic  *     192.168.0.0/16   Allow
  *     All traffic  *     *                Deny

web NACL, outbound:
  Rule  Protocol     Port  Destination      Action
  100   All traffic  *     0.0.0.0/0        Allow
  *     All traffic  *     *                Deny

db & app NACL, inbound:
  Rule  Protocol     Port  Source           Action
  100   All traffic  *     192.168.0.0/16   Allow
  *     All traffic  *     *                Deny

app NACL, outbound:
  Rule  Protocol     Port  Destination      Action
  100   All traffic  *     0.0.0.0/0        Allow
  *     All traffic  *     *                Deny
- Suppose we need a rule that refers to one specific IP address rather than a range.
  - Use a /32 CIDR for it, e.g. 100.110.120.130/32, which matches exactly that one host.
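The rule evaluation described in these notes, as an added Python example (it is not part of the original notes and not an AWS tool): it encodes the two ordering examples and the web and db/app inbound tables above as data, checks each packet against the rules in ascending rule-number order, applies the first match, and falls back to the implicit `*` deny when nothing matches. The `Rule`, `Packet`, `evaluate` and `trace` names and the probe addresses (3.4.5.6, 192.168.1.42, 100.110.120.130) are this example's own; the rule sets are the ones from the notes. The CIDR check uses Python's `ipaddress` module, so a /32 rule matches exactly one host, and inbound rules are matched on the packet's source while outbound rules would be matched on its destination, one direction at a time.

```python
"""Network ACL rule evaluator (constructed example, not AWS code).

Rules are evaluated in ascending rule-number order; the first matching rule
decides. If no rule matches, the implicit '*' rule denies the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

ANY = "*"  # wildcard for protocol, port, and the implicit catch-all rule


@dataclass(frozen=True)
class Rule:
    number: int                              # lower number = higher priority
    protocol: str                            # "tcp", "udp", "icmp" or "*"
    port: Union[int, Tuple[int, int], str]   # single port, (low, high) range, or "*"
    cidr: str                                # source CIDR (inbound) / destination CIDR (outbound)
    action: str                              # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int
    address: str  # source IP for inbound evaluation, destination IP for outbound


def port_matches(rule_port, port: int) -> bool:
    """True if the packet port falls inside the rule's port or port range."""
    if rule_port == ANY:
        return True
    if isinstance(rule_port, tuple):
        low, high = rule_port
        return low <= port <= high
    return rule_port == port


def rule_matches(rule: Rule, packet: Packet) -> bool:
    """Protocol, port and CIDR must all match for a rule to apply."""
    if rule.protocol != ANY and rule.protocol != packet.protocol:
        return False
    if not port_matches(rule.port, packet.port):
        return False
    # 0.0.0.0/0 matches every address; a /32 matches exactly one host
    return ipaddress.ip_address(packet.address) in ipaddress.ip_network(rule.cidr)


def evaluate(rules, packet: Packet):
    """Return (action, rule_number) of the first matching rule, else ('deny', '*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, packet):
            return rule.action, rule.number
    return "deny", ANY


# Constructed rule sets, copied from the tables in the notes.
# Ordering example 1: deny-from-anywhere comes first, so rule 110 never fires.
DENY_FIRST = [
    Rule(100, "tcp", 22, "0.0.0.0/0", "deny"),
    Rule(110, "tcp", 22, "192.168.0.0/16", "allow"),
]
# Ordering example 2: the VPC allow rule is evaluated before the broad deny.
ALLOW_FIRST = [
    Rule(100, "tcp", 22, "192.168.0.0/16", "allow"),
    Rule(110, "tcp", 22, "0.0.0.0/0", "deny"),
]
# Inbound NACL for the web subnet.
WEB_INBOUND = [
    Rule(100, "tcp", 22, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 80, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 443, "0.0.0.0/0", "allow"),
    Rule(130, ANY, ANY, "192.168.0.0/16", "allow"),
]
# Inbound NACL for the db and app subnets: only traffic from inside the VPC.
DB_APP_INBOUND = [Rule(100, ANY, ANY, "192.168.0.0/16", "allow")]


def trace(rules, packets):
    """Evaluate each packet and print a one-line verdict; returns the rows."""
    rows = []
    for p in packets:
        action, number = evaluate(rules, p)
        rows.append((p.address, p.protocol, p.port, action, number))
        print(f"{p.address:>16} {p.protocol}/{p.port:<5} => {action:<5} (rule {number})")
    return rows


if __name__ == "__main__":
    # Constructed probe packets matching the src/dest examples in the notes.
    probes = [Packet("tcp", 80, "3.4.5.6"), Packet("tcp", 22, "3.4.5.6"),
              Packet("tcp", 22, "192.168.1.42")]
    print("deny-first rule set:")
    trace(DENY_FIRST, probes)
    print("allow-first rule set:")
    trace(ALLOW_FIRST, probes)
```

Running the script reproduces the two verdict tables from the notes; swapping the list order of the rules does not change the result, because `evaluate` sorts by rule number before matching, which is exactly why the number, not the position, sets the priority.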
Security Group
- Only Allow rules are written; there are no Deny rules.
- To be continued in next session