AWS Classroomnotes 10/Feb/2023

Security Groups and Network ACLs

  • Security groups and Network ACLs can filter the network traffic.
  • A security group operates at the network interface level, whereas a Network ACL operates at the subnet level
  • Network ACL:

    • When a VPC is created, a default NACL is created with it
    • The default NACL rules allow all incoming and outgoing traffic
  • Security Group:

    • The default rule is deny all
    • Depending on what we need to allow, we create rules

Network ACL

  • The following fields exist for every rule
    • Rule number: the lower the number, the higher the priority
    • Protocol
    • Port
    • Source/Destination
    • Allow/Deny
  • Whenever a packet is received, the inbound rules are evaluated in order of priority, and the first rule that matches decides

Rule  Proto  Port  Source           Action
100   TCP    22    0.0.0.0/0        Deny
110   TCP    22    192.168.0.0/16   Allow
*     *      *     *                Deny

src: 3.4.5.6, dest: 192.168.0.39

  http (tcp 80) => denied (no numbered rule matches, so the * rule denies)
  ssh  (tcp 22) => denied (rule 100)

src: 192.168.1.42, dest: 192.168.0.39

  ssh  (tcp 22) => denied (rule 100 matches before rule 110 is reached)

Now the same two rules with the numbers swapped:

Rule  Proto  Port  Source           Action
100   TCP    22    192.168.0.0/16   Allow
110   TCP    22    0.0.0.0/0        Deny
*     *      *     *                Deny

src: 3.4.5.6, dest: 192.168.0.39

  http (tcp 80) => denied (* rule)
  ssh  (tcp 22) => denied (rule 110)

src: 192.168.1.42, dest: 192.168.0.39

  ssh  (tcp 22) => allowed (rule 100 matches first)
  • Whenever a packet is sent, the outbound rules are evaluated in order of priority
  • Let's create a NACL that allows all communication within the VPC and all outgoing communication to anywhere, and allows only ports 22 and 80 inbound from anywhere
  • Subnets are not attached to a new NACL automatically; we need to associate them with the NACL explicitly
  • Create a VPC with web, app and db subnets
  • Ensure the web subnet allows incoming traffic
    • from within the VPC on any port and protocol
    • from external sources only on ports 22, 80 and 443
  • Ensure the db and app subnets allow incoming traffic from within the VPC on any port and protocol; no external communication is allowed
web (inbound)

Rule  Protocol     Port  Source           Action
100   TCP          22    0.0.0.0/0        Allow
110   TCP          80    0.0.0.0/0        Allow
120   TCP          443   0.0.0.0/0        Allow
130   All traffic  *     192.168.0.0/16   Allow
*     All traffic  *     *                Deny

web (outbound)

Rule  Protocol     Port  Destination      Action
100   All traffic  *     0.0.0.0/0        Allow
*     All traffic  *     *                Deny

db & app => NACL

Rule  Protocol     Port  Source           Action
100   All traffic  *     192.168.0.0/16   Allow
*     All traffic  *     *                Deny

app

Rule  Protocol     Port  Destination      Action
100   All traffic  *     0.0.0.0/0        Allow
*     All traffic  *     *                Deny


  • Let's assume we have a rule that refers to a specific IP
    • Rule IP (100.110.120.130/32): a /32 CIDR matches exactly this one address

Security Group

  • We write only Allow rules
  • To be continued in next session


About continuous learner

devops & cloud enthusiastic learner