Security Groups and Network ACLs
- When we create a security group and attach it to a network interface, the default behaviour is to deny everything
- In a security group we write only allow rules
- We have created a simple VPC with one public subnet
- We have attached a security group with no rules (everything disabled)
- Multiple security groups can be applied to a network interface
- Consider using multiple security groups to reuse rules
Network ACLs operate around subnets.
- The default NACL will allow everything
- A NACL has ALLOW and DENY rules and also a priority
- When a new NACL is created, everything is denied
- Each NACL rule has
  - Rule number: the lower the number, the higher the priority
  - Protocol: TCP/UDP/ICMP
  - Port
  - Source/Destination
  - Allow/Deny
- Never write consecutive numbers in rules
- Always have a rule to allow internal traffic (Refer Here)
- Security groups and NACLs work together
Scenario
- We have to create a network with 2 public and 2 private subnets
  - For the public subnets we need a NACL
    - which allows all internal communication
    - 22, 80, 443 from anywhere
    - ICMP from anywhere
    - the rest denied
  - For the private subnets we need a NACL
    - which allows all internal communication
    - the rest denied
- Now create an EC2 instance in a public subnet with a security group that allows
  - ssh
  - http
- Now create an EC2 instance in a private subnet with a security group that allows
  - all internal ping
  - all internal communication
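The following is an added example, not part of the original notes or of any AWS tooling: it models the public and private subnet NACLs from the scenario above as rule tables and evaluates sample packets with NACL semantics (ascending rule number, first match wins, implicit `*` deny at the end). The VPC CIDR 10.0.0.0/16 and the sample source addresses are assumed values.

```python
import ipaddress

# Constructed example: the public-subnet NACL from the scenario.
# Rule numbers step by 100 (never consecutive) so a rule can be inserted
# between two existing ones later. Each rule is
# (rule_number, protocol, port, cidr, action); port None means any port.
VPC_CIDR = "10.0.0.0/16"  # assumed VPC range
PUBLIC_INBOUND = [
    (100, "all", None, VPC_CIDR, "allow"),      # all internal communication
    (200, "tcp", 22, "0.0.0.0/0", "allow"),     # ssh from anywhere
    (300, "tcp", 80, "0.0.0.0/0", "allow"),     # http from anywhere
    (400, "tcp", 443, "0.0.0.0/0", "allow"),    # https from anywhere
    (500, "icmp", None, "0.0.0.0/0", "allow"),  # ICMP from anywhere
]
# Private-subnet NACL: only internal communication; everything else falls
# through to the implicit '*' deny.
PRIVATE_INBOUND = [
    (100, "all", None, VPC_CIDR, "allow"),
]


def evaluate(rules, proto, port, src_ip):
    """Return (action, rule_number) for one packet using NACL semantics:
    rules are checked in ascending rule-number order, the first matching
    rule decides, and if nothing matches the implicit '*' rule denies."""
    ip = ipaddress.ip_address(src_ip)
    for number, r_proto, r_port, cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto != "all" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        return action, number
    return "deny", "*"


if __name__ == "__main__":
    # Lower number wins: a deny at 150 now shadows the ssh allow at 200,
    # which is why the gaps between rule numbers matter.
    blocked = PUBLIC_INBOUND + [(150, "tcp", 22, "0.0.0.0/0", "deny")]
    for rules, pkt in [(PUBLIC_INBOUND, ("tcp", 22, "203.0.113.5")),
                       (PUBLIC_INBOUND, ("tcp", 3306, "203.0.113.5")),
                       (PUBLIC_INBOUND, ("tcp", 3306, "10.0.1.7")),
                       (blocked, ("tcp", 22, "203.0.113.5")),
                       (blocked, ("tcp", 22, "10.0.1.7")),
                       (PRIVATE_INBOUND, ("tcp", 22, "203.0.113.5"))]:
        print(pkt, "->", evaluate(rules, *pkt))
```

Internal hosts still reach port 22 through rule 100 even after the deny at 150 is added, which shows why the internal-traffic allow rule should keep the lowest number.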