AWS Networking
- There are two layers of network security: one around the subnet (network ACL) and one around the network interface (ENI, security group).
- Network ACL (NACL) around subnets:
  - Supports both allow and deny rules.
  - Rules are kept in a numbered list and evaluated in order; both allow and deny are valid actions.
  - The lower the rule number, the higher its priority (rules are checked from the lowest number and the first match applies).
  - AWS creates a default network ACL with every VPC; it is attached to all subnets and its rules are:
    - allow everything in
    - allow everything out
  - A network ACL identifies:
    - an incoming packet by
      - source IP range (CIDR)
      - protocol:
        - TCP
        - UDP
        - ICMP
      - port
    - an outgoing packet by
      - destination IP range (CIDR)
      - protocol:
        - TCP
        - UDP
        - ICMP
      - port
  - Never number rules consecutively; leave gaps between rule numbers so rules can be inserted later.
- Security groups around network interfaces (ENIs):
  - Support only allow rules (there is no deny; anything not explicitly allowed is dropped).
  - Identify an incoming packet by
    - source IP range (CIDR)
    - protocol:
      - TCP
      - UDP
      - ICMP
    - port
  - Identify an outgoing packet by (setting outgoing rules in a security group is not recommended)
    - destination IP range (CIDR)
    - protocol:
      - TCP
      - UDP
      - ICMP
    - port

Lab: create a network ACL and a security group, then perform checks
- Create a NACL that allows all internal (VPC) communication but only TCP ports 80 and 22 from outside, and attach it to all subnets.
- Create a security group that allows all communication.
- Create an EC2 instance in the web subnet of the VPC with the above security group:
  - install nginx (tcp/80)
- Create an EC2 instance in the app subnet of the VPC with the above security group:
  - set up Spring PetClinic (tcp/8080)
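The two layers described above, as an added example that is not part of the original notes: a small Python model of how an ordered NACL rule list (first match by ascending number, implicit deny) and an allow-only security group decide a packet, loaded with the lab's inbound rules. The VPC CIDR 10.0.0.0/16, the sample addresses and the extra deny rule 150 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number: lower number = higher priority (unused for SGs)
    action: str     # "allow" or "deny" (security groups only ever use "allow")
    cidr: str       # source range for inbound rules, destination range for outbound
    protocol: str   # "tcp", "udp", "icmp" or "all"
    ports: tuple    # (low, high) inclusive port range; ignored for icmp/all

def _matches(rule, ip, protocol, port):
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    return rule.protocol in ("all", "icmp") or rule.ports[0] <= port <= rule.ports[1]

def nacl_decision(rules, ip, protocol, port):
    """Network ACL: evaluate rules in ascending number order; the first match decides
    and the implicit final '*' rule denies anything unmatched. NACLs are stateless,
    so return traffic needs its own rule in the opposite direction."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, protocol, port):
            return rule.action
    return "deny"

def sg_decision(rules, ip, protocol, port):
    """Security group: allow-only; any matching rule allows, otherwise the packet is dropped."""
    return "allow" if any(_matches(r, ip, protocol, port) for r in rules) else "deny"

def allowed(nacl_rules, sg_rules, ip, protocol, port):
    """A packet reaches the ENI only if the subnet NACL and the security group both allow it."""
    return (nacl_decision(nacl_rules, ip, protocol, port) == "allow"
            and sg_decision(sg_rules, ip, protocol, port) == "allow")

# Constructed inbound rules for the lab (VPC CIDR 10.0.0.0/16 is an assumption): all internal
# traffic allowed, only tcp/80 and tcp/22 from outside, rule numbers left with gaps.
# Rule 150 is an extra constructed deny showing a lower number beating the broader allow at 200.
LAB_NACL_INBOUND = [
    Rule(100, "allow", "10.0.0.0/16", "all", (0, 65535)),
    Rule(150, "deny", "198.51.100.0/24", "tcp", (80, 80)),
    Rule(200, "allow", "0.0.0.0/0", "tcp", (80, 80)),
    Rule(300, "allow", "0.0.0.0/0", "tcp", (22, 22)),
]
LAB_SG_INBOUND = [Rule(0, "allow", "0.0.0.0/0", "all", (0, 65535))]  # the lab's "allow all" SG
```

Calling `allowed(LAB_NACL_INBOUND, LAB_SG_INBOUND, "203.0.113.9", "tcp", 8080)` returns False even though the security group allows everything, because the subnet NACL only lets 80 and 22 in from outside; the same port from an internal address returns True.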
Azure Networking
- Azure has a single construct, the network security group (NSG), which supports both allow and deny rules and can be applied at two layers:
  - network interface (VM)
  - subnet

