Section 4: VPC Security: Module 5: Networking and Content Delivery

The document discusses VPC security in AWS, focusing on security groups and network access control lists (ACLs). Security groups operate at the instance level and are stateful, while network ACLs function at the subnet level and are stateless, allowing both allow and deny rules. Key takeaways include the importance of isolating subnets, selecting appropriate gateway devices, and utilizing firewalls for enhanced security.

Module 5: Networking and Content Delivery

Section 4: VPC security

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security groups

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16, containing a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. Each instance in both subnets is wrapped in its own security group.]

Security groups act at the instance level.
Security groups

• Security groups have rules that control inbound and outbound instance traffic.
• Default security groups deny all inbound traffic and allow all outbound traffic.
• Security groups are stateful.

Inbound

| Source | Protocol | Port Range | Description |
|---|---|---|---|
| sg-xxxxxxxx | All | All | Allow inbound traffic from network interfaces assigned to the same security group. |

Outbound

| Destination | Protocol | Port Range | Description |
|---|---|---|---|
| 0.0.0.0/0 | All | All | Allow all outbound IPv4 traffic. |
| ::/0 | All | All | Allow all outbound IPv6 traffic. |
Custom security group examples

• You can specify allow rules, but not deny rules.
• All rules are evaluated before the decision to allow traffic.

Inbound

| Source | Protocol | Port Range | Description |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from all IPv4 addresses |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from all IPv4 addresses |
| Your network's public IPv4 address range | TCP | 22 | Allow inbound SSH access to Linux instances from IPv4 addresses in your network (over the internet gateway) |

Outbound

| Destination | Protocol | Port Range | Description |
|---|---|---|---|
| The ID of the security group for your Microsoft SQL Server database servers | TCP | 1433 | Allow outbound Microsoft SQL Server access to instances in the specified security group |
Network access control lists (network ACLs)

[Diagram: AWS Cloud > Region > Availability Zone > VPC 10.0.0.0/16, containing a public subnet 10.0.0.0/24 and a private subnet 10.0.4.0/22. A network ACL sits at the boundary of each subnet.]

Network ACLs act at the subnet level.
Network access control lists (network ACLs)

• A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Default network ACLs allow all inbound and outbound IPv4 traffic.
• Network ACLs are stateless.

Inbound

| Rule | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Outbound

| Rule | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |
Custom network ACL examples

• Custom network ACLs deny all inbound and outbound traffic until you add rules.
• You can specify both allow and deny rules.
• Rules are evaluated in number order, starting with the lowest number.

Inbound

| Rule | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Outbound

| Rule | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |
Security groups versus network ACLs

| Attribute | Security Groups | Network ACLs |
|---|---|---|
| Scope | Instance level | Subnet level |
| Supported Rules | Allow rules only | Allow and deny rules |
| State | Stateful (return traffic is automatically allowed, regardless of rules) | Stateless (return traffic must be explicitly allowed by rules) |
| Order of Rules | All rules are evaluated before decision to allow traffic | Rules are evaluated in number order before decision to allow traffic |
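The stateful/stateless and rule-ordering differences in the table above are easiest to see by running both evaluation models over one round trip. The following is an added illustration, not code from the slides or from AWS: it replays the custom network ACL from the previous slide (HTTPS from anywhere, SSH from 192.0.2.0/24) against a constructed HTTPS request from a client at 198.51.100.7 and the web server's reply, and contrasts it with a security group carrying only an inbound HTTPS rule.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Rule fields: number = network ACL evaluation order (ignored by security groups); protocol = "all"/"tcp"/"udp";
# ports = inclusive (low, high) destination-port range or None; cidr = source CIDR for inbound rules,
# destination CIDR for outbound; action = "allow" or "deny" (security groups only ever use "allow").
Rule = namedtuple("Rule", "number protocol ports cidr action")
Packet = namedtuple("Packet", "protocol src_ip src_port dst_ip dst_port")

def flow_key(pkt):
    # Direction-independent key, so a reply maps onto the same flow as its request.
    return (pkt.protocol, frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)}))

def matches(rule, pkt, direction):
    peer = pkt.src_ip if direction == "in" else pkt.dst_ip
    proto_ok = rule.protocol in ("all", pkt.protocol)
    port_ok = rule.ports is None or rule.ports[0] <= pkt.dst_port <= rule.ports[1]
    return proto_ok and port_ok and ip_address(peer) in ip_network(rule.cidr)

def nacl_decision(rules, pkt, direction):
    """Stateless: lowest rule number first, first match wins, the '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, direction):
            return rule.action
    return "deny"

class SecurityGroup:
    """Stateful: any matching allow rule admits the packet; replies on that flow need no rule."""
    def __init__(self, inbound, outbound):
        self.rules, self.flows = {"in": inbound, "out": outbound}, set()
    def decision(self, pkt, direction):
        if flow_key(pkt) in self.flows:
            return "allow"  # return traffic of an admitted connection, regardless of rules
        if any(matches(r, pkt, direction) for r in self.rules[direction]):
            self.flows.add(flow_key(pkt))
            return "allow"
        return "deny"

# Constructed scenario: the slide's custom network ACL rules, an HTTPS request from a client at
# 198.51.100.7 (ephemeral port 51234) to a web server at 10.0.1.10, and the server's reply.
HTTPS_AND_SSH = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
                 Rule(120, "tcp", (22, 22), "192.0.2.0/24", "allow")]
REQUEST = Packet("tcp", "198.51.100.7", 51234, "10.0.1.10", 443)
REPLY = Packet("tcp", "10.0.1.10", 443, "198.51.100.7", 51234)
# What a stateless ACL needs in addition: an explicit outbound rule for the ephemeral return ports.
EPHEMERAL_FIX = HTTPS_AND_SSH + [Rule(140, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

def nacl_round_trip(outbound=HTTPS_AND_SSH):
    return nacl_decision(HTTPS_AND_SSH, REQUEST, "in"), nacl_decision(outbound, REPLY, "out")

def sg_round_trip():
    # Inbound HTTPS only and no outbound rule: the reply still passes because the group is stateful.
    sg = SecurityGroup(inbound=[Rule(0, "tcp", (443, 443), "0.0.0.0/0", "allow")], outbound=[])
    return sg.decision(REQUEST, "in"), sg.decision(REPLY, "out")
```

With the slide's rules alone, `nacl_round_trip()` admits the request but drops the reply on the implicit `*` outbound deny, because the reply is addressed to the client's ephemeral port rather than 443; `nacl_round_trip(EPHEMERAL_FIX)` and `sg_round_trip()` both allow the full exchange.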
Activity: Design a VPC

Scenario: You have a small business with a website that is hosted on an Amazon
Elastic Compute Cloud (Amazon EC2) instance. You have customer data that is
stored on a backend database that you want to keep private. You want to use
Amazon VPC to set up a VPC that meets the following requirements:
• Your web server and database server must be in separate subnets.
• The first address of your network must be 10.0.0.0. Each subnet must have 256
total IPv4 addresses.
• Your customers must always be able to access your web server.
• Your database server must be able to access the internet to make patch
updates.
• Your architecture must be highly available and use at least one custom firewall
layer.
Section 4 key takeaways

• Build security into your VPC architecture:
  • Isolate subnets if possible.
  • Choose the appropriate gateway device or VPN connection for your needs.
  • Use firewalls.
• Security groups and network ACLs are firewall options that you can use to secure your VPC.
