AWS CSA
  • Introduction
  • 1. AWS Overview
    • 1.1 AWS global Infrastructure
    • 1.2 Networking and Content Delivery
    • 1.3 Computing
    • 1.4 Storage
    • 1.5 Databases
    • 1.6 Migration Services
    • 1.7 Analytics
    • 1.8 Security and Identity
    • 1.9 Management Tools
    • 1.10 Application Services
    • 1.11 Developer Tools
    • 1.12 Mobile Services
    • 1.13 Desktop and App Streaming
    • 1.14 Artificial Intelligence
    • 1.15 Messaging
  • 2. IAM - Identity Access Management
    • 2.1 IAM Introduction
    • 2.2 IAM Labs
    • 2.3 Create a billing alart
    • 2.4 IAM Conclusion
  • 3. S3 - Simple Storage Service
    • 3.1 S3 Introduction
    • 3.2 S3 Labs
    • 3.3 Version Control Labs
    • 3.4 Cross Region Replication
    • 3.5 Life Cycle Management
    • 3.6 CloudFront
    • 3.7 CloudFront Labs
    • 3.8 S3 Security and Encryption
    • 3.9 Storage Gateway
    • 3.10 Snowball
    • 3.11 Snowball Labs
    • 3.12 S3 Transfer Acceleration
    • 3.13 Create a static web page using S3
    • 3.14 Storage Summary
  • 4. EC2 - Elastic Compute Cloud
    • 4.1 EC2 Introduction I
    • 4.2 EC2 Introduction II
    • 4.3 EC2 Lab 1
    • 4.4 EC2 Lab 2
    • 4.5 Security Groups Lab
    • 4.6 Upgrade EBS Volume Types - Lab1
    • 4.7 Upgrade EBS Volume Types - Lab2
    • 4.8 RAID, Volumes & Snapshots
    • 4.9 Create An AMI - Lab
    • 4.10 AMI's EBS Root Volumes vs. Instance Store
    • 4.11 Elastic Load Balancer & Health Check - Lab
    • 4.12 CloudWatch EC2 - Lab
    • 4.13 The AWS Command Line & EC2
    • 4.14 Using IAM Roles with EC2
    • 4.15 S3 CLI & Regions
    • 4.16 Using Bootstrap Scripts
    • 4.17 EC2 Instance Metadata
    • 4.18 Launch Configurations & Auto Scaling Groups
    • 4.19 EC2 Placement Groups - Exam Must Know
    • 4.20 Elastic File System (EFS) Lab
    • 4.21 Lambda Concepts
    • 4.22 Build A Serverless Webpage Using API Gateway & Lambda
    • 4.23 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.24 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.25 EC2 - Summary & Exam Tips
  • 5. Route53
    • 5.1 DNS 101
    • 5.2 Route53 - Register A Domain Name - Lab
    • 5.3 Setup Our EC2 Instances - Lab
    • 5.4 Routing Policies - Lab
  • 6. Databases on AWS
    • 6.1 Databases 101
    • 6.2 Launching an RDS Instance - Lab
    • 6.3 RDS - Backups, Multi-AZ & Read Replicas
    • 6.4 DynamoDB
    • 6.5 Redshift
    • 6.6 ElastiCache
    • 6.7 Aurora
    • 6.8 Database Summary
  • 7. VPC
    • 7.1 VPC Overview
    • 7.2 VPC Lab - Part 1
    • 7.3 VPC Lab - Part 2
    • 7.4 NAT Instances & NAT Gateways
    • 7.5 Network Access Control Lists vs. Security Groups
    • 7.6 Load Balancers & Custom VPCs
    • 7.7 VPC Flow Logs
    • 7.8 NATs vs. Bastions
    • 7.9 VPC End Points
    • 7.10 VPC Clean Up
    • 7.11 VPC Summary
  • 8. Application Services
    • 8.1 SQS - Simple Queue Service
    • 8.2 SWF - Simple Workflow Service
    • 8.3 SNS - Simple Notification Service
    • 8.4 Elastic Transcoder
    • 8.5 API Gateway
    • 8.6 Kinesis 101
    • 8.7 Kinesis Streams Lab
    • 8.8 Application Services Summary
  • 9. White Paper Reviews
    • 9.1 Overview of AWS
    • 9.2 Overview of Security Processes - Part 1
    • 9.3 Overview of Security Processes - Part 2
    • 9.4 Risk & Compliance Whitepaper
    • 9.5 Storage Options in the Cloud Whitepaper
    • 9.6 Architecting For The Cloud Best Practices Whitepaper
  • 10. Well Architected Framework
    • 10.1 Introduction of Well Architected Framework
    • 10.2 Pillar One - Security
    • 10.3 Pillar Two - Reliability
    • 10.4 Pillar Three - Performance
    • 10.5 Pillar Four - Cost Optimization
    • 10.6 Pillar Five - Operational Excellence
    • 10.7 Well Architected Framework - Summary
  • 11. Additional Exam Tips
    • 11.1 Exam Tips Based On Student Feedback
    • 11.2 Consolidated Billing
    • 11.3 AWS Organizations - Lab
    • 11.4 Cross Accounts Access
    • 11.5 Resource Groups & Tagging
    • 11.6 VPC Peering & ClassicLink
    • 11.7 Direct Connect
    • 11.8 Security Token Service
    • 11.9 Active Directory Integration
    • 11.10 Workspaces
    • 11.11 ECS - Part 1 - What is Docker
    • 11.12 ECS - Part 2 - What is ECS
    • 11.13 CloudFormation - A Brief Introduction
    • 11.14 Step Functions - A Brief Introduction
  • 12. Practice Tests Questions Summary
    • 12.1 Whizlabs - Free Test
    • 12.2 Whizlabs - Diagnosis Test
    • 12.3 Whizlabs - Practice Test I
    • 12.4 Whizlabs - Practice Test II
    • 12.5 Whizlabs - Practice Test III
    • 12.6 Whizlabs - Practice Test IV
    • 12.7 Whizlabs - Practice Test V
    • 12.8 Whizlabs - Practice Test VI
    • 12.9 Whizlabs - Practice Test VII
    • 12.10 Whizlabs - Section Tests - Part 1
    • 12.11 Whizlabs - Section Tests - Part 2
    • 12.12 Udemy - Final Quiz
  • 13. The Real World - Creating a fault tolerant Word Press Site
    • 13.1 Getting Setup
Powered by GitBook
On this page
  • Terms:
  • Steps:
  • Exam Tips:
  • My Comments

Was this helpful?

  1. 7. VPC

7.5 Network Access Control Lists vs. Security Groups

Previous7.4 NAT Instances & NAT GatewaysNext7.6 Load Balancers & Custom VPCs

Last updated 5 years ago

Was this helpful?

Recap what we have now:

We have got an instance in a private subnet and an instance in a public subnet. We have deployed our NAT Gateway. We got two different security group one is to protect my private instance the other one is to protect my public instance. We only have one network ACL and this was created by default when we first provisioned our customized VPC. Basically, it allows all traffic in and out by default, and that is why we can go ahead and access this. Our public subnet and our private subnet are actually associated to this Network ACL. You can only associate a subnet to one network ACL. Go ahead and see our Network ACL in details.

Terms:

Network Access Control Lists == Network ACL == NACL

Your Customized VPC == The VPC you created in 7.2 lab.

Steps:

  • Go to VPC dashboard. Go to Network ACLs. Select the Network ACL of your customized VPC, and you can see the configurations in the Inbound rules tab, Outbound rules tab and Subnet Associations tab.

  • Click Create Network ACL. Name tag: MyWebNACL. VPC: your VPC. NACL can only be deployed into one VPC. They cannot span VPCs. Click Yes, Create.

  • For this newly created NACL, MyWebNACL, the Inbound rule is deny everything and the Outbound rule is also deny everything. It means by default, you create a private NACL.

  • Select MyWebNACL, and add rules of SSH, HTTP, HTTPS with source 0.0.0.0/0 to the Inbound rules. When you go to Outbound rules, you see it still deny automatically, this is because our network access control list is stateless. Unlike security groups, with security groups, when we go in and provision a rule, that is going to allow both inbound and outbound automatically. With NACL, you have to do it both. For the outbound rules, you add HTTP, HTTPS, and Custom TCP Rule (with ephemeral ports: 1024-65535) and all with destination 0.0.0.0/0. Using the ephemeral ports, let's say I'm trying to do a HTTP request to my web server through port 80 of the web server, but the information it is going to be transmitted back to me on a random port. Search "Ephemeral Ports VPC" on Google and learn more. For now, your NACL MyWebNACL is already, so go to associate subnets to it.

  • We want to associate our public subnet to MyWebNACL. But a subnet can only be associated to one NACL (just like one NACL can only be associated to one VPC). So when you associate the public subnet to MyWebNACL, it is automatically no longer associated with the default NACL of your customized VPC.

  • The inbound/outbound rules with smaller "rule #" of a NACL will have higher power than the rules with larger rule number. Therefore, for same "Type of rule", same "Protocol", same "Port Range" and same "Source/Destination", the actual result of allow/deny will depend on the allow/deny of the rule with the lowest rule number (Rules are evaluated starting with the lowest numbered rule). As soon as a rule matches traffic, it's applied immediately regardless of any higher-numbered rule that may contradict it.

  • With NACL, you can block the visit from a specific range of source IP through configure the inbound rules.

  • The NACL is more outside than Security group, so NACL access before security groups. So if you block inbound traffic at port 80 in NACL, even if you allow port 80 in security group, the NACL will block you first, so the security group doesn't even get to see this traffic, because NACL has already take care of it.

Exam Tips:

  • By default, when you add, remove or change Security Group rules, it will be applied in all instances which are associated with this Security Group immediately.

  • Your VPC automatically comes with a Default Network ACL, and by default it allows all outbound and inbound traffic.

  • You can create Custom Network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

  • Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

  • You can associate a network ACL with multiple subnets; however, a subnet can be associate with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.

  • Network ACL can span AZs, but obviously, subnets cannot. Each AZ can have multiple subnets, but each subnet can only map to one AZ.

  • Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.

  • Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

  • Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). However, with Security Groups, I could just open port 80 and then that's it. There is no way to use a security group to block a specific IP address.

  • On your Network ACLs, do remember to allow ephemeral ports on your outbound rules only.

  • Blocking IP addresses uses Network ACLs, not Security Groups. Because inbound rules of SG tell you which addresses traffic are allowed, it is not make much sense of "blocking". You can also use firewalls to filter on source ports, but SG let your filter only on destination ports. In short, block the undesired traffic as early as possible regardless it is inbound or outbound.

My Comments

  • Subnet is associated with NACL and Route Table, so NACL provides a subnet level traffic/access control. NACL is stateless.

  • Security Group is associated with EC2 instances, so SG provides an instance level traffic/access control. SG is stateful.

  • Security Group could be used as a whitelist, NACL could be used as a blacklist.

  • Some configurations:

    • Newly created customized Route Table doesn't have a route to outside Internet, i.e. 0.0.0.0/0->IGW, and only has a route within the VPC, i.e. 10.0.0.0/16->Local.

    • Newly created customized SG doesn't have any inbound rule, but has all traffic outbound rule.

    • Newly created customized NACL has a deny all traffic inbound rule and a deny all traffic outbound rule.