Sunday 31 May 2020

AWS - VPC Security

VPC Security Groups

- assigned at the instance level: a security group is attached to a network interface (ENI), so it travels with the instance rather than the subnet

- up to 5 security groups per network interface by default (a quota, adjustable up to 16)
- 60 inbound and 60 outbound rules per security group by default - 120 rules in total [60 inbound, 60 outbound]; the rules-per-group quota times the groups-per-interface quota may not exceed 1,000
- 2,500 security groups per VPC by default (also an adjustable quota)




By default, a newly created security group denies all inbound traffic on all ports and allows all outbound traffic.
You can only configure allow rules within a security group; there is no deny rule, so anything not explicitly allowed is dropped. Security groups are also stateful: return traffic for an allowed connection is permitted automatically, whatever the rules in the other direction say.


Scenario below: allow two EC2 instances to communicate with each other using security groups. The usual way is to reference the client's security group as the source in the server's inbound rule, rather than the client's IP address, so the rule keeps working when instances are replaced.


Network Access Control Lists - NACL

- Apply within the context of a VPC - a NACL exists in a single VPC and does not span multiple VPCs.
- Apply one-to-many to subnets - one NACL can be associated with many subnets, but each subnet has exactly one NACL (the VPC's default NACL if none is chosen).

- Rules explicitly allow or deny traffic. They are numbered and evaluated from the lowest number up, the first match wins, and the final * rule denies whatever nothing else matched. A custom NACL starts out denying everything in both directions.
- Unlike security groups, NACLs are stateless: return traffic has to be allowed by a rule in the opposite direction.


For the above scenario, if a NACL on the subnet allows only 80 and 443 inbound, web traffic still reaches the instance but the MySQL connection on 3306 is denied, even though the security group would allow it: the NACL is evaluated at the subnet boundary before the security group is consulted.


The public subnet contains a NAT gateway so the private subnet can get to the internet.
Now we configure a NACL that will lock down the private subnet.

Once implemented, only SSH and ICMP traffic originating from the public subnet will be able to get into the private subnet.
In addition, all traffic originating from the private subnet will be dropped. Because the NACL is stateless, two things follow: the replies to those SSH sessions and pings also originate in the private subnet, so an outbound rule allowing ICMP and the ephemeral TCP port range (1024-65535) back to the public subnet's CIDR is needed or the connections never complete; and the instances can no longer reach the NAT gateway, so the internet access it provided is cut off as well.
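To make the security-group scenario and both NACL scenarios above concrete, here is a small model of the evaluation order. It is an added example written for this post, not code from AWS or from the original demo. It assumes a hypothetical VPC with a public subnet 10.0.0.0/24 holding a web server (10.0.0.10), a bastion (10.0.0.5) and a NAT gateway (10.0.0.100), and a private subnet 10.0.1.0/24 holding a MySQL instance (10.0.1.20); the security group names, rule numbers and addresses are all invented. It walks a request through the source subnet's outbound NACL, the destination subnet's inbound NACL and the destination security group, then walks the reply back, which is where the stateless NACL bites.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: one VPC, a public and a private subnet. 10.0.0.100 is the
# NAT gateway (no security group); the other addresses are hypothetical instances.
SUBNETS = {"public": "10.0.0.0/24", "private": "10.0.1.0/24"}
MEMBERSHIP = {"10.0.0.10": "web-sg", "10.0.0.5": "bastion-sg", "10.0.1.20": "db-sg"}
# SG inbound rules: (proto, (low, high) or None for icmp, source CIDR or SG name).
SG_RULES = {
    "web-sg": [("tcp", (80, 80), "0.0.0.0/0"), ("tcp", (443, 443), "0.0.0.0/0")],
    "bastion-sg": [("tcp", (22, 22), "0.0.0.0/0")],
    "db-sg": [("tcp", (3306, 3306), "web-sg"), ("tcp", (22, 22), "bastion-sg")],
}
EPHEMERAL = (1024, 65535)  # return-traffic range the AWS NACL docs recommend

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"     # "tcp", "udp" or "icmp"
    src_port: int = 49152  # client ephemeral port; the reply comes back to it

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def subnet_of(ip):
    return next(n for n, c in SUBNETS.items() if in_cidr(ip, c))

def port_matches(proto, rng, port):
    return proto == "icmp" or rng is None or rng[0] <= port <= rng[1]

def sg_allows_inbound(pkt):
    """SG: allow rules only, implicit deny; a source naming another SG matches its members."""
    sg = MEMBERSHIP.get(pkt.dst_ip)
    if sg is None:  # NAT gateway: no SG is evaluated
        return True
    for proto, rng, source in SG_RULES[sg]:
        if proto != pkt.proto or not port_matches(proto, rng, pkt.dst_port):
            continue
        if source in SG_RULES and MEMBERSHIP.get(pkt.src_ip) == source:
            return True
        if source not in SG_RULES and in_cidr(pkt.src_ip, source):
            return True
    return False

def nacl_decision(rules, pkt, peer_ip):
    """NACL: lowest rule number first, first match wins, unmatched -> DENY ('*').
    Inbound rules match the source address, outbound rules the destination,
    so the caller passes whichever end is the peer."""
    for _num, proto, rng, cidr, action in sorted(rules, key=lambda r: r[0]):
        if (proto in ("all", pkt.proto) and port_matches(proto, rng, pkt.dst_port)
                and in_cidr(peer_ip, cidr)):
            return action
    return "DENY"

def connection_result(nacls, pkt):
    """Walk a request and its reply through both subnets' NACLs and the target SG.
    NACLs are stateless, so the reply is checked again; the SG is stateful, so not."""
    src_sub, dst_sub = subnet_of(pkt.src_ip), subnet_of(pkt.dst_ip)
    reply = Packet(pkt.dst_ip, pkt.src_ip, pkt.src_port, pkt.proto, pkt.dst_port)
    if nacl_decision(nacls[src_sub]["out"], pkt, pkt.dst_ip) == "DENY":
        return "denied: outbound NACL of " + src_sub
    if nacl_decision(nacls[dst_sub]["in"], pkt, pkt.src_ip) == "DENY":
        return "denied: inbound NACL of " + dst_sub
    if not sg_allows_inbound(pkt):
        return "denied: security group of " + pkt.dst_ip
    if nacl_decision(nacls[dst_sub]["out"], reply, reply.dst_ip) == "DENY":
        return "reply dropped: outbound NACL of " + dst_sub
    if nacl_decision(nacls[src_sub]["in"], reply, reply.src_ip) == "DENY":
        return "reply dropped: inbound NACL of " + src_sub
    return "ok"

# NACL rule: (number, proto, (low, high) or None, CIDR, action).
ALLOW_ALL = [(100, "all", None, "0.0.0.0/0", "ALLOW")]
OPEN = {"in": ALLOW_ALL, "out": ALLOW_ALL}
# First scenario: a NACL on the database subnet that admits only 80 and 443.
WEB_PORTS_ONLY = {"in": [(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
                         (110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW")], "out": ALLOW_ALL}
# Second scenario: private subnet locked to SSH and ICMP from the public subnet.
LOCKDOWN_IN = [(100, "tcp", (22, 22), "10.0.0.0/24", "ALLOW"),
               (110, "icmp", None, "10.0.0.0/24", "ALLOW")]
LOCKDOWN_NO_RETURN = {"in": LOCKDOWN_IN, "out": []}  # drops every outbound packet
LOCKDOWN = {"in": LOCKDOWN_IN, "out": [(100, "tcp", EPHEMERAL, "10.0.0.0/24", "ALLOW")]}

def scenarios():
    web_to_db, bastion_to_db = Packet("10.0.0.10", "10.0.1.20", 3306), Packet("10.0.0.5", "10.0.1.20", 3306)
    bastion_ssh, db_to_nat = Packet("10.0.0.5", "10.0.1.20", 22), Packet("10.0.1.20", "10.0.0.100", 443)
    return {
        "SG only, web->db 3306": connection_result({"public": OPEN, "private": OPEN}, web_to_db),
        "SG only, bastion->db 3306": connection_result({"public": OPEN, "private": OPEN}, bastion_to_db),
        "80/443 NACL, web->db 3306": connection_result({"public": OPEN, "private": WEB_PORTS_ONLY}, web_to_db),
        "lockdown, no return rule, ssh": connection_result({"public": OPEN, "private": LOCKDOWN_NO_RETURN}, bastion_ssh),
        "lockdown with return rule, ssh": connection_result({"public": OPEN, "private": LOCKDOWN}, bastion_ssh),
        "lockdown, db->NAT gateway 443": connection_result({"public": OPEN, "private": LOCKDOWN}, db_to_nat),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

Running it shows the web tier reaching MySQL on 3306 through the SG reference while the bastion is refused by the security group; the 80/443-only NACL blocking 3306 before the security group is even consulted; the lockdown NACL accepting the SSH SYN but dropping the SYN-ACK until the outbound ephemeral rule is added; and the locked-down private subnet no longer reaching the NAT gateway at all.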

Example Demo:



VPC Flow Logs

To create flow logs that publish to CloudWatch Logs, in this order:

  • Create a CloudWatch Logs log group to receive the records
  • Create an IAM role that the flow logs service (vpc-flow-logs.amazonaws.com) can assume, with a policy allowing logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on that group
  • Create the flow log on the VPC, a subnet or a single network interface, choosing ACCEPT, REJECT or ALL traffic and pointing it at the log group and role

Flow logs record accepted and rejected traffic per network interface, aggregated over an interval; they do not capture payloads, and traffic such as instance metadata requests (169.254.169.254), DHCP and DNS to the Amazon-provided resolver is not logged.
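Once records are arriving, the useful part is reading them. The following is an added example, not code from the post or from AWS, that parses the default flow log record format into fields, totals REJECTed flows, and flags rejected replies (packets leaving a service port for an ephemeral port that were dropped), which is exactly what the lockdown NACL above produces when its return rule is missing. The log lines are constructed for the example: the account ID, ENI ID and addresses are invented.

```python
from collections import Counter

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
EPHEMERAL = (1024, 65535)

# Constructed sample (not real data): records from the private-subnet ENI in the
# lockdown scenario above. The SSH SYN from the bastion is accepted inbound, the
# replies are rejected because the NACL has no outbound ephemeral-port rule, the
# database cannot reach the NAT gateway, and an internet scan hits 3389.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.5 10.0.1.20 49152 22 6 3 180 1590883200 1590883260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.0.5 22 49152 6 3 180 1590883200 1590883260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.0.5 22 49152 6 2 120 1590883260 1590883320 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.0.100 51234 443 6 1 60 1590883200 1590883260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40000 3389 6 1 40 1590883200 1590883260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1590883320 1590883380 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; NODATA/SKIPDATA records keep their '-' fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] == "OK":
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["protocol"] = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_flows(records):
    """Packets dropped by a NACL or SG, totalled per (src, dst, dst port, proto)."""
    totals = Counter()
    for r in records:
        if r["log_status"] == "OK" and r["action"] == "REJECT":
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])] += r["packets"]
    return totals


def rejected_replies(records):
    """Rejected packets going from a service port to an ephemeral port are replies
    being dropped: the signature of a stateless NACL missing its return rule."""
    hits = set()
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "REJECT":
            continue
        if r["srcport"] < EPHEMERAL[0] and EPHEMERAL[0] <= r["dstport"] <= EPHEMERAL[1]:
            hits.add((r["srcaddr"], r["srcport"], r["dstaddr"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flow, packets in rejected_flows(recs).most_common():
        print(f"REJECT {packets:3d} pkts  {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
    for src, port, dst in rejected_replies(recs):
        print(f"dropped reply from {src}:{port} to {dst}: check the outbound NACL ephemeral rule")
```

The pattern to look for when a connection hangs is an ACCEPT record for the request followed by REJECT records for the same pair of addresses with the ports reversed, all on the same ENI; in the constructed sample that is the bastion's SSH session. Records are aggregated per interval, so the same reply flow can show up more than once with different start and end times.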


