Security Groups & Network ACLs

Clinton Ogechi - Aug 28 - - Dev Community

Security groups and Network ACLs are similar in that they allow you to control access to AWS resources within your VPC. Howerver, SGs allow you to control inbound and outbound traffic at the instance level, while NACLs offer similar capabilities at the VPC subnet level.

Aim

To provide a comprehensive, step-by-step guide understanding on how to configure and manage key components such as VPCs, subnets, internet gateways, route tables, security groups, and Network ACLs, ensuring a secure and scalable environment for deploying AWS resources.

Objective

  • Demonstrate the creation and configuration of a VPC and its associated components, including public and private subnets.
  • Illustrate the setup and association of Security Groups and Network ACLs to control inbound and outbound traffic at both the instance and subnet levels.
  • Guide readers through the process of launching and securely accessing an EC2 instance within the configured VPC environment.

Steps

1. Create a VPC

  1. Log in to the AWS Management Console.
  2. Navigate to the VPC Dashboard.
  3. Click on Your VPCs in the left-hand menu.
  4. Click on Create VPC.
  5. Enter the following details: Name tag: MyVpc IPv4 CIDR block: 10.0.0.0/16 IPv6 CIDR block: No IPv6 CIDR Block Tenancy: Default
  6. Click on Create VPC.

Image description

2. Create Subnets

  1. Create Public Subnet
  2. In the VPC Dashboard, click on Subnets.
  3. Click on Create subnet.
  4. Enter the following details: Name tag: PublicSubnet, VPC: Select MyVpc, Availability Zone: Choose one (e.g., af-south-1a ), IPv4 CIDR block: 10.0.1.0/24.
  5. Click on Create subnet.

Image description

Create Private Subnet

  1. In the VPC Dashboard, click on Subnets.
  2. Click on Create subnet again.
  3. Enter the following details: Name tag: PrivateSubnet VPC: Select MyVpc Availability Zone: Choose one (e.g., af-south-1b ) IPv4 CIDR block: 10.0.2.0/24
  4. Click on Create subnet.

Image description

3. Create an Internet Gateway

  1. Click on Create internet gateway.
  2. Enter the following details:Name tag: MyInternetGateway
  3. Click on Create internet gateway. Image description
  4. Select the newly created internet gateway, then click on*Actions* and select Attach to VPC.
  5. Choose MyVpc and click on Attach internet gateway. Image description

4. Create Route Tables

Create Public Route Table

  1. In the VPC Dashboard, click on Route Tables.
  2. Click on Create route table.
  3. Enter the following details: Name tag: PublicRouteTable VPC: Select MyVpc
  4. Click on Create route table. Image description
  5. Select the newly created route table, click on Routes, then click on Edit routes.
  6. Add the following route: Destination: 0.0.0.0/0 Target: Select Internet Gateway and then select MyInternetGateway
  7. Click on Save routes. Image description
  8. Click on the Subnet associations tab, then click on Edit subnet associations.
  9. Select PublicSubnet and click on Save associations. Image description

Create Private Route Table

  1. Click on Create route table again.
  2. Enter the following details: Name tag: PrivateRouteTable VPC: Select MyVpc
  3. Click on Create route table. Image description
  4. No need to add routes for the private route table at this point unless you have a specific setup (e.g., NAT Gateway for internet access)
  5. Click on the Subnet associations tab, then click on Edit subnet associations. Select PrivateSubnet and click on Save associations. Image description

5. Create Security Groups

Create Public Security Group

  1. In the EC2 Dashboard, click on Security Groups.
  2. Click on Create security group.
  3. Enter the following details: Name tag: PublicSG Description: Security group for public instances VPC: Select MyVpc
  4. Add Inbound Rules: Type: SSH Protocol: TCP Port Range: 22 Source: 0.0.0.0/0 (Allow access from anywhere)
  5. Add Outbound Rules: The default outbound rule allows all traffic.
  6. Click on Create security group

Image description

Image description

6. Create Network ACLs

Create Public Network ACL

  1. In the VPC Dashboard, click on Network ACLs.
  2. Click on Create network ACL.
  3. Enter the following details: Name tag: PublicNACL VPC: Select MyVpc
  4. Click on Create network ACL.
  5. Add Inbound Rules: Rule #: 100 Type: SSH Protocol: TCP Port Range: 22 Source: 0.0.0.0/0 (Allow access from anywhere)
  6. Add Outbound Rules: Rule #: 101 Type: Custom TCP Protocol: TCP Port Range: 1024-65535 Destination: 0.0.0.0/0

Image description

Image description

Associate with Subnet:

  1. Select the Subnet: Choose the public subnet to associate with this NACL.
  2. Click on Save.

Create Private Network ACL

  1. In the VPC Dashboard, click on Network ACLs.
  2. Click on Create network ACL.
  3. Enter the following details: Name tag: PrivateNACL VPC: Select MyVpc
  4. Click on Create network ACL.
  5. Add Inbound Rules:

Rule #: 100
Type: SSH
Protocol: TCP
Port Range: 22
Source: 0.0.0.0/0 (Allow access from anywhere)

Rule #: 101
Type: Custom TCP
Protocol: TCP
Port Range: 1024-65535
Source: 0.0.0.0/0 (Allow access from anywhere)

Image description

Image description

Associate with Subnet:

  1. Select the Subnet: Choose the private subnet to associate with this NACL.
  2. Click on Save.

7. Create Ec2 Instance

  1. Click on Launch Instance.
  2. Enter the following details: Name: PublicServer AMI: Choose an Amazon Linux 2 AMI (HVM), SSD Volume Type Instance Type: t2.micro (or another type as needed) Key Pair: Select an existing key pair or create a new one Network: Select MyVpc Subnet: Select PublicSubnet Auto-assign Public IP: Enable Security Group: Select PublicSG
  3. Click on Launch Instance

8. Connect to an EC2 Instance Using EC2 Instance Connect

  1. Navigate to the EC2 Dashboard.
  2. Select the PublicServer Instance.
  3. Click on Connect at the top of the page.
  4. Choose EC2 Instance Connect as the connection method.
  5. Click on Connect to open the terminal.

Image description

Conclusion

Security Groups (SGs) and Network ACLs (NACLs) are essential for controlling access to AWS resources within a VPC. SGs manage traffic at the instance level with stateful filtering, while NACLs provide stateless filtering at the subnet level. Together, they offer a robust security framework, ensuring both individual instance protection and broader network security within your VPC. This layered approach enhances the overall security and resilience of your AWS environment.

Image
How to Use the `ImmutableArray<T>.Builder` Extension Method `ToFrozenDictionary` to Create Efficient Immutable Dictionaries

dotnet
Image
Techniques for Optimizing Performance in React Applications

webdev, react, performance, beginners
Image
Inline Functions in C and C++

c, cpp
Image
Sistemas Numéricos para Computeiros 🔢
Image
Roadmap of Docker and Kubernetes 2024

docker, kubernetes, cloud, cicd
Image
30 Day SOC Challenge- Day 2 & 3 : ELK Stack / Elastic Search

elasticsearch, kibana, socanalyst
Image
I was wrong about array methods and generators...

javascript, performance, computerscience, datascience
Image
Trusted bitcoin investment sites

bitcoin, investment, cryptocurrency, beginners
Image
Building Single Page Applications with Svelte

webdev, javascript, beginners, programming
Image
Topic : Error Handling & Debugging in Node.js 🔧🐛
Image
The Benchmarking Puzzle

webdev, softwareengineering
Image
System Design - Uma introdução

systemdesign, distributedsystems, softwareengineering, braziliandevs
Image
TAYNOSTOKEN

tayto, taynostoken, alkabaltoken, jasminleroy
Image
Improving the conversion rate 💰

webdev, buildinpublic
Image
Frontend Challenge: Space Edition (Rocket Emoji CSS)

frontendchallenge, devchallenge, css
Image
Discover Top-Tier Junk Car Removal with Junk Car Removal Mississauga

webdev, beginners, productivity, discuss
Image
How to make Multi-tenant applications with NestJS and Prisma 🚀.

node, prisma, nestjs, typescript
Image
Innovative Strategies for Conversational AI Development Using JavaScript

ai, chatgpt, voicebot, voiceui
Image
Resilience Strategies for Microservices

microservices, architecture, softwaredevelopment, softwareengineering
. . . . . . . . . . . . . .
Terabox Video Player