Network ACLs & Security Group

  • A Network ACL (NACL) is an optional layer of security for the VPC that acts as a firewall controlling traffic in and out of one or more subnets.
  • It operates at the Subnet level and has separate inbound and outbound rules; each rule can either allow or deny traffic.
  • The default NACL allows all inbound and outbound traffic.
  • It is Stateless: responses to allowed inbound traffic are subject to the outbound rules (and vice versa).
  • A NACL is a great way of blocking a specific IP at the subnet level.
  • Define NACL rules
  1. Rules have a number (1–32766), and a lower number has higher precedence.
  2. E.g. if you define #100 ALLOW and #200 DENY for the same traffic, the IP will be allowed.
  3. The last rule is an asterisk (*) and denies a request if no other rule matches.
  4. AWS recommends adding rules in increments of 10.
  5. A newly created ACL denies all inbound and outbound traffic.
  6. E.g. if you enable inbound SSH on port 22 from a specific IP address, you also need to add an outbound rule for the response.
  • A Security Group acts at the Instance level, not at the subnet level.
  • It supports only Allow rules; Deny rules cannot be specified.
  • It is Stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa.
  • Rules can be added or removed (authorizing or revoking access) for both Inbound (ingress) and Outbound (egress) traffic to the instance.
  • The default Security Group allows no external inbound traffic but allows inbound traffic from instances in the same security group.
  • The default Security Group allows all outbound traffic.
  • All rules are evaluated together and the most permissive rule takes precedence: e.g. if one rule allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule allows access to TCP port 22 from 0.0.0.0/0, everyone has access to TCP port 22.
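As an added illustration (not code from the original post), the following Python simulates the evaluation differences listed above: NACL first-match by rule number with the implicit asterisk deny, the stateless requirement for a reply rule covering the client's ephemeral port (assumed here to be the 1024–65535 range), and the security-group union of allow rules. The rule sets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cidr: str               # peer CIDR the rule matches
    port_lo: int            # destination port range, inclusive
    port_hi: int
    action: str = "allow"   # "allow" or "deny" (security groups only ever use "allow")
    number: int = 0         # NACL rule number 1-32766; a lower number wins


def _matches(rule, peer_ip, port):
    return (ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_lo <= port <= rule.port_hi)


def nacl_decision(rules, peer_ip, port):
    """NACL: walk rules in ascending number order; the first match decides.
    The implicit trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, peer_ip, port):
            return rule.action == "allow"
    return False


def nacl_session_allowed(inbound, outbound, peer_ip, dst_port, ephemeral_port):
    """NACLs are stateless: the request must pass the inbound rules AND the
    reply (sent back to the client's ephemeral port) must pass the outbound rules."""
    return (nacl_decision(inbound, peer_ip, dst_port)
            and nacl_decision(outbound, peer_ip, ephemeral_port))


def sg_allowed(rules, peer_ip, port):
    """Security group: allow rules are unioned, so the most permissive one wins;
    being stateful, the reply needs no outbound rule at all."""
    return any(_matches(rule, peer_ip, port) for rule in rules)


# Constructed sample rules (not taken from any real account).
INBOUND_NACL = [Rule("203.0.113.1/32", 22, 22, "allow", 100),
                Rule("203.0.113.1/32", 22, 22, "deny", 200)]   # #100 wins over #200
# Outbound rule covering the assumed ephemeral range 1024-65535 for the SSH reply.
OUTBOUND_NACL = [Rule("0.0.0.0/0", 1024, 65535, "allow", 100)]
SG_RULES = [Rule("203.0.113.1/32", 22, 22), Rule("0.0.0.0/0", 22, 22)]  # union: everyone

if __name__ == "__main__":
    print(nacl_session_allowed(INBOUND_NACL, OUTBOUND_NACL, "203.0.113.1", 22, 49152))  # True
    print(nacl_session_allowed(INBOUND_NACL, [], "203.0.113.1", 22, 49152))  # False: no reply rule
    print(sg_allowed(SG_RULES, "198.51.100.7", 22))  # True
```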

Network ACLs & Security Group Incoming Request example

Network ACLs & Security Group Outgoing Request

DevOps Engineer
Bikram