VPCs can be protected with two layers of firewalls: one for a subnet (NACL) and another for an instance (Security Group).
Network Access Control List (NACL)
Features
- NACL controls the traffic across the boundary of subnets.
- Any traffic inside subnet is not affected by NACL.
- A NACL can be attached to many subnets.
- A subnet can be associated with only 1 NACL.
- NACL operates at Layer 4 (Transport – TCP/UDP) and is stateless; it does not track sessions (state is a session-layer concept).
- Because it is stateless, for a given inbound rule the corresponding outbound (return) traffic must be allowed by a separate outbound rule.
- A subnet must be associated with a NACL, and the NACL only affects traffic crossing the subnet boundary.
- A NACL is a collection of rules that explicitly allow or deny traffic based on protocol, port range, and source/destination.
- Rules are processed in numbered order, lowest first.
- Rules can only reference a CIDR range.
- When a match is found, processing stops. The "*" rule is processed last.
- The "*" rule is a catch-all deny: anything not matched by a numbered rule is denied.
- A NACL has two sets of rules:
  - Inbound: from outside the subnet to inside
  - Outbound: from inside the subnet to outside
- In general, you need to use NACL (not security groups) to block specific IP addresses.
Default NACL
- A default VPC has a default NACL, which allows all inbound and outbound traffic.
Custom NACL
- A custom network ACL denies all inbound and outbound traffic.
- A custom NACL does not have the rule #100 that allows all traffic in the default NACL.
Ephemeral Ports
- When a client initiates communication with a server, it connects to the server's well-known port, but the response is sent back to a different (ephemeral) port on the client.
- Port range: 1024-65535
- NACL outbound rules must allow this range, or the return traffic is dropped.
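The ordering, first-match, catch-all-deny and ephemeral-port behaviour described above, as an added example that is not part of the original notes: a small NACL rule evaluator run over constructed rules, showing that a stateless NACL drops the server's reply unless an outbound rule covers the client's ephemeral port, and that a deny rule only blocks an address if its number is lower than the allow it should override.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # rules are evaluated lowest number first
    action: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "all"
    ports: tuple   # (low, high) inclusive port range
    cidr: str      # NACL rules can only reference CIDR ranges


def evaluate(rules, protocol, port, ip):
    """Return the action of the first matching rule, in numbered order.
    No match falls through to the catch-all '*' rule, an implicit deny."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if addr in ipaddress.ip_network(rule.cidr):
            return rule.action  # first match wins; processing stops here
    return "deny"


# Constructed example NACL (not from any real account):
# rule 90 blocks one client range, rule 100 opens HTTPS to everyone.
INBOUND = [
    Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    Rule(90, "deny", "all", (0, 65535), "203.0.113.0/24"),
]
# Stateless: the server's replies to the client's ephemeral port need their own rule.
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]
OUTBOUND_WITHOUT_EPHEMERAL = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]


def https_session(client_ip, client_port, outbound):
    """Simulate one HTTPS request into the subnet and the reply back out."""
    request = evaluate(INBOUND, "tcp", 443, client_ip)
    if request == "deny":
        return "request denied"
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return "ok" if reply == "allow" else "reply denied"


if __name__ == "__main__":
    print(https_session("198.51.100.7", 50000, OUTBOUND_WITH_EPHEMERAL))     # ok
    print(https_session("198.51.100.7", 50000, OUTBOUND_WITHOUT_EPHEMERAL))  # reply denied
```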
Security Groups
A Security Group is a virtual (software) firewall that is attached to an ENI (Elastic Network Interface) – EC2, RDS, Lambda in a VPC, etc.
Features
- Each group has inbound rules and outbound rules.
- A security group has a hidden (implicit/default) deny rule.
- Rules can reference a CIDR range or a security group ID.
- Only allow rules can be specified; a security group cannot explicitly deny traffic.
- You cannot block specific IPs using a security group.
- Security groups are stateful, which means that for any allowed traffic, the return traffic is automatically allowed. (OSI Layer 5 – Session)
- A security group can be shared across two VPCs in the same region.
- Changes to security groups take effect immediately.
- You can attach multiple security groups to an EC2 instance.
- Each ENI is allowed up to 5 security groups.
- You can have any number of EC2 instances within a security group.
Default Security Group
- A default VPC creates a default security group.
- It disallows all inbound traffic except from the same security group.
- Allows all traffic between instances in the same security group
- It allows all outbound traffic.
Custom Security Group
- A newly created security group has different default rules.
- It denies all inbound traffic.
- It allows all outbound traffic.