VPCs can be protected with two layers of firewalls: one at the subnet boundary (the network ACL) and one at the instance's network interface (the security group).
Network Access Control List (NACL)
- A NACL controls traffic crossing the boundary of a subnet.
- Traffic between instances within the same subnet never passes through the NACL.
- NACLs filter on Layer 3/4 fields only (protocol, source/destination CIDR, port range) and are stateless: each packet is evaluated on its own, with no connection tracking.
- Because they are stateless, the return traffic of an allowed inbound flow must be explicitly allowed by an outbound rule, and vice versa.
- Every subnet is associated with exactly one NACL (the VPC's default NACL unless you associate a custom one); one NACL can serve many subnets.
- NACL is a collection of rules that can explicitly allow or deny traffic based on its protocol, port range, and source/destination.
- Rules are processed in numbered order, lowest first.
- When a match is found, processing stops; later rules are not evaluated.
- The "*" rule always comes last and denies whatever no numbered rule matched, so the default is a catch-all deny.
- NACL has two sets of rules:
  - Inbound: from outside the subnet to inside
  - Outbound: from inside the subnet to outside
- Every VPC comes with a default NACL that allows all inbound and outbound traffic (rule 100 "allow all" in each direction, followed by the "*" deny).
- A custom NACL denies all inbound and outbound traffic until you add rules.
- A custom NACL has no rule 100 allowing all traffic; it starts with only the "*" deny rule in each direction.
- Ephemeral ports: a client connects to the server's well-known port (for example 443) from an ephemeral source port, and the server's response is addressed back to that ephemeral port. Since the NACL is stateless, the server subnet's outbound rules must allow TCP to the client's ephemeral range, and a subnet whose instances initiate connections needs the matching inbound rule. Because the range depends on the client's operating system (Linux typically 32768-60999, Windows 49152-65535, NAT gateways and load balancers 1024-65535), AWS recommends allowing 1024-65535.
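The following is an added worked example, not code from these notes or from AWS: a small Python model of how a NACL evaluates packets, using constructed rule sets and documentation-range addresses (203.0.113.0/24, 10.0.1.0/24). It shows first match by ascending rule number, the "*" catch-all deny, and why a stateless outbound rule set that lacks an ephemeral-port allow drops the server's replies even though the request was allowed inbound.

```python
"""Model of NACL rule evaluation: numbered rules, lowest first, first match wins,
catch-all '*' deny, and no connection tracking. Constructed example, not AWS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int                       # evaluation order: lowest number first
    action: str                       # "allow" or "deny"
    protocol: str                     # "tcp", "udp" or "all"
    ports: Optional[Tuple[int, int]]  # destination port range (inclusive); None means all ports
    cidr: str                         # source CIDR (inbound rule) or destination CIDR (outbound rule)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def evaluate_nacl(rules, direction, pkt):
    """Return (action, matched_rule_number). Inbound rules are matched against the
    packet's source address, outbound rules against its destination address; both
    match on the destination port. Every packet is evaluated on its own (stateless)."""
    addr = ipaddress.ip_address(pkt.src_ip if direction == "inbound" else pkt.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.ports is not None and not (rule.ports[0] <= pkt.dst_port <= rule.ports[1]):
            continue
        return rule.action, rule.number   # first match wins; processing stops here
    return "deny", "*"                    # the '*' rule: catch-all deny


def tcp_exchange(inbound_rules, outbound_rules, client, server):
    """Evaluate one request packet and its reply through a stateless NACL.
    client/server are (ip, port) tuples. Returns (request_action, reply_action)."""
    request = Packet(client[0], client[1], server[0], server[1])
    reply = Packet(server[0], server[1], client[0], client[1])
    req_action, _ = evaluate_nacl(inbound_rules, "inbound", request)
    rep_action, _ = evaluate_nacl(outbound_rules, "outbound", reply)
    return req_action, rep_action


# Constructed rule sets and addresses (documentation ranges; not real infrastructure).
INBOUND = [
    NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]
OUTBOUND_NO_EPHEMERAL = [
    NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),   # only covers HTTPS the subnet *initiates*
]
OUTBOUND_FIXED = OUTBOUND_NO_EPHEMERAL + [
    NaclRule(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),  # replies to clients' ephemeral ports
]
CLIENT = ("203.0.113.10", 51515)   # ephemeral source port chosen by the client
SERVER = ("10.0.1.5", 443)


if __name__ == "__main__":
    print(tcp_exchange(INBOUND, OUTBOUND_NO_EPHEMERAL, CLIENT, SERVER))  # ('allow', 'deny')
    print(tcp_exchange(INBOUND, OUTBOUND_FIXED, CLIENT, SERVER))         # ('allow', 'allow')
    # Rule order: a deny numbered below the allow wins; numbered above it, it is never reached.
    blocked = [NaclRule(90, "deny", "tcp", (443, 443), "203.0.113.0/24")] + INBOUND
    shadowed = INBOUND + [NaclRule(200, "deny", "tcp", (443, 443), "203.0.113.0/24")]
    print(evaluate_nacl(blocked, "inbound", Packet(*CLIENT, *SERVER)))   # ('deny', 90)
    print(evaluate_nacl(shadowed, "inbound", Packet(*CLIENT, *SERVER)))  # ('allow', 100)
```

The second pair of calls is the practical lesson on rule numbering: a deny placed at 200 behind an allow at 100 never fires, which is a common mistake when trying to block an address with a NACL.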
Security Groups
A security group is a virtual firewall attached to elastic network interfaces (ENIs); EC2 instances, and other resources that live in a VPC, get it through their ENIs.
- Each group has inbound rules and outbound rules.
- A security group has a hidden (implicit) deny: anything not matched by an allow rule is dropped.
- Only allow rules can be written; a security group cannot explicitly deny traffic.
- You therefore cannot block a specific IP with a security group; use a NACL deny rule for that.
- Security groups are stateful: they track connections, so the return traffic of any allowed flow is permitted automatically, regardless of the rules in the opposite direction.
- A security group belongs to a single VPC. It cannot be attached to interfaces in another VPC, but a rule can reference a security group in a peered VPC in the same region as its source or destination.
- Changes to security groups take effect immediately.
- You can attach multiple security groups to an EC2 instance.
- Each ENI can have up to 5 security groups by default (an adjustable quota, up to 16; the product of groups per ENI and rules per group is also capped).
- You can have any number of EC2 instances within a security group.
- Every VPC, including the default VPC, gets a default security group:
  - Inbound: allows all traffic from other interfaces in the same security group; everything else is denied.
  - Outbound: allows all traffic.
- A newly created custom security group starts with different rules:
  - Inbound: no rules, so all inbound traffic is denied.
  - Outbound: one rule allowing all traffic.
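The following is an added worked example, not code from these notes or from AWS: a Python model of how the security groups on one ENI are evaluated, with constructed groups (`sg-web`, `sg-default`), made-up membership, and documentation-range addresses. It shows allow-only rules with an implicit deny, the union across several attached groups, a rule that references another group as its source (the default group's "same group" rule), and connection tracking: a reply to an allowed request passes even when the group has no outbound rule at all, while a new outbound flow from the same interface does not.

```python
"""Model of security-group evaluation: allow-only rules, union across the groups on
an ENI, group-to-group references, and connection tracking (stateful filtering).
Constructed example for illustration; not AWS's implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class SgRule:
    protocol: str                      # "tcp", "udp" or "all"
    ports: Optional[Tuple[int, int]]   # destination port range (inclusive); None for all ports
    peer: str                          # CIDR, or an "sg-..." id meaning "members of that group"


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)    # allow rules only; deny rules do not exist
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


class EniFilter:
    """The security groups attached to one ENI plus its connection-tracking table."""

    def __init__(self, groups, membership):
        self.groups = groups              # evaluated as a union: any allow rule in any group suffices
        self.membership = membership      # {ip: {sg_id, ...}}, used to resolve sg-to-sg references
        self.conntrack = set()            # 5-tuples of flows already allowed, in forward direction

    def _matches(self, rule, peer_ip, pkt):
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            return False
        if rule.ports is not None and not (rule.ports[0] <= pkt.dst_port <= rule.ports[1]):
            return False
        if rule.peer.startswith("sg-"):
            return rule.peer in self.membership.get(peer_ip, set())
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

    def check(self, direction, pkt):
        """Return True if the packet passes. Replies to a tracked flow pass without any rule
        lookup; a new flow needs a matching allow rule in at least one attached group."""
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.conntrack:
            return True                   # stateful: return traffic of an allowed flow
        peer_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        for group in self.groups:
            for rule in (group.inbound if direction == "inbound" else group.outbound):
                if self._matches(rule, peer_ip, pkt):
                    self.conntrack.add(flow)
                    return True
        return False                      # implicit deny: nothing allowed it


# Constructed groups and addresses (documentation ranges, made-up sg ids).
WEB = SecurityGroup("sg-web", inbound=[SgRule("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
DEFAULT = SecurityGroup("sg-default",
                        inbound=[SgRule("all", None, "sg-default")],   # all traffic from same group
                        outbound=[SgRule("all", None, "0.0.0.0/0")])   # all outbound traffic
MEMBERSHIP = {"10.0.1.5": {"sg-web", "sg-default"}, "10.0.1.6": {"sg-default"}}


def demo():
    """Run a few packets through an ENI with sg-web + sg-default and one with sg-web only."""
    both = EniFilter([WEB, DEFAULT], MEMBERSHIP)
    web_only = EniFilter([WEB], MEMBERSHIP)
    request = Packet("203.0.113.10", 51515, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51515)
    return {
        # sg-web allows the HTTPS request; the reply passes via state, not via any outbound rule
        "https_request": both.check("inbound", request),
        "https_reply": both.check("outbound", reply),
        # SSH from the internet: no attached group allows it, so the implicit deny applies
        "ssh_from_internet": both.check("inbound", Packet("203.0.113.10", 40000, "10.0.1.5", 22)),
        # SSH from a peer that is a member of sg-default: allowed by the group-reference rule
        "ssh_from_same_group": both.check("inbound", Packet("10.0.1.6", 40000, "10.0.1.5", 22)),
        # ENI with only sg-web (no outbound rules): the reply to an allowed request still passes ...
        "web_only_reply": web_only.check("inbound", request) and web_only.check("outbound", reply),
        # ... but a brand-new outbound connection is denied
        "web_only_new_outbound": web_only.check("outbound", Packet("10.0.1.5", 40001, "198.51.100.7", 443)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'allow' if allowed else 'deny'}")
```

Compare `web_only_reply` with `web_only_new_outbound`: the reply is identified by the tracked flow, not by its port, which is exactly the difference from the NACL model, where the same reply needs an explicit ephemeral-port rule.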