Concepts

Network Access Control Lists (ACLs)

A Network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might consider a Network ACL as the first line of defense for your VPC. Here’s how it works:

  • Stateless: Unlike Security Groups, Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
  • Rules: Network ACLs contain a numbered list of rules that are evaluated in order, starting with the lowest numbered rule. AWS recommends starting the rule number with 100 to allow for insertion of new rules.
  • Allow/Deny: Each rule either allows or denies traffic.
  • Subnet Association: A Network ACL is associated with one or more subnets. Each subnet in a VPC must be associated with a Network ACL. If you don’t explicitly associate a subnet with a Network ACL, the subnet is automatically associated with the VPC’s default Network ACL.
  • Default ACL: Your VPC automatically comes with a default Network ACL, and by default, it allows all inbound and outbound IPv4 and IPv6 traffic.

Example Network ACL rules (evaluated from the lowest number; the final * rule denies any traffic the earlier rules did not match):

100 ALLOW TCP 80 (HTTP) from 0.0.0.0/0 to 0.0.0.0/0
200 ALLOW TCP 443 (HTTPS) from 0.0.0.0/0 to 0.0.0.0/0
* DENY ALL traffic

Security Groups

Security Groups act as a virtual firewall for your EC2 instances to control inbound and outbound traffic. Here is how they are used:

  • Stateful: Security Groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  • Instance Level: Security groups operate at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.
  • Rules: You can specify separate rules for inbound (ingress) and outbound (egress) traffic. By default, all inbound traffic is blocked, and all outbound traffic is allowed.
  • Elasticity: You can associate a security group with multiple instances and a single instance with multiple security groups.

Example Security Group rules for an EC2 instance:

Inbound rules (protocol, port range, source, description):

  • Rule 1: TCP, port 80, source 0.0.0.0/0 (Allow HTTP traffic from anywhere)
  • Rule 2: TCP, port 22, source 203.0.113.0/24 (Allow SSH access from a specific IP range)
  • Rule 3: TCP, port 443, source 0.0.0.0/0 (Allow HTTPS traffic from anywhere)

Outbound rules typically allow all traffic to exit unless you specifically tailor the outbound rules otherwise.

Comparison between Network ACLs and Security Groups

  • Scope: Network ACLs are subnet-level; Security Groups are instance-level.
  • Stateful/Stateless: Network ACLs are stateless; Security Groups are stateful.
  • Rules Processing: Network ACL rules are processed in numerical order; all Security Group rules are evaluated before deciding to allow traffic.
  • Default Behavior: the default Network ACL allows all inbound and outbound traffic; Security Groups by default allow all outbound and deny all inbound.
  • Rule Type: Network ACLs have Allow and Deny rules; Security Groups have Allow rules only.
  • Use Case: use Network ACLs for broad traffic control across multiple subnets; use Security Groups for granular control over individual instances.
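To make the two evaluation models concrete, the following is an added example (not code from AWS or from this page) that simulates a stateless, first-match Network ACL and a stateful, allow-only Security Group in Python and runs the page's example rules over a constructed HTTP request and its reply. The rule numbers, ports and CIDRs are the page's; the outbound ephemeral-port rule, the rule-50 deny for a single host, the instance and client addresses, and every class and function name are assumptions made for the illustration.

```python
"""Toy evaluator for the two VPC filtering models described above.

Added example, not AWS code or the page's own: it models a stateless,
first-match Network ACL and a stateful, allow-only Security Group, then runs
the page's example rules over a constructed HTTP exchange. Rule numbers,
ports and CIDRs come from the text; the outbound ephemeral-port rule, the
/32 deny and all IP addresses are assumed values added for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" or "out", relative to the subnet or instance


@dataclass(frozen=True)
class AclRule:
    number: int      # lowest number is evaluated first
    direction: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "all"
    ports: range     # destination ports the rule covers
    cidr: str        # source CIDR for inbound, destination CIDR for outbound


@dataclass(frozen=True)
class SgRule:
    direction: str
    proto: str
    ports: range
    cidr: str


def _matches(direction, proto, ports, cidr, pkt):
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (direction == pkt.direction
            and proto in ("all", pkt.proto)
            and pkt.dport in ports
            and ip_address(peer) in ip_network(cidr))


def acl_evaluate(rules, pkt):
    """Stateless first match: the lowest-numbered matching rule decides and
    evaluation stops; with no match the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.direction, r.proto, r.ports, r.cidr, pkt):
            return r.action, r.number
    return "deny", "*"


class SecurityGroup:
    """Stateful and allow-only: a packet passes if any rule allows it, and the
    reply to a passed packet is let through by connection tracking alone."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # 5-tuples of connections already allowed

    def evaluate(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow (tracked reply)"
        for r in self.rules:
            if _matches(r.direction, r.proto, r.ports, r.cidr, pkt):
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "allow"
        return "deny"   # no deny rules exist; anything unmatched is dropped


# The page's example Network ACL (rules 100 and 200 plus the '*' catch-all).
# Outbound rule 100 is an assumed addition: without it the stateless ACL drops
# the server's replies, which leave on a high (ephemeral) destination port.
PAGE_ACL = [
    AclRule(100, "in", "allow", "tcp", range(80, 81), "0.0.0.0/0"),
    AclRule(200, "in", "allow", "tcp", range(443, 444), "0.0.0.0/0"),
    AclRule(100, "out", "allow", "tcp", range(1024, 65536), "0.0.0.0/0"),
]
# Assumed rule showing how a single host is blocked: its low number makes it
# win over the allow at 100 (the page notes security groups cannot do this).
BLOCK_ONE_HOST = AclRule(50, "in", "deny", "all", range(0, 65536), "198.51.100.7/32")

# The page's example Security Group plus the default allow-all egress.
PAGE_SG = [
    SgRule("in", "tcp", range(80, 81), "0.0.0.0/0"),
    SgRule("in", "tcp", range(22, 23), "203.0.113.0/24"),
    SgRule("in", "tcp", range(443, 444), "0.0.0.0/0"),
    SgRule("out", "all", range(0, 65536), "0.0.0.0/0"),
]


def http_exchange(acl_rules, sg_rules):
    """Push a constructed HTTP request and its reply through both models."""
    request = Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 80, "in")
    reply = Packet("10.0.1.10", "198.51.100.7", "tcp", 80, 40000, "out")
    sg = SecurityGroup(sg_rules)
    return {
        "acl_request": acl_evaluate(acl_rules, request)[0],
        "acl_reply": acl_evaluate(acl_rules, reply)[0],
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
    }


if __name__ == "__main__":
    print("full rules:       ", http_exchange(PAGE_ACL, PAGE_SG))
    print("no egress ACL:    ", http_exchange(PAGE_ACL[:2], PAGE_SG))
    print("host denied at 50:", http_exchange([BLOCK_ONE_HOST] + PAGE_ACL, PAGE_SG))
```

Running it shows the point of the comparison: the security group lets the reply back out through connection tracking even though no rule names port 40000, while the network ACL needs an explicit outbound rule for ephemeral ports, and a deny placed at a lower number than the allow wins because evaluation stops at the first match.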

Conclusion

Understanding and correctly implementing Network ACLs and Security Groups are crucial for maintaining a secure VPC environment. As you study for the AWS Certified Cloud Practitioner exam, be sure to grasp how these security measures interact with each other and how they can be layered to create a defense-in-depth strategy for your AWS resources. By meticulously configuring both, you can ensure that your AWS infrastructure is resilient against unauthorized access and potential security threats.

Answer the Questions in the Comment Section

True or False: In Amazon VPC, security groups are stateful, whereas network ACLs are stateless.

  • A. True
  • B. False

Answer: A. True

Explanation: Security groups in a VPC are stateful, meaning they keep track of the state of a connection and automatically allow return traffic. Network ACLs are stateless and don’t maintain any record of previous connections.

A network ACL has a set of numbered rules that are evaluated in what order?

  • A. Alphabetical order
  • B. Reverse numerical order (highest to lowest)
  • C. Random order
  • D. Numerical order (lowest to highest)

Answer: D. Numerical order (lowest to highest)

Explanation: Network ACL rules are evaluated in numerical order, starting with the lowest numbered rule.

True or False: Security groups in AWS can only allow traffic but cannot deny traffic.

  • A. True
  • B. False

Answer: A. True

Explanation: Security groups are stateful and can only have allow rules. They cannot explicitly deny traffic; if traffic is not explicitly allowed, it’s denied by default.

Which of the following services facilitate encrypted communication within a VPC?

  • A. AWS Shield
  • B. AWS WAF
  • C. TLS/SSL
  • D. Amazon Macie

Answer: C. TLS/SSL

Explanation: TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are cryptographic protocols that provide secure communication over a computer network, which can be used within a VPC for encrypting data in transit.

True or False: It is possible to associate multiple security groups with an Amazon EC2 instance.

  • A. True
  • B. False

Answer: A. True

Explanation: An Amazon EC2 instance can be associated with multiple security groups, providing granular control over the traffic to and from the instance.

How are network ACLs evaluated when deciding whether to allow or deny traffic?

  • A. Only the first matching rule is applied, and evaluation stops.
  • B. All rules are matched, and the most specific rule is applied.
  • C. Rules are evaluated based on the port numbers only.
  • D. Rules are evaluated based on the source and destination, in addition to the port numbers.

Answer: A. Only the first matching rule is applied, and evaluation stops.

Explanation: For network ACLs, the rules are evaluated in order, starting from the lowest number, and as soon as a rule matches the traffic, it’s either allowed or denied, and no further evaluation takes place.

True or False: When you create a new Amazon VPC, it comes with a default network ACL that allows all inbound and outbound traffic.

  • A. True
  • B. False

Answer: A. True

Explanation: By default, a new VPC has a default network ACL that allows all inbound and outbound IPv4 and IPv6 traffic.

Security groups operate at which layer of the OSI model?

  • A. Network Layer
  • B. Application Layer
  • C. Data Link Layer
  • D. Transport Layer

Answer: D. Transport Layer

Explanation: Security groups work at the transport layer, where they filter traffic based on TCP/UDP ports and IP protocols.

Multiple select: Which of the following statements are true regarding AWS VPC security groups and network ACLs?

  • A. Security groups support allow rules only.
  • B. Network ACLs can filter traffic leaving and entering a subnet.
  • C. Security groups limit traffic at the VPC boundary.
  • D. Network ACLs are evaluated based on the rule number, from lowest to highest.

Answer: A, B, and D. Security groups support allow rules only; Network ACLs can filter traffic leaving and entering a subnet; Network ACLs are evaluated based on the rule number, from lowest to highest.

Explanation: Security groups support only allow rules and filter traffic to EC2 instances, not at VPC boundaries. Network ACLs filter traffic leaving and entering a subnet and are evaluated based on rule numbers, from the lowest to the highest.

True or False: Security groups can be applied to an EC2 instance only during the instance’s launch.

  • A. True
  • B. False

Answer: B. False

Explanation: Security groups can be assigned to an EC2 instance both at the time of launch and after the instance has been created.

True or False: You can block specific IP addresses using security groups.

  • A. True
  • B. False

Answer: B. False

Explanation: Security groups do not provide the functionality to block specific IP addresses. However, you can use network ACLs to deny traffic from specific IP addresses.

Which AWS service allows you to monitor the network traffic within your AWS environment?

  • A. AWS Config
  • B. VPC Flow Logs
  • C. AWS Inspector
  • D. AWS Trusted Advisor

Answer: B. VPC Flow Logs

Explanation: VPC Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC, allowing you to monitor the traffic within your AWS environment.
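As an added example (not code from AWS or from this page), the Python below parses VPC Flow Log records in the default version 2 layout and summarises rejected flows per source address and destination port, which is how a defender would see which traffic the security groups and network ACLs described above are dropping. The log lines are constructed for the example, the account and interface ids are placeholders, and the function names are assumptions.

```python
"""Summarise rejected flows from VPC Flow Log records.

Added example, not AWS code or the page's own. It parses the default
(version 2) flow log record layout, which AWS documents as:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status. The sample records below are
constructed for this example; the account and interface ids are placeholders.
"""
from collections import Counter

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")

# Constructed sample: one accepted web request, two rejected SSH attempts from
# a source outside the allowed 203.0.113.0/24 range, one accepted SSH session
# from inside it, and a NODATA record (no traffic in the capture window).
SAMPLE_LOG = """\
2 111111111111 eni-EXAMPLE 198.51.100.7 10.0.1.10 40000 80 6 10 8400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE 192.0.2.5 10.0.1.10 50123 22 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE 192.0.2.5 10.0.1.10 50124 22 6 1 60 1700000010 1700000070 REJECT OK
2 111111111111 eni-EXAMPLE 203.0.113.9 10.0.1.10 51000 22 6 20 3000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per record; records that carry no traffic data are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA have '-' in the fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def reject_summary(records):
    """Count REJECT records per (source address, destination port).

    A REJECT means the traffic was dropped by a security group or network ACL,
    so repeated rejects from one source on one port point at a probe or a
    misconfigured client worth looking into."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def accepted_bytes_by_source(records):
    """Bytes accepted per source address, to see who actually got through."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["srcaddr"]] += r["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (src, port), n in reject_summary(recs).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
    print(dict(accepted_bytes_by_source(recs)))
```

On the sample the two rejected records from 192.0.2.5 on port 22 stand out, exactly the source the page's security group example excludes because it lies outside 203.0.113.0/24.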

Jonathan Bradley
4 months ago

Great overview of how AWS services can render VMs on end-user devices!

Rémi Sanchez
5 months ago

Can someone explain the difference between Amazon WorkSpaces and Amazon AppStream 2.0?

نازنین رضاییان

Thanks for the information, this will help me a lot in prepping for my exam!

Sophia Frazier
5 months ago

This blog is lacking deeper insights on the cost implications of these services.

Valentine Caron
5 months ago

Does anyone have experience with using Amazon AppStream 2.0 for CAD software?

Todd Simmons
3 months ago

Appreciate the blog post!

Viktoria Wittich
5 months ago

Can Amazon WorkSpaces be integrated with my on-premise Active Directory?

Mads Tørstad
3 months ago

Thanks for this useful overview!
