Tutorial / Cram Notes
In AWS, a route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed. Each subnet in a VPC must be associated with a route table, which can be either the main route table or a custom table you’ve created. The route table controls the routing for the subnet’s traffic.
Key Concepts:
- Main route table: Controls routing for every subnet that has no custom route table associated with it.
- Custom route tables: Allow more granular routing rules for individual subnets.
- Routes: Each contains a destination CIDR block and a target (e.g., internet gateway, virtual private gateway, NAT gateway, VPC peering connection).
- Subnet associations: Determine which route table controls the traffic for a subnet.
Example Route Table:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-id |
In the above table, traffic within the VPC (10.0.0.0/16) is kept local, while all other traffic is directed to an Internet Gateway (igw-id).
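As an added illustration (not part of the original notes), the following Python snippet applies AWS's longest-prefix-match rule to the table above. It extends the page's table with a hypothetical peering route and adds a private-subnet table that has no internet route; `pcx-EXAMPLE` is a placeholder id, as `igw-id` is.

```python
import ipaddress

# Constructed route tables. PUBLIC_ROUTES is the page's example table plus a
# hypothetical peering route (pcx-EXAMPLE is a placeholder id, like igw-id).
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-id"),
    ("10.1.0.0/16", "pcx-EXAMPLE"),
]
# A private-subnet table: only the local route, so nothing reaches the internet.
PRIVATE_ROUTES = [("10.0.0.0/16", "local")]

def lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match (the most
    specific matching route wins), or None when no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def classify(route_table, dst_ip):
    """Describe the outcome for a destination in the page's terms."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return "dropped"            # no matching route: the packet goes nowhere
    if target == "local":
        return "stays in VPC"
    return "forwarded via " + target
```

Run `classify(PRIVATE_ROUTES, "93.184.216.34")` to see why an instance in a private subnet cannot reach the internet until a NAT route is added.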
Security Groups
Security groups act as a virtual firewall for instances to control inbound and outbound traffic at the instance level. Unlike network ACLs, security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
Key Concepts:
- Ingress rules: Control the incoming traffic to your instances.
- Egress rules: Control the outbound traffic from your instances.
- Stateful: Return traffic is automatically allowed, regardless of rules.
- Applies to instances: Not to subnets.
Example Security Group Configuration:
Ingress Rules:
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| SSH | TCP | 22 | 203.0.113.0/24 |
| HTTP | TCP | 80 | 0.0.0.0/0 |
Egress Rules:
| Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 |
The above example allows SSH access from a specific IP range and HTTP access from anywhere. It allows all outbound traffic.
Network ACLs
Network Access Control Lists (ACLs) are an additional layer of security for your VPC that act as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
Key Concepts:
- Stateless: Return traffic must be explicitly allowed by rules.
- Subnet-level: Network ACLs apply at the subnet level.
- Rules are evaluated in order (lowest numbered rule first).
Example Network ACL:
Inbound Rules:
| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | SSH | TCP | 22 | 203.0.113.0/24 | Allow |
| 200 | HTTP | TCP | 80 | 0.0.0.0/0 | Allow |
| * | All Traffic | All | All | 0.0.0.0/0 | Deny |
Outbound Rules:
| Rule # | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All Traffic | All | All | 0.0.0.0/0 | Allow |
| * | All Traffic | All | All | 0.0.0.0/0 | Deny |
Here, we’re allowing SSH and HTTP traffic inbound and all traffic outbound. Any traffic not matched by a rule is denied.
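The evaluator below is an added example (not from the original notes) that models the security group section and the network ACL section above with the same rule objects: ordered, stateless, first-match evaluation for the ACL and stateful allow-only evaluation for the security group. All addresses and ports are constructed; it also shows the gap in the example ACL, where replies to connections the instance itself opens arrive on an ephemeral port that no inbound rule allows.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    number: int     # NACL rule number, lowest evaluated first (ignored by SGs)
    protocol: str   # "tcp", "udp", "icmp" or "all"
    ports: tuple    # (low, high) inclusive; (0, 65535) means all ports
    cidr: str       # source for inbound rules, destination for outbound
    action: str     # "allow" or "deny" (security groups only ever allow)

def matches(rule, proto, port, ip):
    return (rule.protocol in ("all", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, proto, port, ip):
    """Stateless: first match in ascending rule-number order wins; the
    implicit '*' rule denies whatever no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, ip):
            return rule.action
    return "deny"

def nacl_session_allowed(inbound, outbound, remote_ip, remote_initiates,
                         service_port, ephemeral_port):
    """A TCP session passes a NACL only if the request AND the reply each
    hit an allow rule, since neither direction remembers the other."""
    if remote_initiates:   # remote:ephemeral_port -> instance:service_port
        req = nacl_decision(inbound, "tcp", service_port, remote_ip)
        reply = nacl_decision(outbound, "tcp", ephemeral_port, remote_ip)
    else:                  # instance:ephemeral_port -> remote:service_port
        req = nacl_decision(outbound, "tcp", service_port, remote_ip)
        reply = nacl_decision(inbound, "tcp", ephemeral_port, remote_ip)
    return req == "allow" and reply == "allow"

def sg_session_allowed(ingress, proto, port, ip):
    """Stateful: only the initiating direction is checked; the reply is
    allowed automatically, and there are no deny rules to order."""
    return any(matches(r, proto, port, ip) for r in ingress)

# The page's example network ACL and security group as constructed rules.
NACL_IN = [Rule(100, "tcp", (22, 22), "203.0.113.0/24", "allow"),
           Rule(200, "tcp", (80, 80), "0.0.0.0/0", "allow")]
NACL_OUT = [Rule(100, "all", (0, 65535), "0.0.0.0/0", "allow")]
SG_IN = [Rule(0, "tcp", (22, 22), "203.0.113.0/24", "allow"),
         Rule(0, "tcp", (80, 80), "0.0.0.0/0", "allow")]
# Replies to connections the instance opens come back on an ephemeral port,
# which NACL_IN never allows; rule 300 (ports 1024-65535) closes that gap.
NACL_IN_FIXED = NACL_IN + [Rule(300, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
```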
Key Differences and When to Use Each
Route Tables define how traffic is directed within your VPC: whether it stays inside the VPC, goes to the internet, or reaches other AWS services.
Security Groups are best when you need to control traffic to individual instances or groups of instances.
Network ACLs are a good choice for broad, stateless rules at the subnet level. They provide an additional layer of security.
While preparing for the AWS Certified Solutions Architect – Professional exam, understanding how to implement and combine these three components effectively is crucial for designing secure, scalable, and highly available networks in AWS.
Practice Test with Explanation
True or False: In AWS, every subnet must be associated with at least one route table.
- A) True
- B) False
Answer: A) True
Explanation: Every subnet in AWS must be associated with at least one route table, which controls the routing for that subnet.
True or False: Route tables in AWS can be used to direct traffic between Internet Gateways and subnets.
- A) True
- B) False
Answer: A) True
Explanation: Route tables in AWS are used to determine where network traffic from subnets or the VPC is directed, including to Internet Gateways for external traffic.
Which of the following can be used as a target for routes in a VPC route table? (Select TWO)
- A) Internet Gateway
- B) AWS Lambda function
- C) Virtual Private Gateway
- D) Amazon EC2 instance
- E) Network ACL
Answer: A) Internet Gateway, C) Virtual Private Gateway
Explanation: Targets for routes in a VPC route table include Internet Gateways (for the internet) and Virtual Private Gateways (for VPN connections). Lambda functions, EC2 instances, and Network ACLs are not used as direct targets in route tables.
True or False: Network Access Control Lists (ACLs) are stateful, meaning they automatically return traffic for sessions that are initiated from a subnet to an external destination.
- A) True
- B) False
Answer: B) False
Explanation: Network ACLs are stateless, which means they do not maintain the state of a network session, and inbound and outbound traffic rules must be set explicitly.
True or False: Security Groups in AWS are associated with individual instances, whereas Network ACLs are associated with subnets.
- A) True
- B) False
Answer: A) True
Explanation: Security Groups in AWS are associated with individual EC2 instances to control inbound and outbound traffic, while Network ACLs are associated with subnets to control the traffic entering and leaving a subnet.
Which AWS feature allows you to control the traffic to and from individual EC2 instances?
- A) Route tables
- B) Internet Gateway
- C) Network ACLs
- D) Security Groups
Answer: D) Security Groups
Explanation: Security Groups are used to control the traffic to and from individual EC2 instances.
True or False: Security Groups support allow rules only and not deny rules.
- A) True
- B) False
Answer: A) True
Explanation: Security Groups only support allow rules. If traffic is not expressly allowed, it is automatically denied.
True or False: Changes to a Network ACL are automatically applied to all subnets associated with the ACL.
- A) True
- B) False
Answer: A) True
Explanation: Changes made to a Network ACL are immediately applied to all the subnets associated with that ACL.
Which of the following actions are possible with Network ACLs but not with Security Groups? (Select TWO)
- A) Blocking specific IP addresses
- B) Stateful traffic filtering
- C) Defining allow and deny rules
- D) Filtering outbound traffic
- E) Assigning to specific EC2 instances
Answer: A) Blocking specific IP addresses, C) Defining allow and deny rules
Explanation: Network ACLs allow you to block specific IP addresses and define both allow and deny rules. Security Groups do not have deny rules and cannot be used to block specific IP addresses directly.
True or False: Network ACLs evaluate all rules before deciding whether to allow traffic.
- A) True
- B) False
Answer: B) False
Explanation: Network ACLs evaluate rules in numerical order, starting with the lowest numbered rule. They apply the first rule that matches the traffic (allow or deny) and ignore the rest.
True or False: Each subnet in a VPC can be associated with multiple Network ACLs.
- A) True
- B) False
Answer: B) False
Explanation: Each subnet in a VPC can be associated with only one Network ACL at a time; however, a single Network ACL can be associated with multiple subnets.
Which of the following statements is true regarding AWS route tables and subnets? (Select ONE)
- A) Subnets can be associated with multiple route tables at the same time.
- B) Route tables contain a default route for local VPC traffic.
- C) Route tables prevent traffic between subnets by default.
- D) Subnets do not have a default route table until one is explicitly associated.
Answer: B) Route tables contain a default route for local VPC traffic.
Explanation: Route tables always include a local route for communication within the VPC, which enables instances in different subnets of the same VPC to communicate with each other.
Interview Questions
Can you explain the difference between stateful and stateless firewall features within AWS VPC, particularly concerning security groups and network ACLs?
Security groups are stateful, meaning that if you send a request from your instance, the response traffic for that request is automatically allowed, irrespective of inbound rules. Network ACLs, on the other hand, are stateless, which means that they do not automatically allow response traffic based on allowed outbound traffic – both inbound and outbound rules should be set explicitly.
How do route tables work within a VPC and what is the significance of the main route table?
Route tables direct network traffic from within a VPC to different destinations. Each subnet in a VPC must associate with a route table, which determines where network traffic is directed. The main route table is the default route table that automatically associates with any new subnet you create within a VPC unless you specify another route table.
Describe how you can secure an Amazon EC2 instance within a VPC using security groups and network ACLs.
To secure an EC2 instance, you can employ both security groups and network ACLs. Security groups are attached to the instance and act as a virtual firewall controlling incoming and outgoing traffic at the instance level. You can define rules based on protocols, ports, and source/destination IP addresses. Network ACLs are applied at the subnet level and provide a layer of security that controls traffic from and to subnets within your VPC.
In AWS, what types of traffic can be controlled by Network ACLs that security groups can’t manage?
Network ACLs can filter traffic by IP protocol, CIDR block, and source/destination port, and they support both allow and deny rules, which makes it possible to block specific IP addresses. They also control traffic at the subnet boundary. Security groups cannot deny traffic: they only permit the traffic you specify, so they cannot explicitly block a particular IP address from establishing a connection.
How would updating a route table’s rules affect existing connections to instances within its associated subnets?
Route tables in AWS influence new connections, not existing ones. So, if you update a route table, it affects new routing decisions and how traffic is directed for new connections, while existing connections remain unaffected because they were established under the previous routing rules.
Is it possible to attach more than one security group to an EC2 instance in a VPC, and if so, how do the rules combine?
Yes, multiple security groups can be attached to an EC2 instance. The rules from each security group are aggregated to form a set of permissive rules. AWS evaluates all rules from all security groups associated with the instance to allow traffic.
How would you configure a network ACL to create a demilitarized zone (DMZ) within your VPC?
To create a DMZ, typically you’d place your public-facing instances (such as web servers) in a public subnet. The network ACL for the public subnet should allow traffic from the internet on necessary ports, while the network ACL for the private subnet (where databases or application servers might reside) should allow traffic only from the public subnet. You may need to restrict outbound traffic in the private subnets to ensure resources there cannot initiate communication to the internet directly.
When designing a VPC for high availability, how do route tables play a role?
For high availability, ensure that your VPC has multiple subnets across different Availability Zones. Because route tables direct traffic within the VPC, configure them so that routing is redundant, there is no single point of failure, and each AZ has the routes it needs to carry traffic if another AZ becomes unavailable.
What happens if you do not explicitly associate a subnet with a route table in a VPC?
If you don’t associate a subnet with a route table explicitly, it automatically associates with the main route table of the VPC.
How are Network ACLs evaluated by AWS when multiple entries (rules) are applicable to a packet?
AWS evaluates entries in a Network ACL in numeric order, from the lowest to the highest number. The first rule that matches the traffic type (inbound or outbound), source/destination, and protocol is applied irrespective of any other rules that may apply further down the list.
How can you ensure that an EC2 instance in a private subnet can access the Internet for updates without allowing inbound traffic from the Internet?
To provide internet access to an EC2 instance in a private subnet, you can use a NAT Gateway or a NAT instance in a public subnet. This allows the instance to initiate outbound traffic to the Internet and receive a response, but it does not allow unsolicited inbound traffic from the Internet.
What’s the purpose of having both security groups and network ACLs in AWS? Isn’t one type of access control enough?
Having both security groups and Network ACLs provides a layered security approach. Security groups provide instance-level security, acting like a firewall for associated instances. Network ACLs offer a subnet-level layer of security, serving as a second line of defense. They complement each other, allow for stateful and stateless filtering, and can be managed and audited separately to adhere to security best practices and meet various compliance requirements.
This blog post on Route tables, security groups, and network ACLs is really helpful for my AWS Certified Solutions Architect – Professional (SAP-C02) exam prep. Thanks!
Can someone explain the difference between security groups and network ACLs? I’m still confused.
Thanks for the detailed explanation on network ACLs! Exactly what I needed.
Amazing post! Much appreciated.
I think this blog should have included more examples.
Any tips for configuring route tables efficiently?
This is useful for understanding the differences between stateful and stateless filtering. Thanks!
Great info on route tables. Helped me understand their role in VPC.