[AWS Networking - Network ACLs & Security Groups]

Security Groups: Instance-Level Firewalls

Definition and Purpose of Security Groups

  • Security groups act as virtual firewalls at the instance level (strictly, they are attached to the elastic network interface of the resource).

  • They control both inbound and outbound traffic for resources like EC2 instances, load balancers, and RDS databases.

  • By default, a newly created security group denies all inbound traffic and allows all outbound traffic. (The VPC's default security group is the one exception: it additionally allows inbound traffic from other members of the same group.)

Stateful Nature of Security Groups

  • Security groups are stateful, meaning return traffic for allowed inbound requests is automatically permitted.

  • For example, if HTTP traffic is allowed inbound on Port 80, the corresponding outbound responses are automatically allowed.

  • This simplifies management by eliminating the need for matching outbound rules for every inbound rule.

Configuring Security Group Rules

  • Inbound rules specify the type of traffic allowed and its source.

  • Outbound rules define the type of traffic allowed to leave the instance.

  • Rules can reference another security group as the source or destination instead of a CIDR, enabling security group chaining (for example, the web tier accepts traffic only from the load balancer's group). Security groups contain allow rules only; there is no deny rule, so anything not explicitly allowed is dropped.

Example: Security Group for an Application Load Balancer

  • Create a security group named “ALBsg” for the load balancer.

  • Add inbound rules for HTTP (Port 80) and HTTPS (Port 443) traffic from the Internet (0.0.0.0/0).

  • Associate the security group with the load balancer to allow Internet traffic.
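The ALBsg group above, plus a web-tier group chained to it, expressed as boto3 calls. This is an added example, not code from the original page: the group name "WebSG", the web port 8080 and the VPC id passed to apply() are illustrative assumptions, and the boto3 calls are real but only execute inside apply() when AWS credentials are available. The rule-building and audit functions run offline on the same IpPermissions structure that describe_security_groups returns.

```python
"""Build the ALBsg / web-tier security group rules and audit Internet exposure.

Added example (not the page's code). Assumed: the VPC id, group names and
port 8080 are illustrative; boto3 is only imported inside apply().
"""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def world_ingress(port):
    """Inbound rule admitting one TCP port from any IPv4 or IPv6 address."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": WORLD_V4, "Description": "Internet"}],
        "Ipv6Ranges": [{"CidrIpv6": WORLD_V6, "Description": "Internet"}],
    }


def chained_ingress(source_group_id, port):
    """Inbound rule admitting one TCP port only from members of another
    security group (chaining). No CIDR appears in the rule at all."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_group_id}],
    }


def alb_ingress():
    """The page's ALBsg inbound rules: HTTP and HTTPS from the Internet."""
    return [world_ingress(80), world_ingress(443)]


def world_open_ports(ip_permissions):
    """Set of ports (or 'all' for protocol -1 rules) reachable from
    0.0.0.0/0 or ::/0 according to a group's IpPermissions list."""
    exposed = set()
    for perm in ip_permissions:
        v4_world = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
        v6_world = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
        if not (v4_world or v6_world):
            continue
        if perm["IpProtocol"] == "-1":
            exposed.add("all")
        elif perm["IpProtocol"] in ("tcp", "udp"):
            exposed.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return exposed


def unexpected_exposure(ip_permissions, allowed_ports):
    """Everything open to the world beyond the ports the group is meant to
    expose (for ALBsg that is {80, 443}; for a web tier it is the empty set)."""
    return world_open_ports(ip_permissions) - set(allowed_ports)


def apply(vpc_id, region="us-east-1", web_port=8080):
    """Create both groups in the given VPC. Runs only with AWS credentials."""
    import boto3  # imported here so the functions above work without it

    ec2 = boto3.client("ec2", region_name=region)
    alb = ec2.create_security_group(
        GroupName="ALBsg", Description="Internet-facing ALB", VpcId=vpc_id)
    ec2.authorize_security_group_ingress(
        GroupId=alb["GroupId"], IpPermissions=alb_ingress())
    web = ec2.create_security_group(
        GroupName="WebSG", Description="Web tier, reachable only from ALBsg",
        VpcId=vpc_id)
    ec2.authorize_security_group_ingress(
        GroupId=web["GroupId"],
        IpPermissions=[chained_ingress(alb["GroupId"], web_port)])
    return alb["GroupId"], web["GroupId"]
```

Because a security group is stateful, neither group needs an outbound rule for the responses it sends back; the web tier's default allow-all outbound rule is what lets it reach the database tier, and tightening that outbound rule is a separate decision. Running unexpected_exposure() over describe_security_groups output is a quick way to catch a port 22 rule that was left open to 0.0.0.0/0 on a group that should only expose 80 and 443.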

Network Access Control Lists (Network ACLs)

Definition and Purpose of Network ACLs

  • Network ACLs provide an additional layer of security at the subnet level.

  • They control inbound and outbound traffic for subnets.

  • Unlike security groups, network ACLs are stateless, requiring explicit rules for both directions.

Default Behavior of Network ACLs

  • The default network ACL that comes with a VPC allows all inbound and outbound traffic; a network ACL you create yourself denies everything until you add rules.

  • Rules are numbered and evaluated from the lowest number up; the first matching rule decides, and the final catch-all rule (shown as *) denies anything left over.

  • Unlike security groups, network ACLs support explicit deny rules, so they are useful for subnet-wide policy such as blocking a known-bad CIDR for every resource in the subnet.

Stateless Nature of Network ACLs

  • Stateless means that return traffic must be explicitly allowed by outbound rules. Because clients pick an ephemeral source port for each connection, a subnet that accepts inbound HTTP on Port 80 also needs an outbound rule for the ephemeral port range (typically 1024-65535) or the replies are dropped.

  • Both inbound and outbound rules must be defined for bidirectional communication.

  • This provides more control but requires careful configuration.

Use Cases for Network ACLs

  • Network ACLs suit subnet-wide requirements, such as denying a specific CIDR for every resource in a subnet, which a security group cannot express.

  • They can be used to troubleshoot network issues by temporarily modifying rules.

  • In simple use cases, default settings may suffice, but advanced scenarios may require customization.

Troubleshooting Network Connectivity Issues

Key Areas to Verify

  • Ensure the VPC has an Internet Gateway properly attached.

  • Check route tables for appropriate rules to direct traffic.

  • Verify route table associations with subnets are correctly configured.

Security Group Checks

  • Confirm security groups have the necessary inbound and outbound rules.

  • Ensure resources are associated with the correct security groups.

  • Review security group chaining to verify dependencies between resources.

Network ACL Checks

  • Review network ACL rules to ensure they allow required traffic.

  • Verify both inbound and outbound rules are correctly configured.

  • Adjust rules temporarily for troubleshooting purposes if needed.

Instance Configuration Checks

  • Confirm instances are associated with the correct subnets and security groups.

  • Verify instance-level settings, such as private IP addresses and whether a public IPv4 address was assigned (an instance in a public subnet without one is unreachable from the Internet).

  • Check for any misconfigurations that could impact connectivity.
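The gateway, route table and instance checks above, turned into a script. This is an added example rather than code from the page: diagnose() interprets the dictionaries that boto3 describe_instances and describe_route_tables return (the three route tables at the bottom are constructed), and collect() is the only part that talks to AWS, resolving the subnet's explicit route table association or falling back to the VPC's main table. The region default and instance ids are illustrative assumptions.

```python
"""Connectivity checks for one instance: IGW attached, default route,
public vs private subnet, public IP. Added example, not the page's code.
Route table and instance dicts follow the boto3 describe_* shapes; the
sample tables below are constructed."""


def default_route(route_table):
    """Target of the active 0.0.0.0/0 route, or None. Blackhole routes
    (target deleted, e.g. a removed NAT gateway) are ignored on purpose."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        return (r.get("GatewayId") or r.get("NatGatewayId")
                or r.get("TransitGatewayId") or r.get("VpcPeeringConnectionId"))
    return None


def subnet_is_public(route_table):
    """Public means the default route points at an Internet Gateway."""
    target = default_route(route_table)
    return bool(target) and target.startswith("igw-")


def diagnose(instance, route_table, vpc_has_igw):
    """Return a list of findings; empty means the path looks sound."""
    findings = []
    target = default_route(route_table)
    if not vpc_has_igw:
        findings.append("no Internet Gateway is attached to the VPC")
    if target is None:
        findings.append("route table has no active 0.0.0.0/0 route")
    elif target.startswith("nat-"):
        findings.append(f"subnet is private: default route goes to {target}")
    if target and target.startswith("igw-") and not instance.get("PublicIpAddress"):
        findings.append("instance in a public subnet has no public IPv4 address")
    return findings


def collect(instance_id, region="us-east-1"):
    """Fetch the facts for a real instance and run diagnose(). Needs credentials."""
    import boto3  # imported here so diagnose() runs without it

    ec2 = boto3.client("ec2", region_name=region)
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    rts = ec2.describe_route_tables(Filters=[
        {"Name": "association.subnet-id", "Values": [inst["SubnetId"]]}])["RouteTables"]
    if not rts:  # no explicit association: the VPC's main route table applies
        rts = ec2.describe_route_tables(Filters=[
            {"Name": "vpc-id", "Values": [inst["VpcId"]]},
            {"Name": "association.main", "Values": ["true"]}])["RouteTables"]
    igws = ec2.describe_internet_gateways(Filters=[
        {"Name": "attachment.vpc-id", "Values": [inst["VpcId"]]}])["InternetGateways"]
    return diagnose(inst, rts[0], bool(igws))


# Constructed sample route tables (ids are placeholders).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
PUBLIC_RT = {"RouteTableId": "rtb-0pub", "Routes": [
    LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"}]}
PRIVATE_RT = {"RouteTableId": "rtb-0priv", "Routes": [
    LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"}]}
BLACKHOLE_RT = {"RouteTableId": "rtb-0bh", "Routes": [
    LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0dead", "State": "blackhole"}]}
```

The main-route-table fallback in collect() matters: a subnet with no explicit association silently inherits the main table, and a main table that still routes 0.0.0.0/0 to an Internet Gateway turns every unassociated subnet public.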

Summary of Networking Concepts

VPCs and Subnets

  • VPCs provide isolated network environments, while subnets organize resources.

  • Route tables determine whether subnets are public or private: a subnet whose route table sends 0.0.0.0/0 to an Internet Gateway is public; one that routes it to a NAT Gateway (or has no default route) is private.

  • Proper configuration of Internet Gateways and NAT Gateways is essential for connectivity.

Security Groups

  • Security groups act as stateful firewalls at the instance level.

  • They simplify management by automatically allowing return traffic for inbound rules.

  • Rules can reference other security groups, enabling flexible configurations.

Network ACLs

  • Network ACLs provide stateless security at the subnet level.

  • They require explicit rules for both inbound and outbound traffic.

  • Useful for granular control and troubleshooting network issues.

Troubleshooting Steps

  • Verify VPC and subnet configurations, including route tables and gateways.

  • Check security group and network ACL rules for necessary permissions.

  • Ensure instances are correctly associated with subnets and security groups.

Practical Application: Troubleshooting Database Connectivity

Scenario Overview

  • The application load balancer sends Internet traffic to EC2 instances.

  • EC2 instances connect to RDS database instances for queries.

  • Connectivity issues may arise due to misconfigured networking rules.

Steps to Troubleshoot

  • Verify the RDS database instance is in the correct subnet.

  • Check that the security group for the database allows TCP traffic on Port 3306 (the MySQL and Aurora MySQL port; PostgreSQL uses 5432).

  • Ensure the EC2 instance's security group is referenced as the source of that inbound rule in the database security group, rather than a CIDR.

  • Review network ACLs for rules allowing database traffic.
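The database-connectivity check above, as an added example that is not part of the original page. diagnose_db_path() works on the dictionaries boto3 returns for the EC2 instance, the RDS instance and the database's security groups, so it runs offline on the constructed data at the bottom; collect() is the only part that calls AWS. It also catches two conditions the checklist implies: the instance and the database living in different VPCs (a security group reference does not cross VPCs), and the database port being open to 0.0.0.0/0 instead of chained to the application tier. Identifiers and the region default are illustrative assumptions.

```python
"""Does the application tier's security group reach the RDS port?
Added example (not the page's code). Dicts follow the boto3 shapes of
describe_instances, describe_db_instances and describe_security_groups;
the samples at the bottom are constructed."""


def db_ingress_matches(db_groups, port, app_group_ids):
    """Inbound rules on the database's groups that admit TCP `port`.
    Returns (chained, cidrs): chained lists (db group, app group) pairs
    that reference one of the app's groups; cidrs lists CIDR sources."""
    chained, cidrs = [], []
    for g in db_groups:
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):
                continue
            if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] in app_group_ids:
                    chained.append((g["GroupId"], pair["GroupId"]))
            for r in perm.get("IpRanges", []):
                cidrs.append((g["GroupId"], r["CidrIp"]))
    return chained, cidrs


def diagnose_db_path(app_instance, db_instance, db_groups):
    """Return findings for the EC2 -> RDS path; empty means it looks right."""
    findings = []
    port = db_instance["Endpoint"]["Port"]
    if app_instance["VpcId"] != db_instance["DBSubnetGroup"]["VpcId"]:
        findings.append("EC2 instance and RDS instance are in different VPCs; "
                        "a security group reference does not cross VPCs")
    app_sgs = {sg["GroupId"] for sg in app_instance["SecurityGroups"]}
    chained, cidrs = db_ingress_matches(db_groups, port, app_sgs)
    if not chained:
        findings.append(f"no inbound rule on the DB security groups references "
                        f"{sorted(app_sgs)} on TCP {port}")
    if any(cidr == "0.0.0.0/0" for _, cidr in cidrs):
        findings.append(f"DB port {port} is open to 0.0.0.0/0; "
                        f"replace the CIDR with a security group reference")
    return findings


def collect(instance_id, db_identifier, region="us-east-1"):
    """Fetch the real objects and run diagnose_db_path(). Needs credentials."""
    import boto3  # imported here so the pure functions run without it

    ec2 = boto3.client("ec2", region_name=region)
    rds = boto3.client("rds", region_name=region)
    app = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    db = rds.describe_db_instances(DBInstanceIdentifier=db_identifier)["DBInstances"][0]
    db_sg_ids = [g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]]
    db_groups = ec2.describe_security_groups(GroupIds=db_sg_ids)["SecurityGroups"]
    return diagnose_db_path(app, db, db_groups)


# Constructed samples (placeholder ids).
APP = {"InstanceId": "i-0app", "VpcId": "vpc-0a",
       "SecurityGroups": [{"GroupId": "sg-0app", "GroupName": "WebSG"}]}
DB = {"DBInstanceIdentifier": "orders-db",
      "Endpoint": {"Address": "orders-db.example.invalid", "Port": 3306},
      "DBSubnetGroup": {"VpcId": "vpc-0a"},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db"}]}


def db_groups_with(sources):
    """One DB group with a single 3306 rule; sources are 'sg-...' or CIDRs."""
    perm = {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")],
            "IpRanges": [{"CidrIp": s} for s in sources if not s.startswith("sg-")]}
    return [{"GroupId": "sg-0db", "IpPermissions": [perm]}]


DB_SG_GOOD = db_groups_with(["sg-0app"])       # chained to the web tier
DB_SG_STALE = db_groups_with(["sg-0old"])      # references a group no longer in use
DB_SG_OPEN = db_groups_with(["0.0.0.0/0"])     # world-open database port
```

A stale reference is the most common form of "missing rule" in practice: the application tier was redeployed with a new security group and the database rule still points at the old one, so the rule exists, the port is right, and the connection still times out.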

Common Issues and Resolutions

  • Missing or incorrect security group rules for database traffic.

  • Misconfigured route tables preventing traffic flow.

  • Network ACLs blocking required inbound or outbound traffic.

Importance of Troubleshooting Skills

  • Network connectivity issues are common in AWS environments.

  • Understanding VPCs, subnets, security groups, and network ACLs is essential.

  • Troubleshooting skills enable efficient resolution of connectivity problems.