AWS Security Group and NACL Demo

  1. We have created a custom VPC.

    1. Create an EC2 instance in the custom VPC.

    2. SSH into the EC2 instance, update the packages and run:

      python3 -m http.server 8000

      (This starts a simple HTTP server on the instance, listening on TCP port 8000 and serving the files from the current directory.)

    3. Try to reach the HTTP server from your machine using the instance's public IP (http://<public-ip>:8000). The request times out because port 8000 is not allowed: only SSH (port 22) is allowed in the security group's inbound rules. (See screenshots below.)

    4. Check the existing NACL inbound rules: the NACL is allowing all inbound traffic (rule 100, allow all), so the block is coming from the security group, not the NACL.

    5. Now go to the security group of the EC2 instance (sg-00a4b034e1b5af4f4 - launch-wizard-4), edit the inbound rules and add a rule allowing TCP port 8000. For a demo, restrict the source to your own IP rather than 0.0.0.0/0.

    6. As we have added the port, we can now access the webpage.

    7. Now edit the inbound rules of the NACL and block port 8000 at the NACL level by changing the inbound rule for it to Deny.

    8. As we have blocked the port at the NACL level, we are now unable to access the URL, even though the security group still allows port 8000.

  9. Now edit the NACL inbound rules again as below and try to access the URL once more.

    Rule number 100 - All traffic, Allow

    Rule number 200 - Deny traffic

    Rule number * - All traffic, Deny (the default rule at the end of every NACL; it cannot be edited or removed)

  10. We are able to access the URL. NACL rules are evaluated in ascending order of rule number and the first matching rule wins, so rule 100 (allow all) matches first and rule 200 is never reached. The security group also allows port 8000, hence the traffic flows to the instance.

  11. Now modify the NACL inbound rules again as below (rule 100 removed):

    Rule 110 - TCP port 8000, Deny

    Rule 200 - All traffic, Allow

    Now the traffic does not reach the URL: rule 110 is the lowest-numbered rule matching port 8000, so the request is denied before rule 200 is considered. Blocking a specific port at the NACL level only works if the deny rule has a lower number than every allow rule that covers that port.
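The console steps above, as an added boto3 script that is not the demo author's code: it adds the port 8000 allow to the security group and sets the NACL to the demo's final state (110 deny tcp/8000, 200 allow all). SG_ID is the group named in the demo; ACL_ID and CLIENT_CIDR are placeholders you must set, and the helper names (sg_ingress_params, nacl_entry_params, set_nacl_entry, evaluation_order) are this example's own. It also adds the outbound ephemeral-port rule that the stateless NACL needs for the HTTP replies.

```python
"""
Added example (not the demo author's code): the demo's security-group and
NACL edits done with boto3 instead of the console.  SG_ID is the group
named in the demo; ACL_ID and CLIENT_CIDR are placeholders you must set.
main() changes live rules, so point it at a throwaway VPC.
"""
from typing import Any, Dict, List, Optional, Tuple

SG_ID = "sg-00a4b034e1b5af4f4"    # launch-wizard-4, from the demo
ACL_ID = "acl-REPLACE-ME"         # placeholder: the NACL associated with the instance's subnet
CLIENT_CIDR = "203.0.113.10/32"   # constructed: the /32 you test from, rather than 0.0.0.0/0
DEFAULT_DENY = 32767              # RuleNumber the API reports for the '*' rule at the end of every NACL


def sg_ingress_params(group_id: str, port: int, cidr: str) -> Dict[str, Any]:
    """kwargs for ec2.authorize_security_group_ingress: allow one TCP port (SGs have no deny rules)."""
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": f"demo tcp/{port}"}],
        }],
    }


def nacl_entry_params(acl_id: str, number: int, action: str, egress: bool,
                      port_from: Optional[int] = None, port_to: Optional[int] = None,
                      cidr: str = "0.0.0.0/0") -> Dict[str, Any]:
    """kwargs for ec2.create_/replace_network_acl_entry. No ports means all traffic (Protocol '-1')."""
    params: Dict[str, Any] = {
        "NetworkAclId": acl_id, "RuleNumber": number, "RuleAction": action,
        "Egress": egress, "CidrBlock": cidr,
        "Protocol": "-1" if port_from is None else "6",   # protocol numbers are strings; 6 = TCP
    }
    if port_from is not None:
        params["PortRange"] = {"From": port_from, "To": port_to if port_to is not None else port_from}
    return params


def evaluation_order(entries: List[Dict[str, Any]], egress: bool) -> List[Tuple[str, str, str]]:
    """Entries of one direction from describe_network_acls, in the order the VPC evaluates
    them: ascending rule number, first match wins, '*' (32767) last."""
    rows = []
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        number = "*" if e["RuleNumber"] == DEFAULT_DENY else str(e["RuleNumber"])
        pr = e.get("PortRange")
        ports = "all" if e["Protocol"] == "-1" else (f"{pr['From']}-{pr['To']}" if pr else f"proto {e['Protocol']}")
        rows.append((number, e["RuleAction"], ports))
    return rows


def _rule_exists(ec2, acl_id: str, number: int, egress: bool) -> bool:
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    return any(e["RuleNumber"] == number and e["Egress"] == egress for e in acl["Entries"])


def set_nacl_entry(ec2, **params) -> str:
    """Create the entry, or replace it if that rule number already exists in that direction."""
    if _rule_exists(ec2, params["NetworkAclId"], params["RuleNumber"], params["Egress"]):
        ec2.replace_network_acl_entry(**params)
        return "replaced"
    ec2.create_network_acl_entry(**params)
    return "created"


def delete_nacl_entry_if_present(ec2, acl_id: str, number: int, egress: bool) -> bool:
    if not _rule_exists(ec2, acl_id, number, egress):
        return False
    ec2.delete_network_acl_entry(NetworkAclId=acl_id, RuleNumber=number, Egress=egress)
    return True


def main() -> None:
    import boto3   # imported here so the helpers above work (and can be tested) without boto3
    ec2 = boto3.client("ec2")
    # step 5: allow tcp/8000 in the security group, from the test client only
    ec2.authorize_security_group_ingress(**sg_ingress_params(SG_ID, 8000, CLIENT_CIDR))
    # demo's final inbound state: 110 deny tcp/8000 before 200 allow all.  The NACL's original
    # rule 100 (allow all) would match first and let 8000 through, so remove it.
    delete_nacl_entry_if_present(ec2, ACL_ID, 100, egress=False)
    set_nacl_entry(ec2, **nacl_entry_params(ACL_ID, 110, "deny", False, 8000))
    set_nacl_entry(ec2, **nacl_entry_params(ACL_ID, 200, "allow", False))
    # stateless caveat: replies leave for the client's ephemeral port, so egress must allow 1024-65535
    set_nacl_entry(ec2, **nacl_entry_params(ACL_ID, 200, "allow", True, 1024, 65535))
    acl = ec2.describe_network_acls(NetworkAclIds=[ACL_ID])["NetworkAcls"][0]
    for direction, egress in (("inbound", False), ("outbound", True)):
        print(direction, evaluation_order(acl["Entries"], egress))


if __name__ == "__main__":
    main()
```

Run it with AWS credentials that can modify the group and the NACL, then repeat the curl from the client after each step to confirm the behaviour matches the console demo. The helpers return plain parameter dicts and status strings so they can be checked against a stub EC2 client before anything touches a real VPC.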

Key points to note

  1. Security groups operate at the instance (network interface) level and have to be assigned explicitly to the instance. Network ACLs operate at the subnet level and apply automatically to all instances deployed in the associated subnet.

  2. Security groups are stateful. Return traffic of an allowed connection is permitted regardless of the rules in the other direction.
    e.g. If you allow incoming traffic on port 8000, the replies from port 8000 back to the client are allowed automatically; no outbound rule is needed for them.

    Network ACLs are stateless. Return traffic must be explicitly allowed by the rules, and a change to an inbound rule has no effect on the outbound rules.
    e.g. If you allow incoming port 8000, you also need an outbound rule for the replies. Because the client connects from a random ephemeral source port, that outbound rule has to allow the ephemeral port range (1024-65535), not port 8000; an outbound rule for port 8000 alone would drop every reply.

  3. In a security group you can specify allow rules, but not deny rules: anything not explicitly allowed is dropped. A network ACL supports both allow and deny rules, numbered and evaluated in ascending order with the first match winning.

  4. An instance can have multiple security groups (the default quota is five per network interface). A subnet can be associated with only one NACL, although one NACL can be associated with many subnets.

  5. For inbound/ingress traffic the network ACL is the first layer of defense and the security group is the second.

    For outbound/egress traffic the security group is the first layer of defense and the network ACL is the second.

    Either layer can drop a packet: a NACL deny is not overridden by a security group allow, and a missing security group allow is not fixed by a NACL allow (the demo's first failed attempt to load the page shows the latter).
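The key points above, as an added simulation that is not part of the original demo: a small model of how a NACL (stateless, ordered allow/deny, first match wins) and a security group (stateful, allow-only) decide the fate of one HTTP request and its reply. It replays the demo's rule sets and goes one step further than the text by showing the ephemeral-port problem a stateless NACL creates for the replies. The rule numbers and ports are the demo's; the client address 203.0.113.10 and its source port 51000 are constructed, and the class and function names are this example's own.

```python
"""
Added example, not from the original demo: a model of how a network ACL
(stateless, ordered allow/deny, subnet-wide) and a security group
(stateful, allow-only, per ENI) handle one HTTP request and its reply.
Rule numbers, ports and rule sets are the demo's; the client address
203.0.113.10 and its ephemeral source port 51000 are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALL_PORTS = range(0, 65536)           # "all traffic" for a security group rule set


@dataclass(frozen=True)
class NaclRule:
    number: int                       # evaluated in ascending order, first match wins
    action: str                       # "allow" or "deny"
    port_from: Optional[int] = None   # None = all traffic
    port_to: Optional[int] = None     # None = same as port_from

    def matches(self, port: int) -> bool:
        if self.port_from is None:
            return True
        high = self.port_to if self.port_to is not None else self.port_from
        return self.port_from <= port <= high


def nacl_verdict(rules: List[NaclRule], port: int) -> Tuple[str, str]:
    """First matching rule decides; the '*' rule at the end denies whatever nothing matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(port):
            return rule.action, str(rule.number)
    return "deny", "*"


@dataclass
class SecurityGroup:
    inbound: object = field(default_factory=set)   # ports with an inbound allow rule (allow only)
    outbound: object = ALL_PORTS                   # default group: all outbound allowed
    tracked: Set[Tuple[str, int, int]] = field(default_factory=set)  # connection-tracking table

    def admit_request(self, client: str, client_port: int, server_port: int) -> bool:
        if server_port not in self.inbound:
            return False
        self.tracked.add((client, client_port, server_port))   # remember the accepted flow
        return True

    def admit_reply(self, client: str, client_port: int, server_port: int) -> bool:
        # stateful: a reply on a tracked flow passes regardless of the outbound rules
        if (client, client_port, server_port) in self.tracked:
            return True
        return client_port in self.outbound


def simulate_http_request(nacl_in: List[NaclRule], nacl_out: List[NaclRule], sg: SecurityGroup,
                          client: str = "203.0.113.10", client_port: int = 51000,
                          server_port: int = 8000) -> str:
    # ingress: the subnet NACL first, then the instance's security group
    action, rule = nacl_verdict(nacl_in, server_port)
    if action != "allow":
        return f"request dropped by inbound NACL rule {rule}"
    if not sg.admit_request(client, client_port, server_port):
        return f"request dropped by security group (no inbound allow for tcp/{server_port})"
    # egress (the HTTP reply): security group first, then the NACL, which is stateless
    if not sg.admit_reply(client, client_port, server_port):
        return "reply dropped by security group"
    action, rule = nacl_verdict(nacl_out, client_port)   # reply goes to the client's ephemeral port
    if action != "allow":
        return f"reply dropped by outbound NACL rule {rule} (reply goes to tcp/{client_port}, not tcp/{server_port})"
    return "page loads"


def run_demo() -> Dict[str, str]:
    allow_all = [NaclRule(100, "allow")]
    sg_ssh_only = lambda: SecurityGroup(inbound={22})
    sg_with_8000 = lambda: SecurityGroup(inbound={22, 8000})
    return {
        "SG allows only tcp/22, NACL allow all":
            simulate_http_request(allow_all, allow_all, sg_ssh_only()),
        "SG allows tcp/8000, NACL allow all":
            simulate_http_request(allow_all, allow_all, sg_with_8000()),
        "NACL inbound rule 100 changed to deny tcp/8000":
            simulate_http_request([NaclRule(100, "deny", 8000)], allow_all, sg_with_8000()),
        "NACL inbound 100 allow all, 200 deny all":
            simulate_http_request([NaclRule(100, "allow"), NaclRule(200, "deny")], allow_all, sg_with_8000()),
        "NACL inbound 110 deny tcp/8000, 200 allow all":
            simulate_http_request([NaclRule(110, "deny", 8000), NaclRule(200, "allow")], allow_all, sg_with_8000()),
        "stateless: outbound NACL allows only tcp/8000":
            simulate_http_request(allow_all, [NaclRule(100, "allow", 8000)], sg_with_8000()),
        "stateless: outbound NACL allows ephemeral 1024-65535":
            simulate_http_request(allow_all, [NaclRule(100, "allow", 1024, 65535)], sg_with_8000()),
        "stateful: SG with no outbound rules at all":
            simulate_http_request(allow_all, allow_all, SecurityGroup(inbound={22, 8000}, outbound=set())),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:55} -> {outcome}")
```

The two "stateless" scenarios are the ones the console demo never exercises: with the NACL's outbound side reduced to tcp/8000 the request reaches the server but every reply is dropped by the '*' rule, because the reply is addressed to the client's ephemeral port, while the security group with no outbound rules at all still lets the reply through via its connection-tracking table.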