VPC Security

NACL

  • NACL - Network Access Control List
  • NACLs are associated with Subnets. Every Subnet has exactly one associated NACL, either the VPC's default NACL or a custom NACL. One NACL can be associated with multiple Subnets
  • NACLs are stateless: inbound and outbound traffic are evaluated independently, so the return traffic of an allowed request must be allowed by its own rule (typically on the ephemeral port range)
  • NACLs have explicit ALLOW and explicit DENY rules
  • Rules are processed in order by Rule Number, starting from the lowest Rule Number
  • Processing stops at the first matching rule. I.e. if a lower rule number matches, higher rule numbers are not processed, so a DENY intended to override a broad ALLOW must have the lower number
  • A VPC is created with a default NACL. It has the implicit DENY (the catch-all `*` rule) plus an explicit ALLOW-all rule, i.e. the default NACL has no practical effect and allows all traffic
  • Custom NACLs, by contrast, only have the implicit DENY rule by default, so they block everything until ALLOW rules are added
  • Because NACLs support EXPLICIT DENY, they are a good mechanism to block bad actors, e.g. to specifically block a compromised host
  • One can reference IPs/CIDRs, ports and protocols, but no logical resources can be referenced within NACLs
  • They can only be assigned to Subnets
  • Generally we use Security Groups to allow traffic and NACLs to deny traffic

Security Groups

  • Security Groups are stateful. They automatically detect response traffic
  • If an INBOUND or OUTBOUND request is allowed, the response to that request is automatically allowed, regardless of the rules in the opposite direction
  • There is no EXPLICIT DENY in Security Groups; anything not explicitly allowed is implicitly denied. Hence they can't block a specific bad actor
  • Security Groups allow referencing of logical resources, e.g. other Security Groups (or themselves)
  • Security Groups are not attached to Instances or Subnets. They are attached to ENIs (Elastic Network Interfaces)
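The NACL and Security Group behaviour described in the two lists above (ordered first-match evaluation, implicit DENY, stateless vs. stateful return traffic) modelled in a small evaluator. This is an added example, not AWS code; the classes, rule numbers, CIDRs and ports are constructed sample values. Only inbound Security Group rules plus connection tracking are modelled; outbound rules are omitted for brevity.

```python
"""Toy model of NACL vs. Security Group evaluation (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number (ignored for Security Groups, which are unordered)
    cidr: str          # remote CIDR: source for inbound, destination for outbound
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str        # "allow" or "deny" (Security Groups only ever use "allow")

    def matches(self, remote_ip, port, protocol):
        return (ip_address(remote_ip) in ip_network(self.cidr)
                and self.protocol in (protocol, "all")
                and self.port_from <= port <= self.port_to)


class NACL:
    """Stateless: each direction is evaluated on its own, lowest rule number first."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, remote_ip, port, protocol="tcp"):
        for rule in self.rules:
            if rule.matches(remote_ip, port, protocol):
                return rule.action   # first match wins; later rules are never consulted
        return "deny"                # the implicit '*' DENY at the end of every NACL


class SecurityGroup:
    """Stateful: allow-only rules; the reply to an allowed request is allowed automatically."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.tracked = set()         # (src_ip, src_port, dst_ip, dst_port) of allowed requests

    def inbound(self, pkt):
        if any(r.matches(pkt.src_ip, pkt.dst_port, pkt.protocol) for r in self.inbound_rules):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"                # no explicit DENY exists; everything else is implicitly denied

    def outbound_reply(self, pkt):
        # A reply swaps source and destination; it is allowed if the request was tracked.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.tracked else "deny"


def demo():
    """Run the constructed scenario and return every decision keyed by name."""
    web_server = "10.0.1.5"
    client = Packet("203.0.113.10", 51515, web_server, 80)      # constructed legitimate client
    bad_actor = Packet("198.51.100.7", 40000, web_server, 80)   # constructed compromised host

    # Inbound NACL: the DENY for the compromised host is numbered BELOW the broad ALLOW.
    inbound = NACL([
        Rule(90, "198.51.100.7/32", "all", 0, 65535, "deny"),
        Rule(100, "0.0.0.0/0", "tcp", 80, 80, "allow"),
    ])
    # Same rules, but the DENY is numbered above the ALLOW, so it never fires for port 80.
    misordered = NACL([
        Rule(100, "0.0.0.0/0", "tcp", 80, 80, "allow"),
        Rule(110, "198.51.100.7/32", "all", 0, 65535, "deny"),
    ])
    # Outbound NACL: the stateless reply goes to the client's ephemeral port and needs its own rule.
    outbound_ok = NACL([Rule(100, "0.0.0.0/0", "tcp", 1024, 65535, "allow")])
    outbound_missing = NACL([Rule(100, "0.0.0.0/0", "tcp", 443, 443, "allow")])

    sg = SecurityGroup([Rule(0, "0.0.0.0/0", "tcp", 80, 80, "allow")])
    reply = Packet(web_server, 80, client.src_ip, client.src_port)
    unsolicited = Packet(web_server, 80, "192.0.2.9", 4444)

    return {
        "nacl_client_http": inbound.evaluate(client.src_ip, 80),
        "nacl_bad_actor_http": inbound.evaluate(bad_actor.src_ip, 80),
        "nacl_client_ssh": inbound.evaluate(client.src_ip, 22),            # implicit deny
        "nacl_misordered_bad_actor": misordered.evaluate(bad_actor.src_ip, 80),
        "nacl_reply_with_ephemeral_rule": outbound_ok.evaluate(client.src_ip, client.src_port),
        "nacl_reply_without_ephemeral_rule": outbound_missing.evaluate(client.src_ip, client.src_port),
        "sg_client_http": sg.inbound(client),
        "sg_reply": sg.outbound_reply(reply),
        "sg_unsolicited": sg.outbound_reply(unsolicited),
        "sg_bad_actor_http": sg.inbound(bad_actor),   # no DENY possible: same rule allows it
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:38} {decision}")
```

The two things worth noticing in the output: the misordered NACL lets the compromised host through because rule 100 matches first, and the stateless outbound NACL drops the reply unless the ephemeral port range is explicitly allowed, while the Security Group allows the same reply purely from its tracked state.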

NAT

  • NAT - Network Address Translation
  • Remapping of source or destination IP addresses to new values
  • IP Masquerading - hiding a block of IP addresses (e.g. a CIDR range) behind one IP address
  • NAT gives a private CIDR range outgoing internet access using a single public IP address. This does not give incoming access
  • An Internet Gateway (IGW) does public-to-private IP address translation for one IP address (one instance); a NAT Gateway (NATGW) does this for a block of addresses or a whole network
  • If you want to give an Instance its own public IPv4 access, only an IGW is required, but if you want to give a set of Instances or a network outbound internet access then a NATGW plus an IGW is required
  • A NATGW needs to run in a public subnet and have a public IP address. A NATGW uses an Elastic IP
  • NATGWs are AZ resilient. Hence for Region resiliency, deploy one NATGW in every AZ
  • NATGWs are a managed service and can scale up to 45 Gbps. To increase available bandwidth, deploy multiple NATGWs and split the Instances between them
  • NATGWs do not support Security Groups. Only NACLs can be used
  • NATGWs do not work with IPv6
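A toy source-NAT table illustrating the masquerading behaviour in the list above: many private addresses share one public IP and get outbound access, while unsolicited inbound traffic has no mapping and is dropped. This is an added example, not AWS's NAT Gateway implementation; the `NatGateway` class, its port-allocation scheme and all addresses are constructed. The model translates a reply only when it comes back from the same remote endpoint the flow was opened to, which is a deliberately conservative simplification.

```python
"""Toy source-NAT / masquerading table (added example, not AWS code)."""
from ipaddress import ip_address, ip_network


class NatGateway:
    """Maps many private (ip, port) pairs onto one public IP with distinct public ports."""

    def __init__(self, public_ip, private_cidr, first_public_port=1024):
        self.public_ip = public_ip                 # e.g. the Elastic IP of the gateway
        self.private_cidr = ip_network(private_cidr)
        self.next_port = first_public_port         # constructed allocation scheme: sequential
        self.outbound_map = {}   # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.inbound_map = {}    # public_port -> (private_ip, private_port, remote_ip, remote_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; returns the new (src_ip, src_port)."""
        src = ip_address(src_ip)
        if src.version != 4:
            raise ValueError("NAT gateway handles IPv4 only")     # mirrors the IPv6 note above
        if src not in self.private_cidr:
            raise ValueError(f"{src_ip} is not inside {self.private_cidr}")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:           # first packet of a flow: allocate a mapping
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public IP; None means no mapping, i.e. dropped."""
        entry = self.inbound_map.get(dst_port)
        if entry is None:
            return None                            # unsolicited inbound: no flow opened it
        private_ip, private_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                            # reply from a different endpoint than expected
        return private_ip, private_port


def demo():
    """Two private hosts reach the same remote service through one public IP."""
    nat = NatGateway(public_ip="198.51.100.200", private_cidr="10.0.2.0/24")
    remote = ("192.0.2.50", 443)                   # constructed remote HTTPS endpoint

    host_a = nat.translate_outbound("10.0.2.10", 40000, *remote)
    host_b = nat.translate_outbound("10.0.2.11", 40000, *remote)   # same private port, no clash
    host_a_again = nat.translate_outbound("10.0.2.10", 40000, *remote)  # existing flow reused

    return {
        "host_a_public": host_a,
        "host_b_public": host_b,
        "host_a_reused": host_a_again == host_a,
        "reply_to_a": nat.translate_inbound(*remote, host_a[1]),
        "reply_to_b": nat.translate_inbound(*remote, host_b[1]),
        "unsolicited": nat.translate_inbound("203.0.113.9", 5555, 2222),
        "wrong_sender": nat.translate_inbound("203.0.113.9", 5555, host_a[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Both private hosts appear to the remote service as `198.51.100.200` on different ports, replies are routed back by the port mapping, and an inbound packet to a port with no mapping (or from an unexpected sender) is dropped, which is the "outbound only, no incoming access" property of the list.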