Saturday, April 10, 2021

AWS : Internet <-> Internet GW <-> VPC <-> Route Table <-> NACL <-> Security Group <-> EC2 Instance

 Data Flow inside AWS

Internet  :  Internet GW <-> VPC <-> Route Table   <->  NACL  <-> Security Group <-> EC2 Instance


VPC

Route Table : Once Data Arrives at Subnet, RT attached to Subnet decides where to route data traffic , It cannot block/unblock, it can just route
Data Traffic may want to come to My Subnet
Data Traffic may want to go from Subnet to Other Subnet or May want to Go to Outside World
Route to Local or Route to IGW or Route to NAT Gateway.
0.0.0.0.0 : Traffic meant for "NOT VPC Subnet"  -> Route to IGW or NAT
p.q.r.s/16  : "Subnet Traffic " -> Route Locally to Subnet

NACL : Once Data Traffic arrives at Subnet
It has to cross N/W Firewall - Subnet Firewall - known as NACL which may allow it or block it.
It checks Protocol Type, Port, Source/Destination (depending on Incoming/Outgoing Direction) and then allows or blocks, The rules are Numbered, If a Match is found, It can be DENY or ALLOW Rule and no further rules are processed.
Its stateless, You have to configure separate rule for incoming and outgoing and they both are independent of each other

Security Group :
Determines the traffic that can reach/leave your instance.
It is stateful 
It has Incoming and Outgoing Rules
But Incoming is related to Outgoing 
It has no DENY/ALLOW rule flag
All Rules are ALLOW by default
Rule says 
->  Allow PROTOCOL on PORT from SOURCE  - Incoming
->  Allow PROTOCOL on PORT from DESTINATION - Outgoing
SSH is TCP Protocol on 22
HTTP is TCP protocol on 80
PING in NCMP Protocol
If Incoming Rule allowed SSH on Port 80 and I did not mention Allow SSH on Port 22 for Outgoing, Even Then SSH will be allowed in Outgoing because its stateful, it remembers.
If Outgoing Rule is allowed, on PORT 80 and We did  not Configure HTTP on Incoming Side
Even then SSH will be allowed on that Machine



No comments:

Post a Comment

Azure - Pipeline - Add Approver for Stage

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass