Wednesday, April 7, 2021

AWS, VPC, Subnet, Internet Gateway, Route Tables, NACL, Security Groups

https://www.fugue.co/hubfs/Security-vs-NACLshs-1.png
https://www.fugue.co/blog/cloud-network-security-101-aws-security-groups-vs-nacls
https://medium.com/awesome-cloud/aws-difference-between-security-groups-and-network-acls-adc632ea29ae#:~:text=All%20rules%20in%20a%20security,order%2C%20from%20top%20to%20bottom.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html


VPC Peering : Connecting 2 VPC 

Data Flow inside AWS

VPC

Route Table : Once Data Arrives at Subnet, RT attached to Subnet decides where to route data traffic , It cannot block/unblock, it can just route
Data Traffic may want to come to My Subnet
Data Traffic may want to go from Subnet to Other Subnet or May want to Go to Outside World
Route to Local or Route to IGW or Route to NAT Gateway.
0.0.0.0.0 : Traffic meant for "NOT VPC Subnet"  -> Route to IGW or NAT
p.q.r.s/16  : "Subnet Traffic " -> Route Locally to Subnet

NACL : Once Data Traffic arrives at Subnet
It has to cross N/W Firewall - Subnet Firewall - known as NACL which may allow it or block it.
It checks Protocol Type, Port, Source/Destination (depending on Incoming/Outgoing Direction) and then allows or blocks, The rules are Numbered, If a Match is found, It can be DENY or ALLOW Rule and no further rules are processed.
Its stateless, You have to configure separate rule for incoming and outgoing and they both are independent of each other

Security Group :
It is stateful 
It has Incoming and Outgoing Rules
But Incoming is related to Outgoing 
It has no DENY/ALLOW rule flag
All Rules are ALLOW by default
Rule says 
->  Allow PROTOCOL on PORT from SOURCE  - Incoming
->  Allow PROTOCOL on PORT from DESTINATION - Outgoing
SSH is TCP Protocol on 22
HTTP is TCP protocol on 80
PING in NCMP Protocol
If Incoming Rule allowed SSH on Port 80 and I did not mention Allow SSH on Port 22 for Outgoing, Even Then SSH will be allowed in Outgoing because its stateful, it remembers.
If Outgoing Rule is allowed, on PORT 80 and We did  not Configure HTTP on Incoming Side
Even then SSH will be allowed on that Machine


Internet  :  Internet GW <-> VPC <-> Route Table   <->  NACL  <-> Security Group <-> EC2 Instance

NACL :
"Default" or not 
"Default" is a property of NACL
Default NACL has Implicit Mapping of all  Subnets.
stateless - Outbound/Inbount have no memory(no Statefulness)- Need to be Configured Separately
allow/deny property for each rule - Just in case we change our Mind later :-P
Default NACL allows all Traffic for both Inbound/Outbound
A new custom NACL denies all Traffic for both Inbound/Outbound
NACL is applied at Subnet Level (Firewall for Subnet)
NACL rules are numbered , Lower number gets evaluated 1st
                        Rules are created with specific increments, like the difference between 2 rules is either 1,10, 100 
NACL has * DENY Rule at the end , It cannot be deleted/modified
Inbound:    RuleNumber, Type, Protocol, PortRange, Source, Allow/Deny
Outbound: RuleNumber, Type, Protocol, PortRange, Destination, Allow/Deny
Each subnet is required to be associated with one—and only one—NACL
Each VPC has a default NACL - which allows all Traffic
In contrast, AWS processes NACL rules one at a time. 
Each NACL rule has a number, and AWS starts with the lowest numbered rule. 
If traffic matches a rule, the rule is applied and no further rules are evaluated.
If traffic doesn't match a rule, AWS moves on to evaluate the next consecutive rule
This default NACL has one "allow-all" and one "deny-all" rule for both inbound and outbound traffic, for a total of 4 default rules. 
A custom (non-default) NACL, it has one deny-all rule for both inbound and outbound traffic,total of 2 rules.
NACLs work at the subnet level.
NACLs are considered an optional form of defense for instances. A subnet must have a NACL, but by default, a NACL is configured to allow all traffic in and out.
Subnet can have only one NACL
Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.
VPC can have many NACL, but each Subnet is associated with 1 NACL only
Without Subnet explicilty associated to NACL, its rules have no effect
When you create a VPC, AWS automatically creates a Security Group, NACL[Default]
Default NACL has Implicit Mapping of all  Subnets.
NACL knows who its Subnets are !!


Security Group:
Security Group has no record of Instances connected to it, But Instances know which Security Group They Belong
No "Default", No "Main" attribute here but VPC comes with 1 Security Group where everything is allowed
No Instance can be made without - SG
security groups work at the instance level
Security groups are a required form of defense for instances, because an instance must be associated with at least one security group. You can't launch an instance without one, and you can't remove the only remaining security group from an existing instance.
However, a particular security group only applies to an instance if a user deliberately associates it with the instance, either at launch time or after the instance has been created.
                       Security group -Rules' dont have Allow/Deny - feature. If a Rule is there, its for Allow
                        If Rule is not there- It means its Denied Implicitly
Implicit deny, which means all traffic is denied unless an inbound or outbound rule explicitly allows it.
Security groups are stateful; they automatically allow return traffic, no matter what rules are specified. If your instance sends out a request, the connection is tracked and the response is accepted regardless of explicit inbound rules. If traffic is allowed into an instance, the response is allowed out regardless of explicit outbound rules
Security Groups are not numbered
AWS evaluates all rules for all the security groups associated with an instance before deciding whether to allow traffic in or out. The most permissive rule is applied—so remember that your instance is only as secure as your weakest rule.
Security groups don't need rules to evaluate response traffic. There's only a need to define inbound or outbound rules to evaluate requests, because once a request is permitted, its response is automatically permitted as well.
AWS created default security group has one default inbound rule allowing traffic from other instances associated with the same security group. 
A custom (non-default) security group, it has no inbound rules by default.
Inbound: Type,Protocol,Port range,Source,Description - optional
Outbound: Type,Protocol,Port range,Destination,Description - optional

Instance can have multiple Security groups. When you launch an instance in a VPC, you can assign up to 5 security groups to the instance
Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic.

Internet Gateway :
No "Default", No "Main" attribute here
"Attached/Detached"
IGW knows which VPC its connected to - Attribute "VPC ID"
A VPC can have  multiple IGW - Internet Gateways
Internet Gateway is associated/attached with VPC
But Only 1 IGW will be "Attached" , Rest will be in "Detached" mode

Route Table :
VPC has a "MAIN" Route Table, which VPC gets by default
"Main" is a property attribute of RT.
                        You cannot delete the main route table.
                        Route Table knows - Who its associated Subnets are - "Explicit subnet associations" - Attribute of RT
Route Table is associated with Subnet.
                        You cannot set a gateway route table as the main route table.
                        You can replace the main route table with a "Custom" route table.
Destination, Target, Status, Propagated
172.31.0.0/16 local
0.0.0.0/0         igw-0320a023a88aa238e
Subnets have not been explicitly associated with any route tables and are associated with Main route table.
Default"Main" Route Table has 2 Routes - 1st to "Local",2nd to "Internet Gateway"
"Custom" Route Table has Only 1 Local Route within VPC
Every route table contains a local route for communication within the VPC
Each route in a table specifies a destination and a target.
IPv4 and IPv6 traffic are treated separately. i.e. Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other.
Route Priority — if your route table has multiple routes, we use the most specific route that matches the traffic (longest prefix match) to determine how to route the traffic.


Internet  :  Internet Gateway  <-> Route Table   <->  NACL  <-> Security Group <-> EC2 Instance

No comments:

Post a Comment

Azure - Pipeline - Add Approver for Stage

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass