What is Security Groups and Difference between Security Groups And NACL-Aws Blog Info

-

It adds a security layer to EC2 instances that control both inbound and outbound traffic at the instance level.

What is NACL?

NACL also adds an additional layer of security associated with subnets that control both inbound and outbound traffic at the subnet level.

Combining Security Group and NACL

Maximum number of rules that exist per NACL: 20

Maximum number of rules that can exist per Security Group: 50

Maximum number of Security Groups that can exist per instance: 5

Maximum number of rules that can exist per instance: 5*50 + 20 = 270

Differences b/w Security Group and NACL

What is a Security Group
Security GroupNACL (Network Access Control List)
It supports only allow rules, and by default, all the rules are denied. You cannot deny the rule for establishing a connection.It supports both allow and deny rules, and by default, all the rules are denied. You need to add the rule which you can either allow or deny it.
It is a stateful means that any changes made in the inbound rule will be automatically reflected in the outbound rule. For example, If you are allowing an incoming port 80, then you also have to add the outbound rule explicitly.It is a stateless means that any changes made in the inbound rule will not reflect the outbound rule, i.e., you need to add the outbound rule separately. For example, if you add an inbound rule port number 80, then you also have to explicitly add the outbound rule.
It is associated with an EC2 instance.It is associated with a subnet.
All the rules are evaluated before deciding whether to allow the traffic.Rules are evaluated in order, starting from the lowest number.
Security Group is applied to an instance only when you specify a security group while launching an instance.NACL has applied automatically to all the instances which are associated with an instance.
It is the first layer of defense.It is the second layer of defense.

  • A security group is a virtual firewall which is controlling the traffic to your EC2 instances.
  • When you first launch an EC2 instance, you can associate it with one or more security groups.
  • A Security group is the first defence against hackers.

Let's understand the concept of security group through an example.

  • Sign in to the AWS Management console.
  • Launch a new EC2 instance.
  • Choose an Amazon Machine Image.
Security Group
  • Choose the instance type. Suppose I choose the instance, i.e., t2.micro, and then click on the Next.
Security Group
  • Now, configure the Instance details. Keep all the details as default, and then click on the Next.
Security Group
  • Attach the EBS Volume to your EC2 instance. By default, Root is the default EBS volume which is attached to your EC2 instance. Click on the Next.
Security Group
  • Add tags.
Security Group
  • Configure Security Group. Select an existing security group that you created previously, i.e., WebServer.
Security Group

Security Group

The above screen shows that a WebServer is a security group that consists of inbound rules such as protocol, port range, and source address.

  • Click on the Review and Launch button.
Security Group

From the above screen, we observe that the security group, WebServer is open to the world means that SSH port is open to the world.

  • Click on the Launch button.
  • Create a new key-pair. A key-pair allows you to connect to your instance securely.
Security Group
  • Click on the Launch Instances.
  • A key-pair is generated with .pem extension. Convert the pem file into ppk file by using putygen tool.
  • Open the putty.
  • Enter the host name, i.e., ec2-user@18.222.2.1, and save the host name in a session logging.
  • Click on the SSH appearing on the right-side of the putty, move to the Auth and then attach the ppk file.
  • Run the command sudo su to move to the root level and then update the EC2 instance by running the command yum update -y.
  • Install the Apache server so that EC2 instance becomes a web server by running the command yum install httpd -y.
  • Run the command cd /var/www/html to set the path.
  • Now, create a text editor by using the command nano index.html.
  • Start the Apache server by running the command service httpd start.
  • After starting the server, copy the public IP address, and paste it to the browser.
Security Group
  • Security group consists of inbound rules, and the inbound rules are created by us only. Suppose I add three inbound rules, i.e., HTTP, SSH, and HTTPS.
Security Group
  • We can also delete the inbound rule. Suppose I want to delete the Http protocol, then click on the Edit button, and then click on the save button.
Security Group

Deleting the HTTP protocol from the security group would not allow us to see the Http, and this change is applied to the group immediately.

Note: An inbound rule consists of a source of the traffic and port range. If we are implementing any rules in the security group, then it happens very quickly.

  • We can also Edit the Outbound rule. Suppose I delete the All traffic rule, click on the Save button.
Security Group

Copy and paste an IP address to the web browser and run it.

Security Group

We got the same output. Therefore, we can say that it allows the traffic into an EC2 instance, and also will provide the responses without even any outbound rule set.

Note: When we add an inbound rule, then it automatically added in an outbound rule.

Move to the default security group. An Inbound rule of a default group consists of MYSQL/Aurora and RDP.

Security Group
  • We can add multiple groups to a single EC2 instance. Suppose I want to add a default security group to an EC2 instance. Move to the EC2 instance, click on the Actions dropdown menu. Move to the Networking, and then click on the Change Security Group.
Security Group
  • Now, check the default security group which you want to add to your EC2 instance.
Security Group

Some important points to remember:

  • All inbound traffic is blocked by Default, i.e., you need to add the traffic such as HTTP, HTTPs, etc.
  • All outbound traffic is allowed automatically.
  • You can have any number of EC2 instances within a security group.
  • You can have multiple security groups attached to EC2 instance./li>
  • Security groups are stateful, i.e., if you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.

Comments

Post a Comment

Popular posts from this blog

Amazon Route 53-AWS Blog Info

-
Image
Amazon Route 53  is a highly available and scalable Domain Name System (DNS) web service. It is designed for developers and corporates to route the end users to Internet applications by translating human readable names like  www.mydomain.com , into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. How to Configure Amazon Route 53? Following are the steps to configure Route 53. Step 1  − Open the Amazon Route 53 console using this link −  https://console.aws.amazon. com/route53/ . Step 2  − Click create hosted zone option on the top left corner of the navigation bar. Step 3  − A form page opens. Provide the required details such as domain name and comments, then click the Create button. Step 4  − Hosted zone for the domain will be created. There will be four DNS endpoints called delegation set and these endpoints must be updated in the domain names Nameserver settings. Step 5  − If it is  godaddy.com  th...
Read more

Introduction To Amazon Web services-AWS Blog Info

-
Image
·   AWS stands for  Amazon Web Services . ·   The AWS service is provided by the Amazon that uses distributed IT infrastructure to provide different IT resources available on demand. It provides different services such as infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS). ·   Amazon launched AWS, a cloud computing platform to allow the different organizations to take advantage of reliable IT infrastructure. Uses of AWS ·   A small manufacturing organization uses their expertise to expand their business by leaving their IT management to the AWS. ·   A large enterprise spread across the globe can utilize the AWS to deliver the training to the distributed workforce. ·   An architecture consulting company can use AWS to get the high-compute rendering of construction prototype. ·   A media company can use the AWS to provide different types of content such as ebox or audio files to t...
Read more

What is DNS(Domain name Services)-AWS Blog Info

-
Image
DNS stands for Domain Name System. DNS is used when you use an internet. DNS is used to convert human-friendly domain names (such as  https://www.javatpoint.com ) into an Internet Protocol (IP) address. IP addresses are used by computers to identify each other on the network. IP addresses are of two types,  i.e., Ipv4 and Ipv6. Top Level Domains Domains are seperated by a string of characters seperated by dots. For example,  google.com ,  gmail.com , etc. The last word in a domain name is known as a Top Level Domain. The second word in a domain name is known as a second level domain name. For example: .com:  .com is a top-level domain. .edu:  .edu is a top-level domain. .gov:  .gov is a top-level domain. . co.uk :  .uk is a top-level domain name while .co is a second level domain name. . gov.uk :  .uk is a top-level domain name while .gov is a second level domain name. The Top level domain names are controlled by IANA (Internet Assigned Numbe...
Read more