Table of contents
- Welcome back!
- Making Public Subnet 1...Public
- Network Access Control List (NACL)
- Create Public Subnet NACL
- Adding Inbound Rules to NACL
- Adding Outbound rules to NACL
- Associating NACL with Subnets
- Create the Private Network ACL
- Security Groups
- Create Public Web Server Security Group
- Create Private App Server Security Group
Welcome back!
In Part 2 of this series, we will be securing our network environment by creating Network Access Control Lists (NACLs) and Security Groups.
Let's get started!
Making Public Subnet 1...Public
By default, nondefault subnets have the IPv4 public addressing attribute set to false, and default subnets have this attribute set to true. An exception is a nondefault subnet created by the Amazon EC2 launch instance wizard — the wizard sets the attribute to true.
In future steps, we will launch an EC2 instance into the Public Subnet, which will then automatically be assigned a public IPv4 address.
Enter VPC in the Services search bar at the top left of the AWS Console:
- Click on VPC:
In the VPC dashboard under Security
- Click Subnets
Ensure that Public Subnet 1 is selected
- With Public Subnet 1 selected, at the top right click Actions > Edit Subnet Settings:
- Click "Enable auto-assign public IPv4 address":
Network Access Control List (NACL)
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC.
Create Public Subnet NACL
- In the left-hand pane of the VPC dashboard, under Security, click Network ACLs:
- Click Create Network ACL:
In the Create Network ACL page
Enter PublicSubnetACL as Name
Select SmallProjectA as VPC
- Click Create Network ACL:
Adding Inbound Rules to NACL
The inbound rule for the ephemeral port range 32768-65535 allows return traffic for requests the instance initiates outbound, such as fetching patches and updates.
In the Network ACL screen
Select PublicSubnetACL
- Click Actions > Edit Inbound Rules:
Add three inbound rules:
- Rule Number: 100, Type: HTTP (80), Source: 0.0.0.0/0
- Rule Number: 200, Type: All ICMP - IPv4, Source: 0.0.0.0/0
- Rule Number: 300, Type: Custom TCP, Port Range: 32768-65535, Source: 0.0.0.0/0
Adding Outbound rules to NACL
You must create an outbound rule on a network ACL since network ACLs are stateless. This means that incoming traffic is not automatically allowed to be responded to. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.
On the Network ACL screen ensure that the PublicSubnetACL is selected:
- Click Actions > Edit outbound rules:
Add one outbound rule:
- Rule Number: 100, Type: All ICMP - IPv4, Source: 0.0.0.0/0
- Click save changes:
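To see how the stateless rules above are actually applied, here is an added Python model of the PublicSubnetACL (example code, not part of the original post and not an AWS tool): rules are evaluated from the lowest number, the first match wins, anything unmatched hits the implicit deny, and a request and its reply are judged by separate rule sets. The client address 203.0.113.10 and the ephemeral port 40000 are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP, TCP = "icmp", "tcp"
ANY_PORT = (0, 65535)  # port range is ignored for ICMP rules


@dataclass(frozen=True)
class Rule:
    number: int            # AWS evaluates from the lowest number upward
    protocol: str          # "icmp" or "tcp"
    ports: tuple           # inclusive (low, high) destination port range
    cidr: str              # source CIDR (inbound) or destination CIDR (outbound)
    action: str = "allow"  # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Return the action of the first matching rule, else the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != protocol:
            continue
        if protocol == TCP and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if ip_address(address) in ip_network(rule.cidr):
            return rule.action  # first match wins; later rules are not consulted
    return "deny"  # the '*' rule at the bottom of every network ACL


# The PublicSubnetACL rules exactly as entered in the console steps above.
PUBLIC_INBOUND = [
    Rule(100, TCP, (80, 80), "0.0.0.0/0"),
    Rule(200, ICMP, ANY_PORT, "0.0.0.0/0"),
    Rule(300, TCP, (32768, 65535), "0.0.0.0/0"),
]
PUBLIC_OUTBOUND = [Rule(100, ICMP, ANY_PORT, "0.0.0.0/0")]


def check_flow(inbound, outbound, protocol, request_port, reply_port, peer):
    """Stateless check: the request and its reply are judged independently."""
    return (evaluate(inbound, protocol, request_port, peer),
            evaluate(outbound, protocol, reply_port, peer))


if __name__ == "__main__":
    # Constructed client 203.0.113.10: its HTTP request to port 80 is allowed in,
    # but the reply to its ephemeral port 40000 matches no outbound rule.
    print(check_flow(PUBLIC_INBOUND, PUBLIC_OUTBOUND, TCP, 80, 40000, "203.0.113.10"))
    # ICMP has an allow in both directions, so a ping round-trips.
    print(check_flow(PUBLIC_INBOUND, PUBLIC_OUTBOUND, ICMP, 0, 0, "203.0.113.10"))
```

Running it shows the HTTP request allowed in while the server's reply falls through to the outbound implicit deny, which is exactly why a stateless ACL needs explicit return-traffic rules in each direction.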
Associating NACL with Subnets
Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
In the Network ACL screen, ensure the PublicSubnetACL is selected
- Click Actions > Edit Subnet Associations
Create the Private Network ACL
Complete the following for the Private Network ACL.
Create Network ACL:
- Name: PrivateSubnetACL, VPC: SmallProjectA
Add 2 Inbound Rules:
- Rule Number: 100, Type: HTTP (80), Source: 0.0.0.0/0
- Rule Number: 300, Type: Custom TCP, Port Range: 32768-65535, Source: 0.0.0.0/0
Add 1 Outbound Rule:
- Rule Number: 100, Type: All ICMP - IPv4, Source: 0.0.0.0/0
Edit 2 Subnet Associations:
- Add Private Subnet 1
- Add Private Subnet 2
*For any property not specified, use the default value.
Security Groups
A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
Create Public Web Server Security Group
In the left-hand navigation pane of the VPC dashboard
- Click Security Groups:
In the Security Group screen
- Click Create security group:
In the Create Security Group screen enter:
- Security Group Name: WebServerSPASG, VPC: SmallProjectA
Add 3 Inbound Rules:
- Type: HTTPS, Source: 0.0.0.0/0
- Type: All ICMP - IPv4, Source: 0.0.0.0/0
- Type: HTTP, Source: 0.0.0.0/0
Add 1 Outbound Rule:
- Type: All traffic, Source: 0.0.0.0/0
- Click Create Security Group
Create Private App Server Security Group
The private app server security group has the same rules as the public web server security group, except that the source of the inbound traffic is the WebServerSPASG security group rather than 0.0.0.0/0. Follow the same steps as above to create the AppServerSPASG security group.
In the Create Security group screen enter:
- Security Group Name: AppServerSPASG, VPC: SmallProjectA
Add 3 Inbound Rules:
- Type: HTTPS, Custom Source: WebServerSPASG
- Type: All ICMP - IPv4, Custom Source: WebServerSPASG
- Type: HTTP, Custom Source: WebServerSPASG
Add 1 Outbound Rule:
- Type: All traffic, Source: 0.0.0.0/0
- Click Create Security Group
We have now laid the groundwork for launching our Web and App servers in the public and private subnets, respectively.
So what have we completed?
- Enabled public access for a subnet
- Created a Network ACL for both the public and the private subnets
- Created security groups for the servers we will launch in the upcoming steps
In Part 3 of this series, we will:
- Launch our EC2 instances with a script to install web server dependencies
- Install the CloudWatch Agent for custom logging
- Add auto-remediation for overutilization
- Stress test our server
Great job! See you in the final installment of this series.