Part 2: Secure the Network Environment


Welcome back!

In Part 2 of this series, we will be securing our network environment by creating Network Access Control Lists (NACLs) and security groups.

Let's get started!

Making Public Subnet 1...Public

By default, nondefault subnets have the IPv4 public addressing attribute set to false, and default subnets have this attribute set to true. An exception is a nondefault subnet created by the Amazon EC2 launch instance wizard — the wizard sets the attribute to true.

In later steps, we will launch an EC2 instance into Public Subnet 1; with this setting enabled, the instance will automatically be assigned a public IPv4 address.

  • Enter VPC in the Services search bar at the top left of the AWS Console:

    • Click on VPC:

  • In the VPC dashboard under Security

    • Click Subnets

  • Ensure that Public Subnet 1 is selected

    • With Public Subnet 1 selected, at the top right click Actions > Edit Subnet Settings:

  • Click "Enable auto-assign public IPv4 address":

Network Access Control List (NACL)

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC.

Create Public Subnet NACL

  • In the left-hand pane of the VPC dashboard, under Security, click Network ACLs:

  • Click Create Network ACL:
  • In the Create Network ACL page

    • Enter PublicSubnetACL as Name

    • Select SmallProjectA as VPC

      • Click Create Network ACL:

Adding Inbound Rules to NACL

The inbound rule covering the ephemeral port range 32768-65535 allows return traffic for requests the instance initiates outbound, such as fetching patches and updates.

  • In the Network ACL screen

    • Select PublicSubnetACL

      • Click Actions > Edit Inbound Rules:

  • Add three inbound rules

    • Rule Number: 100, Type: HTTP (80), Source: 0.0.0.0/0

    • Rule Number: 200, Type: All ICMP - IPv4, Source: 0.0.0.0/0

    • Rule Number: 300, Type: Custom TCP, Port Range: 32768-65535, Source: 0.0.0.0/0

Adding Outbound rules to NACL

You must create an outbound rule on a network ACL because network ACLs are stateless: allowing traffic in does not automatically allow the response back out. Rules are evaluated starting with the lowest-numbered rule, and as soon as a rule matches the traffic it is applied, regardless of any higher-numbered rule that might contradict it.

  • On the Network ACL screen ensure that the PublicSubnetACL is selected:

    • Click Actions > Edit outbound rules:

  • Add one outbound rule

    • Rule Number: 100, Type: All ICMP - IPv4, Source: 0.0.0.0/0

      • Click save changes:
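
To make the stateless, first-match semantics above concrete, here is a small rule evaluator (an added example, not code from the original post or from AWS). The two rule sets are transcribed from the PublicSubnetACL rules in this post; the evaluator itself, the client addresses and the sample flows are assumptions. Run against the post's outbound set, a TCP reply toward a client's ephemeral port matches no rule and is denied, which is exactly the stateless behaviour the paragraph warns about.

```python
"""Stateless NACL rule evaluation, modelled on the PublicSubnetACL rules in this post.

Added example, not from the original post: the rule sets are transcribed from the
post, while the evaluator, addresses and flows are assumptions used to illustrate
AWS NACL semantics (lowest rule number first, first match wins, implicit deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    cidr: str                         # source (inbound) or destination (outbound) CIDR
    port_from: Optional[int] = None   # None means any port (used for icmp/all)
    port_to: Optional[int] = None
    action: str = "allow"             # "allow" or "deny"

    def matches(self, protocol: str, addr: str, port: Optional[int]) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        if self.port_from is None:
            return True
        return port is not None and self.port_from <= port <= self.port_to


def evaluate(rules: List[NaclRule], protocol: str, addr: str, port: Optional[int] = None) -> str:
    """Return 'allow' or 'deny'. Rules are checked in ascending number order and the
    first match decides; the implicit '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, addr, port):
            return rule.action
    return "deny"


# PublicSubnetACL inbound rules as given in the post.
PUBLIC_INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 80, 80),
    NaclRule(200, "icmp", "0.0.0.0/0"),
    NaclRule(300, "tcp", "0.0.0.0/0", 32768, 65535),
]
# PublicSubnetACL outbound rule as given in the post (ICMP only).
PUBLIC_OUTBOUND = [
    NaclRule(100, "icmp", "0.0.0.0/0"),
]


def check_public_subnet_flows() -> dict:
    """Evaluate a few constructed flows against the post's rule sets."""
    client = "203.0.113.10"  # constructed client address (documentation range)
    return {
        # a client connecting to the web server on port 80
        "inbound http": evaluate(PUBLIC_INBOUND, "tcp", client, 80),
        # a client trying SSH: no rule matches, so the implicit deny applies
        "inbound ssh": evaluate(PUBLIC_INBOUND, "tcp", client, 22),
        # a reply to a request the server made arrives on an ephemeral port
        "inbound ephemeral reply": evaluate(PUBLIC_INBOUND, "tcp", "198.51.100.5", 40000),
        # the server answering a ping
        "outbound icmp": evaluate(PUBLIC_OUTBOUND, "icmp", client),
        # the server's HTTP response goes to the client's ephemeral port; the
        # outbound set has no TCP rule, so the stateless NACL drops it
        "outbound http reply": evaluate(PUBLIC_OUTBOUND, "tcp", client, 40000),
    }


def check_rule_ordering() -> Tuple[str, str]:
    """A lower-numbered deny beats a higher-numbered allow for the same traffic.
    The constructed rules below are not part of the post's configuration."""
    ordered = [
        NaclRule(100, "tcp", "203.0.113.0/24", 80, 80, action="deny"),
        NaclRule(200, "tcp", "0.0.0.0/0", 80, 80),
    ]
    blocked = evaluate(ordered, "tcp", "203.0.113.10", 80)   # hits rule 100 first
    allowed = evaluate(ordered, "tcp", "198.51.100.5", 80)   # falls through to 200
    return blocked, allowed


if __name__ == "__main__":
    for flow, verdict in check_public_subnet_flows().items():
        print(f"{flow:>24}: {verdict}")
    print("ordering:", check_rule_ordering())
```

The evaluator treats the CIDR as a source for inbound rules and as a destination for outbound rules, matching how the console labels them. Whenever an inbound rule is added to a NACL, the matching outbound rule for the return traffic has to be added by hand; this script is a quick way to confirm both directions of a flow before relying on the ACL.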

Associating NACL with Subnets

Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

  • In the Network ACL screen, ensure the PublicSubnetACL is selected

    • Click Actions > Edit Subnet Associations

Create the Private Network ACL

  • Complete the following for the Private Network ACL

    • Create Network ACL

      • Name: PrivateSubnetACL, VPC: SmallProjectA
    • Add 2 Inbound Rules:

      • Rule Number: 100, Type: HTTP (80), Source: 0.0.0.0/0

      • Rule Number: 300, Type: Custom TCP, Port Range: 32768-65535, Source: 0.0.0.0/0

    • Add 1 Outbound Rule:

      • Rule Number: 100, Type: All ICMP - IPv4, Source: 0.0.0.0/0
    • Edit 2 Subnet Associations:

      • Add Private Subnet 1

      • Add Private Subnet 2

*For any property not specified, use the default value

Security Groups

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

Create Public Web Server Security Group

  • In the left-hand navigation pane of the VPC dashboard

    • Click Security Groups:

  • In the Security Group screen

    • Click Create security group:

  • In the Create Security Group screen enter:

    • Security Group Name: WebServerSPASG, VPC: SmallProjectA

    • Add 3 Inbound Rules:

      • Type: HTTPS, Source: 0.0.0.0/0

      • Type: All ICMP - IPv4, Source: 0.0.0.0/0

      • Type: HTTP, Source: 0.0.0.0/0

    • Add 1 Outbound Rule:

      • Type: All traffic, Source: 0.0.0.0/0

        • Click Create Security Group

Create Private App Server Security Group

The private app server security group has the same rules as the public web server security group, except that the source of the inbound traffic is the WebServerSPASG security group rather than 0.0.0.0/0. Repeat the steps above to create the AppServerSPASG security group.

  • In the Create Security group screen enter:

    • Security Group Name: AppServerSPASG, VPC: SmallProjectA

    • Add 3 Inbound Rules:

      • Type: HTTPS, Custom Source: WebServerSPASG

      • Type: All ICMP - IPv4, Custom Source: WebServerSPASG

      • Type: HTTP, Custom Source: WebServerSPASG

    • Add 1 Outbound Rule:

      • Type: All traffic, Source: 0.0.0.0/0

        • Click Create Security Group
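
Using a security group as the source of a rule is what actually isolates the app tier, so it is worth seeing how that match is decided. The following is an added example (not code from the original post or from AWS): the two rule sets are transcribed from the post, while the evaluator, the instance inventory with its private addresses and the sample flows are assumptions. It shows that the AppServerSPASG rules admit HTTP only from an instance that has WebServerSPASG attached, and refuse the same port from the internet or from another VPC host.

```python
"""Security-group evaluation modelled on the WebServerSPASG / AppServerSPASG rules
in this post.

Added example, not from the original post: the rule sets are transcribed from the
post; the evaluator, the instance-to-group membership and the flows are assumptions
used to show how a rule whose source is another security group behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SgRule:
    protocol: str                 # "tcp", "icmp" or "all"
    port_from: Optional[int]      # None means any port
    port_to: Optional[int]
    source: str                   # a CIDR, or the name of a security group


# Inbound rules as given in the post. The outbound rule in both groups is
# "All traffic" to 0.0.0.0/0 and is not modelled here.
SECURITY_GROUPS: Dict[str, List[SgRule]] = {
    "WebServerSPASG": [
        SgRule("tcp", 443, 443, "0.0.0.0/0"),
        SgRule("icmp", None, None, "0.0.0.0/0"),
        SgRule("tcp", 80, 80, "0.0.0.0/0"),
    ],
    "AppServerSPASG": [
        SgRule("tcp", 443, 443, "WebServerSPASG"),
        SgRule("icmp", None, None, "WebServerSPASG"),
        SgRule("tcp", 80, 80, "WebServerSPASG"),
    ],
}

# Constructed instance inventory: private address -> security groups attached.
INSTANCES: Dict[str, List[str]] = {
    "10.0.1.10": ["WebServerSPASG"],   # web server in the public subnet
    "10.0.2.10": ["AppServerSPASG"],   # app server in the private subnet
}


def source_matches(rule: SgRule, src_addr: str) -> bool:
    """A CIDR source matches on address; a group source matches only when the sending
    address belongs to an instance that has that security group attached."""
    if "/" in rule.source:
        return ip_address(src_addr) in ip_network(rule.source)
    return rule.source in INSTANCES.get(src_addr, [])


def inbound_allowed(target_sg: str, protocol: str, src_addr: str, port: Optional[int]) -> bool:
    """Security groups are allow-lists: any matching rule permits the flow and nothing
    else gets in. Rule order plays no part, unlike a NACL."""
    for rule in SECURITY_GROUPS[target_sg]:
        if rule.protocol not in ("all", protocol):
            continue
        if rule.port_from is not None:
            if port is None or not (rule.port_from <= port <= rule.port_to):
                continue
        if source_matches(rule, src_addr):
            return True
    return False


def check_tiers() -> Dict[str, bool]:
    """Evaluate constructed flows against the two groups from the post."""
    internet_client = "203.0.113.10"   # constructed public client address
    return {
        "internet -> web :80": inbound_allowed("WebServerSPASG", "tcp", internet_client, 80),
        "internet -> web :22": inbound_allowed("WebServerSPASG", "tcp", internet_client, 22),
        # the app tier accepts HTTP only from members of WebServerSPASG
        "web -> app :80": inbound_allowed("AppServerSPASG", "tcp", "10.0.1.10", 80),
        "internet -> app :80": inbound_allowed("AppServerSPASG", "tcp", internet_client, 80),
        # a VPC host that is not in WebServerSPASG is refused as well
        "app -> app :80": inbound_allowed("AppServerSPASG", "tcp", "10.0.2.10", 80),
    }


if __name__ == "__main__":
    for flow, verdict in check_tiers().items():
        print(f"{flow:>20}: {'allow' if verdict else 'deny'}")
```

Two properties of security groups that differ from NACLs are visible here: there are no rule numbers and no deny rules, so evaluation is simply "does any rule match", and a group-based source is resolved by membership rather than by address, so the app tier stays closed even to hosts inside the VPC that are not web servers. Security groups are also stateful, which is why the post needs no inbound rule for the replies to the "All traffic" outbound rule.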

We have now laid the groundwork for launching our Web and App servers in the public and private subnets, respectively.

So what have we completed?

  • Enabled Public Access for a subnet

  • Created a Network ACL for both public and private subnets

  • Created security groups for the servers we will launch in the upcoming steps

In Part 3 of this series, we will:

  • Launch our EC2 instances with a script to install web server dependencies

  • Install CloudWatch Agent for custom logging

  • Add Auto Remediation for overutilization

  • Stress test our server

Great job! See you in the final installment of this series.