Amazon Virtual Private Cloud (VPC)

Security Groups & Network ACLs

Security Groups

Function: Act like a firewall at the instance level (network interface level).
Rules:
Allow rules only; there is no way to write a deny rule.
Implicit deny for anything no rule allows.
All rules are evaluated before a decision is made: if any rule matches, the traffic is allowed, otherwise the implicit deny applies. Rule order is irrelevant.
Can control ingress and egress traffic.
Stateful: responses to allowed inbound traffic are allowed out regardless of outbound rules, and responses to allowed outbound traffic are allowed in regardless of inbound rules (the group tracks connections).
Defaults:
Custom security groups: no inbound allow rules, so all inbound traffic is denied until rules are added.
Default security group: an inbound allow rule for all traffic from other members of the same default group.
All outbound traffic is allowed by default in both custom and default security groups (a single 0.0.0.0/0 allow rule that can be removed or tightened).
Management:
Cannot delete the default security group within a VPC.
A security group can be referenced (by ID) as the source or destination in another security group's rule; the rule then matches traffic from or to interfaces that belong to the referenced group, not that group's rules.
A security group can reference itself as a source in an inbound rule, which lets its members talk to each other.
Security group members can be in any AZ or subnet within the VPC.
Membership changes take effect immediately.
Limits:
Up to 5 security groups per network interface by default (an adjustable quota).
No limit on the number of EC2 instances within a security group.
Cannot block specific IP addresses, because there are no deny rules (use NACLs for this).

Network ACLs (NACLs)

Function: Operate at the subnet level, hosted by the VPC router.
Rules:
Can have both permit and deny rules.
Numbered list of rules evaluated in order from lowest to highest number; the first rule that matches (allow or deny) decides, and the final * rule denies anything that matched nothing.
Separate inbound and outbound rules; each rule can allow or deny traffic.
Stateless: no connection tracking, so return traffic is evaluated against the rules for its own direction. Reply traffic therefore needs an explicit rule in the opposite direction, typically for the ephemeral port range (1024-65535).
Defaults:
Default NACL: Allows all inbound and outbound traffic.
Custom NACL: Denies all inbound and outbound traffic by default until rules are added.
Management:
Each subnet must be associated with a NACL (if not manually, then by default NACL).
A NACL can be associated with multiple subnets, but each subnet can only have one NACL at a time.
Do not filter traffic between instances in the same subnet.
Preferred for blocking specific IPs or ranges (security groups cannot do this).
Best Practices:
Leave gaps between rule numbers (e.g. increments of 100) so rules can be inserted later without renumbering.
First line of defense for the subnet; security groups are the second line at the interface.
Recommended to also run a host-based firewall on instances (defense in depth).
Changes take effect immediately.
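The following is an added example, not AWS code: a small Python model of the two rule engines described above, so the differences (allow-only and order-independent versus numbered first-match with deny, stateful versus stateless) can be exercised offline. The security group, NACL rules, addresses and flows are all constructed for illustration; the web server 10.0.1.10, the abusive range 203.0.113.0/24 and the client addresses are assumptions.

```python
"""Toy model of security-group and network-ACL rule evaluation.

Added example, not AWS code. Imitates the semantics described above:
  security group: allow rules only, every rule considered, order irrelevant,
                  implicit deny, stateful (replies to allowed flows pass).
  network ACL:    numbered allow/deny rules, lowest number first, first match
                  wins, trailing '*' deny, stateless (each direction on its own).
All rules, addresses and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str       # remote peer: source for inbound rules, destination for outbound
    action: str = "allow"   # NACLs may also say "deny"; security groups never do
    number: int = 0         # NACL rule number; unused by security groups


def matches(rule: Rule, pkt: Packet, peer: str) -> bool:
    """Protocol, destination port range and peer CIDR must all match."""
    if rule.proto != "-1":
        if rule.proto != pkt.proto or not rule.from_port <= pkt.dst_port <= rule.to_port:
            return False
    return ip_address(peer) in ip_network(rule.cidr)


class SecurityGroup:
    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # connection tracking; this is what makes the group stateful

    def evaluate(self, pkt: Packet, direction: str) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.src_port, pkt.dst_port)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self._flows:
            return "allow"    # reply to an allowed flow: this direction's rules are ignored
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        # Every rule is considered and order does not matter: any match allows,
        # nothing can deny, and no match at all is the implicit deny.
        if any(matches(r, pkt, peer) for r in rules):
            self._flows.add(key)
            return "allow"
        return "deny"


class NetworkAcl:
    def __init__(self, inbound, outbound):
        # Rule number, not list position, decides the evaluation order.
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt: Packet, direction: str) -> str:
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        # Stateless: nothing is remembered between packets, and the first
        # matching rule (allow or deny) ends the search.
        for r in rules:
            if matches(r, pkt, peer):
                return r.action
        return "deny"         # the final '*' rule


def run_scenarios() -> dict:
    """Constructed web-server subnet: 443 open to all, one abusive /24 blocked at the NACL."""
    web_sg = SecurityGroup(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
        outbound=[],          # deliberately empty: only stateful replies may leave
    )
    nacl = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 200),
                 Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 100)],  # listed 2nd, evaluated 1st
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)],  # ephemeral ports for replies
    )
    nacl_no_ephemeral = NetworkAcl(inbound=nacl.inbound, outbound=[])

    server = "10.0.1.10"
    syn = Packet("198.51.100.7", server, "tcp", 50000, 443)
    reply = Packet(server, "198.51.100.7", "tcp", 443, 50000)
    abusive = Packet("203.0.113.5", server, "tcp", 40000, 443)
    new_outbound = Packet(server, "192.0.2.53", "tcp", 51000, 53)

    return {
        "client_in": (nacl.evaluate(syn, "in"), web_sg.evaluate(syn, "in")),
        "reply_out": (nacl.evaluate(reply, "out"), web_sg.evaluate(reply, "out")),
        "reply_out_no_ephemeral_rule": nacl_no_ephemeral.evaluate(reply, "out"),
        "abusive_in": (nacl.evaluate(abusive, "in"), web_sg.evaluate(abusive, "in")),
        "new_outbound_from_server": web_sg.evaluate(new_outbound, "out"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30} {verdict}")
```

Each scenario isolates one point from the notes: the abusive client passes the security group (no deny rules) and is stopped only by NACL rule 100, which wins over rule 200 although it was listed second; the server's reply leaves through the security group with no outbound rule at all because the inbound connection was tracked, but the stateless NACL drops that same reply when the ephemeral-port outbound rule is missing; and a fresh outbound connection from the server is denied by the group because nothing tracked it and no rule allows it.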
Difference between Security Group & NACL

#  | Security Group                                          | Network ACL
1  | Operates at the instance (network interface) level       | Operates at the subnet level
2  | Supports allow rules only                                | Supports allow and deny rules
3  | Stateful                                                 | Stateless
4  | Evaluates all rules before deciding; order is irrelevant | Processes rules in number order; first match wins
5  | Applies to an instance only if associated with a group   | Automatically applies to all instances in the subnet it is associated with