Security groups and the network ACL

AWS Security Groups and the Access Control list can be found under the Security section of your VPC: 

[Figure: VPC security]

A security group is a stateful virtual firewall that controls inbound and outbound traffic for resources. Most of the time, we will use a security group to limit public access to our EC2 instance. The current limit is 500 security groups in each VPC, and each security group can contain up to 50 inbound and 50 outbound rules. You can use the following sample script to create a security group and two simple ingress rules: 

$ cat Chapter9_5_security_group.py
#!/usr/bin/env python3

import boto3

ec2 = boto3.client('ec2')

# Use the first VPC returned for the account as the target VPC
response = ec2.describe_vpcs()
vpc_id = response.get('Vpcs', [{}])[0].get('VpcId', '')

# Create the security group and capture its ID
response = ec2.create_security_group(GroupName='mpn_security_group',
                                     Description='mpn_demo_sg',
                                     VpcId=vpc_id)
security_group_id = response['GroupId']

# Add two ingress rules: HTTP (80) and SSH (22) from any IPv4 address
data = ec2.authorize_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {'IpProtocol': 'tcp',
         'FromPort': 80,
         'ToPort': 80,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
        {'IpProtocol': 'tcp',
         'FromPort': 22,
         'ToPort': 22,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}
    ])
print('Ingress Successfully Set %s' % data)

# Describe security group
#response = ec2.describe_security_groups(GroupIds=[security_group_id])
print(security_group_id)

We can execute the script and receive confirmation on the creation of the security group that can be associated with other AWS resources: 

$ python3 Chapter9_5_security_group.py
Ingress Successfully Set {'ResponseMetadata': {'RequestId': '<skip>', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'AmazonEC2', 'content-type': 'text/xml;charset=UTF-8', 'date': 'Wed, 18 Jul 2018 20:51:55 GMT', 'content-length': '259'}, 'RetryAttempts': 0}}
sg-<skip>
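The script above leaves the SSH rule open to 0.0.0.0/0, which is the kind of rule an auditor wants to catch before the group is attached to anything. The following is an added example (not the book's code) that walks the same IpPermissions structure, as returned by ec2.describe_security_groups(), and flags rules that expose a given port to the whole Internet; the sample groups are constructed so it runs offline.

```python
#!/usr/bin/env python3
# Added example (not the book's code): audit security group ingress rules
# that are open to the whole Internet. Sample groups below are constructed.

WORLD = {'0.0.0.0/0', '::/0'}

def rule_covers_port(rule, port):
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = rule.get('IpProtocol')
    if proto == '-1':          # all protocols and all ports
        return True
    if proto != 'tcp':
        return False
    return rule.get('FromPort', 0) <= port <= rule.get('ToPort', 65535)

def rule_is_world_open(rule):
    """True if any IPv4/IPv6 range in the rule is the whole Internet."""
    cidrs = [r.get('CidrIp') for r in rule.get('IpRanges', [])]
    cidrs += [r.get('CidrIpv6') for r in rule.get('Ipv6Ranges', [])]
    return any(c in WORLD for c in cidrs)

def find_world_open(groups, ports=(22, 3389)):
    """Return (GroupId, GroupName, port) for each world-open rule on `ports`."""
    findings = []
    for sg in groups:
        for rule in sg.get('IpPermissions', []):
            if not rule_is_world_open(rule):
                continue
            for port in ports:
                if rule_covers_port(rule, port):
                    findings.append((sg['GroupId'], sg['GroupName'], port))
    return findings

# Constructed sample: the first group mirrors what the chapter's script
# creates, the second restricts SSH to a private range.
SAMPLE_GROUPS = [
    {'GroupId': 'sg-demo1', 'GroupName': 'mpn_security_group', 'IpPermissions': [
        {'IpProtocol': 'tcp', 'FromPort': 80, 'ToPort': 80,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
        {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22,
         'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]},
    {'GroupId': 'sg-demo2', 'GroupName': 'bastion_sg', 'IpPermissions': [
        {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22,
         'IpRanges': [{'CidrIp': '10.0.0.0/8'}]}]},
]

if __name__ == '__main__':
    for gid, name, port in find_world_open(SAMPLE_GROUPS):
        print(f'{gid} ({name}): port {port} open to the Internet')
```

For a live audit, replace SAMPLE_GROUPS with boto3.client('ec2').describe_security_groups()['SecurityGroups'].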

A network Access Control List (ACL) is an additional layer of security that is stateless. Each subnet in a VPC is associated with a network ACL. Because the ACL is stateless, you will need to specify both inbound and outbound rules. 

The important differences between security groups and network ACLs are as follows: 

  • A security group operates at the network interface level, whereas a network ACL operates at the subnet level
  • For a security group, we can only specify allow rules but not deny rules, whereas a network ACL supports both allow and deny rules
  • A security group is stateful, so return traffic is automatically allowed; in a network ACL, return traffic needs to be explicitly allowed

Let's take a look at one of the coolest features of AWS networking, Elastic IP. When I initially learned about Elastic IP, I was blown away by the ability to assign and reassign IP addresses dynamically. 
