AWS-Security-Group-NACL.md

AWS VPC [Security Group & NACL]

1. From the Load balancer the request will go to private subnet, their WE CAN ADD SECURITY FOR PRIVATE SUBNET LAYER which is called NACL.
2. If we don't add the security over there then it we have add the security
3. EC2 instance level is called Security Group

5. IN AWS SECURITY IS ALWAYS A SHARED RESPONSIBILITY that means AWS says we will give security by VPC, Security Group, NACL, API along with that we need help of devops or aws admins or systems enginner or network to be more secured.
6. NACL is called last point of security in AWS.
7. Before request reaching application we have NACL OR SG

Security Group

1. It serves at the instance level
2. Bydefault aws gives the instance with vpc
3. In Security groups we have 2 things inbound traffic and outbound traffic
4. We user is trying to send request to the app'n present in EC2 then it is called INBOUND Traffic
5. The application responses to the user is called OUTBOUND traffic.
6. Ex: Amazon website, User trying to access amazon website and amazon website is tryping to access payment gateway like amazon pay or razorpay. User --> Amazon site is inbound Amazon webiste --> Amazonpay is outbound.
7. We have to manage inbound and outbound security for the ec2 instance.
8. AWS bydefault created security group for the instance and allows ALL THE PORT, Expect port 25
9. AWS bydefault deny inbound traffic

PORT 25

1. AWS does not allow outbound traffic for the PORT 25, Because it is mailing service
2. AWS by default allow port 25, because of any spaming activites etc

NACL (Network Access Control List)

1. Security group is applied for EC2 instance level, where applied at the subnet level
2. Ex: Devlopment team used EC2 instance with Jenkins server and for easy use they have allowed all the port instead of 8080
3. If devops engineers DENY TRAFFIC using NACL in the subnet level, even EC2 level is allowed then also appn will not get any traffic
4. If something is applied to subnet level bydefault it will be applied to all the instances with in the subnet
5. NACL will add additonal layer of security
6. We can also use NACL for automation
7. Ex: If we have 10000 of EC2 instead of adding Security group, add NACL for the subnet then will be followed to all the EC2 instance present it is easy then using security groups.
8. NACL == Deny traffic + Allow Traffic
9. In security group we have only allow option

1. ... lines represents virtual private cloud
2. We have create virtual private cloud and provide IP ADDRESS RANGE, AWS bydefault will create Internet gateway, NACL, Route table
3. additonal we will create EC2 instance and attach a security group for this EC2 instance

Create VPC

1. VPC --> Select VPC and More (To get AWS secuirty as well like igw and others)
2. Select ip range , 16,24,32 byefautl it is 16
3. Select availability zones and endpoint as required

Create Instance

1. Instance name --> key
2. Edit network settings --> Select vpc that we have created
3. subnet should be private that is industry pratice
4. assign ip -- enable
5. firewall -- use create group or exising group if you have alredy have it

NOTE:

1. IN VPC --> Network ACLs --> Inbound rules --> priority matters
2. Now from NACL all the traffic is allowed. So internet gateway forwards all the traffic to the route table to load balancer if we have load balancer
3. Now router table will forward the traffic to the EC2 instance
4. NACL is allowed now, But security group is blocking now.
5. We can block specific ip address with 16,32,14 as well