DEV Community

Cover image for Security Groups & Network ACLs
Clinton Ogechi
Clinton Ogechi

Posted on • Edited on

Security Groups & Network ACLs

#aws #cloud #cloudcomputing

Security groups and Network ACLs are similar in that they allow you to control access to AWS resources within your VPC. Howerver, SGs allow you to control inbound and outbound traffic at the instance level, while NACLs offer similar capabilities at the VPC subnet level.

Aim

To provide a comprehensive, step-by-step guide understanding on how to configure and manage key components such as VPCs, subnets, internet gateways, route tables, security groups, and Network ACLs, ensuring a secure and scalable environment for deploying AWS resources.

Objective

  • Demonstrate the creation and configuration of a VPC and its associated components, including public and private subnets.
  • Illustrate the setup and association of Security Groups and Network ACLs to control inbound and outbound traffic at both the instance and subnet levels.
  • Guide readers through the process of launching and securely accessing an EC2 instance within the configured VPC environment.

Steps

1. Create a VPC

  1. Log in to the AWS Management Console.
  2. Navigate to the VPC Dashboard.
  3. Click on Your VPCs in the left-hand menu.
  4. Click on Create VPC.
  5. Enter the following details: Name tag: MyVpc IPv4 CIDR block: 10.0.0.0/16 IPv6 CIDR block: No IPv6 CIDR Block Tenancy: Default
  6. Click on Create VPC.

Image description

2. Create Subnets

  1. Create Public Subnet
  2. In the VPC Dashboard, click on Subnets.
  3. Click on Create subnet.
  4. Enter the following details: Name tag: PublicSubnet, VPC: Select MyVpc, Availability Zone: Choose one (e.g., af-south-1a ), IPv4 CIDR block: 10.0.1.0/24.
  5. Click on Create subnet.

Image description

Create Private Subnet

  1. In the VPC Dashboard, click on Subnets.
  2. Click on Create subnet again.
  3. Enter the following details: Name tag: PrivateSubnet VPC: Select MyVpc Availability Zone: Choose one (e.g., af-south-1b ) IPv4 CIDR block: 10.0.2.0/24
  4. Click on Create subnet.

Image description

3. Create an Internet Gateway

  1. Click on Create internet gateway.
  2. Enter the following details:Name tag: MyInternetGateway
  3. Click on Create internet gateway. Image description
  4. Select the newly created internet gateway, then click on*Actions* and select Attach to VPC.
  5. Choose MyVpc and click on Attach internet gateway. Image description

4. Create Route Tables

Create Public Route Table

  1. In the VPC Dashboard, click on Route Tables.
  2. Click on Create route table.
  3. Enter the following details: Name tag: PublicRouteTable VPC: Select MyVpc
  4. Click on Create route table. Image description
  5. Select the newly created route table, click on Routes, then click on Edit routes.
  6. Add the following route: Destination: 0.0.0.0/0 Target: Select Internet Gateway and then select MyInternetGateway
  7. Click on Save routes. Image description
  8. Click on the Subnet associations tab, then click on Edit subnet associations.
  9. Select PublicSubnet and click on Save associations. Image description

Create Private Route Table

  1. Click on Create route table again.
  2. Enter the following details: Name tag: PrivateRouteTable VPC: Select MyVpc
  3. Click on Create route table. Image description
  4. No need to add routes for the private route table at this point unless you have a specific setup (e.g., NAT Gateway for internet access)
  5. Click on the Subnet associations tab, then click on Edit subnet associations. Select PrivateSubnet and click on Save associations. Image description

5. Create Security Groups

Create Public Security Group

  1. In the EC2 Dashboard, click on Security Groups.
  2. Click on Create security group.
  3. Enter the following details: Name tag: PublicSG Description: Security group for public instances VPC: Select MyVpc
  4. Add Inbound Rules: Type: SSH Protocol: TCP Port Range: 22 Source: 0.0.0.0/0 (Allow access from anywhere)
  5. Add Outbound Rules: The default outbound rule allows all traffic.
  6. Click on Create security group

Image description

Image description

6. Create Network ACLs

Create Public Network ACL

  1. In the VPC Dashboard, click on Network ACLs.
  2. Click on Create network ACL.
  3. Enter the following details: Name tag: PublicNACL VPC: Select MyVpc
  4. Click on Create network ACL.
  5. Add Inbound Rules: Rule #: 100 Type: SSH Protocol: TCP Port Range: 22 Source: 0.0.0.0/0 (Allow access from anywhere)
  6. Add Outbound Rules: Rule #: 101 Type: Custom TCP Protocol: TCP Port Range: 1024-65535 Destination: 0.0.0.0/0

Image description

Image description

Associate with Subnet:

  1. Select the Subnet: Choose the public subnet to associate with this NACL.
  2. Click on Save.

Create Private Network ACL

  1. In the VPC Dashboard, click on Network ACLs.
  2. Click on Create network ACL.
  3. Enter the following details: Name tag: PrivateNACL VPC: Select MyVpc
  4. Click on Create network ACL.
  5. Add Inbound Rules:

Rule #: 100
Type: SSH
Protocol: TCP
Port Range: 22
Source: 0.0.0.0/0 (Allow access from anywhere)

Rule #: 101
Type: Custom TCP
Protocol: TCP
Port Range: 1024-65535
Source: 0.0.0.0/0 (Allow access from anywhere)

Image description

Image description

Associate with Subnet:

  1. Select the Subnet: Choose the private subnet to associate with this NACL.
  2. Click on Save.

7. Create Ec2 Instance

  1. Click on Launch Instance.
  2. Enter the following details: Name: PublicServer AMI: Choose an Amazon Linux 2 AMI (HVM), SSD Volume Type Instance Type: t2.micro (or another type as needed) Key Pair: Select an existing key pair or create a new one Network: Select MyVpc Subnet: Select PublicSubnet Auto-assign Public IP: Enable Security Group: Select PublicSG
  3. Click on Launch Instance

8. Connect to an EC2 Instance Using EC2 Instance Connect

  1. Navigate to the EC2 Dashboard.
  2. Select the PublicServer Instance.
  3. Click on Connect at the top of the page.
  4. Choose EC2 Instance Connect as the connection method.
  5. Click on Connect to open the terminal.

Image description

Conclusion

Security Groups (SGs) and Network ACLs (NACLs) are essential for controlling access to AWS resources within a VPC. SGs manage traffic at the instance level with stateful filtering, while NACLs provide stateless filtering at the subnet level. Together, they offer a robust security framework, ensuring both individual instance protection and broader network security within your VPC. This layered approach enhances the overall security and resilience of your AWS environment.

Top comments (0)

Read next

karthiksakthiveltechie profile image

AWS CodePipeline V2 type pipelines supports to automatically retry a stage if there is a failure in the stage.

Karthik Sakthivel -

hana_sato profile image

Next-Gen Cloud Data Warehouse: Transforming Data Management for the Future

Hana Sato -

mahinur05 profile image

🚀 Deploying Node.js Application with PM2, NGINX, and SSL Configuration 🚀

Mahinur Rahman -

rashwanlazkani profile image

Building an AI-Powered iOS Chat App with Amazon Bedrock and Swift

Rashwan Lazkani -