[Lab] VPC Security with Network ACLs

This is a continuation of the previous VPC lab.


Steps:

  1. Go to VPC Dashboard and click on Network ACLs tab.

  2. Verify current Network ACLs and all inbound and outbound rules.

  3. Create New Network ACL

    1. Provide a name (e.g. BuddyACL) and select our VPC.

    2. Click Create

    3. Once created, verify that all inbound and outbound traffic is denied.

  4. Select our Network ACL and go to Subnet Association tab

    1. Click edit

    2. Select public Subnet

    3. Click save

    4. Verify that the subnet count against new Network ACL is 1 and count for default Network ACL reduces to 1 from 2.

  5. Select our Network ACL and go to inbound rules and add following rules:

    1. Rule# = 100, Type = HTTP, Protocol = TCP, Port Range = 80, Source = 0.0.0.0/0, Allow / Deny = Allow.

    2. Rule# = 200, Type = HTTPS, Protocol = TCP, Port Range = 443, Source = 0.0.0.0/0, Allow / Deny = Allow.

    3. Rule# = 300, Type = SSH, Protocol = TCP, Port Range = 22, Source = 0.0.0.0/0, Allow / Deny = Allow.

    4. Rule# = 400, Type = Custom TCP Rule, Protocol = TCP, Port Range = 1024-65535, Source = 0.0.0.0/0, Allow / Deny = Allow.

    5. Notes:

      1. It is considered good practice to start rule numbers at 100.

      2. The Custom TCP rule is required for ephemeral ports: Network ACLs are stateless, so return traffic to client ports in the range 1024-65535 must be allowed explicitly.

    6. Similarly, go to outbound rules and add the same rules.

  6. Write a rule to block your own IP address (or your mobile's IP address)

    1. Add the rule with a number higher than the HTTP allow rule (e.g. 101)

      1. Rule# = 101, Type = HTTP, Protocol = TCP, Port Range = 80, Source = <myip>/32, Allow / Deny = Deny.

      2. Verify that the Deny rule has no effect: rules are evaluated in ascending order, and rule 100 has already allowed the traffic before rule 101 is reached.

    2. Add the rule with a number lower than the HTTP allow rule (e.g. 99)

      1. Verify that the Deny rule now works, because it is evaluated before the allow rule.


TODO:

  1. This is the last part of the VPC lab. Hence, clean up your VPC and the related resources you created in this lab to avoid any extra cost. First delete the EC2 instances and load balancers, and then the VPC.

  2. Try creating a VPC through the wizard: VPC Dashboard > Start VPC wizard. Remember to clean this up as well after trying it out.


Important Notes (Exam Tips)

  1. Read about Ephemeral Ports:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#VPC_ACLs_Ephemeral_Ports
