Create A Custom VPC Network ACL


Hello Everyone

Welcome to CloudAffaire and this is Debjeet

In the last blog post, we created a custom VPC security group and allowed inbound SSH on port 22.

https://cloudaffaire.com/create-a-custom-vpc-security-group/

In this blog post we are going to create a custom VPC network ACL for our VPC and explicitly DENY all access to our public subnet. Below is the configuration diagram for this demo.

[Configuration diagram for this demo]

Network ACL: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Security Group VS Network ACL:

Security Group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order, lowest first, and the first matching rule decides
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it is associated with (so you do not have to rely on users to specify the security group)


In this demo, we are going to create a custom VPC network ACL to explicitly DENY all access to our public subnet.

Create a custom VPC network ACL:

Step 1: Log in to the AWS console and navigate to ‘VPC’.


Step 2: Navigate to ‘Network ACLs’ and click ‘Create network ACL’.


Step 3: Provide a name and select your VPC. Click ‘Create’.


Our custom network ACL is created.


Note: Though we have created a custom network ACL, it is not yet associated with any subnet; every subnet stays associated with the VPC’s default network ACL until you change it. To apply this ACL to our public subnet, we need to associate the public subnet with it, which replaces the subnet’s association with the default ACL.

Step 4: Click ‘Edit subnet associations’ located under ‘Subnet associations’.


Step 5: Select the public subnet and click ‘Associate’.


Our public subnet is now associated with the custom ACL.


The default network ACL allows all traffic in and out of the subnets it is associated with. A custom network ACL is the opposite: it starts with nothing but the ‘*’ DENY rule in each direction, so every packet is dropped until you add explicit ALLOW rules. Because a network ACL is also stateless, an inbound ALLOW on its own is not enough; the return traffic needs its own outbound ALLOW (typically on the ephemeral port range 1024-65535). Hence all traffic to our public subnet is blocked from the moment it is associated with the custom ACL.
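The same Steps 1 to 5, done with boto3 instead of the console, plus a check that the new ACL really is deny-all. This is an added example, not code from the original post; the VPC and subnet IDs are placeholders you must replace, the sample entries at the bottom are constructed in the shape `describe_network_acls()` returns so the checks can run offline, and the real API calls only happen when the script is run directly with AWS credentials available.

```python
"""Added example: create a custom network ACL and move the public subnet onto it.

VPC_ID and PUBLIC_SUBNET_ID are placeholders (assumptions), not values from the post.
"""
from typing import Any

# Placeholder identifiers: substitute the VPC and public subnet from your own account.
VPC_ID = "vpc-0123456789abcdef0"
PUBLIC_SUBNET_ID = "subnet-0123456789abcdef0"
ACL_NAME = "custom-nacl"

# The rule number the API uses for the '*' catch-all entry of every network ACL.
CATCH_ALL_RULE = 32767


def create_custom_nacl(ec2: Any, vpc_id: str, name: str) -> str:
    """Steps 2 and 3: create the ACL in the VPC and tag it with a Name. Returns the ACL ID."""
    resp = ec2.create_network_acl(
        VpcId=vpc_id,
        TagSpecifications=[{"ResourceType": "network-acl",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )
    return resp["NetworkAcl"]["NetworkAclId"]


def current_association_id(ec2: Any, subnet_id: str) -> str:
    """A subnet is always associated with exactly one network ACL (the default
    one until you change it), so there is always an association to replace."""
    resp = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}]
    )
    for acl in resp["NetworkAcls"]:
        for assoc in acl["Associations"]:
            if assoc["SubnetId"] == subnet_id:
                return assoc["NetworkAclAssociationId"]
    raise RuntimeError(f"no network ACL association found for {subnet_id}")


def associate_subnet(ec2: Any, subnet_id: str, acl_id: str) -> str:
    """Steps 4 and 5: move the subnet from its current ACL onto the custom one.
    The API call is a replacement, not an addition. Returns the new association ID."""
    assoc_id = current_association_id(ec2, subnet_id)
    resp = ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=acl_id)
    return resp["NewAssociationId"]


def describe_entries(ec2: Any, acl_id: str) -> list:
    """Fetch the rule entries of one ACL, inbound and outbound together."""
    resp = ec2.describe_network_acls(NetworkAclIds=[acl_id])
    return resp["NetworkAcls"][0]["Entries"]


def allow_entries(entries: list) -> dict:
    """Rule numbers of the explicit ALLOW entries, split by direction, so a
    reviewer sees at a glance what the ACL lets through."""
    result = {"inbound": [], "outbound": []}
    for e in entries:
        if e["RuleAction"] == "allow":
            result["outbound" if e["Egress"] else "inbound"].append(e["RuleNumber"])
    return result


def is_deny_all(entries: list) -> bool:
    """True when the ACL carries no ALLOW entry at all, i.e. only the '*' DENY
    catch-all in each direction: the state of a freshly created custom ACL."""
    return all(e["RuleAction"] == "deny" for e in entries)


# Constructed samples in the shape describe_network_acls() returns (not real API output).
DEFAULT_ACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
CUSTOM_ACL_ENTRIES = [
    {"RuleNumber": CATCH_ALL_RULE, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be used offline

    ec2 = boto3.client("ec2")
    acl_id = create_custom_nacl(ec2, VPC_ID, ACL_NAME)
    new_assoc = associate_subnet(ec2, PUBLIC_SUBNET_ID, acl_id)
    entries = describe_entries(ec2, acl_id)
    print("created", acl_id, "association", new_assoc)
    print("deny-all:", is_deny_all(entries), "allow rules:", allow_entries(entries))
```

`associate_subnet` looks up the subnet's existing association first because `replace_network_acl_association` needs the association ID, not the subnet ID; that is the API-level view of what Step 5's ‘Associate’ button does.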

Default ACL rules:

Inbound
Rule # | Type | Protocol | Port range | Source | Allow/Deny
100 | All traffic | All | All | 0.0.0.0/0 | ALLOW
* | All traffic | All | All | 0.0.0.0/0 | DENY

Outbound
Rule # | Type | Protocol | Port range | Destination | Allow/Deny
100 | All traffic | All | All | 0.0.0.0/0 | ALLOW
* | All traffic | All | All | 0.0.0.0/0 | DENY

Note: You can observe that there is an entry for DENY with * in our default ACL. This catch-all rule is evaluated last (the API reports it as rule number 32767), cannot be edited or deleted, and ensures that traffic is denied if it does not match any allow rule.

Custom ACL rules:

Inbound
Rule # | Type | Protocol | Port range | Source | Allow/Deny
* | All traffic | All | All | 0.0.0.0/0 | DENY

Outbound
Rule # | Type | Protocol | Port range | Destination | Allow/Deny
* | All traffic | All | All | 0.0.0.0/0 | DENY

If you now try to SSH to or ping the EC2 instance created in the previous demo, the connection fails. The security group from the last post still allows port 22, but the network ACL is evaluated at the subnet boundary before the security group, so the packets never reach the instance.
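Why the connection fails, and what it would take to open it, as a small simulation of network ACL evaluation. This is an added example and not part of the original post: it models the first-match, lowest-number-first evaluation and the ‘*’ DENY catch-all, then shows that the custom ACL drops SSH and ping, that an inbound ALLOW on port 22 alone still fails because the ACL is stateless, and that an outbound ALLOW on the ephemeral range fixes it. The rule sets beyond the default and custom ACLs, and the client IP addresses (documentation ranges), are constructed for the demonstration.

```python
"""Added example: simulate how a VPC network ACL decides on a packet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL_PORTS = (0, 65535)
CATCH_ALL = 32767        # the rule number behind the '*' entry shown in the console


@dataclass(frozen=True)
class Rule:
    number: int              # lower numbers are evaluated first
    action: str              # "allow" or "deny"
    protocol: str            # "-1" (all), "tcp", "udp" or "icmp"
    ports: Tuple[int, int]   # inclusive range; ignored for "-1" and "icmp"
    cidr: str


def evaluate(rules: List[Rule], protocol: str, port: Optional[int], remote_ip: str) -> Tuple[str, int]:
    """Return (action, rule_number) of the first matching rule in ascending
    rule-number order. Unlike a security group, the first hit wins: a later
    ALLOW cannot override an earlier DENY."""
    addr = ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1":
            if rule.protocol != protocol:
                continue
            if protocol in ("tcp", "udp") and not (rule.ports[0] <= port <= rule.ports[1]):
                continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", CATCH_ALL  # every real ACL ends with the '*' DENY anyway


def star_deny() -> Rule:
    return Rule(CATCH_ALL, "deny", "-1", ALL_PORTS, "0.0.0.0/0")


# Default network ACL: rule 100 allows everything, then the '*' DENY.
DEFAULT_INBOUND = [Rule(100, "allow", "-1", ALL_PORTS, "0.0.0.0/0"), star_deny()]
DEFAULT_OUTBOUND = [Rule(100, "allow", "-1", ALL_PORTS, "0.0.0.0/0"), star_deny()]

# Custom network ACL as created in this post: nothing but the '*' DENY.
CUSTOM_INBOUND = [star_deny()]
CUSTOM_OUTBOUND = [star_deny()]


def ssh_session_allowed(inbound: List[Rule], outbound: List[Rule], client_ip: str, client_port: int = 49152) -> bool:
    """A TCP session only works if the client's SYN to port 22 passes the inbound
    rules AND the server's reply to the client's ephemeral port passes the
    outbound rules. The ACL is stateless, so the reply is never allowed implicitly."""
    request, _ = evaluate(inbound, "tcp", 22, client_ip)
    reply, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


def ping_allowed(inbound: List[Rule], outbound: List[Rule], client_ip: str) -> bool:
    """ICMP echo request in, echo reply out; same stateless logic as SSH."""
    request, _ = evaluate(inbound, "icmp", None, client_ip)
    reply, _ = evaluate(outbound, "icmp", None, client_ip)
    return request == "allow" and reply == "allow"


# Constructed rule sets (not from the post) that open the custom ACL for SSH in two steps:
# (a) only an inbound ALLOW on port 22 -- the reply still hits the '*' DENY outbound;
# (b) plus an outbound ALLOW on the ephemeral range 1024-65535 -- the session works.
SSH_IN = [Rule(100, "allow", "tcp", (22, 22), "0.0.0.0/0"), star_deny()]
EPHEMERAL_OUT = [Rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"), star_deny()]

# Rule order: a DENY numbered below the ALLOW blocks one network even though
# the broader ALLOW would match it too.
BLOCKLIST_IN = [Rule(90, "deny", "tcp", (22, 22), "198.51.100.0/24"),
                Rule(100, "allow", "tcp", (22, 22), "0.0.0.0/0"),
                star_deny()]

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address (documentation range)
    for name, inb, outb in [("default ACL", DEFAULT_INBOUND, DEFAULT_OUTBOUND),
                            ("custom ACL (this post)", CUSTOM_INBOUND, CUSTOM_OUTBOUND),
                            ("inbound 22 only", SSH_IN, CUSTOM_OUTBOUND),
                            ("inbound 22 + ephemeral out", SSH_IN, EPHEMERAL_OUT)]:
        print(f"{name:28s} ssh={ssh_session_allowed(inb, outb, client)} ping={ping_allowed(inb, outb, client)}")
    print("blocklisted client:", evaluate(BLOCKLIST_IN, "tcp", 22, "198.51.100.5"))
```

The ‘inbound 22 only’ case is the one that bites in practice: the console shows an ALLOW for SSH, the security group allows it too, and the connection still hangs because the server's SYN-ACK to the client's ephemeral port is dropped by the outbound ‘*’ DENY.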


Hope you have enjoyed this article. In the next blog post, we are going to discuss flow logs in VPC that can be used to monitor your network traffic.

To get more details on VPC, please refer to the AWS documentation below.

https://docs.aws.amazon.com/vpc/index.html

