Create a custom VPC network ACL
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we created a custom VPC security group and allowed SSH over port 22.
In this blog post we are going to create a custom VPC network ACL for our VPC and explicitly DENY all access to our public subnet. Below is the configuration diagram for this demo.
Network ACL: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Security Group vs Network ACL:

| Security Group | Network ACL |
|---|---|
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it is associated with (therefore, you don't have to rely on users to specify the security group) |
In this demo, we are going to create a custom VPC network ACL to explicitly DENY all access to our public subnet.
Create a custom VPC network ACL:
Step 1: Login to AWS console and navigate to ‘VPC’.
Step 2: Navigate to ‘Network ACLs’ and click ‘Create network ACL’.
Step 3: Provide a name and select your VPC. Click ‘Create’.
Our custom network ACL has been created successfully.
Note: Though we have created a custom network ACL it is not associated with any subnet. In order to apply this ACL to our public subnet, we need to associate the public subnet with this ACL.
Step 4: Click ‘Edit subnet associations’ located under ‘Subnet associations’.
Step 5: Select the public subnet and click ‘Associate’.
Our public subnet has been associated with the custom ACL successfully.
The default ACL allows all traffic to flow to the subnets it is associated with. This is not the case for a custom ACL: in a newly created custom ACL all traffic is denied by default, and we need to add explicit allow rules for traffic to reach the subnets. Hence all traffic to our public subnet is blocked as soon as it is associated with the custom ACL.
Default ACL rules:
Note: You can observe that there is an entry for DENY with * in our default ACL. This ensures that traffic is denied if it does not match any allow rule.
Custom ACL rules:
If you try to connect to or ping the EC2 instance created in the previous demo, the connection will fail.
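To make the difference between the two tables above concrete, here is a small Python model of how a network ACL and a security group each evaluate a packet. It is an added example written for this post, not code from AWS or from CloudAffaire; the rule tables at the bottom are constructed to mirror the default ACL (rule 100 allow all, then `*` deny), the freshly created custom ACL (`*` deny only) and the SSH security group from the previous post, and the client address `203.0.113.10` and ephemeral port `49152` are made-up values. The model shows why the connection fails after the subnet is associated with the custom ACL even though the security group still allows port 22, and why, because the ACL is stateless, an inbound allow rule for port 22 is still not enough on its own: the reply leaving the instance also has to pass an outbound rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    number: Optional[int]  # None models the catch-all '*' entry AWS appends to every ACL
    protocol: str          # 'tcp', 'udp', 'icmp' or 'all'
    port_from: int         # destination port range; ignored for 'icmp' and 'all'
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str            # 'allow' or 'deny'


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str              # security groups carry allow rules only, so there is no action field


@dataclass(frozen=True)
class Packet:
    protocol: str
    dest_port: int         # port the packet is addressed to
    remote_ip: str         # source for inbound packets, destination for outbound ones


def _matches(protocol: str, port_from: int, port_to: int, cidr: str, pkt: Packet) -> bool:
    if protocol != 'all' and protocol != pkt.protocol:
        return False
    if protocol in ('tcp', 'udp') and not port_from <= pkt.dest_port <= port_to:
        return False
    return ip_address(pkt.remote_ip) in ip_network(cidr)


def evaluate_acl(rules: List[AclRule], pkt: Packet) -> str:
    """Network ACL: rules are processed in ascending number order, the first match
    decides, and the '*' entry is consulted last. Fails closed if nothing matches."""
    numbered = sorted((r for r in rules if r.number is not None), key=lambda r: r.number)
    star = [r for r in rules if r.number is None]
    for rule in numbered + star:
        if _matches(rule.protocol, rule.port_from, rule.port_to, rule.cidr, pkt):
            return rule.action
    return 'deny'


def evaluate_sg(rules: List[SgRule], pkt: Packet) -> str:
    """Security group: every rule is evaluated and any matching allow rule admits the packet."""
    return 'allow' if any(_matches(r.protocol, r.port_from, r.port_to, r.cidr, pkt) for r in rules) else 'deny'


def ssh_session_verdict(acl_in, acl_out, sg_in, client_ip, ephemeral_port=49152) -> Tuple[str, str]:
    """Verdicts (network ACL, security group) for a complete SSH exchange: the client's
    request to port 22 and the instance's reply back to the client's ephemeral port.
    The ACL is stateless, so the reply must pass the outbound rules on its own;
    the security group is stateful, so only the inbound request is checked."""
    request = Packet('tcp', 22, client_ip)
    reply = Packet('tcp', ephemeral_port, client_ip)
    acl_ok = evaluate_acl(acl_in, request) == 'allow' and evaluate_acl(acl_out, reply) == 'allow'
    return ('allow' if acl_ok else 'deny', evaluate_sg(sg_in, request))


# Constructed rule tables mirroring the demo (same table used inbound and outbound).
STAR_DENY = AclRule(None, 'all', 0, 65535, '0.0.0.0/0', 'deny')
DEFAULT_ACL = [AclRule(100, 'all', 0, 65535, '0.0.0.0/0', 'allow'), STAR_DENY]     # default ACL
CUSTOM_ACL = [STAR_DENY]                                                             # freshly created custom ACL
SSH_IN_ONLY = [AclRule(100, 'tcp', 22, 22, '0.0.0.0/0', 'allow'), STAR_DENY]        # inbound fix only
EPHEMERAL_OUT = [AclRule(100, 'tcp', 1024, 65535, '0.0.0.0/0', 'allow'), STAR_DENY]  # lets replies leave
SG_SSH = [SgRule('tcp', 22, 22, '0.0.0.0/0')]                                        # SG from the previous post

if __name__ == '__main__':
    client = '203.0.113.10'  # constructed client address (TEST-NET-3 range)
    print('default ACL        ', ssh_session_verdict(DEFAULT_ACL, DEFAULT_ACL, SG_SSH, client))
    print('custom ACL         ', ssh_session_verdict(CUSTOM_ACL, CUSTOM_ACL, SG_SSH, client))
    print('inbound 22 only    ', ssh_session_verdict(SSH_IN_ONLY, CUSTOM_ACL, SG_SSH, client))
    print('inbound + ephemeral', ssh_session_verdict(SSH_IN_ONLY, EPHEMERAL_OUT, SG_SSH, client))
    print('ping, custom ACL   ', evaluate_acl(CUSTOM_ACL, Packet('icmp', 0, client)))
```

Running it prints `('allow', 'allow')` for the default ACL, `('deny', 'allow')` for the custom ACL (the security group is happy, the ACL is not, so the packet never reaches the instance), `('deny', 'allow')` again when only an inbound port 22 rule is added, and `('allow', 'allow')` once an outbound rule for the ephemeral port range is added as well. The ICMP packet is denied by the custom ACL, which is why the ping in the demo fails too.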
Hope you have enjoyed this article. In the next blog post, we are going to discuss flow logs in VPC that can be used to monitor your network traffic.
To get more details on VPC, please refer to the AWS documentation below.