Enterprise AWS VPC Setup in details with reference architecture diagram


This post demonstrates how to set up an AWS VPC in an enterprise environment.

AWS reference architecture for illustration
(This is only an illustration of the VPC layout. The CIDR blocks shown there are not the ones configured below, and the VPN Gateway, Direct Connect and VPC peering setup are not covered; those need another post.)

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing

AWS VPC Setup illustration
Log in to your AWS console

Go to VPC

It is normally faster to use the VPC wizard for the VPC setup. For ease of understanding, however, we will create the VPC manually.

Go to Your VPCs and click Create VPC

Enter the VPC name and CIDR block

Note: At the appendix of this post, there is a note about how to calculate the CIDR range.

Next, create an Internet Gateway and give it a name

As shown below, the Internet Gateway you just created is in "Detached" status. An Internet Gateway must be attached to a VPC before it routes anything.
Attach the Internet Gateway to the VPC we created for the demo

Create one public and one private subnet within the same VPC

Create Public Subnet

Create a Public Route Table,

add a route for 0.0.0.0/0 (anywhere) with the Internet Gateway as the target,

and associate it with the public subnet. It is this route to the Internet Gateway that makes the subnet "public".

Create Private Subnet

Create a Private Route Table and associate it with the private subnet

So far we have created a VPC with a public subnet (routed to the Internet Gateway) and a private subnet. From here we will cover Network ACLs and Security Groups. (Note: VPC security is more than just Network ACLs and Security Groups; see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html )

Some important features of Network ACLs (NACL) and Security Groups

Scope
  NACL: associated with a subnet; it is the firewall for every instance in that subnet.
  Security Group: associated with an instance (its network interface); it is the firewall for that EC2 instance.

State
  NACL: stateless. Allowing a request inbound does not allow its reply outbound; both directions need explicit rules, including the ephemeral ports (1024-65535) that replies go back to.
  Security Group: stateful. Replies to allowed traffic are permitted automatically, whatever the rules for the other direction say.

Layer of defence
  NACL: the second layer of defence, at the subnet boundary.
  Security Group: the first layer of defence, at the instance.

Rule evaluation
  NACL: rules are evaluated in ascending order of rule number; the first match (allow or deny) decides, and rule * denies anything that matched no numbered rule.
  Security Group: all rules are evaluated and traffic is allowed if any rule allows it. There are no deny rules, so anything not explicitly allowed is denied.

Network ACLs act as a firewall for the subnets they are associated with, controlling both inbound and outbound traffic at the subnet level. Think of the Network ACL as the firewall at the subnet boundary, where we define rules for traffic entering and leaving the subnet as below.

Enter the NACL name and select the VPC ID

In the NACL you define the inbound and outbound rules. Bear in mind:

  1. It is stateless: a rule that allows incoming traffic does not automatically allow the matching outgoing traffic. Replies to clients go to the clients' ephemeral ports, so an outbound rule for ports 1024-65535 is usually needed as well, or the replies are dropped.
  2. Rules are evaluated in ascending order of rule number, and the first matching rule decides.

In the inbound example above, rule 100 is evaluated first. Rule * is the default deny: it is evaluated last and applies only to traffic that matched no numbered rule.

The same applies to the outbound rules.

After defining the inbound and outbound rules, associate the NACL with the relevant subnet as below. A subnet is associated with exactly one NACL, so this replaces its association with the VPC's default NACL.
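The two points that trip people up here, stateless evaluation and rule ordering, are easiest to see by modelling how AWS evaluates the rules. The following is an added example, not code from the original post or from AWS: it implements the documented semantics (NACL: stateless, lowest rule number first, implicit deny by rule *; Security Group: stateful, allow-only, any matching rule permits) and runs a constructed HTTPS session through both. The addresses, port numbers and rule sets are made up for illustration.

```python
"""Model of how AWS evaluates Network ACL and Security Group rules.

Added example for this post, not AWS code. The semantics follow AWS's documented
behaviour (NACL: stateless, lowest rule number first, implicit deny by rule *;
Security Group: stateful, allow-only, any matching rule permits). The classes,
addresses and packets are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (security groups only have allow rules)
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    cidr: str        # remote range: packet source inbound, destination outbound
    port_from: int   # destination port range of the packet
    port_to: int
    number: int = 0  # NACL rule number; unused for security groups

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        """The reply to this packet, as seen by the same firewall."""
        return Packet(self.protocol, self.dst, self.src, self.dport, self.sport)

def _matches(rule: Rule, pkt: Packet, egress: bool) -> bool:
    remote = pkt.dst if egress else pkt.src
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.protocol == "-1" or rule.port_from <= pkt.dport <= rule.port_to

def nacl_evaluate(rules, pkt: Packet, egress: bool) -> str:
    """Stateless: every packet (replies included) is checked; rules are tried in
    ascending rule number, the first match decides, no match is rule * (deny)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, egress):
            return rule.action
    return "deny"

class SecurityGroup:
    """Stateful: replies to an allowed packet bypass the opposite direction's rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()  # replies expected for connections already allowed

    def evaluate(self, pkt: Packet, egress: bool) -> str:
        if pkt in self.tracked:
            return "allow"
        rules = self.outbound if egress else self.inbound
        if any(_matches(r, pkt, egress) for r in rules):
            self.tracked.add(pkt.reverse())
            return "allow"
        return "deny"

def https_scenario() -> dict:
    """Constructed session: an internet client (198.51.100.7) opens HTTPS to an
    instance in the public subnet (10.0.1.10) and the instance replies."""
    request = Packet("tcp", "198.51.100.7", "10.0.1.10", 51515, 443)
    reply = request.reverse()  # destination port is the client's ephemeral 51515

    nacl_in = [Rule("allow", "tcp", "0.0.0.0/0", 443, 443, number=100)]
    # Common mistake: mirroring the inbound rule outbound only covers port 443,
    # so the reply to port 51515 falls through to rule * and is dropped.
    nacl_out_mirrored = [Rule("allow", "tcp", "0.0.0.0/0", 443, 443, number=100)]
    # Fix: the outbound side must allow the ephemeral port range clients use.
    nacl_out_fixed = [Rule("allow", "tcp", "0.0.0.0/0", 1024, 65535, number=100)]
    # Same HTTPS rule in a security group, with no outbound rules at all.
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    return {
        "nacl_request": nacl_evaluate(nacl_in, request, egress=False),
        "nacl_reply_mirrored": nacl_evaluate(nacl_out_mirrored, reply, egress=True),
        "nacl_reply_fixed": nacl_evaluate(nacl_out_fixed, reply, egress=True),
        "sg_request": sg.evaluate(request, egress=False),
        "sg_reply": sg.evaluate(reply, egress=True),  # allowed by state, not by a rule
    }

def ordering_scenario() -> tuple:
    """Constructed example of rule ordering: a deny for 203.0.113.0/24 only takes
    effect if its rule number is lower than the broad allow."""
    pkt = Packet("tcp", "203.0.113.5", "10.0.1.10", 40000, 443)
    deny_first = [Rule("deny", "tcp", "203.0.113.0/24", 443, 443, number=100),
                  Rule("allow", "tcp", "0.0.0.0/0", 443, 443, number=200)]
    allow_first = [Rule("allow", "tcp", "0.0.0.0/0", 443, 443, number=100),
                   Rule("deny", "tcp", "203.0.113.0/24", 443, 443, number=200)]
    return nacl_evaluate(deny_first, pkt, False), nacl_evaluate(allow_first, pkt, False)
```

Running `https_scenario()` shows the mirrored NACL dropping the server's reply while the fixed NACL and the security group (with no outbound rule at all) both pass it; `ordering_scenario()` shows the same deny rule working at number 100 and being ignored at number 200. When a NACL and a security group disagree, remember both are applied: the NACL decides at the subnet boundary before the security group is consulted at the instance.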

Security Groups act as a firewall for the Amazon EC2 instances they are associated with, controlling both inbound and outbound traffic at the instance level.

Create a new Security Group

Name your security group and select the VPC to create it in

Add your inbound and outbound rules accordingly. Security group rules are allow-only, so anything not explicitly allowed is denied, and because the group is stateful, replies to allowed traffic need no outbound rule. Note that a new security group starts with an outbound rule allowing all traffic; narrow it if the instance does not need unrestricted egress.

Security Group details
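The whole procedure above, from the VPC through to the security group, can be reproduced as API calls. The following is an added example written with boto3, not code from the original post or from AWS; it assumes boto3 is installed and credentials and region come from the usual boto3 chain, and the resource names, the 10.0.0.0/16 block (the post's own CIDR is only visible in its screenshots) and the HTTPS-only rules are illustrative choices. The `plan_subnets` and `usable_hosts` helpers are added to cover the CIDR sizing the post refers to.

```python
"""Build the VPC from this post with boto3: VPC, Internet Gateway, a public and
a private subnet, their route tables, a custom Network ACL and a Security Group.
Added example, not code from the original post. Assumptions: boto3 is installed,
credentials and region come from the usual boto3 chain, and the names, the
10.0.0.0/16 block and the HTTPS-only rules are illustrative choices."""
import ipaddress


def plan_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Carve `count` subnets of size /new_prefix out of the VPC block, lowest first."""
    subnets = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def usable_hosts(subnet_cidr: str) -> int:
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def _name(resource_type: str, name: str) -> list:
    """TagSpecifications value that gives a new resource a Name tag."""
    return [{"ResourceType": resource_type, "Tags": [{"Key": "Name", "Value": name}]}]


def build_vpc(ec2, name: str = "demo", vpc_cidr: str = "10.0.0.0/16") -> dict:
    """The console steps of the post as EC2 API calls; `ec2` is a boto3 EC2 client."""
    public_cidr, private_cidr = plan_subnets(vpc_cidr, 24, 2)

    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr,
                            TagSpecifications=_name("vpc", name))["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])

    # The Internet Gateway is created detached and must be attached to the VPC.
    igw_id = ec2.create_internet_gateway(
        TagSpecifications=_name("internet-gateway", f"{name}-igw")
    )["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    public = ec2.create_subnet(VpcId=vpc_id, CidrBlock=public_cidr,
                               TagSpecifications=_name("subnet", f"{name}-public"))["Subnet"]["SubnetId"]
    private = ec2.create_subnet(VpcId=vpc_id, CidrBlock=private_cidr,
                                TagSpecifications=_name("subnet", f"{name}-private"))["Subnet"]["SubnetId"]
    ec2.modify_subnet_attribute(SubnetId=public, MapPublicIpOnLaunch={"Value": True})

    # Public route table: 0.0.0.0/0 via the IGW, associated with the public subnet.
    public_rt = ec2.create_route_table(
        VpcId=vpc_id, TagSpecifications=_name("route-table", f"{name}-public-rt")
    )["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=public_rt, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=public_rt, SubnetId=public)
    # Private route table: only the local route AWS adds, so no path to the internet.
    private_rt = ec2.create_route_table(
        VpcId=vpc_id, TagSpecifications=_name("route-table", f"{name}-private-rt")
    )["RouteTable"]["RouteTableId"]
    ec2.associate_route_table(RouteTableId=private_rt, SubnetId=private)

    # NACL for the public subnet. It is stateless: inbound allows HTTPS and the
    # outbound side must allow the ephemeral ports that replies go back to.
    # Everything else hits rule * (deny). Protocol "6" is TCP.
    nacl_id = ec2.create_network_acl(
        VpcId=vpc_id, TagSpecifications=_name("network-acl", f"{name}-public-nacl")
    )["NetworkAcl"]["NetworkAclId"]
    ec2.create_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=100, Protocol="6", RuleAction="allow",
                                 Egress=False, CidrBlock="0.0.0.0/0", PortRange={"From": 443, "To": 443})
    ec2.create_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=100, Protocol="6", RuleAction="allow",
                                 Egress=True, CidrBlock="0.0.0.0/0", PortRange={"From": 1024, "To": 65535})
    # A subnet has exactly one NACL: swap its association with the VPC default NACL.
    acl = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [public]}])["NetworkAcls"][0]
    assoc_id = next(a["NetworkAclAssociationId"] for a in acl["Associations"] if a["SubnetId"] == public)
    ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=nacl_id)

    # Security group: stateful, so the inbound HTTPS rule alone covers the replies;
    # the default allow-all outbound rule is revoked to restrict egress.
    sg_id = ec2.create_security_group(GroupName=f"{name}-web", Description="HTTPS from anywhere",
                                      VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])

    return {"vpc": vpc_id, "igw": igw_id, "public_subnet": public, "private_subnet": private,
            "public_rt": public_rt, "private_rt": private_rt, "nacl": nacl_id, "sg": sg_id}


if __name__ == "__main__":
    import boto3  # only needed to run against a real account
    print(build_vpc(boto3.client("ec2")))
```

Run it with credentials for a test account; it creates real resources, though a VPC, subnets, route tables, NACLs and security groups carry no charge on their own. The NACL as written only serves inbound HTTPS: if instances in the public subnet must also initiate outbound connections (package updates, for example), add an outbound rule for the destination port and an inbound rule for ephemeral ports 1024-65535, which is exactly the pair of rules the stateful security group does not need.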

VPN Gateway, Direct Connect and VPC Peering will be illustrated in another post.
