When studying for the AWS Certified Cloud Practitioner (CLF-C02) exam, understanding security in a Virtual Private Cloud (VPC) is crucial. Amazon VPC provides customers with a private slice of the AWS cloud where they can launch resources in a virtual network that they define. Two central VPC security controls are network Access Control Lists (ACLs) and security groups. Let’s look at each, identify their differences, and explain their significance in AWS.
Network Access Control Lists (ACLs)
Network ACLs act as a virtual firewall for controlling inbound and outbound traffic at the subnet level in your VPC. They could be considered the first line of defense in network traffic control, even before security groups.
An ACL contains a numbered list of rules that are evaluated in ascending order by rule number, starting with the lowest-numbered rule. The first rule that matches the traffic is applied, regardless of any other rule further down the list that would also match.
By default, each VPC comes with a modifiable default network ACL that allows all inbound and outbound traffic. When a new network ACL is created, it denies all traffic until the user sets the desired rules.
These lists can either allow or deny traffic based on:
- Protocol: IP, TCP, UDP, and ICMP
- Rule number: Rules are processed in order from the lowest number (highest priority) to the highest.
- Source and destination: Determined by either the CIDR block or a specific IP address
- Port range: Such as HTTP (80), HTTPS (443), or SSH (22).
Security Groups
Unlike network ACLs, security groups are virtual firewalls that regulate inbound and outbound traffic for instances, not subnets. A security group applies at the instance level, and an instance in a VPC can belong to up to five security groups.
Security groups are stateful, which means that if you send a request from your instance, the response traffic for that request is automatically allowed to flow in, regardless of inbound security rules.
Security groups deny any traffic that isn’t explicitly allowed, and by default, a security group includes an outbound rule that allows all outbound traffic. You can remove this rule and add outbound rules that allow specific outbound traffic only.
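The two evaluation models described above, ordered first-match-wins with no state for a network ACL and unordered allow-only rules with connection tracking for a security group, are easy to confuse on the exam and in practice. The following is an added example written for this page, not AWS code: it simulates both models in plain Python. The rule and packet shapes, the addresses (documentation ranges), and the port numbers are constructed for the example. The scenario shows the classic stateless pitfall: an HTTPS request is allowed into the subnet, but the reply to the client's ephemeral port is dropped by the outbound NACL until a rule for the ephemeral port range is added, whereas the security group lets the same reply out with no outbound rules at all.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Simplified stand-ins for the console/API fields (rule number, protocol,
# CIDR, port range, allow/deny). These shapes are assumptions for this
# example, not the AWS data model.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"

@dataclass(frozen=True)
class Rule:
    cidr: str                 # source for inbound rules, destination for outbound
    port_from: int
    port_to: int
    protocol: str = "tcp"     # "tcp", "udp", "icmp" or "all"
    action: str = "allow"     # NACL rules may be "deny"; SG rules are always allow
    number: int = 0           # NACL rule number; unused for security groups

def matches(rule, ip, protocol, port):
    """True when the packet endpoint (IP, protocol, port) falls inside the rule."""
    return (rule.protocol in ("all", protocol)
            and ip_address(ip) in ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_decision(rules, ip, protocol, port):
    """Network ACL semantics: evaluate in ascending rule-number order, first match
    wins, and the implicit '*' rule denies anything no rule matched. No state is
    kept, so a reply packet is judged purely on its own addresses and ports."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, protocol, port):
            return rule.action
    return "deny"

def nacl_inbound(rules, pkt):
    return nacl_decision(rules, pkt.src_ip, pkt.protocol, pkt.dst_port)

def nacl_outbound(rules, pkt):
    return nacl_decision(rules, pkt.dst_ip, pkt.protocol, pkt.dst_port)

@dataclass
class SecurityGroup:
    """Security group semantics: allow rules only, no ordering, default deny, and
    connection tracking so the reply to an allowed request passes regardless of
    the rules in the opposite direction."""
    inbound: list
    outbound: list
    _flows: set = field(default_factory=set)   # (initiator ip, port, responder ip, port, proto)

    def inbound_allowed(self, pkt):
        # Reply to a connection this instance initiated: allowed by state.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol) in self._flows:
            return True
        if any(matches(r, pkt.src_ip, pkt.protocol, pkt.dst_port) for r in self.inbound):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))
            return True
        return False

    def outbound_allowed(self, pkt):
        # Reply to a connection a remote host initiated: allowed by state.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol) in self._flows:
            return True
        if any(matches(r, pkt.dst_ip, pkt.protocol, pkt.dst_port) for r in self.outbound):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))
            return True
        return False

def demo():
    """Constructed scenario: an internet client (203.0.113.10) opens HTTPS to an
    instance at 10.0.1.5; the instance replies to the client's ephemeral port."""
    request = Packet("203.0.113.10", 51234, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51234)

    nacl_in = [Rule("0.0.0.0/0", 443, 443, number=100),
               Rule("203.0.113.0/24", 443, 443, action="deny", number=200)]  # shadowed by 100
    nacl_out_forgot = [Rule("0.0.0.0/0", 443, 443, number=100)]             # no ephemeral ports
    nacl_out_fixed = nacl_out_forgot + [Rule("0.0.0.0/0", 1024, 65535, number=110)]
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])  # default egress removed

    return {
        "nacl_request_in": nacl_inbound(nacl_in, request),                 # allow (rule 100)
        "nacl_reply_out_forgot": nacl_outbound(nacl_out_forgot, reply),    # deny (port 51234)
        "nacl_reply_out_fixed": nacl_outbound(nacl_out_fixed, reply),      # allow (rule 110)
        "nacl_deny_first": nacl_inbound(
            [Rule("203.0.113.0/24", 443, 443, action="deny", number=90)] + nacl_in, request),  # deny
        "sg_request_in": sg.inbound_allowed(request),                      # True
        "sg_reply_out": sg.outbound_allowed(reply),                        # True, by state
        "sg_unsolicited_out": sg.outbound_allowed(Packet("10.0.1.5", 40000, "198.51.100.7", 80)),  # False
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `nacl_deny_first` entry shows why rule numbering matters: the same deny rule is ignored at number 200, because rule 100 already matched, but takes effect at number 90. The `sg_unsolicited_out` entry shows that connection tracking only covers replies; a new outbound connection still needs an outbound rule once the default allow-all egress rule has been removed.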
Comparison of Network ACLs and Security Groups
| | Network ACLs | Security Groups |
|---|---|---|
| Level of application | Applied at the subnet level | Applied at the instance level |
| State | Stateless: inbound and outbound traffic are evaluated separately | Stateful: responses to allowed inbound requests are automatically allowed out |
| Rule behavior | Rules can either allow or deny traffic | Only allow rules; all traffic not explicitly allowed is denied |
| Rule evaluation | Numbered rules evaluated in order, with separate inbound and outbound rules | Unordered rules, with separate inbound and outbound rules |
| Association with instances | Automatically applies to all instances in the subnets it is associated with | Manually associated with instances at launch or later |
Understanding network ACLs and security groups is a stepping stone to mastering AWS VPC security. For AWS Certified Cloud Practitioner (CLF-C02) exam preparation, these concepts provide the foundational knowledge needed to understand AWS VPC. Working with them in practice will give a deeper understanding and hands-on experience.
Practice Test
True/False: A Network Access Control List (NACL) in AWS VPC operates at the subnet level.
- True
- False
Answer: True
Explanation: Network Access Control Lists (NACLs) are stateless; they operate at the subnet level and evaluate traffic entering or exiting a subnet.
Which of the following cannot be used to control traffic in a VPC?
- Security groups
- Network ACLs
- IAM roles
- Subnet masks
Answer: IAM roles
Explanation: While security groups, network ACLs and subnet masks are all used for controlling traffic within a VPC, IAM roles are used for managing user permissions and do not directly control traffic.
True/False: In AWS VPC, Security Groups are stateful, while Network ACLs are stateless.
- True
- False
Answer: True
Explanation: In AWS, Security Groups are stateful, meaning if you send a request from your instance, the response traffic for that request is automatically allowed back in, irrespective of inbound security rules. Network ACLs, however, are stateless, meaning they do not keep track of connection states.
Can a security group be associated with multiple EC2 instances within a VPC?
- Yes
- No
Answer: Yes
Explanation: In Amazon VPC, a security group can be associated with multiple instances, providing a convenient way to manage traffic rules for similar instances.
In AWS VPC, does a security group act at the instance level or the subnet level?
- Instance Level
- Subnet Level
Answer: Instance Level
Explanation: Security groups in an AWS VPC operate at the instance level, not the subnet level. This provides a high level of control over inbound and outbound traffic.
True/False: By default, an Amazon VPC blocks all inbound traffic and allows all outbound traffic.
- True
- False
Answer: False
Explanation: By default, a VPC allows all outbound traffic but blocks all inbound traffic that hasn’t been specifically allowed.
How many security groups can you assign to an EC2 instance in a VPC?
- One
- Up to 5
- Up to 50
Answer: Up to 5
Explanation: In a VPC, you can assign up to 5 security groups to an EC2 instance.
True/False: A VPC automatically comes with a default NACL that allows all inbound and outbound IPv4 traffic.
- True
- False
Answer: True
Explanation: When you create a new VPC, it automatically comes with a default NACL that allows all inbound and outbound IPv4 traffic.
Can inbound and outbound rules in a VPC security group be set independently of each other?
- Yes
- No
Answer: Yes
Explanation: Inbound and outbound rules in a VPC security group can be managed separately allowing granular control over access and security.
What is the effect of deleting a VPC’s default network ACL?
- The VPC becomes inaccessible
- The VPC reverts to its previous state
- No effect, since a VPC’s default NACL cannot be deleted
Answer: No effect, since a VPC’s default NACL cannot be deleted
Explanation: A VPC’s default network ACL cannot be deleted, therefore deleting it would have no effect.
True/False: A custom network ACL by default denies all inbound and outbound traffic until you add rules.
- True
- False
Answer: True
Explanation: A custom network ACL you create blocks all inbound and outbound traffic until you add inbound and outbound rules.
Interview Questions
What is a VPC in AWS?
A VPC (Virtual Private Cloud) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing you a private section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
What are Network ACLs in Amazon VPC?
Network Access Control Lists (ACLs) are a firewall for controlling traffic in and out of a VPC subnet. They provide a rule-based tool for inbound and outbound traffic at the protocol and subnet level.
Can you modify the default network ACL?
Yes, you can modify the default network ACL. However, unlike a custom network ACL, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic by default.
What is the primary function of AWS Security Groups within a VPC?
Security Groups act as a virtual firewall for your instance to control the inbound and outbound traffic. When you launch an instance, you can associate one or more security groups with the instance.
How many Security Groups can you assign to an EC2 instance?
You can assign up to 5 security groups to an EC2 instance.
Can Network ACLs and Security Groups control both inbound and outbound traffic?
Yes, both Network ACLs and Security Groups are designed to control inbound (ingress) and outbound (egress) traffic.
Are Network ACLs stateful or stateless, and why does that matter?
Network ACLs are stateless, meaning they do not keep track of the state of a network connection. Each packet that flows through the network ACL is evaluated against the ACL’s rules on its own, without regard to any other packet, so return traffic must be explicitly allowed by a rule in the opposite direction.
Are Security Groups in AWS stateful or stateless?
Security Groups in AWS are stateful, meaning if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
Can you specify the range of IP addresses for a VPC and its subnets?
Yes, when you create a VPC, you must specify an IPv4 CIDR block (a range of private IPv4 addresses). You can then add one or multiple subnets within this IP address range.
What is the main difference between a Network ACL and a Security Group in a VPC?
The main difference is that Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. In contrast, Security Groups operate at the instance level and evaluate traffic for a particular EC2 instance.
What are the components of a Security Group rule in a VPC?
A rule in a security group includes the following components: Protocol type (TCP, UDP, ICMP), Port range, and Source or Destination, which can be a CIDR block or a Security Group.
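Because a security group consists only of allow rules, reviewing a group means reading exactly these components for each rule: protocol, port range, and whether the source is a CIDR block or another security group. The following is an added example, not AWS code or output: a small audit that walks security group descriptions in the shape returned by `aws ec2 describe-security-groups` (the `IpPermissions` and `IpPermissionsEgress` lists with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges` and `UserIdGroupPairs`) and flags administrative ports open to the whole internet and the default allow-all outbound rule mentioned earlier on this page. The sample groups, their IDs, and the list of ports treated as sensitive are constructed for the example.

```python
# Ports an internet-wide (0.0.0.0/0 or ::/0) inbound rule should rarely expose.
# This set is the example's own choice, not an AWS list.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def open_to_world(perm):
    """True when any CIDR source/destination of the rule is the whole internet.
    Rules whose only source is another security group (UserIdGroupPairs) are
    not open to the world and are left alone."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)

def audit_security_group(sg):
    """Return a list of human-readable findings for one security group dict."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):          # inbound rules
        if not open_to_world(perm):
            continue
        proto = perm["IpProtocol"]                    # "tcp", "udp", "icmp" or "-1" (all)
        if proto == "-1":
            findings.append(f"{gid} ingress: all traffic open to the internet")
        elif proto in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{gid} ingress: {name} ({port}/{proto}) open to the internet")
    for perm in sg.get("IpPermissionsEgress", []):    # outbound rules
        if perm["IpProtocol"] == "-1" and open_to_world(perm):
            findings.append(f"{gid} egress: default allow-all outbound rule still present")
    return findings

def audit_all(groups):
    return {g["GroupId"]: audit_security_group(g) for g in groups}

# Constructed sample resembling describe-security-groups output; IDs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0example1"}]}],   # source is the web tier's group
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        print(gid, "->", findings or ["no findings"])
```

Run against real data, the same function accepts the parsed JSON of `aws ec2 describe-security-groups` (the `SecurityGroups` list). The database group in the sample produces no findings: its inbound rule names the web tier's security group as the source rather than a CIDR, and its outbound rule is restricted to HTTPS, which is the pattern the page recommends when it says the default outbound rule can be replaced with specific ones.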
Who can access resources that I have shared in a subnet that has an associated Network ACL that allows all inbound traffic?
All resources that are connected to that subnet can access the shared resources, provided their associated security groups also allow the necessary outbound traffic.
Can changes made to a Network ACL or Security Group take effect immediately?
Yes, changes made to a Network ACL or Security Group rules are automatically applied to all instances associated with it, and the changes take effect immediately.
Is there a limit on the number of rules that you can add to a Network ACL in AWS VPC?
Yes, by default AWS allows you to create up to 20 inbound and 20 outbound rules per Network ACL.
What are the default rules for a new security group in AWS VPC?
By default, a new security group includes an outbound rule that allows all outbound traffic, and does not include inbound rules. This means that no inbound traffic originating from another host is allowed unless you add inbound rules to the security group.