1
00:00:00,090 --> 00:00:00,923
Now let's talk about

2
00:00:00,923 --> 00:00:03,390
network security within our VPC.

3
00:00:03,390 --> 00:00:06,090
So we have Network ACL and Security Groups.

4
00:00:06,090 --> 00:00:07,370
So if we look at our VPC

5
00:00:07,370 --> 00:00:09,000
and look at our Public subnets,

6
00:00:09,000 --> 00:00:10,730
we have an EC2 Instance.

7
00:00:10,730 --> 00:00:13,400
And the first line of defense for our EC2 Instance,

8
00:00:13,400 --> 00:00:15,580
is a NACL or a Network ACL,

9
00:00:15,580 --> 00:00:17,900
which is a firewall that is controlling traffic

10
00:00:17,900 --> 00:00:20,240
from and to the subnets.

11
00:00:20,240 --> 00:00:22,420
So remember, it is at the Subnet level,

12
00:00:22,420 --> 00:00:23,480
in which we can define,

13
00:00:23,480 --> 00:00:25,270
ALLOW or DENY rules,

14
00:00:25,270 --> 00:00:27,760
and then attach at the Subnet level,

15
00:00:27,760 --> 00:00:30,540
and the rules can only include IP addresses.

16
00:00:30,540 --> 00:00:31,910
So if we look at this diagram,

17
00:00:31,910 --> 00:00:32,870
as we can see,

18
00:00:32,870 --> 00:00:35,030
the NACL is going to be filtering traffic

19
00:00:35,030 --> 00:00:36,970
in and out of the Subnet,

20
00:00:36,970 --> 00:00:39,920
before it reaches our EC2 Instance.

21
00:00:39,920 --> 00:00:41,490
The second line of defense we have,

22
00:00:41,490 --> 00:00:42,530
and we've been already using it

23
00:00:42,530 --> 00:00:43,870
so far in this course,

24
00:00:43,870 --> 00:00:45,280
are Security Groups.

25
00:00:45,280 --> 00:00:46,460
And this is a firewall,

26
00:00:46,460 --> 00:00:49,470
that controls traffic to and from an ENI,

27
00:00:49,470 --> 00:00:50,890
so let's take network interface,

28
00:00:50,890 --> 00:00:52,750
or an EC2 Instance,

29
00:00:52,750 --> 00:00:55,760
and the Security Groups can only have ALLOW rules.

30
00:00:55,760 --> 00:00:59,020
And finally, they can reference either IP addresses,

31
00:00:59,020 --> 00:01:00,760
or other security groups.

32
00:01:00,760 --> 00:01:01,880
So in this example,

33
00:01:01,880 --> 00:01:04,650
we have the Security Group around our EC2 Instance,

34
00:01:04,650 --> 00:01:06,310
that controls the traffic going in

35
00:01:06,310 --> 00:01:08,440
and out of our EC2 Instance.

36
00:01:08,440 --> 00:01:11,270
So the Security Group and NACL are quite different,

37
00:01:11,270 --> 00:01:12,730
the NACL is at the subnet level,

38
00:01:12,730 --> 00:01:16,210
and the security group is at the EC2 Instance level.

39
00:01:16,210 --> 00:01:17,510
And from an exam perspective,

40
00:01:17,510 --> 00:01:19,720
that should be all you need to know.

41
00:01:19,720 --> 00:01:21,140
Now there is a more complete

42
00:01:21,140 --> 00:01:24,170
table around the differences of the Security Group

43
00:01:24,170 --> 00:01:25,390
and the Network ACL.

44
00:01:25,390 --> 00:01:27,190
Let's look at the most important ones

45
00:01:27,190 --> 00:01:28,740
and these are the first three.

46
00:01:28,740 --> 00:01:31,530
Well, a Security Group operates at the instance level,

47
00:01:31,530 --> 00:01:34,470
whereas the network ACL operates at the subnet level.

48
00:01:34,470 --> 00:01:37,040
A Security Group supports only ALLOW rules

49
00:01:37,040 --> 00:01:38,480
whereas a Network ACL supports

50
00:01:38,480 --> 00:01:40,630
ALLOW rules and DENY rules.

51
00:01:40,630 --> 00:01:42,610
And finally, in the Security Group,

52
00:01:42,610 --> 00:01:44,870
the return traffic is automatically allowed,

53
00:01:44,870 --> 00:01:45,820
regardless of any rule,

54
00:01:45,820 --> 00:01:47,400
so that's called statefulness,

55
00:01:47,400 --> 00:01:48,233
and in Network ACL,

56
00:01:48,233 --> 00:01:49,820
the returned traffic must be

57
00:01:49,820 --> 00:01:50,910
explicitly allowed by rules

58
00:01:50,910 --> 00:01:52,240
which is called stateless.

59
00:01:52,240 --> 00:01:53,073
So that's it.

60
00:01:53,073 --> 00:01:54,270
Again, from an exam perspective,

61
00:01:54,270 --> 00:01:55,370
I really think the first two

62
00:01:55,370 --> 00:01:57,310
or the first three rules are enough.

63
00:01:57,310 --> 00:01:59,410
So let's go into our default VPC

64
00:01:59,410 --> 00:02:01,020
to see what we have.

65
00:02:01,020 --> 00:02:02,990
So in our default VPC,

66
00:02:02,990 --> 00:02:05,420
on the left hand side, we can see for security,

67
00:02:05,420 --> 00:02:07,840
either security groups or Network ACLs.

68
00:02:07,840 --> 00:02:09,800
So if I click on security groups,

69
00:02:09,800 --> 00:02:11,750
we find the exact same security groups

70
00:02:11,750 --> 00:02:12,850
we had from before,

71
00:02:12,850 --> 00:02:14,960
when we were using the EC2 console.

72
00:02:14,960 --> 00:02:16,410
So this menu right here

73
00:02:16,410 --> 00:02:18,170
and the menu in the EC2 console,

74
00:02:18,170 --> 00:02:19,160
are the exact same.

75
00:02:19,160 --> 00:02:20,330
It depends on if you wanna see it

76
00:02:20,330 --> 00:02:22,400
from the perspective of VPC,

77
00:02:22,400 --> 00:02:23,400
or if you want to see it

78
00:02:23,400 --> 00:02:26,440
from the perspective of an EC2 Instance.

79
00:02:26,440 --> 00:02:28,600
So we have five security groups in here,

80
00:02:28,600 --> 00:02:29,650
and we can look obviously

81
00:02:29,650 --> 00:02:30,730
at the security group rules,

82
00:02:30,730 --> 00:02:32,370
for example, for launch-wizard-1

83
00:02:32,370 --> 00:02:33,900
which was created from before.

84
00:02:33,900 --> 00:02:35,910
As we can see in this security group,

85
00:02:35,910 --> 00:02:37,420
the inbound rules allowed HTTP

86
00:02:37,420 --> 00:02:41,460
on port 80 and SSH on port 22 from anywhere.

87
00:02:41,460 --> 00:02:42,480
For the outbound rules,

88
00:02:42,480 --> 00:02:44,880
it did allow all traffic on all ports,

89
00:02:44,880 --> 00:02:47,310
all protocols and anywhere, effectively

90
00:02:47,310 --> 00:02:48,960
giving our EC2 Instance

91
00:02:48,960 --> 00:02:51,900
the right to talk to any websites.

92
00:02:51,900 --> 00:02:52,873
Next for Network ACL

93
00:02:52,873 --> 00:02:54,420
that we haven't seen yet,

94
00:02:54,420 --> 00:02:55,440
as we can see,

95
00:02:55,440 --> 00:02:57,570
one Network ACL has been created,

96
00:02:57,570 --> 00:03:00,310
and it is associated at the subnet level,

97
00:03:00,310 --> 00:03:02,830
so associated with three subnets.

98
00:03:02,830 --> 00:03:04,430
And then when we look at it,

99
00:03:04,430 --> 00:03:06,710
we can see that there are some inbound rules.

100
00:03:06,710 --> 00:03:08,420
So this is saying that all traffic

101
00:03:08,420 --> 00:03:11,110
on all ports from everywhere is allowed,

102
00:03:11,110 --> 00:03:13,560
effectively saying that anything can go through it.

103
00:03:13,560 --> 00:03:15,040
And if you look at the outbound rules,

104
00:03:15,040 --> 00:03:17,030
yet again, it's allowing all traffic

105
00:03:17,030 --> 00:03:18,720
on all ports anywhere.

106
00:03:18,720 --> 00:03:20,800
So this is called the default Network ACL,

107
00:03:20,800 --> 00:03:22,550
because it allows everything in

108
00:03:22,550 --> 00:03:23,840
and everything out.

109
00:03:23,840 --> 00:03:24,710
But if we wanted to,

110
00:03:24,710 --> 00:03:26,080
we could create some rules,

111
00:03:26,080 --> 00:03:26,920
create a rule number,

112
00:03:26,920 --> 00:03:28,813
for example, rule number 200,

113
00:03:29,730 --> 00:03:31,290
and then you can define the type of traffic

114
00:03:31,290 --> 00:03:33,550
you want it to ALLOW, or DENY

115
00:03:33,550 --> 00:03:35,700
in and out of your subnet.

116
00:03:35,700 --> 00:03:37,410
Again, remember, Network ACL

117
00:03:37,410 --> 00:03:38,580
is at the subnet level.

118
00:03:38,580 --> 00:03:39,680
And we can see that

119
00:03:39,680 --> 00:03:41,410
the default Network ACL

120
00:03:41,410 --> 00:03:43,610
has been associated with my three subnets,

121
00:03:43,610 --> 00:03:46,050
which is what we would expect from a Network ACL.

122
00:03:46,050 --> 00:03:47,640
So that's it. I hope you liked it

123
00:03:47,640 --> 00:03:49,590
and I will see you in the next lecture.