1 00:00:00,140 --> 00:00:02,500 ‫Let's talk about these firewalls 2 00:00:02,500 --> 00:00:04,520 ‫around our EC2 instances. 3 00:00:04,520 --> 00:00:06,950 ‫So we briefly configured one in the previous lecture 4 00:00:06,950 --> 00:00:10,250 ‫but security groups yet again, are going to be fundamental 5 00:00:10,250 --> 00:00:14,690 ‫into doing network security in the AWS cloud. 6 00:00:14,690 --> 00:00:16,970 ‫They will control how the traffic is allowed 7 00:00:16,970 --> 00:00:20,600 ‫into and out of your EC2 instances. 8 00:00:20,600 --> 00:00:22,210 ‫Security groups are going to be very easy, 9 00:00:22,210 --> 00:00:23,880 ‫they only contain allow rules, 10 00:00:23,880 --> 00:00:27,080 ‫so we can say what is allowed to go in and to go out, 11 00:00:27,080 --> 00:00:28,630 ‫and security groups can have rules 12 00:00:28,630 --> 00:00:30,690 ‫that reference either by IP addresses, 13 00:00:30,690 --> 00:00:33,280 ‫so, where your computer is from 14 00:00:33,280 --> 00:00:34,790 ‫or by other security groups, 15 00:00:34,790 --> 00:00:37,930 ‫so as we'll see, security groups can reference each other. 16 00:00:37,930 --> 00:00:39,940 ‫So here, let's take an example, 17 00:00:39,940 --> 00:00:43,340 ‫we are on our computer, so we are on the public internet 18 00:00:43,340 --> 00:00:45,910 ‫and we're trying to access our EC2 instance 19 00:00:45,910 --> 00:00:47,550 ‫from our computer. 20 00:00:47,550 --> 00:00:49,660 ‫We are going to create a security group 21 00:00:49,660 --> 00:00:51,510 ‫around our EC2 instance, 22 00:00:51,510 --> 00:00:53,500 ‫that is the firewall that is around it 23 00:00:53,500 --> 00:00:56,360 ‫and then this security group is going to have rules. 24 00:00:56,360 --> 00:00:57,980 ‫And these rules are going to say 25 00:00:57,980 --> 00:01:00,230 ‫whether or not some inbound traffic, 26 00:01:00,230 --> 00:01:04,730 ‫so from the outside into the EC2 instance is allowed, 27 00:01:04,730 --> 00:01:06,680 ‫and also if the EC2 instance 28 00:01:06,680 --> 00:01:08,530 ‫can perform some outbound traffic. 29 00:01:08,530 --> 00:01:12,690 ‫So to talk from where it is into the internet. 30 00:01:12,690 --> 00:01:14,180 ‫Now let's do a deeper dive, right? 31 00:01:14,180 --> 00:01:17,340 ‫Security groups are a firewall on our EC2 instances 32 00:01:17,340 --> 00:01:20,230 ‫and they're going to regulate access to ports. 33 00:01:20,230 --> 00:01:23,420 ‫They're going to see the authorized IP ranges. 34 00:01:23,420 --> 00:01:24,967 ‫Would it be on IPv4 or IPv6? 35 00:01:24,967 --> 00:01:28,380 ‫These are the two kinds of IP on the internet, 36 00:01:28,380 --> 00:01:30,580 ‫and this is going to control the inbound network. 37 00:01:30,580 --> 00:01:33,170 ‫So from the outside to the instance 38 00:01:33,170 --> 00:01:36,900 ‫and the other network from the instance to the outside, 39 00:01:36,900 --> 00:01:39,450 ‫and when we look at security group rules, 40 00:01:39,450 --> 00:01:40,820 ‫they will look just like this. 41 00:01:40,820 --> 00:01:43,470 ‫So they will be the type, the protocol, 42 00:01:43,470 --> 00:01:45,560 ‫so TCP, the port allowing it, 43 00:01:45,560 --> 00:01:48,610 ‫so where the traffic can go through on the instance 44 00:01:48,610 --> 00:01:51,900 ‫and the source which represents an IP address range 45 00:01:51,900 --> 00:01:55,010 ‫and 0.0 0.0/0 means everything 46 00:01:55,010 --> 00:01:57,610 ‫and this here means just one IP. 47 00:01:57,610 --> 00:01:59,680 ‫So you're not expected to know 48 00:01:59,680 --> 00:02:01,590 ‫how to properly configure a security group 49 00:02:01,590 --> 00:02:03,760 ‫for the (indistinct) exam, but they're so important, 50 00:02:03,760 --> 00:02:05,370 ‫so I wanna talk about them. 51 00:02:05,370 --> 00:02:07,010 ‫Now, let's look at the diagram, right? 52 00:02:07,010 --> 00:02:08,940 ‫So we have our EC2 instance 53 00:02:08,940 --> 00:02:12,640 ‫and it has one security group allow attached to it 54 00:02:12,640 --> 00:02:14,220 ‫that has inbound rules and outbound rules. 55 00:02:14,220 --> 00:02:16,330 ‫So I've separated them onto this diagram. 56 00:02:16,330 --> 00:02:20,420 ‫So our computer is going to be authorized on say port 22. 57 00:02:20,420 --> 00:02:22,950 ‫So the traffic can go through from our computer 58 00:02:22,950 --> 00:02:24,720 ‫to the EC2 instance, 59 00:02:24,720 --> 00:02:27,930 ‫but someone else's computer, that's not using my IP address 60 00:02:27,930 --> 00:02:29,760 ‫because they don't live where I live, 61 00:02:29,760 --> 00:02:33,240 ‫then if they're trying to access our EC2 instance 62 00:02:33,240 --> 00:02:34,700 ‫they will not get through it 63 00:02:34,700 --> 00:02:37,100 ‫because the firewall is going to block it 64 00:02:37,100 --> 00:02:39,610 ‫and it will be a timeout. 65 00:02:39,610 --> 00:02:42,700 ‫Then for the outbound rules by default, 66 00:02:42,700 --> 00:02:45,310 ‫our EC2 instance for any security group 67 00:02:45,310 --> 00:02:49,030 ‫is going to be by default allowing any traffic out of it. 68 00:02:49,030 --> 00:02:50,300 ‫So our EC2 instance, 69 00:02:50,300 --> 00:02:53,720 ‫if it tries to access a website and initiate a connection 70 00:02:53,720 --> 00:02:56,710 ‫it is going to be allowed by the security group. 71 00:02:56,710 --> 00:02:59,930 ‫So this is the basics of how the firewall works. 72 00:02:59,930 --> 00:03:00,790 ‫Now good to know, 73 00:03:00,790 --> 00:03:02,630 ‫what do you need to know with security groups? 74 00:03:02,630 --> 00:03:04,780 ‫Well, they can be attached to multiple instances, okay? 75 00:03:04,780 --> 00:03:06,570 ‫There's not a one to one relationship 76 00:03:06,570 --> 00:03:08,930 ‫between security group and instances 77 00:03:08,930 --> 00:03:10,490 ‫and actually an instance 78 00:03:10,490 --> 00:03:13,030 ‫can have multiple security groups too. 79 00:03:13,030 --> 00:03:15,125 ‫Security groups are locked down to a region 80 00:03:15,125 --> 00:03:17,370 ‫/VPC combination, okay? 81 00:03:17,370 --> 00:03:18,860 ‫So if you switch to another region, 82 00:03:18,860 --> 00:03:20,040 ‫you have to create a new security group 83 00:03:20,040 --> 00:03:22,040 ‫or if you create another VPC 84 00:03:22,040 --> 00:03:24,810 ‫and we'll see what VPCs are in the like later lecture, 85 00:03:24,810 --> 00:03:27,040 ‫well, you have to recreate the security groups. 86 00:03:27,040 --> 00:03:29,380 ‫The security groups live outside the EC2. 87 00:03:29,380 --> 00:03:31,270 ‫So as I said, if the traffic is blocked 88 00:03:31,270 --> 00:03:33,160 ‫the EC2 instance won't even see it. 89 00:03:33,160 --> 00:03:35,900 ‫Okay, it's not like an application running on EC2 90 00:03:35,900 --> 00:03:39,140 ‫it's really a firewall outside your EC2 instance. 91 00:03:39,140 --> 00:03:41,100 ‫To be honest, and that's just an advice to you 92 00:03:41,100 --> 00:03:42,730 ‫from developer to developer 93 00:03:42,730 --> 00:03:45,210 ‫but it's good to maintain one separate security group 94 00:03:45,210 --> 00:03:46,720 ‫just for SSH access, 95 00:03:46,720 --> 00:03:49,010 ‫usually SSH access is the most complicated thing 96 00:03:49,010 --> 00:03:51,650 ‫and you really wanna make sure that one is done correctly. 97 00:03:51,650 --> 00:03:53,880 ‫So I usually separate my security group 98 00:03:53,880 --> 00:03:55,283 ‫for SSH access separately. 99 00:03:56,160 --> 00:03:58,660 ‫If your application is not accessible, so timeout, 100 00:03:58,660 --> 00:04:00,350 ‫so we saw this in the last lecture, 101 00:04:00,350 --> 00:04:01,830 ‫then it is a security group issue. 102 00:04:01,830 --> 00:04:03,890 ‫Okay, so if you try to connect to any port 103 00:04:03,890 --> 00:04:06,311 ‫and you computer just hangs and waits and waits 104 00:04:06,311 --> 00:04:08,910 ‫that's probably a security group issue, 105 00:04:08,910 --> 00:04:11,830 ‫but if you receive a connection refused error, 106 00:04:11,830 --> 00:04:14,930 ‫okay, you actually get a response and connection refused, 107 00:04:14,930 --> 00:04:17,030 ‫then the security group actually worked, 108 00:04:17,030 --> 00:04:19,830 ‫the traffic went through and the application was errored 109 00:04:19,830 --> 00:04:21,930 ‫or it wasn't launched or something like this. 110 00:04:21,930 --> 00:04:22,930 ‫So this is what you would get 111 00:04:22,930 --> 00:04:24,800 ‫if you get a connection refused. 112 00:04:24,800 --> 00:04:27,350 ‫By default, all inbound traffic is blocked 113 00:04:27,350 --> 00:04:30,830 ‫and all outbound traffic is authorized, okay? 114 00:04:30,830 --> 00:04:32,650 ‫Now there is a small advanced feature 115 00:04:32,650 --> 00:04:34,910 ‫that I really, really like, and I think it's perfect 116 00:04:34,910 --> 00:04:36,390 ‫if you start using load balancers 117 00:04:36,390 --> 00:04:38,150 ‫and we'll see this in the next lecture as well, 118 00:04:38,150 --> 00:04:40,440 ‫which is how to reference security groups 119 00:04:40,440 --> 00:04:41,860 ‫from other security groups. 120 00:04:41,860 --> 00:04:43,600 ‫So let me explain things. 121 00:04:43,600 --> 00:04:46,230 ‫So we have an EC2 instance, and it has a security group, 122 00:04:46,230 --> 00:04:48,509 ‫what I call group number one, 123 00:04:48,509 --> 00:04:50,950 ‫and the inbound rules is basically saying, 124 00:04:50,950 --> 00:04:53,530 ‫I'm authorizing security group number one inbound 125 00:04:53,530 --> 00:04:55,390 ‫and security group number two. 126 00:04:55,390 --> 00:04:57,130 ‫So, why would we even do this? 127 00:04:57,130 --> 00:04:59,670 ‫Well, if we launch another EC2 instance 128 00:04:59,670 --> 00:05:02,920 ‫and it has security group two attached to it, 129 00:05:02,920 --> 00:05:04,830 ‫well, by using the security group (indistinct) rule 130 00:05:04,830 --> 00:05:05,890 ‫that we just set up, 131 00:05:05,890 --> 00:05:08,640 ‫we basically allow our EC2 instance 132 00:05:08,640 --> 00:05:11,550 ‫to go connect straight through on the port we decided 133 00:05:11,550 --> 00:05:13,980 ‫onto our first EC2 instance. 134 00:05:13,980 --> 00:05:16,650 ‫Similarly, if we have another EC2 instance 135 00:05:16,650 --> 00:05:18,530 ‫with a security group one attached, 136 00:05:18,530 --> 00:05:20,540 ‫while we've also authorized this one 137 00:05:20,540 --> 00:05:23,160 ‫to communicate straight back to our instances. 138 00:05:23,160 --> 00:05:26,030 ‫And so regardless of the IP of our EC2 instances 139 00:05:26,030 --> 00:05:28,840 ‫because they have the right security group attached to them 140 00:05:28,840 --> 00:05:30,820 ‫they're able to communicate straight through 141 00:05:30,820 --> 00:05:32,150 ‫to other instances. 142 00:05:32,150 --> 00:05:34,680 ‫And that's awesome because it doesn't make you think 143 00:05:34,680 --> 00:05:36,210 ‫about IPs all the time. 144 00:05:36,210 --> 00:05:37,680 ‫And if you have another EC2 instance 145 00:05:37,680 --> 00:05:40,380 ‫maybe with security group number three attached to it, 146 00:05:40,380 --> 00:05:41,760 ‫well, because it group number three 147 00:05:41,760 --> 00:05:43,970 ‫wasn't authorized in the inbound rules 148 00:05:43,970 --> 00:05:45,430 ‫of security group number one, 149 00:05:45,430 --> 00:05:48,130 ‫then it's being denied and things don't work. 150 00:05:48,130 --> 00:05:49,850 ‫So that's a bit of an advanced feature 151 00:05:49,850 --> 00:05:51,910 ‫but we'll see it when we'll deal load balancers 152 00:05:51,910 --> 00:05:53,640 ‫'cause it's quite a common pattern. 153 00:05:53,640 --> 00:05:54,660 ‫I just want you to know about it, 154 00:05:54,660 --> 00:05:56,390 ‫again just remember this diagram 155 00:05:56,390 --> 00:05:58,460 ‫and by now you should be really, really good 156 00:05:58,460 --> 00:06:00,720 ‫at security groups and understand them correctly. 157 00:06:00,720 --> 00:06:04,470 ‫Now going into the exam, what ports you need to know? 158 00:06:04,470 --> 00:06:07,220 ‫Well, we need to know something called SSH 159 00:06:07,220 --> 00:06:08,710 ‫or Secure Shell and we're going to see this 160 00:06:08,710 --> 00:06:10,320 ‫in the very next lectures. 161 00:06:10,320 --> 00:06:11,570 ‫This is the port 22. 162 00:06:11,570 --> 00:06:16,570 ‫And this allows you to login to an EC2 instance on Linux. 163 00:06:16,680 --> 00:06:20,590 ‫You have port 21 for FTP or File Transfer Protocol 164 00:06:20,590 --> 00:06:24,370 ‫which is used to upload files into a file share. 165 00:06:24,370 --> 00:06:28,080 ‫And you have SFTP, which is also using port 22, why? 166 00:06:28,080 --> 00:06:30,000 ‫Well, because we're going to upload file 167 00:06:30,000 --> 00:06:31,610 ‫but this time using SSH 168 00:06:31,610 --> 00:06:34,970 ‫because it's going to be a Secure File Transfer Protocol. 169 00:06:34,970 --> 00:06:37,970 ‫Then we have port 80 for HTTP 170 00:06:37,970 --> 00:06:39,880 ‫and we've been using it in the previous lecture. 171 00:06:39,880 --> 00:06:43,120 ‫This is to access unsecured websites. 172 00:06:43,120 --> 00:06:44,990 ‫And you've seen this whenever you go on the internet 173 00:06:44,990 --> 00:06:49,990 ‫and you enter HTTP:// and then the address of the website. 174 00:06:50,200 --> 00:06:53,210 ‫And you've seen it most likely a lot more like this, 175 00:06:53,210 --> 00:06:56,650 ‫you've seen HTTPS, which is to access secured websites 176 00:06:56,650 --> 00:06:58,470 ‫which are the standard nowadays. 177 00:06:58,470 --> 00:07:01,760 ‫And for HTTPS, it is port 443. 178 00:07:01,760 --> 00:07:04,170 ‫Finally, the last port you need to remember 179 00:07:04,170 --> 00:07:09,170 ‫is 3389 for RDP, or the Remote Desktop Protocol 180 00:07:09,240 --> 00:07:11,120 ‫which is the port that's used 181 00:07:11,120 --> 00:07:13,610 ‫to log into a windows instance, okay? 182 00:07:13,610 --> 00:07:16,850 ‫So 22 is SSH for Linux instance 183 00:07:16,850 --> 00:07:21,170 ‫but 3389 is RDP for a windows instance. 184 00:07:21,170 --> 00:07:23,430 ‫Now this is all the theory about security groups. 185 00:07:23,430 --> 00:07:26,080 ‫I will see you in the next lecture for some practice.