Security is at the forefront of AWS. AWS is designed to provide the utmost security to its clients. Security on AWS is a shared responsibility between the client and AWS. AWS secures the physical systems, networking, and hypervisors on which the EC2 instances run. The AWS client takes responsibility for their operating systems, applications, and data.
When looking at this architecture, we will look at some networking aspects of AWS. These are:
Virtual Private Clouds (VPCs)
Virtual Private Clouds, or VPCs, are logically isolated virtual networks. A VPC exists in a region, and each subnet exists within an availability zone of that region. The resources created in a VPC are configured within the VPC’s network range.
VPCs have ‘virtual firewalls', known as Network Access Control Lists (NACL), that are stateless. Stateless means that NACLs do not have a ‘memory’ and would check the check packets against the set rules on their way into and out of the subnet.
By default, NACLs allow all inbound and outbound traffic.
Subnets
Subnets can be public or private. Public subnets are public-facing and accessible to the public, while private subnets are not. Public subnets are associated with public route tables connected to an Internet gateway, while private subnets are associated with private route tables connected to NAT Gateways. By default, subnets are associated with the main route table that was created when the VPC was created.
EC2 instances
EC2 instances are virtual machines. EC2 instances have "virtual firewalls," known as security groups. Security groups are stateful, which means they have ‘memory’ and would remember the rules applied to a packet that was on its way in or out of the EC2. This means that inbound and outbound traffic are independent of each other.
By default, security groups deny all inbound traffic and allow all outbound traffic.
Conclusion
Network Access Control Lists and Security Groups work to create a secure system. Packets transferred between instances will be evaluated against the security groups, while packets moving from one VPC to another are evaluated against the security groups and the NACLs. You must configure these resources to allow only the traffic that should be allowed in and out.