[00:00:06 --> 00:01:26]
Okay, so now let's take a look at a demo of creating and applying a network access control list. Here in the VPC console, we're taking a look at the subnets that we created earlier. These are the two subnets that belong to our web applications VPC. Earlier, we enabled routing to the internet for our load balancing subnet. And again, if we take a look at that route table, we'll see here that this is the subnet that is routed to the internet. So we're going to build on that by creating and applying a network access control list as a firewall for the subnet. So let's go down below here, under Security, and we'll take a look at Network Access Control Lists. You'll see that we do have one, and it is currently associated with two subnets. This one is the default network access control list, or NACL. If we look at the inbound rules, you can see that it allows all traffic from everywhere, right? So we're allowing all traffic on all protocols on all ports from everywhere.
[00:01:26 --> 00:02:43]
And if we look at the outbound rules, we will see the same thing. All traffic is allowed on all protocols, all ports, going to anywhere within our VPC. So we want to tighten the security around that. We're going to create a NACL specifically for the load balancing subnet. Now, there are different ways that you could go about it. If you have network engineers on your team and they have a particular way of doing things, that's fine. What I'm showing you is the typical way that I go about applying security at the network level. So we're going to create a new one. Here, I'm going to call this one "public traffic." Actually, let's call it "load balancing public traffic," because we might end up creating other public subnets for other purposes. We may create another public subnet specifically for bastion hosts, and that would get its own NACL to tailor the firewall for those ports. And you may have another public subnet specifically for proxies or some other purpose.
[00:02:43 --> 00:04:05]
But here, my approach, and it's not the approach that you have to use, is to create a subnet for a functional purpose. And this particular purpose is load balancing. Then of course we will choose the VPC, and that one will be web apps. We'll go ahead and create that network ACL. Here, you can see that it is currently not associated with any subnets, but we will do that momentarily. Let's first take a look at the rules. You'll notice that the only rule we have so far is the deny rule. So a newly created NACL is completely closed by default, both inbound and outbound. It's only the default NACL that allows all inbound and all outbound. So you could think of the default NACL as being insecure by default. Amazon does that because they realize that a lot of users of VPC are perhaps not at a level where they understand enough to go and make modifications to the NACL, whereas they can more easily make those modifications at the security group. But Amazon does recommend that we make use of NACLs and security groups.
[00:04:05 --> 00:05:19]
And so it just takes a little more education. So for our load balancing, inbound rules are really easy. If we think about what our load balancer is doing, what ports really need to be open inbound from the internet? If we remember what we talked about earlier, then for our load balancer receiving traffic from the internet, we really are only receiving on ports 80 and 443. Unless you're doing something with some other kind of proxy, for web applications the load balancer really has no business, no real need, to listen on any other port, right? If you're doing traditional web applications, where your client is expecting to be able to connect on ports 80 and 443, then that's what our load balancer will listen on. It doesn't need to listen on port 22, so we don't need port 22 to be open. It's not going to listen on port 3306, so we don't need that port to be open, right? And so we're going to say, let's start with rule 100. Rules are evaluated in order, starting from the lowest rule.
[00:05:19 --> 00:06:40]
So you can always override a previous rule by creating a new rule at a higher level. So we're going to say we're going to listen on HTTP, and we can scroll down here, HTTP, from everywhere. We want to be open to the entire internet if we are offering some type of web application available to the public at large. Then we could add rule 110. The reason that I go to 110 is so that I have room to place other sorts of custom rules between rule 100 and 110, if I need to make any kind of modifications to block certain traffic. And so there, we're going to go down here and choose HTTPS, again coming from anywhere. So we're allowing ports 80 and 443 to come inbound from anywhere on the internet. We'll go ahead and save that. And so now you can see, if we follow these rules, the first rule says that we allow port 80 from anywhere, TCP, not UDP, not ICMP, but TCP port 80; then TCP port 443. And then the fallback rule here, this asterisk, if you were to look under the hood, the number for that would be 32768, right?
[00:06:40 --> 00:08:01]
So that's as high as they go. And so that just means if it didn't match one of these two rules, then everything else is denied, right? So that means port 22, port 3306, port 3389, 5432, port 21, all of these things will be automatically denied. So we've already closed the attack surface area. And then of course, now we need to open outbound rules. With NACLs, because NACLs are stateless, they don't recognize responses as being responses, so we have to explicitly open outbound rules. So we'll go ahead and edit the outbound rules. If you remember what we talked about earlier, in a previous discussion, the load balancer will receive a request on, say, port 80 or 443, and then it will send a response back on what we call an ephemeral port. And if you read the documentation on Elastic Load Balancers, the documentation will tell you that the ephemeral range for the load balancer is 1024 through 65535.
[00:08:01 --> 00:09:15]
Now, for anyone who may have a background in networking and understands a bit more about ephemeral ports, you will know that there are different standard ranges depending on what operating system you're using, right? Windows may have a particular range, Ubuntu might have a particular range, but none of that applies here. The load balancer itself has its own range, and it will send those responses out on any one of these ports, 1024 through 65535. And I suspect that Amazon opens such a wide range of ports mainly to give the load balancer the ability to open a larger number of simultaneous connections. And so we are allowing outbound TCP traffic on any of these ephemeral ports to anywhere on the internet. We'll go ahead and save that. And so this destination here, all zeroes, means all IP addresses, including 10.0.0.0, which is the range of our VPC. So this rule actually satisfies two things.
[00:09:15 --> 00:10:35]
It satisfies the need for the load balancer to send responses back to our end user, and it also satisfies the need for our load balancer to initiate connections to our backend instances. If you remember what we talked about earlier, a common pattern is to have your backend instance listen on a non-privileged port, which is anything above 1023, right? So anything below 1024 would be considered a privileged port that would require root-level access to open, right? So a common pattern is to have applications listen on, say, port 8080 or port 3000 or whatever, and so by doing that, this one rule satisfies both of those needs. And so now we've opened just the ports that need to be opened on the load balancing subnet. So we'll go to subnet associations. This is the last, very important, critical step in enabling the protection of this NACL. Right now that particular subnet has no protection. So let's go ahead and do that. We're going to choose this one here, the load balancing subnet. We'll go ahead and choose that. And there you go.
[00:10:35 --> 00:12:01]
And so now we could go back and verify that from the subnet's perspective. If we go back to our subnets and click on load balancing-a, and then take a look at the network access control list, we can see that the subnet does recognize that network ACL, and that we're allowing ports 80 and 443 inbound from anywhere, and we're allowing ports 1024 through 655 outbound, from anywhere, right? So we can send responses and we can make connections. But we forgot one thing, right? For those of us who might be familiar with networking, you probably recognize that we're missing one here in our inbound rules. If you remember what we talked about earlier, if our load balancer is initiating connections to our backend instance on, say, port 8080, our backend instance will return a response on an ephemeral port, right? And so what that means is that our load balancing network ACL needs to allow those ephemeral ports inbound as well, but only from the VPC, not from the internet.
[00:12:01 --> 00:13:19]
Let's go back to that network ACL and click on inbound rules, right? So again, just to clarify and make sure that we understand what's happening here: because of this outbound rule, the load balancer can initiate a new connection to our backend instances on, say, port 8080 or port 3000, whatever non-privileged port your applications happen to be running on. And again, our backend instance will send a response back to the load balancer on an ephemeral port. And so we need to open those, right? So let's go ahead and edit the inbound rules one more time. We're going to add rule number 120, TCP, ports 1024 through 65535. Now, in this particular case, your application on that particular operating system would determine the range of ephemeral ports. So that range could be much smaller than this. Depending on whether you're using Ubuntu or Debian or Windows or whatever, there could be a different range. It could be a range like 32768 through 60000, right? I would point you to the documentation for that particular operating system.
[00:13:20 --> 00:14:30]
But as a general rule of thumb, we could assume that 1024 through 65535 are valid ephemeral ports, right? And so here we don't want these to be open from the internet. We only expect this to receive inbound from our VPC, because the only ephemeral ports that we should be receiving are coming from our backend instances, which are inside our VPC. And so we will put 10.0.0.0/16. So what we're saying is, these ephemeral ports are allowed to come inbound into the subnet only if they originated from within the VPC. So if somebody out there on the internet tries to get in on one of these ephemeral ports, those packets will be rejected, all right? So we'll go ahead and save that. All right, so again let's go back to the subnet, take a look at our load balancing subnet, go to our network ACL, and here we go.
[00:14:30 --> 00:15:06]
You can see that we have 80 and 443 from the internet, ephemeral ports coming in from the VPC, meaning our backend instances, and down here we have ephemeral ports going outbound to anywhere, which means the internet and our VPC. All zeroes means every IP address, including our VPC, all right? So that's how we can create and apply a network access control list as a firewall for a subnet.