[00:00:06] Now let's take a look at network access control lists, otherwise known as NACLs. Security of our environment, security of our networks within AWS, is paramount. One of the tools that we have access to is network access control lists. These are like firewall rules, but they are applied to a subnet as a whole. They're not applied to individual EC2 instances, but they're applied to the subnet, no matter what EC2 virtual machines or how many are in there. Another thing to keep in mind is that a network access control list is stateless. That means that if something comes in as an initial connection and then packets go out in response, the network access control list will not recognize those packets as being in response. So the side effect of that is that we have to specify both ingress and egress rules in order for traffic to flow. Now with NACLs, we can specify either an allow or a deny.
[00:01:19] They actually do default to denying all, and of course, we can override that with our rules. We're going to specify the protocol, being either TCP, UDP, ICMP, or all traffic. We will specify an IP range, where traffic is coming from, and a destination port range. Let's say that we have an application web server and this web server needs to receive traffic on port 80 and port 443. So we're going to say that we're going to allow these two ports to come in from anywhere. This would essentially apply to the internet. We don't know where they could come from; they just need to be able to allow anywhere. We want to restrict port 22 from our corporate VPN. So here we're going to specify a much narrower range, being 192.168/16. So perhaps this is the range of our corporate VPN. Now if traffic is coming in on port 80 or port 443, it's important that response traffic be able to go out.
[00:02:31] Now typically in a web server use case, that outgoing connection will be on a different port. It will go back on a port somewhere on an ephemeral port within a pretty wide range, 1024 through 65535. So in order for the response traffic to be able to leave the subnet, we have to be sure that we allow this range of ports, being the ephemeral port range. So again, network access control lists are a very key tool that we should be using within virtual private cloud. They're applied to a subnet as a whole, and remember that they're stateless, so we have to specify ingress and egress rules. So again, to reiterate this important point: network access control lists are applied to the subnet as a whole. So in this particular example, let's say that we have our web servers here and we have our databases back here in another subnet.
[00:03:37] So we can see that we have our network access control list applied; it's sort of like, you can imagine it like a firewall around the entire subnet. In that last slide, we can see that port 80 is open from pretty much anywhere. So traffic coming in on port 80 would be allowed to pass through. Here it's allowed to pass through the NACL. Port 22 is not allowed, but it is allowed from our VPN. So as long as we come from a range, the 192.168 range, then that port 22 traffic would be allowed through the NACL and into the subnet. Now in the case of having database servers in another subnet, we would probably want a NACL that allows port 3306 to come in from our corporate VPN range, perhaps 192.168, to come in, but the NACL itself would block all other attempts or all other sources on that particular port.
[00:04:39] We might also even deny and say that port 3306 is allowed through the NACL from the range of our application servers, but nowhere else. If we had other subnets in this particular VPC that were being used for different purposes, then we might also want to block port 3306 from those ranges and only allow it from the range of our application servers. So again, network access control lists, you can think of it as a firewall for the entire subnet. It prevents traffic from getting into the subnet. Then of course we have other means that we'll talk about later on as a means to limit the flow of traffic on a per machine basis.
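The stateless behaviour the lecture describes, as an added example that is not part of the video: a small model of numbered NACL rules (lowest number first, first match wins, implicit final deny) applied to both halves of one HTTP exchange. The rule numbers, the client address and the "broken" egress set are constructed sample values; the web-tier rules (80/443 from anywhere, 22 only from 192.168.0.0/16, ephemeral range 1024-65535 outbound) follow the lecture.

```python
"""Model of stateless NACL evaluation (added example, not from the video)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order, lowest first (constructed values)
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source range for ingress, destination range for egress
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


def evaluate(rules, protocol, addr, port):
    """Return 'allow' or 'deny' for one packet; no match means the '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action          # first matching rule decides
    return "deny"


# Web-tier ingress from the lecture: 80/443 from anywhere, 22 only from the VPN.
INGRESS = [
    Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(120, "tcp", "192.168.0.0/16", 22, 22, "allow"),
]
# Egress that forgets the ephemeral range: the NACL keeps no connection state,
# so the response to a web client is checked on its own and dropped.
EGRESS_BROKEN = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
# Egress with the ephemeral port range 1024-65535 that return traffic needs.
EGRESS_FIXED = EGRESS_BROKEN + [Rule(200, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


def web_request(client_ip, client_port, egress):
    """Check both directions of one exchange: request in, response out."""
    inbound = evaluate(INGRESS, "tcp", client_ip, 80)
    # The reply is a new packet destined for the client's ephemeral port.
    outbound = evaluate(egress, "tcp", client_ip, client_port)
    return inbound, outbound
```

The same `evaluate` call with a `deny` rule numbered below an `allow` reproduces the lecture's "block 3306 from other subnets, allow it only from the application tier" pattern.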