1
00:00:06,529 --> 00:00:10,696
- Now let's talk about security groups within AWS VPC.

2
00:00:11,782 --> 00:00:14,819
Now security groups are another tool

3
00:00:14,819 --> 00:00:17,648
that we have access to within AWS VPC

4
00:00:17,648 --> 00:00:21,271
that allows us to create a secure network.

5
00:00:21,271 --> 00:00:22,435
We've talked about routing

6
00:00:22,435 --> 00:00:24,193
as a way of controlling the flow of traffic.

7
00:00:24,193 --> 00:00:25,914
We've talked about NACLs

8
00:00:25,914 --> 00:00:29,659
as like a firewall around the subnet as a whole.

9
00:00:29,659 --> 00:00:31,882
Security groups are like a firewall

10
00:00:31,882 --> 00:00:34,965
around specific EC2 virtual machines.

11
00:00:35,808 --> 00:00:38,947
So whereas a NACL is applied to a subnet,

12
00:00:38,947 --> 00:00:43,666
a security group is applied to individual instances.

13
00:00:43,666 --> 00:00:45,966
Where a NACL is stateless

14
00:00:45,966 --> 00:00:49,473
and does not remember traffic being in response,

15
00:00:49,473 --> 00:00:51,433
a security group is stateful.

16
00:00:51,433 --> 00:00:56,167
It does recognize traffic as being in response to something,

17
00:00:56,167 --> 00:00:58,924
and what that means is that you don't have to

18
00:00:58,924 --> 00:01:01,290
specify both ingress and egress.

19
00:01:01,290 --> 00:01:04,641
You can specify one or the other.

20
00:01:04,641 --> 00:01:07,690
Very much like NACLs, we specify the protocol as being

21
00:01:07,690 --> 00:01:10,469
TCP, UDP, whatever it is.

22
00:01:10,469 --> 00:01:12,821
We specify our source IP range

23
00:01:12,821 --> 00:01:15,128
and our destination port range.

24
00:01:15,128 --> 00:01:16,400
In this example,

25
00:01:16,400 --> 00:01:19,426
kind of picking up from our previous example

26
00:01:19,426 --> 00:01:21,575
where we were using a web application server,

27
00:01:21,575 --> 00:01:25,945
we want to receive traffic on port 80 and 443

28
00:01:25,945 --> 00:01:27,497
from the internet.
29
00:01:27,497 --> 00:01:31,147
So we want to make sure that this particular instance,

30
00:01:31,147 --> 00:01:33,633
this virtual machine, is allowed

31
00:01:33,633 --> 00:01:38,092
to receive traffic on these two ports from anywhere.

32
00:01:38,092 --> 00:01:41,659
These all zeroes meaning essentially anywhere.

33
00:01:41,659 --> 00:01:44,049
Now here's an example of receiving.

34
00:01:44,049 --> 00:01:46,974
Perhaps this is some kind of an application port,

35
00:01:46,974 --> 00:01:50,373
a special port we're using for monitoring, whatever it is,

36
00:01:50,373 --> 00:01:53,162
and we want that to be allowed

37
00:01:53,162 --> 00:01:55,740
from another particular instance.

38
00:01:55,740 --> 00:01:59,835
Here we can use, instead of an IP range,

39
00:01:59,835 --> 00:02:04,307
we can use the ID of another security group.

40
00:02:04,307 --> 00:02:08,602
So that means that this traffic is allowed on port 999

41
00:02:08,602 --> 00:02:13,460
as long as it comes from a machine that has this particular

42
00:02:13,460 --> 00:02:16,028
security group applied to it.

43
00:02:16,028 --> 00:02:18,379
And we call that a reference.

44
00:02:18,379 --> 00:02:21,111
It is a reference to another security group.

45
00:02:21,111 --> 00:02:23,850
As we saw though in the previous example

46
00:02:23,850 --> 00:02:26,355
about network access control lists,

47
00:02:26,355 --> 00:02:29,355
even though the NACL allows port 22,

48
00:02:31,120 --> 00:02:32,767
we still have to allow it.

49
00:02:32,767 --> 00:02:36,005
That gets it into the subnet,

50
00:02:36,005 --> 00:02:37,632
but in order for those packets

51
00:02:37,632 --> 00:02:39,744
to get into the virtual machine

52
00:02:39,744 --> 00:02:44,221
that port also has to be open in a security group as well.

53
00:02:44,221 --> 00:02:47,779
So we're also going to say that port 22 is allowed,

54
00:02:47,779 --> 00:02:51,900
but we want to limit it to our corporate VPN
55
00:02:51,900 --> 00:02:54,650
at the range of 192.168 slash 16.

56
00:02:55,729 --> 00:02:59,375
Here's the key difference between security groups

57
00:02:59,375 --> 00:03:02,452
and NACLs being stateful versus stateless.

58
00:03:02,452 --> 00:03:06,217
If you recall, when we talked about NACLs,

59
00:03:06,217 --> 00:03:08,696
we had to explicitly open.

60
00:03:08,696 --> 00:03:12,673
In order for response traffic on HTTP and HTTPS connections

61
00:03:12,673 --> 00:03:14,923
to get back out on the NACL

62
00:03:15,907 --> 00:03:19,570
we had to specify the ephemeral range ports

63
00:03:19,570 --> 00:03:21,153
for egress traffic.

64
00:03:22,056 --> 00:03:25,134
We don't have to do that here in a security group,

65
00:03:25,134 --> 00:03:28,048
because security groups are stateful.

66
00:03:28,048 --> 00:03:30,747
They will recognize that outgoing traffic

67
00:03:30,747 --> 00:03:34,253
is in response to packets that were initiated

68
00:03:34,253 --> 00:03:36,422
on port 80 and 443.

69
00:03:36,422 --> 00:03:41,006
So, the only time we really need to specify egress rules

70
00:03:41,006 --> 00:03:44,377
is when we're talking about initiating connections.

71
00:03:44,377 --> 00:03:47,895
And so here, what we're saying is that whatever machine

72
00:03:47,895 --> 00:03:50,624
this security group is applied to

73
00:03:50,624 --> 00:03:54,357
is allowed to make initiating connections

74
00:03:54,357 --> 00:03:57,897
on port 3306, being MySQL,

75
00:03:57,897 --> 00:04:02,064
so long as those connections are being made to a machine

76
00:04:02,971 --> 00:04:06,554
that has this security group applied to it.

77
00:04:08,101 --> 00:04:10,067
Any other machine in the network

78
00:04:10,067 --> 00:04:12,846
that does not have that security group applied,

79
00:04:12,846 --> 00:04:15,418
this port will not be allowed to go out.
80
00:04:15,418 --> 00:04:17,745
So again, that is considered a reference

81
00:04:17,745 --> 00:04:20,607
when we mention the security group ID

82
00:04:20,607 --> 00:04:23,333
rather than an IP range.

83
00:04:23,333 --> 00:04:26,629
So again, to recap, network access control lists

84
00:04:26,629 --> 00:04:29,534
are stateless and applied to a subnet.

85
00:04:29,534 --> 00:04:31,728
Security groups are stateful

86
00:04:31,728 --> 00:04:35,723
and applied to individual EC2 instances.

87
00:04:35,723 --> 00:04:40,091
So here's another example, another way to look at that.

88
00:04:40,091 --> 00:04:43,729
Another way to look at the relationship of security groups

89
00:04:43,729 --> 00:04:45,691
is that security groups,

90
00:04:45,691 --> 00:04:47,451
again you can see that they're applied

91
00:04:47,451 --> 00:04:49,368
to the instance itself.

92
00:04:50,400 --> 00:04:54,035
Not necessarily to the subnet as a whole,

93
00:04:54,035 --> 00:04:55,879
but to the instance itself.

94
00:04:55,879 --> 00:04:57,528
This one has a security group.

95
00:04:57,528 --> 00:05:01,337
This other EC2 has its own security group.

96
00:05:01,337 --> 00:05:04,013
Perhaps we might want to allow

97
00:05:04,013 --> 00:05:06,930
remote JMX monitoring on port 7199.

98
00:05:08,974 --> 00:05:12,724
We want to allow HTTP and HTTPS ports coming in

99
00:05:14,189 --> 00:05:15,404
from the open internet.

100
00:05:15,404 --> 00:05:19,116
So it'll be allowed into the security group.

101
00:05:19,116 --> 00:05:22,552
We're going to allow this security group

102
00:05:22,552 --> 00:05:26,719
to initiate connections on port 3306 to our database.

103
00:05:27,953 --> 00:05:30,849
So port 3306 will be allowed outbound

104
00:05:30,849 --> 00:05:32,595
as an initiating connection,

105
00:05:32,595 --> 00:05:35,250
but everything else will be denied.
106
00:05:35,250 --> 00:05:37,500
Now response traffic to HTTP

107
00:05:39,578 --> 00:05:42,204
and HTTPS traffic will be allowed,

108
00:05:42,204 --> 00:05:45,218
but it's only the initiating,

109
00:05:45,218 --> 00:05:48,869
the initial packet, that we're blocking here in this example.

110
00:05:48,869 --> 00:05:53,036
Now our database would also allow port 3306

111
00:05:53,036 --> 00:05:54,677
to come into its security group

112
00:05:54,677 --> 00:05:57,537
so long as that traffic originated

113
00:05:57,537 --> 00:06:00,523
from this security group over here.