1 00:00:06,628 --> 00:00:09,849 Here let's review a demo of creating and applying
2 00:00:09,849 --> 00:00:13,341 a network access control list to an existing subnet
3 00:00:13,341 --> 00:00:14,258 within VPC.
4 00:00:17,545 --> 00:00:20,774 So again we're back in the AWS console,
5 00:00:20,774 --> 00:00:22,752 in the VPC Dashboard.
6 00:00:22,752 --> 00:00:26,919 I'm filtered by the VPC that I wanna work with, our 10.2/16.
7 00:00:30,328 --> 00:00:34,328 We have created some subnets, as we can see here.
8 00:00:36,737 --> 00:00:40,904 We have created some route tables and internet gateways.
9 00:00:42,551 --> 00:00:46,109 We have traffic routed to and from the internet.
10 00:00:46,109 --> 00:00:49,071 But now we wanna tighten security around
11 00:00:49,071 --> 00:00:50,529 those public subnets.
12 00:00:50,529 --> 00:00:54,064 Perhaps those public subnets are meant to house
13 00:00:54,064 --> 00:00:55,234 a web server.
14 00:00:55,234 --> 00:00:59,797 We don't need port 22 open; we wanna put some guard rails
15 00:00:59,797 --> 00:01:04,030 around that subnet, so that the subnet as a whole
16 00:01:04,030 --> 00:01:08,585 is protected from system ports like port 22 and so on
17 00:01:08,585 --> 00:01:11,371 from being accessed from the internet.
18 00:01:11,371 --> 00:01:14,455 So I'm gonna come down here to network ACLs.
19 00:01:14,455 --> 00:01:17,705 You can see that we get a default NACL,
20 00:01:20,616 --> 00:01:22,685 where all traffic is allowed,
21 00:01:22,685 --> 00:01:24,852 both inbound and outbound.
22 00:01:26,388 --> 00:01:31,204 Now from here I want to create a new network ACL.
23 00:01:31,204 --> 00:01:35,371 I'm going to create a new one. I'm gonna call this one
24 00:01:36,458 --> 00:01:39,041 public, or perhaps web traffic.
25 00:01:44,052 --> 00:01:48,219 Again I wanna make sure that we're using the right VPC.
26 00:01:52,745 --> 00:01:56,444 Now that it's created, I need to associate that
27 00:01:56,444 --> 00:02:00,105 network access control list with the subnets
28 00:02:00,105 --> 00:02:02,443 on which I want to control ports.
29 00:02:02,443 --> 00:02:04,633 So here I'm going to edit.
30 00:02:04,633 --> 00:02:09,419 I'm going to associate this with both of our public subnets.
31 00:02:09,419 --> 00:02:11,002 I'm gonna hit save.
32 00:02:14,927 --> 00:02:19,516 Now that we have our network access control list associated
33 00:02:19,516 --> 00:02:23,196 with our subnets, we can go back and start to modify
34 00:02:23,196 --> 00:02:24,905 our inbound rules.
35 00:02:24,905 --> 00:02:29,863 Again, you can see that because this was not the default
36 00:02:29,863 --> 00:02:32,772 NACL that came with the VPC,
37 00:02:32,772 --> 00:02:35,646 it's defaulting to denying all traffic,
38 00:02:35,646 --> 00:02:38,518 both inbound and outbound.
39 00:02:38,518 --> 00:02:42,554 So, now that this particular NACL is associated
40 00:02:42,554 --> 00:02:43,913 with our subnets,
41 00:02:43,913 --> 00:02:47,580 no traffic can enter or leave those subnets.
42 00:02:48,645 --> 00:02:51,031 So, the first thing that I wanna do,
43 00:02:51,031 --> 00:02:55,259 considering that this is meant for a web application:
44 00:02:55,259 --> 00:02:59,009 for inbound traffic, I want to allow,
45 00:02:59,009 --> 00:03:02,054 I'm going to say, I'm going to start with rule
46 00:03:02,054 --> 00:03:04,971 number 100, and I'm going to choose
47 00:03:07,081 --> 00:03:09,081 HTTP traffic, or port 80,
48 00:03:11,232 --> 00:03:13,427 which is TCP port 80.
49 00:03:13,427 --> 00:03:17,673 And I'm going to allow that from the internet
50 00:03:17,673 --> 00:03:19,006 using all zeros.
51 00:03:19,959 --> 00:03:22,876 I'm going to add another rule, 101,
52 00:03:23,946 --> 00:03:25,363 being HTTPS here,
53 00:03:28,957 --> 00:03:33,124 which is TCP port 443, and again from the internet.
54 00:03:35,617 --> 00:03:38,704 And I'm going to save those two rules.
55 00:03:38,704 --> 00:03:41,240 Now you can see that those packets are allowed
56 00:03:41,240 --> 00:03:42,407 into our NACL.
57 00:03:45,481 --> 00:03:48,203 And all other traffic is still denied.
58 00:03:48,203 --> 00:03:52,370 So port 22, port 21, whatever, all other ports are denied.
59 00:03:55,148 --> 00:03:59,315 Now, as we've talked about, network ACLs are stateless.
60 00:04:01,087 --> 00:04:05,009 We have to create both inbound and outbound rules.
61 00:04:05,009 --> 00:04:09,835 At this point our web server would be able to receive
62 00:04:09,835 --> 00:04:12,757 a connection on port 80 or 443,
63 00:04:12,757 --> 00:04:17,066 but the response traffic would not be able to get out.
64 00:04:17,066 --> 00:04:20,063 You can see here that outbound or egress rules
65 00:04:20,063 --> 00:04:22,645 are still being denied.
66 00:04:22,645 --> 00:04:27,585 So from here, we don't really need these machines,
67 00:04:27,585 --> 00:04:31,319 these web servers, to initiate connections on
68 00:04:31,319 --> 00:04:34,152 port 22 for SSH, or port 21 for FTP;
69 00:04:36,908 --> 00:04:38,941 that's not their purpose.
70 00:04:38,941 --> 00:04:43,094 So we're going to allow ephemeral ports.
71 00:04:43,094 --> 00:04:47,681 I'm gonna say rule number 100 will allow all TCP
72 00:04:47,681 --> 00:04:51,848 on ports 1024-65535; that is essentially, in all practical
73 00:04:54,573 --> 00:04:58,297 reality, the ephemeral port range.
74 00:04:58,297 --> 00:05:00,450 And we're going to say that those port ranges
75 00:05:00,450 --> 00:05:05,217 are allowed to go out to anywhere, because we're going
76 00:05:05,217 --> 00:05:06,801 out to the internet.
77 00:05:06,801 --> 00:05:09,583 We are allowing that range.
78 00:05:09,583 --> 00:05:12,812 I'm going to go ahead and save that.
79 00:05:12,812 --> 00:05:15,684 And now you can see, we have created
80 00:05:15,684 --> 00:05:18,139 a network access control list.
81 00:05:18,139 --> 00:05:22,139 We've associated it with our two public subnets.
82 00:05:23,872 --> 00:05:27,455 We have allowed port 80 and 443 to come in,
83 00:05:28,849 --> 00:05:33,084 and we have allowed the ephemeral port range to go out.
84 00:05:33,084 --> 00:05:34,902 And that is how we create
85 00:05:34,902 --> 00:05:39,069 and associate network access control lists within AWS VPC.
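The stateless behaviour the demo walks through (inbound rules 100 and 101 for TCP 80/443 from 0.0.0.0/0, the implicit deny-all, and the outbound rule 100 for TCP 1024-65535 that lets response traffic leave) can be checked offline with a small rule evaluator. This is an added illustration, not code from the video or from AWS: it models NACL semantics as documented (rules evaluated in ascending number order, first match wins, implicit "*" deny at the end) and uses constructed client and server addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the NACL built in the demo. Not AWS code: it reproduces the
# documented evaluation order (lowest rule number first, first match wins) and the
# implicit "*" rule that denies whatever no numbered rule matched.


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str                # "tcp", "udp", "icmp" or "all"
    port_range: Tuple[int, int]  # inclusive destination port range (ignored for "all")
    cidr: str                    # source CIDR for inbound rules, destination CIDR for outbound
    action: str                  # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules: List[Rule], packet: Packet, direction: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule number); (deny, None) means the implicit '*' rule fired."""
    # Inbound rules are matched against the packet's source address; outbound rules
    # against its destination address. Both match on the destination port.
    addr = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != packet.protocol:
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        lo, hi = rule.port_range
        if rule.protocol != "all" and not lo <= packet.dst_port <= hi:
            continue
        return rule.action, rule.number
    return "deny", None  # implicit "*" rule


# The rules from the demo, as entered in the console.
INBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
    Rule(101, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
OUTBOUND_BEFORE: List[Rule] = []  # state right after saving the inbound rules
OUTBOUND_AFTER = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

# Constructed addresses: a client on the internet and a web server in 10.2.0.0/16.
CLIENT, SERVER = "203.0.113.10", "10.2.1.20"


def web_flow(outbound_rules: List[Rule]) -> Tuple[str, str]:
    """Evaluate a client's request to port 80 and the server's reply to the
    client's ephemeral port. Returns (request_action, reply_action)."""
    request = Packet("tcp", CLIENT, 51234, SERVER, 80)
    reply = Packet("tcp", SERVER, 80, CLIENT, 51234)
    return (evaluate(INBOUND, request, "inbound")[0],
            evaluate(outbound_rules, reply, "outbound")[0])


def inbound_ssh() -> Tuple[str, Optional[int]]:
    """An internet host trying to reach port 22 on the web server."""
    return evaluate(INBOUND, Packet("tcp", CLIENT, 40000, SERVER, 22), "inbound")


def server_initiated_ssh() -> Tuple[str, Optional[int]]:
    """The web server itself trying to open an SSH session to an outside host."""
    return evaluate(OUTBOUND_AFTER, Packet("tcp", SERVER, 40000, "198.51.100.5", 22), "outbound")


if __name__ == "__main__":
    print("before outbound rule:", web_flow(OUTBOUND_BEFORE))   # ('allow', 'deny')
    print("after outbound rule: ", web_flow(OUTBOUND_AFTER))    # ('allow', 'allow')
    print("inbound SSH:         ", inbound_ssh())                # ('deny', None)
    print("server-initiated SSH:", server_initiated_ssh())      # ('deny', None)
```

The first call reproduces the state the narrator points out after saving only the inbound rules: the request reaches the server but the reply is dropped by the implicit deny. Adding the ephemeral-range outbound rule fixes that without letting the server initiate its own SSH or FTP connections, because those go to destination ports below 1024.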