1
00:00:06,695 --> 00:00:08,473
- Now let's take a look at another demo,

2
00:00:08,473 --> 00:00:13,046
where we'll create another security group within AWS VPC.

3
00:00:13,046 --> 00:00:17,332
Okay, so from the dashboard, the AWS console,

4
00:00:17,332 --> 00:00:20,999
again, I'm going to filter by the right VPC,

5
00:00:22,933 --> 00:00:25,766
and so far, we have created a VPC,

6
00:00:26,664 --> 00:00:28,962
we've created some public subnets,

7
00:00:28,962 --> 00:00:31,201
we've routed them to and from the internet

8
00:00:31,201 --> 00:00:34,201
with our public-traffic Route Table.

9
00:00:36,796 --> 00:00:41,084
We have created a Network Access Control List

10
00:00:41,084 --> 00:00:45,167
for web traffic, tightened the security for that,

11
00:00:46,301 --> 00:00:49,393
you can see we're allowing HTTP and HTTPS traffic

12
00:00:49,393 --> 00:00:53,560
into that subnet, and allowing ephemeral ports out.

13
00:00:54,938 --> 00:00:57,329
Again, just as a reminder, Network Access Control Lists

14
00:00:57,329 --> 00:01:00,110
apply to the subnet as a whole.

15
00:01:00,110 --> 00:01:03,842
We still need a way to secure the instance itself,

16
00:01:03,842 --> 00:01:06,797
a firewall for the individual machine.

17
00:01:06,797 --> 00:01:10,365
And we can do that with Security Groups.

18
00:01:10,365 --> 00:01:14,079
So this particular VPC, like all VPCs,

19
00:01:14,079 --> 00:01:16,426
will come with a default Security Group,

20
00:01:16,426 --> 00:01:18,547
but it's generally best practice to create

21
00:01:18,547 --> 00:01:22,239
Security Groups per purpose, so for a web server,

22
00:01:22,239 --> 00:01:24,665
we have a web server Security Group,

23
00:01:24,665 --> 00:01:27,351
for an application server or database server,

24
00:01:27,351 --> 00:01:30,244
they each get their own specific Security Group

25
00:01:30,244 --> 00:01:33,295
that's more specialized to what that machine

26
00:01:33,295 --> 00:01:35,111
is actually doing.
27
00:01:35,111 --> 00:01:39,893
So from here I'm going to click Create Security Group,

28
00:01:39,893 --> 00:01:43,060
I'm going to call this one web-server,

29
00:01:47,286 --> 00:01:51,453
I'm going to describe this as web application security,

30
00:01:52,594 --> 00:01:56,761
make sure that we're choosing the appropriate VPC,

31
00:01:57,853 --> 00:01:59,186
and create that.

32
00:02:03,570 --> 00:02:06,989
Now that we have the web server, you can see,

33
00:02:06,989 --> 00:02:09,582
here we have our web-server Security Group,

34
00:02:09,582 --> 00:02:14,332
so far, by default, we do not have any inbound rules,

35
00:02:14,332 --> 00:02:19,268
that means that whatever EC2 instance this Security Group

36
00:02:19,268 --> 00:02:23,299
is attached to, cannot receive any traffic

37
00:02:23,299 --> 00:02:26,039
until we open this Security Group up,

38
00:02:26,039 --> 00:02:28,789
so I'm going to Edit that, again,

39
00:02:30,278 --> 00:02:33,592
I'm going to allow it to receive

40
00:02:33,592 --> 00:02:35,842
HTTP traffic from anywhere,

41
00:02:40,491 --> 00:02:43,741
I'm going to allow it to receive HTTPS,

42
00:02:44,885 --> 00:02:48,635
and again, I'm going to choose from anywhere.

43
00:02:50,644 --> 00:02:52,561
I'm going to save that.

44
00:02:53,772 --> 00:02:57,939
Now whatever EC2 instance we apply this Security Group to

45
00:02:58,954 --> 00:03:03,121
will be allowed to receive traffic on port 80 and 443.

46
00:03:04,009 --> 00:03:06,455
It might seem like we're doing double work,

47
00:03:06,455 --> 00:03:09,670
but we're doing things for different purposes.

48
00:03:09,670 --> 00:03:12,244
We've added very similar rules to the NACLs

49
00:03:12,244 --> 00:03:15,220
so that our subnet can receive traffic.

50
00:03:15,220 --> 00:03:18,344
We've added these same rules to the Security Group

51
00:03:18,344 --> 00:03:22,142
so that our instance can receive traffic.
52
00:03:22,142 --> 00:03:25,501
Now, as a reminder, the difference between NACLs

53
00:03:25,501 --> 00:03:29,155
and Security Groups is that the NACL was stateless,

54
00:03:29,155 --> 00:03:32,227
that's why we had to specify both inbound

55
00:03:32,227 --> 00:03:34,082
and outbound rules.

56
00:03:34,082 --> 00:03:37,119
The Security Group, being stateful,

57
00:03:37,119 --> 00:03:40,724
means that we don't have to specify outbound rules.

58
00:03:40,724 --> 00:03:44,067
And again, that is for response traffic.

59
00:03:44,067 --> 00:03:46,723
If a request comes in on one of these two ports,

60
00:03:46,723 --> 00:03:49,221
and then the response goes back out,

61
00:03:49,221 --> 00:03:51,461
the Security Group will allow that,

62
00:03:51,461 --> 00:03:54,229
so we really don't have to mess with outbound rules.

63
00:03:54,229 --> 00:03:58,396
I do wanna point out that Security Groups, by default,

64
00:03:59,671 --> 00:04:03,838
do allow all outbound traffic to all destinations,

65
00:04:04,725 --> 00:04:09,009
but what this is talking about are the initiation packets.

66
00:04:09,009 --> 00:04:10,336
That initial connection,

67
00:04:10,336 --> 00:04:12,793
it's not talking about response packets.

68
00:04:12,793 --> 00:04:16,960
So that is how we create a Security Group within AWS VPC.