AWS Essentials: Network Access Control List (NACLs)

Captions
Hello, and in this lesson we're going to continue building on VPC basics and understanding how VPCs work by taking a look at network access control lists. We're going to talk specifically about its definition, its function, how to create a network access control list and, most importantly, managing network access control list rules.

So first let's take a look at what the definition is for a network access control list, and again the AWS definition is simple enough in this instance, so let's jump right down to that: a network access control list is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. So let's make a quick note here that your default VPC already has a network access control list in place and associated with the default subnets. To find and modify your network access control list we can either click on Network Access Control List here, or under Security on the left-hand side click on Network ACLs. Here we have our default network access control list, and it does have the four default subnets associated with it, which we can view here, that they are associated.

Now in terms of how it fits and works inside the VPC, it really lies between the route table and any of these subnets that are associated with it. So when traffic comes in through the route table, before it goes into a subnet it will hit the network access control list, or if any information is leaving a subnet it will hit a network access control list before being able to move on to a route table. So specifically what we want to know about network access control lists is that they have both inbound and outbound rules, and those are separate categories, meaning you can have certain rules for inbound traffic and other rules, which can be different, for outbound traffic.

Now it is very important to know that for the default network access control list, which is the one right here which has been created for us, all traffic is allowed in both directions by default. So if we take a quick look at these rules here, which I will explain in a second, for both inbound and outbound there is an explicit allow here, which is going to be evaluated first and allow all traffic through. So if we want to provide any security on the subnet level we're going to have to modify these if we continue to use the default network access control list.

Now how do these rules work? Well, for inbound and outbound rules there are rules that govern how these work. The first rule that you should be aware of is that rules are evaluated based on rule number from lowest to highest. Second is that the first rule evaluated that applies to the traffic type gets immediately applied and executed regardless of the rules that come after, meaning have a higher rule number. So that may be a little hard to understand right now since we only have two rules that are in here, and really only one rule that we can modify. So this rule, having a number of 100, is allowing all traffic types under all protocols, all port ranges, from any source. Underneath here is a rule that we cannot delete, modify or edit, and this is considered a catch-all, and what that means is that if we don't specifically allow traffic it is going to be denied. So if I were to edit this and remove the allow all rule, then all information coming into the subnet will be denied, and I cannot remove this. So if I want any data to be able to enter, or if it was an outbound rule, to leave a subnet, I must explicitly add a rule allowing that through.

So here if I add a rule, let's call this rule 80, and I'm going to make this HTTP, and I'll allow it from all sources and leave it as allow, I'll click Save. Now for data that's coming in that is type HTTP, or basic web traffic, it will come in to the network access control list, and the network access control list is going to start evaluating from lowest to highest. So it's going to look at this and say, okay, here's our first rule, is our traffic type HTTP? Which is going to say yes it is. And what is the rule? The rule is allow, and it's immediately going to send that traffic through regardless of what comes after it.

So to detail this more explicitly let's add another rule. We'll put this as rule number 90, it'll be an HTTP rule from any source, and this will be a deny rule. Let me click Save. So even though now I have a rule that says deny, any HTTP traffic is still going to be allowed, because again the first rule evaluated that applies to the traffic type gets immediately applied and executed, and rules are evaluated based on rule number from lowest to highest. So that HTTP traffic comes into the network access control list, it starts to work its way down the list, it gets to the very first rule, HTTP allow, it allows it through regardless of whether or not this deny rule is there. Now if I were to switch these numbers, if I were to put the deny rule to 70, now any HTTP traffic that were to come into the network access control list would be denied, because this would be evaluated first, it would immediately execute that rule, and the traffic would be denied regardless of the fact that after it we have an HTTP allow rule. So these properties apply both for inbound and outbound rules.

So now let's talk about our default versus a new network access control list, and before I create a new network access control list let's just go back here and switch these numbers around. We'll put this back to 90 so that HTTP traffic can come in. So now again we are allowing HTTP traffic into the subnet. So we'll create a new network access control list by clicking on Create Network ACL here, and we'll give this a name, I'll call it "essentials NACL", click Create, okay. So now we have a new network access control list, and one of the things that we want to be very clear about here is that when you create a new network access control list, by default everything is denied. So if you look here there's no allow rule for inbound and outbound rules, everything is set to deny, whereas with our default network access control list it did have an allow for all traffic for both inbound and outbound by default. So it's just something really important to remember when you first start using your AWS account, in case you have any sort of connectivity or restriction errors when trying to access either the internet or items placed inside of your VPC.

So right now both of these subnets are currently assigned or associated with our default VPC, since we have all of our subnets associated with our default VPC. So right now HTTP traffic would be allowed into either one of the subnets, but if we were to switch this, or associate one of our subnets with the new network access control list, all traffic would be denied, since we don't have any allow rules in our inbound or outbound rules. So if I were to go to Associated Subnets, click on Edit and select one of these subnets, I'll select this one here and click Save, we're going to see here that this number is going to change to 3 and this is going to become 1. So now that this subnet is associated with this network access control list, no traffic can come in or out, because there are no allow rules. Now if I were to add a few rules, let's say I'll put this at number 90, and we will put this as SSH, and we will allow from all sources, I'll click Save, allow, and we'll do the same thing for outbound: 90, SSH, allow. So now on our new network access control list SSH will be allowed both in and out of the subnet, and then our catch-all here at the bottom will deny all other traffic. So if HTTP traffic were to come in and were to go this way and were to go to this subnet, it would be allowed in, but if it were to go this way the HTTP traffic would be denied, because it would look at this rule and say, does that type HTTP apply to this rule? Say no, because this rule is for type SSH, then for all other traffic there is a deny rule.

So I know we spent a lot of time on the nitty-gritty here of using network access control lists, but security is one of the main things that you really need to know when starting to use AWS, specifically not from the standpoint that people are going to try to hack or get into your system, but more from a connectivity issue, meaning that when you start to provision EC2 instances, RDS instances, databases, and really start to use other services, things like network access control lists may be a hidden barrier for you, in that you may not be able to access something and you don't know why, and a lot of times it will have to do with either network access control lists or security groups, which is something that we're going to touch on in a future section. So making sure that you have these set properly for the type of traffic that you want to use can greatly increase your security, but also it becomes an area that you have to be very mindful of in terms of making sure that the connections are correct for traffic to move freely. So again I just want you to be very mindful of how traffic flows through a VPC from the internet down to the subnet level, and then from the subnet level back out to the internet, and the role that network access control lists play in that.

So again, to recap on the network access control list: its definition is an optional layer of security, so you don't have to have security set, you can just set it to allow all traffic, and then you're not having your network access control lists do anything for you. But if you are hosting, say, just a web server, then maybe the only traffic you want to allow into that subnet would be HTTP and HTTPS traffic, not allowing any other traffic to get into your web server, which is just heightened security, and that would be considered a best practice: to only allow the traffic that is absolutely required. So a couple of rules and details we're just going to note in recap: rules are evaluated from lowest to highest based on rule number; the first rule found that applies to the traffic type is immediately applied regardless of any rule that comes after it, meaning it has a higher rule number; the default network access control list allows traffic to the default subnets and also from the default subnets, and any new network access control lists you create will deny all traffic by default; and subnets can only be associated with one network access control list at a time. Now if you remember, when I associated the subnet with this network access control list it automatically removed it from this network access control list and assigned it to this one, so a subnet can only be associated with one network access control list at a time. And a network access control list allows or denies traffic from entering a subnet; once inside the subnet other AWS resources, meaning like EC2 instances, may have additional layers of security for themselves, meaning security groups, which we're going to talk about in future lessons. But just always remember that it's network access control lists which provide access on the subnet level, and with that we will complete this lesson. Thank you for watching, you may now move on.
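The evaluation rules the lesson demonstrates in the console (lowest rule number first, first matching rule wins, non-editable deny-all catch-all at the bottom) are easy to get wrong when a NACL grows past a handful of rules. The following is an added example, not code from the video, Linux Academy or AWS: a small Python model of NACL rule evaluation that replays the lesson's scenarios (rule 80 allow HTTP followed by rule 90 deny HTTP, the deny moved to 70, the empty new "essentials NACL", and that NACL with only rule 90 allowing SSH), plus a check that flags rules which can never take effect because a lower-numbered rule of the opposite action already covers everything they match. The `Rule` class, the `evaluate` and `shadowed_rules` functions and the `203.0.113.7` sample source address are constructed for this example.

```python
"""Model of AWS network ACL rule evaluation (added example, not from the lesson).

Implements the two rules the lesson states: rules are evaluated by ascending
rule number, and the first rule that matches the traffic is applied. Anything
that matches no rule hits the non-editable catch-all, which denies it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lower numbers are evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # inclusive port range, only meaningful for tcp/udp
    port_to: int
    cidr: str          # source CIDR (inbound rules) or destination CIDR (outbound)
    action: str        # "allow" or "deny"

    def matches(self, proto: str, port: int, addr: str) -> bool:
        """True if a packet of this protocol/port/address is covered by the rule."""
        if self.protocol != "all" and self.protocol != proto:
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(addr) in ip_network(self.cidr)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by `self`."""
        proto_ok = self.protocol == "all" or self.protocol == other.protocol
        if self.protocol in ("tcp", "udp") and other.protocol == self.protocol:
            ports_ok = self.port_from <= other.port_from and other.port_to <= self.port_to
        else:
            ports_ok = True
        return proto_ok and ports_ok and ip_network(self.cidr).supernet_of(ip_network(other.cidr))


def evaluate(rules: List[Rule], proto: str, port: int, addr: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) for one packet; rule number None means the '*' catch-all."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action, rule.number   # first match wins, later rules are never consulted
    return "deny", None                       # the non-editable deny-all at the bottom


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (shadowed, by): rules fully covered by a lower-numbered rule of the opposite action.

    A same-action duplicate is merely redundant; an opposite-action one is a rule the
    author believes is in force but that can never be reached, which is the lesson's
    rule-90 deny sitting below rule-80 allow.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action != rule.action and earlier.covers(rule):
                found.append((rule.number, earlier.number))
                break
    return found


ANY = "0.0.0.0/0"
SRC = "203.0.113.7"   # constructed sample source address (TEST-NET-3 range)

# Default NACL: rule 100 allows everything, so the catch-all is never reached.
DEFAULT_INBOUND = [Rule(100, "all", 0, 65535, ANY, "allow")]

# The lesson's experiment: 80 allow HTTP, then 90 deny HTTP. The deny never fires.
LESSON_INBOUND = [
    Rule(80, "tcp", 80, 80, ANY, "allow"),
    Rule(90, "tcp", 80, 80, ANY, "deny"),
    Rule(100, "all", 0, 65535, ANY, "allow"),
]

# Same rules with the deny moved to 70: now HTTP is denied before the allow is seen.
LESSON_INBOUND_SWAPPED = [
    Rule(70, "tcp", 80, 80, ANY, "deny"),
    Rule(80, "tcp", 80, 80, ANY, "allow"),
    Rule(100, "all", 0, 65535, ANY, "allow"),
]

# The new "essentials NACL": no rules at all, then only rule 90 allowing SSH.
EMPTY_INBOUND: List[Rule] = []
ESSENTIALS_INBOUND = [Rule(90, "tcp", 22, 22, ANY, "allow")]

if __name__ == "__main__":
    for name, nacl in [("default", DEFAULT_INBOUND), ("lesson", LESSON_INBOUND),
                       ("swapped", LESSON_INBOUND_SWAPPED), ("empty", EMPTY_INBOUND),
                       ("essentials", ESSENTIALS_INBOUND)]:
        print(name, "HTTP:", evaluate(nacl, "tcp", 80, SRC), "SSH:", evaluate(nacl, "tcp", 22, SRC),
              "shadowed:", shadowed_rules(nacl))
```

Running the script shows the lesson's outcomes: HTTP is allowed by rule 80 even with the deny at 90, denied by rule 70 once the numbers are swapped, and the empty NACL denies everything via the catch-all while the SSH-only NACL denies HTTP. Two caveats the model makes visible: `shadowed_rules` reports the unreachable deny in both orderings, which is the audit you want before trusting a deny rule in a real NACL, and the model evaluates one direction only, because NACLs are stateless (a point not covered in this lesson), so an outbound rule set that only allows port 22 would still drop the SSH server's reply packets unless the ephemeral port range is also allowed.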
Info
Channel: Linux Academy
Views: 62,062
Keywords: Linux Academy, LinuxAcademy.com, AWS, AWS Essentials, Amazon Web Services, Cloud, Cloud Computing, Beginner, Education, Training, Tutorial, VPC, AWS VPC, Virtual Private Cloud, Network Access Control List, NACL, AWS NACL, NACLs
Id: vJzHn24TNQE
Length: 13min 25sec (805 seconds)
Published: Wed Dec 21 2016