Saturday, 18 July 2020

Security group,NACL and Peering of VPC

Security group:

  1. A security group is a virtual firewall that controls the inbound and outbound traffic allowed to reach instances.
  2. It operates at the instance level.
  3. One security group can be attached to multiple EC2 instances.
  4. Security groups are STATEFUL
    1. For inbound traffic only the inbound rules are evaluated; the reply traffic is allowed automatically.
    2. For outbound traffic only the outbound rules are evaluated; the reply traffic is allowed automatically.
  5. Security groups are per region.
  6. Security groups have only allow rules; there is no explicit deny.
  7. If no rule matches, the traffic is implicitly denied.
  8. There is no way to block a specific IP with a security group; you can only choose which sources to expose to.
  9. Each EC2 instance can have up to 5 security groups associated.
  10. Security groups are internally associated with the ENI (Elastic Network Interface).
  11. The same EC2 instance can have multiple ENIs (IPs).
  12. Each ENI can have 5 SGs.
  13. Security Group Sources
    1. My IP: allows traffic only from my IP address (the IPv4 address of the local machine/EC2).
    2. Anywhere: allows traffic from ANY source.
    3. Custom:
      1. One or more CIDRs
      2. One or more IPs
      3. Another security group: a must-know topic for the exam.
NACL(Network Access Control List)
  1. It is a virtual firewall attached to each subnet.
  2. A subnet can have only one NACL.
  3. Multiple subnets can share the same NACL.
  4. A NACL can explicitly allow or deny IP addresses.
  5. We can blacklist or whitelist IP addresses for traffic.
  6. NACLs are STATELESS
    1. For inbound traffic both the inbound rules (for the request) and the outbound rules (for the reply) must allow it.
    2. For outbound traffic both the outbound rules (for the request) and the inbound rules (for the reply) must allow it.
  7. A default NACL is created by AWS when we create a VPC.
  8. All subnets are implicitly attached to the default NACL.
  9. A NACL uses numbered rules to allow or deny traffic.
  10. Rules are evaluated in ascending order of rule number; the first matching rule wins.
  11. How to choose rule numbers: better to use multiples of 100, for example 100, 200, 300, so that rules can be inserted in between later.
  12. The default rules of the default NACL allow all inbound and outbound traffic.
  13. The default rules of a custom NACL deny all inbound and outbound traffic.
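As an added illustration (not part of the original post), the following Python models the stateful security group and the stateless, rule-numbered NACL described above and checks one SSH session against both. The rule tuple layout, the address ranges and the port numbers are constructed for this example and are not the AWS API.

```python
from ipaddress import ip_address, ip_network

# Constructed rule shapes for this illustration (not the AWS API):
#   SG rule:   (protocol, (port_from, port_to), cidr)                 allow-only
#   NACL rule: (rule_number, action, protocol, (port_from, port_to), cidr)
ANY = "0.0.0.0/0"

def _match(protocol, ports, cidr, proto, port, ip):
    return (protocol in ("all", proto) and ports[0] <= port <= ports[1]
            and ip_address(ip) in ip_network(cidr))

class SecurityGroup:  # stateful: allow rules only, implicit deny, replies tracked
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, direction, proto, port, peer_ip):
        rules = self.inbound if direction == "in" else self.outbound
        return any(_match(*r, proto, port, peer_ip) for r in rules)

class NetworkACL:  # stateless: numbered allow/deny rules, first match in ascending order wins
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, direction, proto, port, peer_ip):
        rules = self.inbound if direction == "in" else self.outbound
        for _, action, protocol, ports, cidr in sorted(rules, key=lambda r: r[0]):
            if _match(protocol, ports, cidr, proto, port, peer_ip):
                return action == "allow"
        return False  # the trailing '*' rule: nothing matched, so deny

def ssh_session_permitted(sg, nacl, client_ip, client_port=51515):
    """Client connects to tcp/22; the reply travels back to the client's ephemeral port."""
    if not sg.allows("in", "tcp", 22, client_ip):     # SG: inbound rule only, reply is implicit
        return False
    return (nacl.allows("in", "tcp", 22, client_ip)    # NACL: request and reply checked separately
            and nacl.allows("out", "tcp", client_port, client_ip))

# Constructed sample: SSH open to anywhere in the SG, one address range blacklisted in the NACL.
BAD_RANGE = "198.51.100.0/24"
ssh_sg = SecurityGroup(inbound=[("tcp", (22, 22), ANY)], outbound=[("all", (0, 65535), ANY)])
ephemeral_out = [(100, "allow", "tcp", (1024, 65535), ANY)]
good_nacl = NetworkACL(inbound=[(100, "deny", "all", (0, 65535), BAD_RANGE),
                                (200, "allow", "tcp", (22, 22), ANY)], outbound=ephemeral_out)
misordered_nacl = NetworkACL(inbound=[(100, "allow", "tcp", (22, 22), ANY),
                                      (200, "deny", "all", (0, 65535), BAD_RANGE)], outbound=ephemeral_out)
no_return_nacl = NetworkACL(inbound=good_nacl.inbound, outbound=[])  # forgot the ephemeral-port rule
if __name__ == "__main__":
    print(ssh_session_permitted(ssh_sg, good_nacl, "203.0.113.10"))        # True
    print(ssh_session_permitted(ssh_sg, good_nacl, "198.51.100.5"))        # False: rule 100 denies
    print(ssh_session_permitted(ssh_sg, misordered_nacl, "198.51.100.5"))  # True: allow at 100 wins
    print(ssh_session_permitted(ssh_sg, no_return_nacl, "203.0.113.10"))   # False: stateless NACL
```

The last two cases are the usual mistakes: a deny rule numbered above the allow it was meant to override never fires, and a custom NACL without an outbound ephemeral-port rule silently breaks sessions the security group permits.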

VPC Peering Connection:

It is used for connecting VPCs.
Instances behave as if they are in the same network and communicate directly over private IPs.
The VPCs can be in the same or different accounts.
The VPCs can be in the same or different regions.
Transitive peering is not possible between VPCs.

How To:

Create VPC-A and VPC-B and a peering connection between these two VPCs.
Accept the request from VPC-A in VPC-B.
Here the peering connection is created within the same account.
Screens as below.

VPC-A




VPC-B

Subnet-1 in VPC-A

Subnet-1 in VPC-B



Create a peering connection between VPC-A and VPC-B.
Under the VPC dashboard, select Peering connections, click on Create Peering connection and fill in the details as below when both VPCs belong to the same account.




Here VPC-A is the requester and VPC-B the accepter.

Since both VPCs are in the same account, you accept the peering connection yourself by following the steps below.


Before accepting the request, the connection is in Pending Acceptance status; after the step above it becomes Active.



Now configure the peering connection in the route tables of both VPCs.

To do that, go to Route tables --> select the VPC-A route table --> click on Routes --> Edit routes --> add a route for the other VPC's CIDR with the peering connection as the target.
Screen as below.






The above step creates the route from VPC-A to VPC-B.

But to provide the route from VPC-B to VPC-A, repeat the above step in the VPC-B route table as below.



Now launch an EC2 instance in VPC-A.



We need to enable a public IP for the EC2 instance we are launching in VPC-A.



The SG should be as below, so that we can SSH from our machine to the EC2 instance.



Create another instance in VPC-B and disable auto-assignment of a public IP.



Its security group will be like below (because it must accept requests from Instance-A, or from anywhere).



Create an Internet gateway like below.



We have to attach the Internet gateway to VPC-A, which connects it to the Internet.





After attaching the IGW to the VPC, we need to add a route to the IGW in the route table as below.




Now connect to Instance-A with PuTTY and ping Instance-B on its private IP address.



Now the connection between VPC-A and VPC-B is successfully established.
