Security is an important topic for developers to learn in an AWS networking environment. 3 things will be discussed here:
- Security groups
- Network access control lists (NACL)
- Flow logs (for monitoring, analyzing network traffic and debugging the network)
Basically, a security group is a set of networking rules that apply to a resource. It defines what traffic may enter or leave that resource. A single resource can reference many security groups and so aggregate distinct access types. For example, developers might attach a security group that allows HTTP and HTTPS traffic in for a website, while not wanting SSH access to that service opened in the same way.
They would instead ensure that SSH access to any instance is limited by IP address rather than open to the whole internet, and security groups are the tool for applying that limit. Security groups can be thought of as distributed firewalls, and they are specific to an instance or machine.
Security groups are also stateful: if a request is allowed in one direction, the response to that request is automatically permitted in the other direction. Still, this does not mean that once you have created an inbound rule you no longer need outbound rules.
Network Access Control List (NACL)
The Network Access Control List, or NACL for short, can be described in very basic terms as a set of rules that permits or denies traffic. These rules apply to traffic entering or leaving a subnet, according to the inbound or outbound restrictions placed on that subnet.
NACLs are often described as stateless because you have to explicitly allow traffic in both directions; a rule in one direction does not imply the other. Since a NACL operates at the subnet level of a VPC, a single NACL can be associated with more than one subnet.
The reverse is not possible, because each subnet can be associated with only a single NACL. For a better understanding of NACLs and security groups, take a look at the AWS documentation.
For instance, consider a scenario where traffic from a specific network or a small range of IP addresses needs to be controlled. Such a situation, which needs only a comparatively short list of rules, is well suited to NACLs. But if the same scenario involved complex rules regarding the ports and IP addresses concerned, then security groups would be the better choice.
VPC flow logs, specifically, allow users to capture detailed information about the IP traffic going to and from the network interfaces in their VPC.
Flow logs can be enabled at the VPC, subnet, and instance level. The feature lets us ship data such as network calls to S3 or to CloudWatch Logs, and once shipped we can keep track of the traffic flow. Once you have created your flow log, you can retrieve the data you need from the chosen destination.
Suffice it to say, flow log records contain the network interface, the source IP address, the source and destination ports, and the destination IP address. They also contain the number of bytes transferred and whether the traffic was accepted or rejected.
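As an added example (not code from the original article), here is a small Python parser over constructed flow log records in the default format, assuming the standard version 2 field order; it pulls out the fields listed above and summarises rejected connections per source address and accepted bytes per interface, the kind of check you would run when monitoring or debugging a VPC from its flow logs.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
# Constructed sample records, not real traffic; account id and ENI id are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123 203.0.113.10 10.0.1.5 54321 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 203.0.113.10 10.0.1.5 54322 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.5 40000 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.5 40001 3389 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0abc123 10.0.1.5 203.0.113.10 443 54321 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; skip malformed lines and NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields to interpret on these records
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Map each source IP to the set of destination ports it was rejected on;
    repeated rejects against admin ports such as 22 or 3389 are worth a look."""
    hits = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            hits[rec["srcaddr"]].add(rec["dstport"])
    return dict(hits)


def accepted_bytes_by_interface(records):
    """Total bytes of accepted traffic seen per network interface."""
    totals = Counter()
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[rec["interface_id"]] += rec["bytes"]
    return dict(totals)
```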