# How to Improve Connectivity and Secure your VPC Resources?

Whizlabs blog, published 2017-05-22, last updated 2024-05-22. https://www.whizlabs.com/blog/aws-connectivity-vpc/

Are you preparing for the AWS Certified SysOps Administrator – Associate certification exam? This post belongs to a series of articles on topics covered in that exam.

The SysOps Associate exam is widely regarded as the hardest of the associate-level exams. We recommend passing the AWS Certified Solutions Architect – Associate and AWS Certified Developer – Associate exams before taking it.

The AWS Certified SysOps Administrator – Associate exam validates technical expertise in deployment, management, and operations on the AWS platform. It validates the candidate's ability to:

- Deliver the stability and scalability needed by a business on AWS
- Provision systems, services, and deployment automation on AWS
- Ensure data integrity and data security on AWS technology
- Provide guidance on AWS best practices
- Understand and monitor metrics on AWS

Figure #0. Domains covered by the AWS Certified SysOps associate exam (image: https://www.whizlabs.com/blog/wp-content/uploads/2024/05/Figure0_SysOpsBlueprint-3.png)

You can download the AWS Certified SysOps Administrator – Associate Level Exam Blueprint (http://awstrainingandcertification.s3.amazonaws.com/production/AWS_certified_sysops_associate_blueprint.pdf) for more detail.

In this article, we cover the blueprint objective "demonstrate the ability to implement networking features of AWS".

## Context

Cloud computing gives organizations agility: users can re-provision, add, or expand infrastructure resources quickly, and it can reduce costs.

It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort.

On AWS you can provision a logically isolated section of the cloud and launch infrastructure resources and services into a virtual network that you define, much like your corporate datacenter network. You have complete control over this virtual networking environment; it is called a Virtual Private Cloud (VPC).

## What is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) lets you launch Amazon Web Services (AWS) resources into a virtual network that you have defined, with the benefits of the scalable AWS infrastructure.

You can launch AWS resources, such as Amazon EC2 instances, into your VPC. You configure the VPC yourself: you select its IP address range, create subnets, and configure route tables, network gateways, and security settings.

You can create a VPC quickly from the AWS Management Console, scale resources up or down, choose the EC2 instance types and sizes that suit your applications, and pay only for the resources you use.

A variety of connectivity options exist for your Amazon VPC:

- *Connect directly to the Internet* (public subnets): launch instances into a publicly accessible subnet where they can send and receive traffic from the Internet.
- *Connect to the Internet using Network Address Translation* (private subnets): use private subnets for instances that should not be directly addressable from the Internet. Instances in a private subnet can reach the Internet without exposing their private IP addresses by routing their traffic through a Network Address Translation (NAT) gateway in a public subnet.
- *Connect securely to your corporate datacenter*: traffic between instances in your VPC and your datacenter can be routed over an industry-standard, encrypted IPsec VPN connection (the "hardware VPN" of the exam blueprint, now called AWS Site-to-Site VPN).
- *Connect privately to other VPCs*: peer VPCs together to share resources across virtual networks owned by you or by other AWS accounts.
- *Connect to Amazon S3 without using an Internet gateway or NAT*, and control which resources, requests, or users are allowed, through a *VPC endpoint*. (Gateway endpoints exist for S3 and DynamoDB; interface endpoints, built on AWS PrivateLink, cover many other services.)

Combine connectivity methods to match the needs of your application: you can connect your VPC to both the Internet and your corporate datacenter and configure the VPC route tables to direct each kind of traffic to its proper destination.

## What are the components of Amazon VPC?

Amazon VPC comprises components that mirror the networks in your own datacenter:

| Element | Brief description |
|---|---|
| Virtual Private Cloud (VPC) | A logically isolated virtual network in the AWS cloud. You define the VPC's IP address space from a range you select. |
| Subnet | A segment of a VPC's IP address range where you place groups of isolated resources. |
| Internet Gateway | The Amazon VPC side of a connection to the public Internet. |
| NAT Gateway | A highly available, managed Network Address Translation (NAT) service that lets resources in a private subnet reach the Internet. |
| Hardware VPN Connection | A VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility (AWS Site-to-Site VPN). |
| Virtual Private Gateway | The Amazon VPC side of a VPN connection. The customer gateway is the customer side of the VPN connection. |
| Peering Connection | Enables you to route traffic via private IP addresses between two peered VPCs. |
| VPC Endpoint | Enables access to Amazon S3 (and other supported AWS services) from within your VPC without an Internet gateway or NAT, with access controlled by VPC endpoint policies. |

Table #1. VPC relevant concepts

Your AWS resources are automatically provisioned in a ready-to-use *default VPC*. You can create additional VPCs from the Amazon VPC page in the AWS Management Console by selecting "Start VPC Wizard":

Figure #1. Getting started with the VPC Wizard (image: https://www.whizlabs.com/blog/wp-content/uploads/2024/05/vpcWizard.png)

You can modify a VPC at any time after it has been created: add more subnets, or add or remove gateways. The wizard presents four basic network architectures:

- VPC with a Single Public Subnet Only
- VPC with Public and Private Subnets
- VPC with Public and Private Subnets and Hardware VPN Access
- VPC with a Private Subnet Only and Hardware VPN Access

## Accessing the Internet

Amazon VPC supports the creation of an Internet gateway. This gateway enables Amazon EC2 instances in the VPC to access the Internet directly.

You can use public IP addresses, including Elastic IP addresses (EIPs), to let instances in the VPC both communicate outbound to the Internet and receive unsolicited inbound traffic from the Internet. An instance needs both a route to the Internet gateway and a public or Elastic IP address; either one on its own is not enough. EC2 instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to reach the Internet.
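As an added example (not code from the original post or from AWS), the following Python script models the route tables behind the connectivity options and wizard layouts described above: a public subnet whose default route points at an Internet gateway, a private subnet whose default route points at a NAT gateway, and a private-only subnet that reaches just the corporate network through a virtual private gateway. It also encodes the rule that an Internet gateway only forwards for instances with a public or Elastic IP. The VPC CIDR, route tables, gateway IDs and addresses are assumptions made up for the example; nothing here calls AWS.

```python
"""Route-table resolution for the VPC layouts described in the article.

Constructed example; not AWS code and makes no AWS calls. Route tables are
written as the console shows them (destination CIDR -> target). Like the VPC
router, the lookup picks the most specific matching route (longest prefix)
and treats the VPC CIDR as an implicit 'local' route in every table.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # assumed VPC address range

# Assumed topology, one route table per wizard layout from the article:
#   public:      0.0.0.0/0 -> Internet gateway
#   private:     0.0.0.0/0 -> NAT gateway (the NAT gateway itself sits in the public subnet)
#   private_vpn: only the on-premises range, via the virtual private gateway
# Gateway IDs are placeholders in the shape AWS uses.
ROUTE_TABLES = {
    "public": {"0.0.0.0/0": "igw-0example"},
    "private": {"0.0.0.0/0": "nat-0example"},
    "private_vpn": {"172.16.0.0/12": "vgw-0example"},
}


def resolve_route(table_name: str, dst_ip: str):
    """Return the target of the most specific route matching dst_ip,
    or None when no route matches (the VPC router drops the packet)."""
    routes = {VPC_CIDR: "local", **ROUTE_TABLES[table_name]}
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def internet_access(table_name: str, has_public_ip: bool) -> dict:
    """Describe what an instance in a subnet using this route table can do
    with the Internet, given whether it has a public or Elastic IP.
    Security groups and network ACLs still apply on top of this."""
    target = resolve_route(table_name, "203.0.113.9")  # any Internet address
    if target is None:
        return {"outbound": "none", "inbound": "none", "via": None}
    if target.startswith("igw-"):
        # An Internet gateway only forwards for addresses it can map to a
        # public IP; without one the route exists but the packets go nowhere.
        if not has_public_ip:
            return {"outbound": "none", "inbound": "none", "via": target}
        return {"outbound": "direct", "inbound": "unsolicited allowed", "via": target}
    if target.startswith("nat-"):
        # The NAT gateway source-NATs outbound flows and never forwards
        # unsolicited inbound connections to the private instance.
        return {"outbound": "via NAT", "inbound": "none", "via": target}
    return {"outbound": "none", "inbound": "none", "via": target}  # e.g. VPN-only table


if __name__ == "__main__":
    for name in ROUTE_TABLES:
        print(name, resolve_route(name, "10.0.2.5"), internet_access(name, name == "public"))
```

Running the script shows the local route winning for in-VPC destinations in every table, Internet reachability only in the public subnet with a public IP, outbound-only access from the private subnet, and no Internet route at all from the VPN-only subnet.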
A third-party software VPN running on an instance can also provide a site-to-site or remote-access VPN into your VPC over the Internet gateway.

## Securing the access to your VPC resources

Amazon VPC provides security features such as security groups and network access control lists for inbound and outbound filtering at the instance level and at the subnet level. The features you can use to enforce and monitor security in your VPC are:

- **Security groups**: act as a firewall for associated Amazon EC2 instances (strictly, for their network interfaces), controlling both inbound and outbound traffic at the instance level.
- **Network access control lists (ACLs)**: act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
- **Flow logs**: capture information about the IP traffic going to and from network interfaces in your VPC, including traffic that a security group or network ACL rejected, which makes them the first place to look when a connection fails.

Figure #2. Layers of security provided by security groups and network ACLs (image: https://www.whizlabs.com/blog/wp-content/uploads/2024/05/vpcSecurityDiagram.png)

## Differences between Security Groups and NACLs

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign it to up to five security groups (the default quota per network interface). If you don't specify a group at launch time, the instance is assigned the VPC's default security group. For each security group you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. The following table summarizes the differences:

| Security Groups | Network ACLs |
|---|---|
| Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules |
| Operates at the instance level | Operates at the subnet level and automatically applies to all instances in the associated subnets |
| Supports allow rules only | Supports allow rules and deny rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are evaluated in number order; the first matching rule decides |

Table #2. Differences between Security Groups and NACLs

Under the AWS Shared Responsibility Model, the customer is responsible for securing network access to EC2 instances with security groups and network ACLs; AWS secures the underlying infrastructure.
## How to modify Network Access Controls (NACLs)?

A network ACL contains a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The first rule that matches decides; the final rule, shown as `*`, denies anything that no earlier rule matched and cannot be edited. Leave gaps between rule numbers (for example, increments of 10 or 100) so that rules can be inserted later without renumbering.

A network ACL has separate inbound and outbound rules, and each rule can either *allow or deny traffic*. You can specify any protocol that has a standard protocol number. Because the ACL is stateless, allowing an inbound connection is not enough: the reply leaves through the outbound rules, so an outbound rule for the ephemeral port range (1024-65535) is needed, and likewise an inbound ephemeral-port rule for connections that your instances initiate.

The default network ACL that comes with a VPC allows all inbound and outbound traffic; a network ACL you create yourself denies everything until you add rules.

Figure #3. Modifying rules into a Network ACL (image: https://www.whizlabs.com/blog/wp-content/uploads/2024/05/ModifyingNACLs.png)

## Important Points to Remember for the AWS Certified SysOps Administrator – Associate Certification exam

- Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you launch AWS resources in a virtual network that you define.
- There is no additional charge for creating and using a VPC; you pay only for the resources you use inside it (NAT gateways, VPN connections, and interface endpoints are billed separately).
- EC2 instances in a private subnet can reach the Internet by routing their traffic through a Network Address Translation (NAT) gateway located in a public subnet.
- EC2 instances in a public subnet reach the Internet through an Internet gateway, provided they have a public or Elastic IP address.
- A network ACL controls traffic in and out of the subnets it is associated with, and supports both allow and deny rules.
- Network ACL rules are evaluated in number order when deciding whether to allow traffic.
- A security group allows traffic to and from an instance on specific protocols and ports; it has no deny rules.
- Stateful filtering tracks the origin of a request and automatically allows the reply to return to the originating host.
- Traffic that is not explicitly allowed to or from an instance is denied.
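As an added example, not code from the original post or from AWS, the following Python script implements the evaluation semantics summarized in Table #2 and in the network ACL section: a stateless, number-ordered, first-match network ACL with an implicit final deny, and a stateful, allow-only security group that considers every rule. It runs two constructed packets through them, an HTTP request from an Internet client and the server's reply, to show the ephemeral-port pitfall and the rule-ordering pitfall. The addresses, rule numbers and ports are assumptions chosen for the example; the model is simplified to IPv4 and TCP/UDP with an in-memory flow table.

```python
"""Simulate AWS security group and network ACL rule evaluation.

Constructed example for the article (not AWS code). It mirrors the semantics
of Table #2: network ACLs are stateless, evaluated lowest-number-first with an
implicit final deny; security groups are stateful and allow-only.
Simplifications: IPv4 only, TCP/UDP only, one in-memory flow table.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str  # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; unused by security groups
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # remote side: source for inbound rules, destination for outbound
    action: str = "allow"  # "allow" or "deny" (security groups never use "deny")


def _matches(rule: Rule, remote_ip: str, protocol: str, port: int) -> bool:
    """Rule matching as in the console: protocol, destination port range, remote CIDR."""
    if rule.protocol not in ("all", protocol):
        return False
    if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules: list, pkt: Packet, direction: str) -> bool:
    """Network ACL: stateless, lowest rule number first, first match wins,
    implicit final '*' rule denies everything else. A reply packet is just
    another packet and needs its own (outbound ephemeral-port) rule."""
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote_ip, pkt.protocol, pkt.dst_port):
            return rule.action == "allow"
    return False


@dataclass
class SecurityGroup:
    """Security group: stateful, allow rules only, every rule considered."""
    inbound: list
    outbound: list
    flows: set = field(default_factory=set)

    def allows(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.protocol, pkt.dst_port, pkt.src_port)
        if reverse in self.flows:
            return True  # reply to a tracked flow: allowed regardless of rules
        rules = self.inbound if direction == "inbound" else self.outbound
        remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if any(_matches(r, remote_ip, pkt.protocol, pkt.dst_port) for r in rules):
            self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.src_port, pkt.dst_port))
            return True
        return False  # nothing explicitly allowed it: denied


def demo() -> dict:
    """Web server 10.0.1.10 serving client 198.51.100.7 on the Internet (constructed)."""
    request = Packet("198.51.100.7", "10.0.1.10", "tcp", 50000, 80)
    reply = Packet("10.0.1.10", "198.51.100.7", "tcp", 80, 50000)

    nacl_in = [Rule(100, "tcp", 80, 80, "0.0.0.0/0")]
    # Outbound side allows only HTTPS: the reply to the client's ephemeral port is dropped.
    nacl_out_incomplete = [Rule(100, "tcp", 443, 443, "0.0.0.0/0")]
    nacl_out_fixed = nacl_out_incomplete + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0")]

    # Same two rules, different numbers: the deny only takes effect when it sorts first.
    deny_first = [Rule(90, "tcp", 80, 80, "198.51.100.0/24", "deny"), Rule(100, "tcp", 80, 80, "0.0.0.0/0")]
    deny_last = [Rule(100, "tcp", 80, 80, "0.0.0.0/0"), Rule(110, "tcp", 80, 80, "198.51.100.0/24", "deny")]

    sg = SecurityGroup(inbound=[Rule(0, "tcp", 80, 80, "0.0.0.0/0")], outbound=[])
    return {
        "nacl_request_in": nacl_allows(nacl_in, request, "inbound"),
        "nacl_reply_out_no_ephemeral": nacl_allows(nacl_out_incomplete, reply, "outbound"),
        "nacl_reply_out_with_ephemeral": nacl_allows(nacl_out_fixed, reply, "outbound"),
        "nacl_deny_first": nacl_allows(deny_first, request, "inbound"),
        "nacl_deny_last": nacl_allows(deny_last, request, "inbound"),
        "sg_request_in": sg.allows(request, "inbound"),
        "sg_reply_out": sg.allows(reply, "outbound"),  # allowed although outbound rules are empty
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32} {'ALLOW' if result else 'DENY'}")
```

The two results worth remembering for the exam are the ones the table states in words: the server's reply passes the security group with no outbound rule at all, but is dropped by the network ACL until an outbound rule for 1024-65535 exists, and a deny rule placed after a broader allow in number order is never reached.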
**Glossary**

| Term | Brief description |
|---|---|
| VPC | Virtual private cloud. An elastic network populated by infrastructure, platform, and application services that share common security and interconnection. |
| Subnet | A range of IP addresses in your VPC. You launch AWS resources into a subnet that you select. Use a *public subnet* for resources that must be reachable from the Internet, and a *private subnet* for resources that must not be. |
| Route table | A set of routing rules that controls the traffic leaving any subnet associated with the route table. You can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time. |
| Security Group | A named set of allow rules for the inbound and outbound connections of an instance. Each rule lists a protocol, a port range, and a source or destination (an IP address range or another security group). A security group can apply to multiple instances, and multiple groups can regulate a single instance. |
| Network ACL | An optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You can associate multiple subnets with a single network ACL, but a subnet can be associated with only one network ACL at a time. |
| Internet gateway | Connects a VPC to the Internet. You route traffic for IP addresses outside your VPC to the Internet gateway. |
| NAT gateway | A NAT device, managed by AWS, placed in a public subnet. It translates the private source addresses of instances in private subnets so that they can initiate connections to the Internet, while unsolicited inbound connections from the Internet cannot reach them. A NAT gateway uses both network address translation and port address translation. |

#### Summary

In this article, we have explained the security and connectivity options that Amazon Virtual Private Cloud provides at the network level, discussed the differences between security groups and network ACLs, and described the core elements of a VPC.
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[3942,3944,241,3955,1501,1585],"class_list":["post-25366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-aws-associate","tag-aws-associate-architect-certification","tag-aws-certified-sysops-administrator","tag-aws-sysops-administrator","tag-subnet","tag-vpc"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",725,282,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops-150x150.jpg",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops-300x117.jpg",300,117,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",725,282,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",725,282,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",725,282,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",725,282,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",24,9,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",48,19,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",96,37,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",150,58,false],"profile_300":["https:\/\/www.whizlabs.com\/
blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",300,117,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops-250x250.jpg",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",640,249,false],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",96,37,false],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2017\/05\/aws-vpc-resources-sysops.jpg",150,58,false]},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":0,"uagb_excerpt":"Are you preparing for\u00a0AWS Certified SysOps Administrator \u2013 Associate certification exam? \u00a0Are you ready to pass this AWS associate exam? In this blog, we are writing a series of articles on topics which are covered in the AWS Certified SysOps Associate certification exam. 
You can subscribe to us for receiving further updates on this topic.&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=25366"}],"version-history":[{"count":4,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25366\/revisions"}],"predecessor-version":[{"id":96466,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/25366\/revisions\/96466"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/67914"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=25366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=25366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=25366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}