6. VPC Part‐2 (Security Group Vs NACL & Egress Only Internet Gateway) - suryav1012/surya-aws-notes GitHub Wiki


Security Groups and Network Access Control Lists (NACLs) are both key components of managing network security in Amazon Web Services (AWS) Virtual Private Cloud (VPC). They serve different purposes and operate at different levels within the VPC.

1. Security Groups

  • Purpose: Security Groups act as virtual firewalls for your instances to control inbound and outbound traffic. They are used to define the allowed traffic based on rules that you specify.
  • Level: Operates at the instance level (Elastic Network Interface level).
  • Stateful: Security Groups are stateful, meaning if you allow an incoming request, the response is automatically allowed without the need for an explicit outbound rule.
  • Rules:
    • Inbound Rules: Control the incoming traffic to your instances. For example, you can allow HTTP traffic on port 80 from any IP address.
    • Outbound Rules: Control the outgoing traffic from your instances. By default, all outbound traffic is allowed.
  • Use Cases: Security Groups are typically used to control access to specific instances, allowing only certain IP addresses or ranges to communicate with the instances over specified protocols and ports.

2. Network Access Control Lists (NACLs)

  • Purpose: NACLs provide an additional layer of security at the subnet level, controlling traffic entering and leaving a subnet within your VPC.
  • Level: Operates at the subnet level.
  • Stateless: NACLs are stateless, meaning if you allow an inbound request, you must explicitly allow the outbound response traffic.
  • Rules:
    • Inbound Rules: Control the incoming traffic to the subnet.
    • Outbound Rules: Control the outgoing traffic from the subnet.
    • Rule Order: NACLs evaluate rules in order, starting with the lowest numbered rule. As soon as a rule matches the traffic, it's applied, and no further rules are evaluated.
  • Default Behavior: By default, a new NACL allows all inbound and outbound traffic. You can modify these rules to deny or allow traffic as needed.
  • Use Cases: NACLs are often used for adding an extra layer of security to a subnet, especially for controlling traffic between subnets within a VPC.

Key Differences:

  • Scope: Security Groups operate at the instance level, while NACLs operate at the subnet level.
  • Statefulness: Security Groups are stateful, while NACLs are stateless.
  • Application: Security Groups are used for controlling traffic to/from instances, whereas NACLs are used for controlling traffic at the subnet boundary.

When to Use Each:

  • Security Groups: Use when you need to control traffic directly to and from your EC2 instances. It's suitable for applications where you want to enforce security policies at the instance level.
  • NACLs: Use when you need to control traffic at the subnet level, especially when you want to apply rules across multiple instances within a subnet or between subnets.

These tools can be used together to provide a comprehensive security posture within your AWS VPC.
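The two behaviours that decide most real-world SG/NACL troubleshooting, statefulness and rule ordering, are easiest to see in executable form. The model below is an added teaching example (not AWS code, not from these notes): it plays a constructed web request and its reply through a security group with no outbound rule at all, and through a NACL with and without the ephemeral-port outbound rule, then shows a NACL deny being shadowed by a lower-numbered allow. All addresses, ports and rule numbers are constructed for the demo.

```python
"""Executable model of the stateful security group and the stateless,
ordered NACL described above. Added teaching example, not AWS code; the
addresses, ports and rule numbers are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # reply-port range a stateless NACL must allow explicitly


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number (ignored by security groups)
    cidr: str      # remote address range the rule applies to
    proto: str     # "tcp", "udp" or "all"
    ports: tuple   # inclusive (low, high) destination-port range
    action: str    # "allow" or "deny" (security groups only ever allow)

    def matches(self, pkt: Packet, direction: str) -> bool:
        # Inbound rules look at where a packet comes from, outbound rules at
        # where it goes; the port compared is always the destination port.
        remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if ip_address(remote) not in ip_network(self.cidr):
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        return self.ports[0] <= pkt.dst_port <= self.ports[1]


def nacl_decision(rules, pkt, direction):
    """Stateless: walk rules lowest number first, first match wins, and the
    implicit final '*' rule denies whatever nothing else matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: a flow admitted by a rule is remembered, and its replies pass
    without consulting the rules of the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # 5-tuples of admitted flows (connection tracking)

    def decide(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self.flows:
            return "allow"  # reply to a tracked flow: no rule lookup at all
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port))
            return "allow"
        return "deny"


def web_scenario():
    """Constructed flow: an internet client fetches a page from a web instance
    at 10.0.1.5 whose subnet is protected by both an SG and a NACL."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 51234, 80)
    reply = Packet("10.0.1.5", "203.0.113.10", "tcp", 80, 51234)

    # Deliberately no outbound rule, to show that the reply still passes.
    sg = SecurityGroup(inbound=[Rule(0, "0.0.0.0/0", "tcp", (80, 80), "allow")], outbound=[])

    nacl_in = [Rule(100, "0.0.0.0/0", "tcp", (80, 80), "allow")]
    nacl_out_missing = [Rule(100, "0.0.0.0/0", "tcp", (443, 443), "allow")]
    nacl_out_fixed = nacl_out_missing + [Rule(110, "0.0.0.0/0", "tcp", EPHEMERAL, "allow")]
    return {
        "sg_request": sg.decide(request, "inbound"),
        "sg_reply": sg.decide(reply, "outbound"),
        "nacl_request": nacl_decision(nacl_in, request, "inbound"),
        "nacl_reply_without_ephemeral_rule": nacl_decision(nacl_out_missing, reply, "outbound"),
        "nacl_reply_with_ephemeral_rule": nacl_decision(nacl_out_fixed, reply, "outbound"),
    }


def ordering_scenario():
    """Rule number, not specificity, decides: a broad allow numbered below a
    targeted deny makes the deny unreachable; renumbering it lower fixes that."""
    pkt = Packet("203.0.113.10", "10.0.1.5", "tcp", 51234, 80)
    broad_allow = Rule(100, "0.0.0.0/0", "tcp", (80, 80), "allow")
    shadowed = nacl_decision([broad_allow, Rule(200, "203.0.113.0/24", "tcp", (80, 80), "deny")], pkt, "inbound")
    effective = nacl_decision([broad_allow, Rule(50, "203.0.113.0/24", "tcp", (80, 80), "deny")], pkt, "inbound")
    return shadowed, effective


if __name__ == "__main__":
    print(web_scenario())
    print(ordering_scenario())
```

The reply through the NACL that lacks the ephemeral rule is dropped by the implicit final deny, which is why a subnet that only allows port 80 in and port 443 out serves no pages; the security group admits the same reply because it tracked the request. When auditing NACLs, read them in number order and treat any deny numbered above a matching allow as dead.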

Egress-Only Internet Gateway:

An Egress-Only Internet Gateway is a specific type of gateway used in an Amazon Virtual Private Cloud (VPC) to provide outbound-only internet access for resources located in a VPC with IPv6 addresses. It allows instances to initiate connections to the internet, but it blocks any inbound traffic from the internet, providing a layer of security.

Key Points:

1. IPv6 Support: The Egress-Only Internet Gateway is designed specifically for IPv6 traffic. Unlike IPv4, where a NAT Gateway or NAT instance is typically used for private instances to communicate with the internet, IPv6 uses this egress-only gateway for similar functionality.
2. Outbound-Only Access: It allows resources in the VPC to make outbound connections to the internet but blocks any incoming connections from external sources. This ensures that the resources remain protected from unsolicited inbound traffic.
3. Use Cases:
   • When you want to enable IPv6 instances in a private subnet to access the internet for updates, patches, or external data without exposing them to direct inbound internet traffic.
   • For securing environments where outbound internet communication is needed, but inbound connections should be restricted.
4. Alternative to NAT Gateway: In an IPv4 VPC setup, a NAT Gateway or NAT instance is used for instances in private subnets to connect to the internet. For IPv6 traffic, the Egress-Only Internet Gateway serves a similar purpose but is specifically designed for handling IPv6 traffic.

How It Works:

  • When an instance with an IPv6 address in a VPC needs to access the internet, it sends outbound traffic through the Egress-Only Internet Gateway.
  • The gateway allows the instance’s outbound traffic to pass through, while any inbound traffic from the internet is blocked.

In summary, an Egress-Only Internet Gateway is essential for managing secure outbound internet access in an IPv6-based VPC setup, allowing outbound communication while preventing any inbound traffic.

In AWS, VPC Endpoints, Network Gateways, and Internet Gateways are different networking components used to control and manage traffic in a Virtual Private Cloud (VPC). Each serves a specific purpose in handling how resources communicate both internally and externally. Here’s an overview of each:

  1. VPC Endpoints

    • Purpose: VPC Endpoints allow you to connect to AWS services privately within the AWS network, without using the public internet.
    • Types:
      • Interface Endpoint: Uses an Elastic Network Interface (ENI) in your VPC with a private IP address, enabling connections to supported AWS services. These endpoints are used for services like S3, DynamoDB, Lambda, etc.
      • Gateway Endpoint: Only for S3 and DynamoDB. It creates a route entry in your route table to send traffic destined for these services through the gateway endpoint.
    • Use Cases:
      • When you want to securely access AWS services from your VPC without exposing the traffic to the internet.
      • Reduces the need for NAT Gateways or Internet Gateways for accessing specific AWS services.

  2. Internet Gateway

    • Purpose: Provides a connection between the VPC and the public internet, allowing resources like EC2 instances to access the internet.
    • Characteristics:
      • Supports both inbound and outbound internet traffic.
      • Must be attached to the VPC, and an instance needs a public IP address (an Elastic IP or its auto-assigned public IP) to communicate with the internet through it.
      • Needed for instances in public subnets to access or be accessed from the internet.
    • Use Cases:
      • When you want instances to have direct access to the internet (e.g., to download updates or host web applications).
      • Allows users outside the VPC to access resources, such as web servers, hosted in the VPC.

  3. Network Gateway

Network gateways are more specialized, and there are a few types in AWS:

  • NAT Gateway (Network Address Translation Gateway):
    • Purpose: Allows instances in a private subnet to access the internet while blocking inbound traffic from the internet.
    • Characteristics:
      • Used for instances that don’t have public IP addresses but need outbound internet connectivity (e.g., to download patches or software).
      • Traffic is translated from the private IP address of the instance to a public IP address assigned to the NAT Gateway.
    • Use Cases:
      • Ideal for scenarios where resources require outbound internet access for updates but should not be accessible from the internet directly.
  • Virtual Private Gateway:
    • Purpose: Connects a VPC to an on-premises network via a VPN connection.
    • Use Cases:
      • Enables secure communication between AWS resources in the VPC and on-premises data centers.
  • Egress-Only Internet Gateway:
    • Purpose: Provides outbound-only internet access for IPv6 traffic.
    • Use Cases:
      • Used for VPCs with IPv6 traffic that need to connect to the internet but should block any inbound traffic.
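The gateway endpoint's "route entry in your route table" and the outbound-only behaviour of the NAT and Egress-Only Internet Gateways both come down to what a private subnet's route table does with a destination address. The model below is an added example (not AWS code, not from these notes): it performs the longest-prefix-match lookup a route table applies, with a constructed stand-in for the S3 prefix list that a gateway endpoint injects, and records which gateway kinds accept connections the internet initiates. All CIDRs, gateway IDs and addresses are constructed placeholders; the real prefix-list contents are region specific and come from AWS.

```python
"""Route-table model for a private subnet: longest prefix match over IPv4 and
IPv6 routes, a gateway endpoint's prefix-list routes, and the outbound-only
behaviour of NAT and egress-only gateways. Added example, not AWS code; every
CIDR, ID and address below is a constructed placeholder."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the S3 prefix list a gateway endpoint adds
# (real pl-xxxx contents are region specific and fetched from AWS).
S3_PREFIX_LIST = ["198.51.100.0/24", "2001:db8:5300::/48"]

PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),                # VPC IPv4 block (constructed)
    ("2001:db8:1::/56", "local"),            # VPC IPv6 block (constructed)
    ("0.0.0.0/0", "nat-0000example"),        # IPv4 default via NAT gateway
    ("::/0", "eigw-0000example"),            # IPv6 default via egress-only IGW
] + [(cidr, "vpce-0000example") for cidr in S3_PREFIX_LIST]

PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0000example"),        # internet gateway: two-way
]

# Which target kinds forward connections that the internet initiates.
ACCEPTS_INBOUND = {"local": True, "igw": True, "nat": False, "eigw": False, "vpce": False}


def select_route(dst, routes):
    """Longest prefix match; returns the target, or None when no route fits
    (e.g. an IPv4 destination in a table whose only default route is ::/0)."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def evaluate_flow(remote, initiated_by, routes):
    """Decide the fate of a flow with the given remote address.
    initiated_by is "vpc" (an instance opened it) or "internet"."""
    target = select_route(remote, routes)
    if target is None:
        return None, "no-route"
    kind = target.split("-")[0]
    if initiated_by == "internet" and not ACCEPTS_INBOUND[kind]:
        return target, "drop"     # NAT and egress-only IGW refuse unsolicited inbound
    return target, "forward"


if __name__ == "__main__":
    for dst in ["198.51.100.7", "93.184.216.34", "2001:db8:5300::1", "2001:db8:abcd::1", "10.0.3.9"]:
        print(dst, "->", select_route(dst, PRIVATE_ROUTES))
    print(evaluate_flow("2001:db8:abcd::1", "internet", PRIVATE_ROUTES))
```

Two things the lookup makes concrete: S3 traffic leaves through the endpoint only because the prefix-list routes are more specific than the default routes, so removing the endpoint silently shifts that traffic to the NAT gateway; and a subnet whose only default route is `::/0` via the egress-only gateway has no IPv4 path at all, which is the "IPv6 only" property of that gateway.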

Summary Comparison

| Feature | VPC Endpoint | Internet Gateway | Network Gateway (NAT, VPN) |
| --- | --- | --- | --- |
| Use Case | Private access to AWS services | Internet access | Private-to-public access (NAT), on-premises connectivity (VPN) |
| Internet Exposure | No | Yes (for public subnets) | Yes (outbound for NAT), No for VPN |
| Traffic Type | AWS service traffic | Inbound and outbound | Outbound (NAT), Site-to-Site (VPN) |
| Supported Protocols | TCP/UDP (Interface Endpoint) | All (IP-based traffic) | TCP/UDP (NAT), IPsec (VPN) |
| Use with Private Subnets | Yes | No | Yes (NAT) |

These components serve distinct roles in VPC networking, offering different ways to control how resources communicate within AWS and with external networks.