AWS VPC Deep Dive Part 2: Fortifying Your Cloud Kingdom

Hello cloud enthusiasts!

Last time, we explored the fundamentals of AWS Virtual Private Cloud (VPC) using our real estate analogy. Today, we're diving deeper into how to secure your cloud property with AWS's powerful security tools: Security Groups and Network Access Control Lists (NACLs). I'll also show you how to properly architect applications using private subnets with load balancers.

As someone who's architected countless VPC deployments, I can tell you that security is always the first concern for organizations moving to the cloud. Let's explore how AWS addresses this through its shared responsibility model.

Security in AWS: A Shared Responsibility

When I first started working with AWS, I made a critical mistake. I assumed AWS would handle all security automatically. Big mistake!

AWS operates on what they call a "shared responsibility model." Think of it like this: When you buy a house, the developer builds secure doors and windows, but you're still responsible for locking them and installing an alarm system.

Similarly, AWS provides the security tools (Security Groups, NACLs, API Gateway, etc.), but we as DevOps engineers and AWS admins must configure them properly.

During a recent client engagement, their CIO asked me, "Who's responsible if our data gets compromised in AWS?" My answer: "It depends on how it happens." If AWS's data centers are physically breached, that's on AWS. But if someone accesses your system because you left port 22 open to the world? That's on you.

Let's look at the security layers we can control:

Understanding Security Groups: Your Instance Bodyguards

I like to think of Security Groups as personal bodyguards for each of your EC2 instances. They stand right next to your resources and control who can talk to them.

When you create a Security Group in the AWS console, you'll see two tabs:

1. Inbound Rules
2. Outbound Rules

Inbound Rules: Who Can Approach Your Instance

Inbound rules control who can initiate communication with your instance. For example, if you're running a web server, you might allow:

• HTTP (port 80) from anywhere (0.0.0.0/0)
• HTTPS (port 443) from anywhere (0.0.0.0/0)
• SSH (port 22) only from your office IP (203.0.113.5/32)

Last month, I was troubleshooting why a client's application wasn't working. Turns out, they had allowed web traffic but forgotten to allow their application's custom port. Remember: Security Groups deny everything by default unless explicitly allowed.

Outbound Rules: Where Your Instance Can Go

By default, Security Groups allow all outbound traffic (your instance can talk to anyone). But for extra security, you might want to restrict this.

For example, if your web server only needs to connect to a specific database, you might only allow:

• MySQL (port 3306) to your database's security group
• HTTPS (port 443) to download updates

I once worked with a financial institution that restricted their payment processing servers to communicate only with their database and the payment gateway's specific IP addresses. Nothing else. This significantly reduced their attack surface.

The Stateful Nature of Security Groups

Here's something crucial that many miss: Security Groups are stateful. This means if you allow traffic in, the response traffic is automatically allowed out, regardless of outbound rules.

For example, if you allow HTTP inbound, your web server can send the response back to users without needing an explicit outbound rule.

Network ACLs: Your Subnet's Perimeter Wall

While Security Groups protect individual instances, Network ACLs (NACLs) protect entire subnets. I think of them as the perimeter wall around a neighborhood, controlling who can enter or exit the area.

When setting up NACLs, remember these key differences from Security Groups:

1. NACLs are stateless - you must explicitly allow both inbound and outbound traffic
2. NACLs process rules in numerical order (lowest number first)
3. Rule processing stops at the first match
4. NACLs have both allow and deny rules

Creating Effective NACLs

When I create NACLs, I start with a simple approach:

1. Create a low-numbered rule (like 100) to allow established connections
2. Add specific allow rules (200-800 range)
3. Add specific deny rules for known bad actors (900 range)
4. End with a catch-all deny rule (highest number, usually 32767)

Here's a real example from a recent project:

Inbound Rules:

• 100: Allow established connections (TCP port 1024-65535 from 0.0.0.0/0)
• 200: Allow HTTP (TCP port 80 from 0.0.0.0/0)
• 300: Allow HTTPS (TCP port 443 from 0.0.0.0/0)
• 900: Deny access from known malicious IP (TCP all ports from 198.51.100.0/24)
• 32767: Deny all traffic (All traffic from 0.0.0.0/0)

Outbound Rules:

• 100: Allow established connections (TCP port 1024-65535 to 0.0.0.0/0)
• 200: Allow HTTP (TCP port 80 to 0.0.0.0/0)
• 300: Allow HTTPS (TCP port 443 to 0.0.0.0/0)
• 32767: Deny all traffic (All traffic to 0.0.0.0/0)

Security Groups vs. NACLs: When to Use Each

I've seen many AWS beginners confused about when to use Security Groups versus NACLs. Here's my simple guideline:

Use Security Groups for:

• Instance-level control
• Allowing specific traffic to specific resources
• When you need stateful inspection

Use NACLs for:

• Subnet-level control
• Blocking specific IP ranges (denying traffic)
• Adding a second layer of defense

In my experience, you should always use both. NACLs provide broad subnet protection, while Security Groups provide precise resource-level control.

Architecting with Private Subnets and Load Balancers

Now, let's put this knowledge to work by designing a secure architecture using private subnets and load balancers.

The most secure pattern I've implemented looks like this:

1. Public subnet containing only a load balancer
2. Private subnet containing your application servers
3. Private subnet containing your database

Load Balancer: Your Public Face

The load balancer sits in your public subnet and is the only component directly accessible from the internet. I configure its Security Group to:

• Allow HTTP/HTTPS from anywhere (0.0.0.0/0)
• Allow outbound traffic only to the application servers' Security Group

Application Servers: Secure but Functional

The application servers sit in a private subnet with a Security Group that:

• Allows traffic ONLY from the load balancer's Security Group
• Allows outbound traffic only to the database and for updates

Database: Your Crown Jewels

The database resides in its own private subnet with a Security Group that:

• Allows traffic ONLY from the application servers' Security Group
• Denies all other connections

Step-by-Step: Creating a Secure VPC in AWS Console

Let's walk through creating this setup in AWS. I'll show you exactly how I do it:

1. Create a VPC: Go to VPC Dashboard in AWS Console Click "Create VPC" Name: "Production-VPC" IPv4 CIDR block: 10.0.0.0/16 Click "Create"
2. Create Subnets: Click "Subnets" then "Create subnet" For public subnet: Name: "Public-Subnet-1" VPC: Select "Production-VPC" Availability Zone: us-east-1a IPv4 CIDR block: 10.0.1.0/24 For private application subnet: Name: "Private-App-Subnet-1" VPC: Select "Production-VPC" Availability Zone: us-east-1a IPv4 CIDR block: 10.0.2.0/24 For private database subnet: Name: "Private-DB-Subnet-1" VPC: Select "Production-VPC" Availability Zone: us-east-1a IPv4 CIDR block: 10.0.3.0/24
3. Create Internet Gateway: Click "Internet Gateways" then "Create internet gateway" Name: "Production-IGW" Click "Create" then "Attach to VPC" Select "Production-VPC" and click "Attach"
4. Create Route Tables: Click "Route Tables" then "Create route table" For public route table: Name: "Public-RT" VPC: Select "Production-VPC" Add route: 0.0.0.0/0 target Internet Gateway Associate with Public-Subnet-1 For private route table: Name: "Private-RT" VPC: Select "Production-VPC" Associate with both private subnets
5. Create Security Groups: Click "Security Groups" then "Create security group" For load balancer: Name: "LB-SG" Description: "Load Balancer Security Group" VPC: Select "Production-VPC" Inbound: Allow HTTP/HTTPS from 0.0.0.0/0 Outbound: Allow all For application servers: Name: "App-SG" Description: "Application Servers Security Group" VPC: Select "Production-VPC" Inbound: Allow HTTP/HTTPS from LB-SG Outbound: Allow HTTPS to 0.0.0.0/0, MySQL to DB-SG For database: Name: "DB-SG" Description: "Database Security Group" VPC: Select "Production-VPC" Inbound: Allow MySQL from App-SG Outbound: Allow all
6. Create NACLs: Click "Network ACLs" then "Create network ACL" For public subnet: Name: "Public-NACL" VPC: Select "Production-VPC" Associate with Public-Subnet-1 Inbound: 100: Allow 80, 443 from 0.0.0.0/0 200: Allow 1024-65535 from 0.0.0.0/0 (highest): Deny all traffic Outbound: 100: Allow 80, 443 to 0.0.0.0/0 200: Allow 1024-65535 to 0.0.0.0/0 (highest): Deny all traffic For private subnets: Create similar NACLs but more restrictive
7. Create Load Balancer: Go to EC2 Dashboard Click "Load Balancers" then "Create Load Balancer" Choose "Application Load Balancer" Name: "Production-ALB" Scheme: internet-facing Listeners: HTTP and HTTPS VPC: Select "Production-VPC" Subnets: Select Public-Subnet-1 Security Groups: Select LB-SG Configure routing to your target group of EC2 instances

Real-World Scenario: Blocking Malicious Traffic

Last month, I noticed suspicious traffic hitting one of our web applications from a specific IP range. Here's what I did:

1. Identified the malicious IP range (203.0.113.0/24)
2. Added a NACL rule to our public subnet: Rule #900 (high priority, but before the catch-all) Deny all traffic from 203.0.113.0/24
3. Kept monitoring logs to ensure blocking was effective

This approach was much more efficient than adding deny rules to each Security Group individually.

Common Mistakes to Avoid

From years of building VPCs, here are the most common security mistakes I see:

1. Using only Security Groups or only NACLs - Use both for defense in depth
2. Forgetting the stateless nature of NACLs - You need both inbound and outbound rules
3. Making Security Groups too permissive - Follow the principle of least privilege
4. Not logging and monitoring - Enable VPC Flow Logs to see what traffic is being allowed/denied
5. Hardcoding IPs in Security Groups - Reference other Security Groups where possible

Conclusion: Defense in Depth

The key takeaway I want you to remember is that AWS security works best in layers. By combining Security Groups and NACLs, placing resources in private subnets, and using load balancers as controlled entry points, you create multiple security barriers that attackers must overcome.

Got questions about securing your VPC? I'd love to hear from you! Drop me an email or comment below.

Happy clouding!