Subnets and Network Access Control Lists (NACLs)

Welcome back to "Tech for PMs Unplugged!" In this edition, we’ll explore subnets and network access control lists (NACLs) within Amazon Virtual Private Cloud (VPC). These concepts are vital for managing network traffic, securing your applications, and ensuring seamless communication within your AWS environment.

What Are Subnets?

A subnet, or subnetwork, is a segment of a VPC's IP address range where you can place groups of isolated resources. Subnets are crucial for organizing and securing your VPC. Think of a subnet as a neighborhood within a city (your VPC), where each neighborhood has its own rules and security measures.

Types of Subnets

Public Subnet: A subnet that is directly accessible from the internet. It typically contains resources like web servers that need to be publicly accessible.

  • Example: Your company’s website server resides in a public subnet so customers can access it from anywhere in the world.

Private Subnet: A subnet that is not accessible from the internet. It usually hosts databases or application servers that need to communicate privately.

  • Example: Your customer database is in a private subnet to protect sensitive data from direct internet exposure.

Network Traffic in a VPC

Within a VPC, network traffic flows between instances, subnets, and internet gateways. Managing this traffic ensures security and efficiency.

Network Access Control Lists (NACLs)

NACLs are used to control inbound and outbound traffic to and from a subnet. They act as a security layer for your subnets by allowing or denying traffic based on a set of rules.

Stateless Packet Filtering: NACLs use stateless filtering, meaning they evaluate each packet of data individually. They don't keep track of the state of connections, so both inbound and outbound rules must be explicitly set.

  • Example: If you allow HTTP traffic into your subnet, you must also explicitly allow the outbound HTTP responses.
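To make the stateless behaviour concrete, here is a small Python model written for this edition (not AWS code) of how a NACL evaluates a packet: rules are checked in ascending rule number, the first match wins, and the implicit final rule denies everything. It shows that an inbound HTTP allow on its own lets the request in but drops the response, because the response travels back to the client's ephemeral port and needs its own outbound rule; the client address and the 1024-65535 ephemeral range are assumed values.

```python
# Added example: a minimal model of AWS NACL evaluation (not the service's own code).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port, ip):
    """Verdict for one packet: ascending rule number, first match wins,
    implicit deny (the '*' rule) if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.port_from <= port <= r.port_to):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"  # the implicit '*' rule at the end of every NACL

# Constructed public-subnet NACL: inbound allows HTTP from anywhere.
INBOUND = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
# Outbound list with no rule at all versus one that allows the ephemeral range
# (1024-65535 is an assumed range; check what your clients actually use).
OUTBOUND_BROKEN = []
OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

def http_exchange(outbound_rules, client_ip="203.0.113.10", client_port=51234):
    """Simulate one request/response pair through a stateless NACL.
    Returns (request_verdict, response_verdict)."""
    request = evaluate(INBOUND, "tcp", 80, client_ip)
    # The NACL does not remember the request; the response is a fresh packet
    # heading to the client's ephemeral port and is judged on its own.
    response = evaluate(outbound_rules, "tcp", client_port, client_ip)
    return request, response

if __name__ == "__main__":
    print(http_exchange(OUTBOUND_BROKEN))  # ('allow', 'deny')
    print(http_exchange(OUTBOUND_FIXED))   # ('allow', 'allow')
```

The same first-match ordering is why a deny rule must carry a lower number than the allow it is meant to override.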

Security Groups vs. NACLs

While NACLs provide security at the subnet level, security groups provide security at the instance level.

Security Groups: These are virtual firewalls for your EC2 instances to control inbound and outbound traffic. Security groups use stateful packet filtering.

  • Stateful Packet Filtering: Security groups remember the state of the connection. If an inbound rule allows traffic, the response is automatically allowed.

How They Work Together

Example Scenario: Your VPC has both a web server and a database server. You want the web server to be publicly accessible but the database server to be private and only accessible by the web server.

Subnet Configuration:

  • Public Subnet: Place the web server here.
  • Private Subnet: Place the database server here.

NACL Configuration:

  • Public Subnet NACL: Allow inbound HTTP/HTTPS traffic from the internet and allow outbound traffic to the internet.
  • Private Subnet NACL: Allow inbound traffic only from the public subnet (web server) and outbound responses to the public subnet.

Security Group Configuration:

  • Web Server Security Group: Allow inbound HTTP/HTTPS traffic and SSH access from a specific IP range (for administration), and allow all outbound traffic.
  • Database Server Security Group: Allow inbound traffic only from the web server’s security group, and allow all outbound traffic.

By configuring your VPC with subnets, NACLs, and security groups, you create a multi-layered security model. This ensures that only necessary traffic reaches your instances and sensitive data remains protected.

Example Use Case

E-commerce Application:

  • Public Subnet: Hosts the web servers that customers interact with.
  • Private Subnet: Hosts the backend database and application servers that process orders and store customer information.
  • NACLs and Security Groups: Control and restrict traffic flow between the public-facing web servers and the private backend servers, ensuring both security and efficiency.

Understanding and properly configuring subnets, NACLs, and security groups are crucial steps in building a secure and efficient AWS infrastructure. They help you manage network traffic, enforce security policies, and protect sensitive data from unauthorized access.

Stay tuned for our next edition, where we’ll dive deeper into AWS networking and security!