What is the difference between a network ACL and a security group?
I am currently engaged in a task related to designing the security architecture for a cloud-based application. This application consists of multiple microservices deployed on AWS EC2 instances. Every microservice communicates with the others within the application and with external services. How can I use network ACLs and security groups to ensure secure communication within the application and with those services?
In the context of AWS, you can ensure secure communication within the application and with external services by using network ACLs and security groups in the following ways:
Network ACLs
You can use them at the subnet level to control inbound and outbound traffic. They let you allow specific ports for communication within the subnet, and for external communication, only the specific ports required by the external services. They deny all inbound and outbound traffic by default, so they enforce the least-privilege principle.
Here is an example using the AWS CLI:
# Network ACLs are stateless and evaluated in ascending rule-number order (first match wins); return traffic needs its own rule
# Inbound: microservice ports from the peer subnet (NACLs only see traffic crossing the subnet boundary, not traffic between two instances in the same subnet)
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --ingress --rule-number 100 --protocol tcp --port-range From=3000,To=4000 --cidr-block 10.0.1.0/24 --rule-action allow
# Inbound: replies to outbound connections (e.g. the HTTP calls below) arrive on ephemeral ports
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --ingress --rule-number 110 --protocol tcp --port-range From=1024,To=65535 --cidr-block 0.0.0.0/0 --rule-action allow
# Outbound: HTTP to external services
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --egress --rule-number 200 --protocol tcp --port-range From=80,To=80 --cidr-block 0.0.0.0/0 --rule-action allow
# Outbound: replies to the inbound 3000-4000 connections
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --egress --rule-number 210 --protocol tcp --port-range From=1024,To=65535 --cidr-block 10.0.1.0/24 --rule-action allow
# Explicit deny-all per direction at the highest allowed rule number (32766); the built-in '*' rule already denies unmatched traffic, so these only make the intent visible
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --ingress --rule-number 32766 --protocol -1 --cidr-block 0.0.0.0/0 --rule-action deny
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --egress --rule-number 32766 --protocol -1 --cidr-block 0.0.0.0/0 --rule-action deny
Security Groups
You can use them at the instance level to further control inbound and outbound traffic based on specific rules. You can create separate security groups for the different types of instances so that only the required communication between them is allowed. They allow inbound traffic based on the source group, which enforces communication only from trusted instances.
Here is an example using the AWS CLI:
# Create a security group for web servers (replace vpc-12345678 with your VPC ID) and keep the new group ID
WEB_SG=$(aws ec2 create-security-group --group-name WebServerSG --description "Security Group for Web Servers" --vpc-id vpc-12345678 --query GroupId --output text)
# Allow inbound HTTP (port 80) from anywhere and SSH (port 22) only from the admin subnet
aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 22 --cidr 10.0.1.0/24
# Create a security group for database servers
DB_SG=$(aws ec2 create-security-group --group-name DBServerSG --description "Security Group for Database Servers" --vpc-id vpc-12345678 --query GroupId --output text)
# Allow inbound MySQL (port 3306) only from instances that carry WebServerSG; security groups are stateful, so the replies need no egress rule
aws ec2 authorize-security-group-ingress --group-id "$DB_SG" --protocol tcp --port 3306 --source-group "$WEB_SG"
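Added example, not part of the answer above: a small Python model of how AWS evaluates the two rule types, so the difference the question asks about can be seen on concrete packets. It reproduces the documented semantics (network ACL: subnet-level, stateless, numbered rules evaluated in ascending order, first match wins, implicit final deny; security group: instance-level, stateful, allow-only, any matching rule admits) and feeds them the rule sets from the answer's CLI commands. The addresses, ports, group ID `sg-web` and the instance-to-group membership table are constructed for the demonstration; nothing talks to AWS.

```python
"""Model of AWS network ACL vs security group evaluation.
Added example, not code from the answer; semantics follow the AWS VPC docs, while
all addresses, ports, rule sets and the membership table are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp", ...
    src_port: int
    dst_port: int
    egress: bool     # True = leaving the subnet/instance, False = arriving

@dataclass(frozen=True)
class NaclRule:
    number: int      # 1..32766, evaluated in ascending order
    egress: bool
    proto: str       # "-1" matches every protocol and every port
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"

@dataclass(frozen=True)
class SgRule:        # security groups have no deny rules and no ordering
    egress: bool
    proto: str
    port_from: int
    port_to: int
    cidr: Optional[str] = None          # match the peer by CIDR ...
    source_group: Optional[str] = None  # ... or by a security group it carries

def _service_match(rule, pkt):
    return rule.proto == "-1" or (rule.proto == pkt.proto and rule.port_from <= pkt.dst_port <= rule.port_to)

def nacl_allows(rules, pkt):
    """Stateless: each packet, including a TCP reply, is judged on its own."""
    peer = pkt.dst_ip if pkt.egress else pkt.src_ip
    for r in sorted(rules, key=lambda r: r.number):
        if (r.egress == pkt.egress and _service_match(r, pkt)
                and ip_address(peer) in ip_network(r.cidr)):
            return r.action == "allow"   # first matching rule decides
    return False                          # the built-in '*' rule denies the rest

class SecurityGroup:
    """Stateful: a flow admitted in one direction is admitted back automatically."""
    def __init__(self, rules, membership):
        self.rules = rules
        self.membership = membership     # instance IP -> set of security group IDs
        self._flows = set()              # connection-tracking table

    def allows(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if rev in self._flows:
            return True                  # reply to a tracked connection
        peer = pkt.dst_ip if pkt.egress else pkt.src_ip
        for r in self.rules:
            if r.egress != pkt.egress or not _service_match(r, pkt):
                continue
            by_cidr = r.cidr is not None and ip_address(peer) in ip_network(r.cidr)
            by_group = r.source_group in self.membership.get(peer, set())
            if by_cidr or by_group:
                self._flows.add(fwd)
                return True
        return False                     # no rule matched: dropped

ANSWER_NACL = [  # the answer's rules: inbound 3000-4000 from 10.0.1.0/24, outbound HTTP anywhere
    NaclRule(100, False, "tcp", 3000, 4000, "10.0.1.0/24", "allow"),
    NaclRule(200, True, "tcp", 80, 80, "0.0.0.0/0", "allow")]

def demo_nacl_statelessness():
    """A microservice calls an external HTTP API; the reply arrives on an ephemeral port."""
    request = Packet("10.0.1.10", "203.0.113.10", "tcp", 51234, 80, egress=True)
    reply = Packet("203.0.113.10", "10.0.1.10", "tcp", 80, 51234, egress=False)
    before = (nacl_allows(ANSWER_NACL, request), nacl_allows(ANSWER_NACL, reply))
    fixed = ANSWER_NACL + [NaclRule(110, False, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
    after = (nacl_allows(fixed, request), nacl_allows(fixed, reply))
    return before, after                 # ((True, False), (True, True))

def demo_nacl_ordering():
    """Rule numbers decide: a deny only bites if it sorts before the matching allow."""
    allow_any = NaclRule(100, False, "tcp", 80, 80, "0.0.0.0/0", "allow")
    bad = Packet("198.51.100.7", "10.0.1.10", "tcp", 44444, 80, egress=False)
    deny_first = [NaclRule(50, False, "tcp", 80, 80, "198.51.100.0/24", "deny"), allow_any]
    deny_last = [NaclRule(150, False, "tcp", 80, 80, "198.51.100.0/24", "deny"), allow_any]
    return nacl_allows(deny_first, bad), nacl_allows(deny_last, bad)   # (False, True)

def demo_sg_source_group():
    """DBServerSG admits 3306 only from instances that carry WebServerSG."""
    db_sg = SecurityGroup([SgRule(False, "tcp", 3306, 3306, source_group="sg-web")],
                          membership={"10.0.1.10": {"sg-web"}})
    request = Packet("10.0.1.10", "10.0.1.20", "tcp", 40000, 3306, egress=False)
    reply = Packet("10.0.1.20", "10.0.1.10", "tcp", 3306, 40000, egress=True)
    rogue = Packet("10.0.1.99", "10.0.1.20", "tcp", 40001, 3306, egress=False)
    return db_sg.allows(request), db_sg.allows(reply), db_sg.allows(rogue)   # (True, True, False); reply needs no egress rule
```

The first demo is the practical point to check when an outbound HTTP call from a subnet with a custom NACL hangs: the request leaves on rule 200, but the reply comes back to an ephemeral port that no inbound rule covers, so the stateless NACL drops it until an inbound ephemeral-port rule is added. The second demo shows that NACL deny rules are only useful if numbered before the allow they are meant to override. The third demo shows the security group doing two things a NACL cannot: matching the peer by the security group it carries rather than by address, and admitting the reply without any egress rule because the group tracks the connection.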