What is the difference between network ACL vs security group?

284    Asked by CarolineBrown in AWS , Asked on Mar 26, 2024

 I am currently engaged in a particular task which is related to designing the security Architecture for a particular cloud-based application. This application consists of multiple microservices deployed on AWS EC2 instances. Every microservices communicates with others within the application and with external services. How can I use the network ACLs and security Group to ensure secure communications within the application and with the service? 

Answered by debbie Jha

 In the context of AWS, you can ensure secure communications within the application and with External services in a particular AWS environment by using the network ACLs and security groups by using these approaches:-

Network ACLs

You can use it at the subnet level to control inbound and outbound traffic. It would allow you specific ports for communication within the subnet. For External communication, it would allow you specific ports required for the external ports. It would deny all the inbound and outbound traffic by default so that it can enforce a least privilege principle.

Here is an example of it by using the AWS CLI:-

# Allow inbound traffic within the subnet for microservices communication

  Aws ec2 create-network-acl-entry –network-acl-id acl-12345678 –rule-number 100 –protocol tcp –port-range From=3000,To=4000 –cidr-block 10.0.1.0/24 –rule-action allow

# Allow outbound traffic for HTTP communication

  Aws ec2 create-network-acl-entry –network-acl-id acl-12345678 –rule-number 200 –protocol tcp –port-range 80 –cidr-block 0.0.0.0/0 –rule-action allow

# Deny all other inbound and outbound traffic by default

  Aws ec2 create-network-acl-entry –network-acl-id acl-12345678 –rule-number 32767 –protocol -1 –egress –cidr-block 0.0.0.0/0 –rule-action deny

Security Group

You can use it at the Instance level to further control inbound band outbound traffic based on the specific rules. You can create separate security groups for the different types of instances and it would allow only required communication between them. It would allow inbound traffic based in the source group to enforce communication only from trusted Instances.

Here is an instance given if it by using AWS CLI:-

# Create a security group for web servers allowing HTTP and SSH traffic

  Aws ec2 create-security-group –group-name WebServerSG –description “Security Group for Web Servers”

# Authorize inbound traffic for HTTP (port 80) and SSH (port 22)

  Aws ec2 authorize-security-group-ingress –group-id sg-12345678 –protocol tcp –port 80 –cidr 0.0.0.0/0
  Aws ec2 authorize-security-group-ingress –group-id sg-12345678 –protocol tcp –port 22 –cidr 10.0.1.0/24

# Create a security group for database servers allowing MySQL traffic

  Aws ec2 create-security-group –group-name DBServerSG –description “Security Group for Database Servers”

# Authorize inbound traffic for MySQL (port 3306) from WebServerSG

  Aws ec2 authorize-security-group-ingress –group-id sg-87654321 –protocol tcp –port 3306 –source-group sg-12345678


Your Answer

Interviews

Parent Categories