Amazon VPC User Guide
The full guide to understanding the VPC environment.

Scenarios for Amazon VPC

It is important to understand the different types of VPC configuration.

Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access


The instances in the VPN-only subnet can't reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies.

Recommended Security Groups

Your VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group.

For this scenario, we recommend that you create the following security groups instead of modifying the default security group:

WebServerSG—For the web servers in the public subnet

DBServerSG—For the database servers in the VPN-only subnet

Your VPC and Subnets

AWS hosts networks using the CIDR blocks and ; for this reason YOU CAN'T use those networks for your own purposes.

Subnets in Your VPC

AWS reserves both the first four IP addresses and the last IP address in each subnet CIDR block. They're not available for you to use.
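As an added example (not part of the AWS guide), the following Python script applies the rule just stated to a constructed VPC layout: it lists the five addresses AWS reserves in a subnet block, works out how many addresses remain for instances, and checks that a proposed subnet lies inside the VPC block. The VPC and subnet CIDRs are assumptions for illustration.

```python
"""Added example (not from the AWS guide): which addresses of a subnet
CIDR block are reserved under the rule the guide states (first four and
last), how many are left for instances, and whether the subnet fits
inside the VPC block. The VPC and subnet CIDRs used are constructed."""
import ipaddress

RESERVED_PER_SUBNET = 5   # first four addresses + the last (broadcast) address


def reserved_addresses(subnet_cidr):
    """Addresses in the block that AWS keeps for itself; no instance can be
    assigned any of them."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    reserved = [ipaddress.ip_address(base + i) for i in range(4)]
    reserved.append(net.broadcast_address)
    return [str(a) for a in reserved]


def usable_host_count(subnet_cidr):
    """Addresses an instance could actually be assigned in this subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.num_addresses <= RESERVED_PER_SUBNET:
        raise ValueError(f"{subnet_cidr} has no usable addresses")
    return net.num_addresses - RESERVED_PER_SUBNET


def check_subnet(vpc_cidr, subnet_cidr):
    """Summarise a proposed subnet: does it lie within the VPC block, which
    addresses are reserved, and how many remain once those are taken out?"""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    return {
        "inside_vpc": subnet.subnet_of(vpc),
        "reserved": reserved_addresses(subnet_cidr),
        "usable": usable_host_count(subnet_cidr),
    }


if __name__ == "__main__":
    # Constructed layout: a /16 VPC with one public and one VPN-only /24.
    for name, cidr in [("public", "10.0.0.0/24"), ("vpn-only", "10.0.1.0/24")]:
        print(name, check_subnet("10.0.0.0/16", cidr))
```

Running it shows, for a /24, that 251 addresses remain usable; a /28 (the smallest block shown here) leaves 11.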

By design, each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.

Security in Your VPC

Security Groups

  • Security groups—Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
  • Network access control lists (ACLs)—Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level

Amazon security groups and network ACLs don't filter traffic to or from link-local addresses or AWS reserved addresses (the first four IP addresses and the last one in each subnet). These addresses support the services: Domain Name Services (DNS), Dynamic Host Configuration Protocol (DHCP), Amazon EC2 instance metadata, Key Management Server (KMS—license management for Windows instances), and routing in the subnet. You can implement additional firewall solutions in your instances to block network communication with link-local addresses.

Comparison of Security Groups and Network ACLs

good table of comparison here


Security Groups for Your VPC

  • You can specify allow rules, but not deny rules.
  • You can specify separate rules for inbound and outbound traffic. (in EC2-Classic, only inbound)
  • By default, no inbound traffic is allowed until you add inbound rules to the security group.
  • By default, all outbound traffic is allowed until you add outbound rules to the group (and then, you specify the outbound traffic that's allowed).
  • Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (security groups are therefore stateful).
  • Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).
  • After you launch an instance, you can change which security groups the instance is associated with.

Security Group Rules

Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports.
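As an added example (not code from the AWS guide), the following Python model captures the security group properties listed above: allow rules only, separate inbound and outbound rule sets, matching on the destination port only, outbound allowed by default until an outbound rule exists, and stateful treatment of replies. The group name WebServerSG comes from the scenario above; the CIDRs, ports and client addresses are constructed.

```python
"""Added example (not from the AWS guide): a model of the security group
semantics the notes list. Rules are allow-only, inbound and outbound are
separate, only the destination port is consulted, and a reply on a flow
that was already allowed passes regardless of the rules for its own
direction (stateful). Group names, CIDRs and ports are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SGRule:
    protocol: str     # "tcp", "udp" or "all"
    from_port: int    # destination port range; the source port is never consulted
    to_port: int
    cidr: str         # source CIDR (inbound rule) or destination CIDR (outbound rule)

    def matches(self, protocol, dst_port, peer_ip):
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not self.from_port <= dst_port <= self.to_port:
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # Flows admitted in one direction; a reply on the same flow is then
    # allowed in the other direction without consulting that direction's rules.
    _tracked: set = field(default_factory=set, init=False, repr=False)

    def evaluate(self, direction, protocol, peer_ip, src_port, dst_port):
        """direction is 'in' (packet arriving at the instance) or 'out'.
        Returns True if the packet is allowed."""
        our_port, peer_port = (dst_port, src_port) if direction == "in" else (src_port, dst_port)
        flow = (protocol, peer_ip, our_port, peer_port)
        if flow in self._tracked:
            return True                        # stateful: reply to an already allowed flow
        rules = self.inbound if direction == "in" else self.outbound
        if direction == "out" and not rules:
            return True                        # all outbound allowed until an outbound rule is added
        if any(rule.matches(protocol, dst_port, peer_ip) for rule in rules):
            self._tracked.add(flow)
            return True
        return False                           # no allow rule matched; deny rules do not exist


DB_SUBNET = "10.0.1.0/24"   # constructed VPN-only subnet holding the database servers


def web_server_sg():
    """Constructed WebServerSG: HTTPS in from anywhere; only MySQL out, to the DB subnet.
    Because an outbound rule exists, everything else leaving the instance is dropped."""
    return SecurityGroup(
        "WebServerSG",
        inbound=[SGRule("tcp", 443, 443, "0.0.0.0/0")],
        outbound=[SGRule("tcp", 3306, 3306, DB_SUBNET)],
    )


def walkthrough():
    """Evaluate a handful of constructed packets against WebServerSG."""
    sg = web_server_sg()
    client, db = "203.0.113.5", "10.0.1.20"
    no_outbound_rules = SecurityGroup("Minimal", inbound=[SGRule("tcp", 443, 443, "0.0.0.0/0")])
    return {
        "https_in":     sg.evaluate("in",  "tcp", client, 51000, 443),      # inbound rule matches
        "https_reply":  sg.evaluate("out", "tcp", client, 443, 51000),      # tracked flow, no outbound rule needed
        "ssh_in":       sg.evaluate("in",  "tcp", client, 51001, 22),       # no rule allows it
        "mysql_out":    sg.evaluate("out", "tcp", db, 40000, 3306),         # outbound rule matches
        "mysql_reply":  sg.evaluate("in",  "tcp", db, 3306, 40000),         # tracked flow
        "http_out":     sg.evaluate("out", "tcp", "198.51.100.9", 40001, 80),   # outbound rules exist, none match
        "default_out":  no_outbound_rules.evaluate("out", "tcp", "198.51.100.9", 40002, 80),  # no outbound rules yet
    }
```

Note that `https_reply` is allowed even though no outbound rule mentions port 51000: that is the stateful behaviour, and it is also why the ephemeral-port handling discussed under network ACLs below has no counterpart for security groups.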

There are some important differences between EC2-Classic security groups and EC2-VPC security groups. They are summarized in a table.

Network ACLs

Network ACL Basics
  • A network ACL is a numbered list of rules that we evaluate in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. We suggest that you start by creating rules with rule numbers that are multiples of 100, so that you can insert new rules where you need to later on.
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • Your VPC automatically comes with a modifiable default network ACL; by default, it allows all inbound and outbound traffic.
  • You can create custom network ACLs; each custom network ACL starts out closed (permits no traffic) until you add a rule.
  • Each subnet must be associated with a network ACL; if you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  • Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
Network ACL Rules
  • When you add or remove rules from a network ACL, the changes are automatically applied to the subnets it's associated with.
  • Rule number. Rules are evaluated starting with the lowest numbered rule.
  • Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
  • Inbound rules only: the source of the traffic (CIDR range) and the destination (listening) port or port range.
  • Outbound rules only: the destination for the traffic (CIDR range) and the destination port or port range.
Default Network ACL

Inbound:
Rule #    Source IP    Protocol    Port    Allow/Deny
100 All All ALLOW

Outbound:
Rule #    Dest IP    Protocol    Port    Allow/Deny
100 all all ALLOW
* all all DENY

Each network ACL includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other rules, it's denied.

Ephemeral Ports

In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you need to open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Make sure to place the DENY rules earlier in the table than the rule that opens the wide range of ephemeral ports.
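The following Python evaluator is an added example, not code from the AWS guide; it implements the network ACL semantics described in this section (numbered rules evaluated lowest first, first match wins, the `*` rule denies whatever is left, no connection state) and uses them to show two things: why a stateless ACL needs an explicit ephemeral-port rule for replies, and why a DENY inside the ephemeral range only works when its rule number is lower than the wide ALLOW. The ACL contents, the addresses and the choice of TCP 3389 as the port to deny are constructed for illustration.

```python
"""Added example (not from the AWS guide): a small evaluator for the
network ACL semantics the guide describes. Rules are evaluated lowest
number first, the first match wins, the catch-all '*' rule denies, and
the ACL is stateless. Rule numbers, ports and CIDRs are constructed."""
import ipaddress
from dataclasses import dataclass

MAX_RULE_NUMBER = 32766   # highest rule number allowed, per the guide
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order: lowest first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp" or "all"
    from_port: int     # destination port range (inbound and outbound alike)
    to_port: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol, port, peer_ip):
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


class NetworkAcl:
    def __init__(self, inbound, outbound):
        for rule in (*inbound, *outbound):
            if not 1 <= rule.number <= MAX_RULE_NUMBER:
                raise ValueError(f"rule number {rule.number} out of range")
        # Sort once so evaluation walks the rules lowest-number-first.
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction, protocol, peer_ip, port):
        """Return (action, rule_number); '*' is the implicit final deny.
        No state is kept: a reply packet is judged only by the rules for
        its own direction."""
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:
            if rule.matches(protocol, port, peer_ip):
                return rule.action, str(rule.number)
        return "deny", "*"


def public_subnet_acl(deny_rule_number=130):
    """Constructed ACL for a public web subnet: HTTPS in, web traffic out,
    plus the ephemeral range 1024-65535 in both directions for replies.
    deny_rule_number positions a DENY for TCP 3389 relative to the wide
    ephemeral ALLOW at 140, so callers can see why ordering matters."""
    if deny_rule_number == 140:
        raise ValueError("deny rule would collide with the ephemeral allow rule")
    inbound = [
        NaclRule(100, "allow", "tcp", 443, 443, ANY),
        NaclRule(deny_rule_number, "deny", "tcp", 3389, 3389, ANY),
        NaclRule(140, "allow", "tcp", 1024, 65535, ANY),   # replies to outbound requests
    ]
    outbound = [
        NaclRule(100, "allow", "tcp", 80, 80, ANY),
        NaclRule(110, "allow", "tcp", 443, 443, ANY),
        NaclRule(120, "allow", "tcp", 1024, 65535, ANY),   # replies to inbound clients
    ]
    return NetworkAcl(inbound, outbound)


def https_request_and_reply():
    """Inbound HTTPS request and its outbound reply to the client's ephemeral port."""
    acl = public_subnet_acl()
    return acl.evaluate("in", "tcp", "203.0.113.5", 443), acl.evaluate("out", "tcp", "203.0.113.5", 51000)


def stateless_without_ephemeral_rule():
    """Same request against an ACL that allows HTTPS in but has no outbound
    ephemeral rule: the request passes, the reply hits '*' and is dropped."""
    acl = NetworkAcl([NaclRule(100, "allow", "tcp", 443, 443, ANY)], [])
    return acl.evaluate("in", "tcp", "203.0.113.5", 443), acl.evaluate("out", "tcp", "203.0.113.5", 51000)


def deny_ordering():
    """The DENY for 3389 placed before (130) and after (150) the wide ALLOW at 140."""
    well_ordered = public_subnet_acl(deny_rule_number=130).evaluate("in", "tcp", "198.51.100.7", 3389)
    misordered = public_subnet_acl(deny_rule_number=150).evaluate("in", "tcp", "198.51.100.7", 3389)
    return well_ordered, misordered
```

`deny_ordering()` returns `(("deny", "130"), ("allow", "140"))`: with the DENY numbered 150 it is never reached, because rule 140 already matched. Since rules cannot be edited in place, fixing such a misordering means adding the DENY under a lower number and then deleting the old one, as described under "Adding and Deleting Rules" below.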

Working with Network ACLs

Adding and Deleting Rules

When you add or delete a rule from an ACL, any subnets associated with the ACL are subject to the change. You don't have to terminate and relaunch the instances in the subnet; the changes take effect after a short period.

You can't modify rules; you can only add and delete rules. If you need to change the order of a rule in the ACL, you must add a new rule with the new rule number, and then delete the original rule.

Associating a Subnet with a Network ACL

To apply the rules of a network ACL to a particular subnet, you must associate the subnet with the network ACL. You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL. Any subnet not associated with a particular ACL is associated with the default network ACL by default.

Recommended Network ACL Rules for Your VPC

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License