
AWS Security Essentials – Network Segmentation Lab

Hands-On Lab


Length

01:30:00

Difficulty

Intermediate

Amazon VPC provides features that you can use to increase and monitor the security for your VPC:

  • Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
  • Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level

In this activity, the student will gain experience with using security groups and network access control lists to secure the different layers of a multi-tier application.


Network Segmentation Lab

In this lab, we're using security groups and network access control lists to segment the network so that only necessary traffic is available. Much of the environment has already been pre-provisioned and contains a VPC, SecurityEssentials, with six subnets: two DMZ subnets, two subnets for the application layer, and two subnets for the database layer. The route tables are also provided, with the DMZ subnets under one public route table and the four other subnets included in a private route table. The DMZ layer will contain the bastion host as well as the application load balancer; the app layer contains the application servers in an Auto Scaling group; finally, the database layer will contain an RDS database spanning multiple Availability Zones, with read replicas.

Before getting started, make sure you're logged in to the AWS web console and have selected the N. Virginia region (us-east-1).

Configure Security Groups

Navigate to VPC from the services menu and click Security Groups on the left side of the page.

Select Bastion, and click the Inbound Rules tab in the lower panel. Add a new rule with a Type of SSH (22), and set the Source to 0.0.0.0/0. Note that this is not a best practice; normally, we'd get the source from an administrator of an on-premises network to allow traffic only from internal users on that network. Click Save to add the rule.

Next, select ALB (Application Load Balancer) from the list of security groups in the top panel. Click the Inbound Rules tab and add a rule for HTTP (80), then set the Source to 0.0.0.0/0. Since this will be a customer entry point, allowing incoming traffic from all sources is okay (if we didn't, then some customers would not be able to access our application). Add another rule with the Type HTTPS (443) and a Source of 0.0.0.0/0. Click Save.

Select AppServer from the list of security groups and click the Inbound Rules tab. Add a rule for HTTP (80) and click the text box for the source. A contextual menu listing our security groups will appear below; select the ALB group. Add another rule for SSH (22) and set the Source to the Bastion security group (from the contextual menu). Click Save.

Finally, select RDSDB from the list of security groups and click the Inbound Rules tab. Add a rule with the Type MySQL/Aurora (3306), and set the Source to the AppServer group. Click Save.
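To check that the four security groups above chain the tiers together the way the lab intends, here is an added example (it is not part of the lab and does not use AWS tooling) that models the groups as configured and evaluates sample flows against them. It encodes two properties of security groups: they are stateful, so only inbound rules are listed and replies to permitted requests need no outbound rule; and a rule whose source is another security group matches any instance that is a member of that group rather than an address. The host addresses and the `Host` and `segmentation_report` names are constructed for the demonstration.

```python
"""Added example (not the lab's or AWS's code): model of the lab's security groups.

Security groups are stateful, so only inbound rules are recorded; a rule's
source is either a CIDR or the name of another security group.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class SgRule:
    port: int      # every rule in the lab is a single TCP port
    source: str    # a CIDR, or the name of a security group


# Inbound rules exactly as configured in the lab.
SECURITY_GROUPS = {
    "Bastion": [SgRule(22, "0.0.0.0/0")],
    "ALB": [SgRule(80, "0.0.0.0/0"), SgRule(443, "0.0.0.0/0")],
    "AppServer": [SgRule(80, "ALB"), SgRule(22, "Bastion")],
    "RDSDB": [SgRule(3306, "AppServer")],
}


@dataclass(frozen=True)
class Host:
    """An instance (or the ALB / RDS endpoint) and the groups attached to it."""
    ip: str
    groups: FrozenSet[str] = frozenset()


def rule_matches(rule: SgRule, src: Host, port: int) -> bool:
    """A group-referenced source matches by membership, a CIDR source by address."""
    if rule.port != port:
        return False
    if rule.source in SECURITY_GROUPS:
        return rule.source in src.groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(src: Host, dst: Host, port: int) -> bool:
    """True if any rule of any group attached to dst permits src -> dst:port.
    Because security groups are stateful, the reply needs no separate check."""
    return any(rule_matches(rule, src, port)
               for group in dst.groups
               for rule in SECURITY_GROUPS[group])


# Constructed hosts standing in for the lab's tiers.
INTERNET = Host("203.0.113.10")
ALB = Host("10.0.1.10", frozenset({"ALB"}))
BASTION = Host("10.0.1.20", frozenset({"Bastion"}))
APP = Host("10.0.3.10", frozenset({"AppServer"}))
DB = Host("10.0.5.10", frozenset({"RDSDB"}))


def segmentation_report() -> dict:
    """Intended paths should be allowed and every tier-skipping path denied."""
    return {
        "internet -> ALB:443": inbound_allowed(INTERNET, ALB, 443),
        "internet -> bastion:22": inbound_allowed(INTERNET, BASTION, 22),
        "ALB -> app:80": inbound_allowed(ALB, APP, 80),
        "bastion -> app:22": inbound_allowed(BASTION, APP, 22),
        "app -> db:3306": inbound_allowed(APP, DB, 3306),
        "internet -> app:80": inbound_allowed(INTERNET, APP, 80),
        "internet -> db:3306": inbound_allowed(INTERNET, DB, 3306),
        "bastion -> db:3306": inbound_allowed(BASTION, DB, 3306),
    }


if __name__ == "__main__":
    for flow, ok in segmentation_report().items():
        print(f"{flow:24} {'allowed' if ok else 'denied'}")
```

Running the script prints the first five flows as allowed and the last three as denied: the only way to reach an app server on port 80 is through an ALB member, and the only way to reach the database on 3306 is from an AppServer member, which is the segmentation the lab is building.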

Configure Network ACLs

Next, we'll set up our Network Access Control Lists (ACLs). Select Network ACLs from the menu on the left side of the screen.

Configure the DMZ ACL

First, select the DMZ ACL from the list in the top panel, and select the Inbound Rules tab in the bottom panel. Add a new rule with a Rule # of 100, a Type of SSH (22), and a Source of 0.0.0.0/0. Again, the source would normally come from the administrator of an internal network; we're allowing all traffic sources for the purposes of this lab.

Add another rule with a Rule # of 110, a Type of HTTP (80), and Source of 0.0.0.0/0. Add a third rule with a Rule # of 120, a Type of HTTPS (443), and a Source of 0.0.0.0/0.

Now, add a fourth rule with a Rule # of 130 and a Type of Custom TCP Rule. Enter a Port Range of 1024-65535 and a Source of 0.0.0.0/0. This last rule allows traffic on "ephemeral" ports, which covers return traffic from servers on different operating systems.

Add a final rule with a number of 140. Select a Type of ALL Traffic, and enter a Source of 0.0.0.0/0. Change the final "Allow/Deny" setting to DENY. This denies any inbound traffic that wasn't allowed by any of the first four rules. Click Save.

Next, select the Outbound Rules tab. We'll add the same rules as we used for inbound but with a destination rather than a source:

  • Rule #: 100; Type: SSH (22); Destination: 0.0.0.0/0
  • Rule #: 110; Type: HTTP (80); Destination: 0.0.0.0/0
  • Rule #: 120; Type: HTTPS (443); Destination: 0.0.0.0/0
  • Rule #: 130; Type: Custom TCP Rule; Port Range: 1024-65535; Destination: 0.0.0.0/0
  • Rule #: 140; Type: ALL Traffic; Destination: 0.0.0.0/0; Allow/Deny: DENY

Remember that ACL rules are "stateless," meaning that both inbound and outbound rules must be set for our system to function as intended. Click Save to apply these rules.

Finally, select the Subnet Associations tab, click Edit, and select the DMZ subnets. Their names should be DMZ1public and DMZ2public. Click Save.

In the top panel, which lists our access control lists, we should now see two subnets associated with the DMZ ACL.

Configure the AppLayer ACL

Select the AppLayer ACL from the list in the top panel, then select the Inbound Rules tab in the bottom panel.

Add a rule with a number of 100, a Type of HTTP (80), and a Source of 0.0.0.0/0. This rule will allow traffic from the load balancer, whose IP address (source) will likely change.

Add another rule with a number of 110, a Type of Custom TCP Rule, a Port Range of 1024-65535, and a Source of 0.0.0.0/0.

Add a final rule with a number of 120, a Type of ALL Traffic, and a Source of 0.0.0.0/0. Change the "Allow/Deny" setting to DENY for this last rule so that traffic not allowed by the previous two rules will be rejected.

Next, we'll select the Outbound Rules tab and add the same rules as we used for inbound traffic:

  • Rule #: 100; Type: HTTP (80); Destination: 0.0.0.0/0
  • Rule #: 110; Type: Custom TCP Rule; Port Range: 1024-65535; Destination: 0.0.0.0/0
  • Rule #: 120; Type: ALL Traffic; Destination: 0.0.0.0/0; Allow/Deny: DENY

Finally, select the Subnet Associations tab, click Edit and select the AppLayer subnets. Their names should be AppLayer1 and AppLayer2. Click Save.

In the top panel, which lists our access control lists, we should now see two subnets associated with the AppLayer ACL.

Configure the DBLayer ACL

Select the DBLayer ACL from the list in the top panel, then select the Inbound Rules tab in the bottom panel.

Add a rule with a Rule # of 100, a Type of MySQL/Aurora (3306), and a Source of 0.0.0.0/0. This rule will allow database traffic from the application layer. Note that it's okay to accept traffic from all sources here because we already configured the security group to accept traffic from instances in the AppServer group.

Add another rule with a number of 110, a Type of Custom TCP Rule, a Port Range of 1024-65535, and a Source of 0.0.0.0/0.

Add a final rule with a number of 120, a Type of ALL Traffic, and a Source of 0.0.0.0/0. Change the "Allow/Deny" setting to DENY for this last rule so that traffic not allowed by the previous two rules will be rejected.

Next, we'll select the Outbound Rules tab and add the same rules as we used for inbound traffic:

  • Rule #: 100; Type: MySQL/Aurora (3306); Destination: 0.0.0.0/0
  • Rule #: 110; Type: Custom TCP Rule; Port Range: 1024-65535; Destination: 0.0.0.0/0
  • Rule #: 120; Type: ALL Traffic; Destination: 0.0.0.0/0; Allow/Deny: DENY

Finally, select the Subnet Associations tab, click Edit and select the DBLayer subnets. Their names should be DBLayer1 and DBLayer2. Click Save.

In the top panel, which lists our access control lists, we should now see two subnets associated with the DBLayer ACL.
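The three ACLs above (DMZ, AppLayer and DBLayer) rely on two behaviours the text mentions but cannot show in the console: rules are evaluated in ascending rule-number order with the first match deciding, and ACLs are stateless, so a TCP connection needs its request allowed in one direction and its reply, on the client's ephemeral port, allowed in the other. The following added example (not part of the lab and not AWS tooling) encodes the three rule tables exactly as listed and evaluates sample connections against them, including connections that cross from one subnet to another and are therefore checked by both subnets' ACLs. The IP addresses and the function names `accepts_connection`, `initiates_connection` and `cross_subnet` are constructed for the demonstration.

```python
"""Added example (not the lab's or AWS's code): stateless evaluation of the
lab's three network ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    number: int
    port_range: Optional[Tuple[int, int]]  # None means "ALL Traffic"
    cidr: str
    allow: bool


def allow_tcp(number: int, low: int, high: int) -> AclRule:
    return AclRule(number, (low, high), "0.0.0.0/0", True)


def deny_all(number: int) -> AclRule:
    return AclRule(number, None, "0.0.0.0/0", False)


EPHEMERAL = (1024, 65535)

# The lab's rule tables; inbound and outbound are identical within each ACL.
_DMZ = [allow_tcp(100, 22, 22), allow_tcp(110, 80, 80), allow_tcp(120, 443, 443),
        allow_tcp(130, *EPHEMERAL), deny_all(140)]
_APP = [allow_tcp(100, 80, 80), allow_tcp(110, *EPHEMERAL), deny_all(120)]
_DB = [allow_tcp(100, 3306, 3306), allow_tcp(110, *EPHEMERAL), deny_all(120)]

NETWORK_ACLS = {
    "DMZ": {"inbound": _DMZ, "outbound": _DMZ},
    "AppLayer": {"inbound": _APP, "outbound": _APP},
    "DBLayer": {"inbound": _DB, "outbound": _DB},
}


def evaluate(rules, port: int, remote_ip: str) -> bool:
    """Lowest-numbered matching rule decides; anything unmatched is denied by
    the implicit final '*' rule that every network ACL carries."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if remote not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.port_range is not None:
            low, high = rule.port_range
            if not low <= port <= high:
                continue
        return rule.allow
    return False


def accepts_connection(acl: str, client_ip: str, client_port: int, server_port: int) -> bool:
    """A client outside the subnet connects to a server inside it: the request
    must pass the inbound table and the server's reply the outbound table."""
    tables = NETWORK_ACLS[acl]
    request_ok = evaluate(tables["inbound"], server_port, client_ip)
    reply_ok = evaluate(tables["outbound"], client_port, client_ip)
    return request_ok and reply_ok


def initiates_connection(acl: str, server_ip: str, server_port: int, client_port: int) -> bool:
    """A host inside the subnet connects out: request through the outbound
    table, reply back in through the inbound table."""
    tables = NETWORK_ACLS[acl]
    request_ok = evaluate(tables["outbound"], server_port, server_ip)
    reply_ok = evaluate(tables["inbound"], client_port, server_ip)
    return request_ok and reply_ok


def cross_subnet(src_acl, src_ip, src_port, dst_acl, dst_ip, dst_port) -> bool:
    """Traffic between two subnets must satisfy the ACL of each subnet."""
    return (initiates_connection(src_acl, dst_ip, dst_port, src_port)
            and accepts_connection(dst_acl, src_ip, src_port, dst_port))


if __name__ == "__main__":
    # Constructed addresses: an Internet client, the ALB and bastion in the
    # DMZ subnet, an app server, and the RDS endpoint.
    checks = {
        "internet -> bastion:22": accepts_connection("DMZ", "203.0.113.10", 51234, 22),
        "internet -> bastion:23": accepts_connection("DMZ", "203.0.113.10", 51235, 23),
        "ALB -> app:80": cross_subnet("DMZ", "10.0.1.10", 40000, "AppLayer", "10.0.3.10", 80),
        "bastion -> app:22": cross_subnet("DMZ", "10.0.1.20", 40001, "AppLayer", "10.0.3.10", 22),
        "app -> db:3306": cross_subnet("AppLayer", "10.0.3.10", 40002, "DBLayer", "10.0.5.10", 3306),
        "bastion -> db:3306": cross_subnet("DMZ", "10.0.1.20", 40003, "DBLayer", "10.0.5.10", 3306),
    }
    for flow, ok in checks.items():
        print(f"{flow:24} {'allowed' if ok else 'denied'}")
```

Two results are worth pausing on. First, with the AppLayer rules exactly as listed, an SSH connection from the bastion to an app server is denied at the ACL (port 22 matches neither rule 100 nor the ephemeral range, so rule 120 denies it) even though the AppServer security group allows it from the Bastion group; if that path is needed, the AppLayer ACL needs a matching inbound SSH (22) rule. Second, the bastion-to-database flow on 3306 passes both ACLs, because the ephemeral-range rules allow any port from 1024 upward; it is the RDSDB security group that stops it, which is exactly the point made about the DBLayer ACL above: the ACLs provide coarse subnet-level filtering, and the security groups remain the control that enforces the tier boundaries.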

Review

In this lab, we learned how to segment a network into layers and apply the proper security controls for each one.

Remember: Using a combination of the right Security Groups and Network Access Control Lists can be a powerful tool in securing your architecture.

Congratulations, you've completed the network segmentation lab! You can now mark this lab as complete and continue on with the rest of the course.