
Configuring Layered Security in an AWS VPC

Hands-On Lab


Mark Richman

AWS Training Architect II in Content

Length: 00:30:00

Difficulty: Intermediate


Introduction

Amazon VPC provides features you can use to increase and monitor the security for your VPC, including route tables, security groups, and network access control lists (NACLs). When you launch an instance in a VPC, you can associate one or more security groups that you've created. Each instance in your VPC could belong to a different set of security groups. You can secure your VPC instances using only security groups; however, you can add network ACLs as an additional layer of defense. In this hands-on lab, you will configure multiple layers of security in a VPC.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Configure Route Tables

  1. Navigate to VPC.
  2. Click Route Tables in the left-hand menu.

PublicRT

  1. Select PublicRT.
  2. Click the Routes tab.
  3. Click Edit routes, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: Internet gateway, and select the listed igw-
  4. Click Save routes.
  5. Click the Subnet Associations tab.
  6. Click Edit subnet associations.
  7. Select the following subnets:
    • DMZ1public
    • DMZ2public
  8. Click Save.

PrivateRT

  1. Select PrivateRT.
  2. Click the Routes tab, and click Edit routes.
  3. Set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT gateway, and select the listed nat-
  4. Click Save routes.
  5. Click the Subnet Associations tab.
  6. Click Edit subnet associations.
  7. Select the following subnets:
    • AppLayer1private
    • AppLayer2private
    • DBLayer1private
    • DBLayer2private
  8. Click Save.

Configure Security Groups

  1. Click Security Groups in the left-hand menu.

LoadBalancerSG

  1. Select LoadBalancerSG.
  2. Click the Inbound Rules tab, and click Edit rules.
  3. Click Add Rule, and set the following values:
    • Type: HTTP
    • Source: 0.0.0.0/0
  4. Click Add Rule, and set the following values:
    • Type: HTTPS
    • Source: 0.0.0.0/0
  5. Click Save rules.

WebServerSG

  1. Select WebServerSG.
  2. Click the Inbound Rules tab, and click Edit rules.
  3. Click Add Rule, and set the following values:
    • Type: HTTP
    • Source: Type sg and select the listed LoadBalancerSecurityGroup
  4. Click Add Rule, and set the following values:
    • Type: SSH
    • Source: Type sg and select the listed BastionSecurityGroup
  5. Click Save rules.

BastionSG

  1. Select BastionSG.
  2. Click the Inbound Rules tab, and click Edit rules.
  3. Click Add Rule, and set the following values:
    • Type: SSH
    • Source: 0.0.0.0/0
  4. Click Save rules.

DatabaseSG

  1. Select DatabaseSG.
  2. Click the Inbound Rules tab, and click Edit rules.
  3. Click Add Rule, and set the following values:
    • Type: MYSQL/Aurora
    • Source: Type sg and select the listed WebServerSecurityGroup
  4. Click Save rules.
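The four groups above form a chain of trust: the load balancer is the only tier open to the internet on 80/443, the web tier accepts HTTP only from LoadBalancerSG and SSH only from BastionSG, and the database accepts 3306 only from WebServerSG. The script below is an added example, not part of the lab: it encodes that chain as an invariant and audits a set of groups against it. The group data is constructed to mirror the lab's rules in the shape boto3's describe_security_groups returns (IpPermissions, IpRanges, UserIdGroupPairs), and the group IDs are placeholders rather than real AWS identifiers.

```python
"""Offline audit of the lab's security-group layering.

Added example, not part of the lab: the group data below is constructed to
mirror the four groups the lab configures, in the shape boto3's
describe_security_groups returns ("IpPermissions", "IpRanges",
"UserIdGroupPairs"). Group IDs are placeholders, not real AWS identifiers.
"""
import copy

# Placeholder IDs (constructed); in a real audit they come from the API response.
SG_IDS = {
    "LoadBalancerSG": "sg-placeholder-lb",
    "WebServerSG": "sg-placeholder-web",
    "BastionSG": "sg-placeholder-bastion",
    "DatabaseSG": "sg-placeholder-db",
}


def tcp_rule(port, cidr=None, source_sg=None):
    """Build one inbound permission for a single TCP port, from a CIDR or another group."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "UserIdGroupPairs": [{"GroupId": SG_IDS[source_sg]}] if source_sg else [],
    }


def group(name, permissions):
    return {"GroupName": name, "GroupId": SG_IDS[name], "IpPermissions": permissions}


# The four groups exactly as the lab's steps configure them.
LAB_GROUPS = [
    group("LoadBalancerSG", [tcp_rule(80, cidr="0.0.0.0/0"), tcp_rule(443, cidr="0.0.0.0/0")]),
    group("WebServerSG", [tcp_rule(80, source_sg="LoadBalancerSG"), tcp_rule(22, source_sg="BastionSG")]),
    group("BastionSG", [tcp_rule(22, cidr="0.0.0.0/0")]),
    group("DatabaseSG", [tcp_rule(3306, source_sg="WebServerSG")]),
]

# The layering invariant: an internal tier's ports may only trust the tier in front of it.
EXPECTED_SOURCES = {
    "WebServerSG": {80: {"LoadBalancerSG"}, 22: {"BastionSG"}},
    "DatabaseSG": {3306: {"WebServerSG"}},
}


def audit(groups):
    """Return a list of findings (strings); an empty list means the layering holds."""
    name_by_id = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        name = g["GroupName"]
        expected = EXPECTED_SOURCES.get(name, {})
        for perm in g["IpPermissions"]:
            # Protocol "-1" (all traffic) carries no port fields in the API response.
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            for rng in perm["IpRanges"]:
                cidr = rng["CidrIp"]
                if cidr == "0.0.0.0/0" and lo <= 22 <= hi:
                    findings.append(f"{name}: SSH (22) reachable from 0.0.0.0/0")
                if cidr == "0.0.0.0/0" and expected:
                    findings.append(f"{name}: ports {lo}-{hi} open to 0.0.0.0/0 on an internal tier")
            for pair in perm["UserIdGroupPairs"]:
                src = name_by_id.get(pair["GroupId"], pair["GroupId"])
                for port, allowed in expected.items():
                    if lo <= port <= hi and src not in allowed:
                        findings.append(f"{name}: port {port} trusts {src}, expected {sorted(allowed)}")
    return findings


def with_extra_rule(groups, group_name, rule):
    """Copy the group list and append one permission, for what-if checks."""
    clone = copy.deepcopy(groups)
    for g in clone:
        if g["GroupName"] == group_name:
            g["IpPermissions"].append(rule)
    return clone


if __name__ == "__main__":
    for line in audit(LAB_GROUPS) or ["no findings"]:
        print(line)
```

Run against the lab's own rules, the audit reports exactly one finding, the bastion's SSH rule from 0.0.0.0/0, which is the one place the lab deliberately exposes port 22 and therefore the rule worth reviewing first. Appending a 0.0.0.0/0 HTTP rule to WebServerSG, or pointing DatabaseSG at BastionSG instead of WebServerSG, produces an additional finding, which is the kind of drift a scheduled check of describe_security_groups output would catch.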

Configure NACLs

  1. Click Network ACLs in the left-hand menu.

AppNACL

Inbound Rules

  1. Select AppNACL.
  2. Click the Inbound Rules tab, and click Edit inbound rules.
  3. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: SSH
    • Port Range: 22
    • Source: 10.99.0.0/16
    • Allow / Deny: ALLOW
  4. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: HTTP
    • Port Range: 8080
    • Source: 10.99.0.0/16
    • Allow / Deny: ALLOW
  5. Click Add Rule, and set the following values:
    • Rule #: 120
    • Type: HTTPS
    • Port Range: 8443
    • Source: 10.99.0.0/16
    • Allow / Deny: ALLOW
  6. Click Add Rule, and set the following values:
    • Rule #: 130
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  7. Click Save.

Outbound Rules

  1. Click the Outbound Rules tab, and click Edit outbound rules.
  2. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: SSH
    • Port Range: 22
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  3. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: HTTP
    • Port Range: 8080
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  4. Click Add Rule, and set the following values:
    • Rule #: 120
    • Type: HTTPS
    • Port Range: 8443
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  5. Click Add Rule, and set the following values:
    • Rule #: 130
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  6. Click Save.

Subnet Associations

  1. Click the Subnet associations tab.
  2. Click Edit subnet associations.
  3. Select the following subnets:
    • AppLayer1private
    • AppLayer2private
  4. Click Edit.

DMZNACL

Inbound Rules

  1. Select DMZNACL.
  2. Click the Inbound Rules tab, and click Edit inbound rules.
  3. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: SSH
    • Port Range: 22
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  4. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: HTTP
    • Port Range: 8080
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  5. Click Add Rule, and set the following values:
    • Rule #: 120
    • Type: HTTPS
    • Port Range: 8443
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  6. Click Add Rule, and set the following values:
    • Rule #: 130
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  7. Click Save.

Outbound Rules

  1. Click the Outbound Rules tab, and click Edit outbound rules.
  2. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: SSH
    • Port Range: 22
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  3. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: HTTP
    • Port Range: 8080
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  4. Click Add Rule, and set the following values:
    • Rule #: 120
    • Type: HTTPS
    • Port Range: 8443
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  5. Click Add Rule, and set the following values:
    • Rule #: 130
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Destination: 0.0.0.0/0
    • Allow / Deny: ALLOW
  6. Click Save.

Subnet Associations

  1. Click the Subnet associations tab.
  2. Click Edit subnet associations.
  3. Select the following subnets:
    • DMZ1public
    • DMZ2public
  4. Click Edit.

DBNACL

Inbound Rules

  1. Select DBNACL.
  2. Click the Inbound Rules tab, and click Edit inbound rules.
  3. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: MySQL/Aurora
    • Port Range: 3306
    • Source: 10.99.0.0/16
    • Allow / Deny: ALLOW
  4. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Source: 0.0.0.0/0
    • Allow / Deny: ALLOW
  5. Click Save.

Outbound Rules

  1. Click the Outbound Rules tab, and click Edit outbound rules.
  2. Click Add Rule, and set the following values:
    • Rule #: 100
    • Type: MySQL/Aurora
    • Port Range: 3306
    • Destination: 10.99.0.0/16
    • Allow / Deny: ALLOW
  3. Click Add Rule, and set the following values:
    • Rule #: 110
    • Type: Custom TCP Rule
    • Port Range: 1024-65535
    • Destination: 10.99.0.0/16
    • Allow / Deny: ALLOW
  4. Click Save.

Subnet Associations

  1. Click the Subnet associations tab.
  2. Click Edit subnet associations.
  3. Select the following subnets:
    • DBLayer1private
    • DBLayer2private
  4. Click Edit.
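Unlike security groups, NACLs are stateless and evaluated in rule-number order with an implicit deny at the end, which is why every NACL above carries a Custom TCP 1024-65535 rule: the reply to a request lands on the client's ephemeral port and needs its own allow. The evaluator below is an added example, not part of the lab. Its rule tables are constructed to mirror AppNACL and DBNACL as configured above; the peer addresses used in the checks are made up, and 10.99.0.0/16 is taken to be the lab VPC's range because that is the source range the lab's rules use.

```python
"""Stateless evaluation of the lab's network ACLs.

Added example, not part of the lab. The rule tables below are constructed to
mirror the lab's AppNACL and DBNACL; the peer addresses used in the checks are
made up and only assumed to fall inside the lab's 10.99.0.0/16 range.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first
    port_from: int   # NACL port ranges apply to the packet's destination port
    port_to: int
    cidr: str        # Source for inbound rules, Destination for outbound rules
    action: str      # "ALLOW" or "DENY"


def evaluate(rules: List[NaclRule], peer_ip: str, dst_port: int) -> Optional[int]:
    """Return the number of the first rule that matches and allows the packet.

    Returns None when the first match is a DENY or when nothing matches,
    which is the implicit '*' default-deny rule at the end of every NACL.
    """
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to and addr in ipaddress.ip_network(rule.cidr):
            return rule.number if rule.action == "ALLOW" else None
    return None


def serve(inbound, outbound, peer_ip, peer_port, local_port):
    """A peer connects to a local service: request checked inbound, reply outbound.

    Because NACLs are stateless, the reply to the peer's ephemeral port needs
    its own outbound allow rule; nothing remembers that the request was accepted.
    """
    return {
        "request": evaluate(inbound, peer_ip, local_port),
        "reply": evaluate(outbound, peer_ip, peer_port),
    }


def connect(inbound, outbound, peer_ip, peer_port, local_port):
    """A local host opens a connection out: request checked outbound, reply inbound."""
    return {
        "request": evaluate(outbound, peer_ip, peer_port),
        "reply": evaluate(inbound, peer_ip, local_port),
    }


def tcp(number, port_from, port_to, cidr, action="ALLOW"):
    return NaclRule(number, port_from, port_to, cidr, action)


# AppNACL as configured in the lab (all rules TCP).
APP_INBOUND = [tcp(100, 22, 22, "10.99.0.0/16"), tcp(110, 8080, 8080, "10.99.0.0/16"),
               tcp(120, 8443, 8443, "10.99.0.0/16"), tcp(130, 1024, 65535, "0.0.0.0/0")]
APP_OUTBOUND = [tcp(100, 22, 22, "0.0.0.0/0"), tcp(110, 8080, 8080, "0.0.0.0/0"),
                tcp(120, 8443, 8443, "0.0.0.0/0"), tcp(130, 1024, 65535, "0.0.0.0/0")]

# DBNACL as configured in the lab: the ephemeral-port rule only reaches back into 10.99.0.0/16.
DB_INBOUND = [tcp(100, 3306, 3306, "10.99.0.0/16"), tcp(110, 1024, 65535, "0.0.0.0/0")]
DB_OUTBOUND = [tcp(100, 3306, 3306, "10.99.0.0/16"), tcp(110, 1024, 65535, "10.99.0.0/16")]


def without(rules, number):
    """Copy of a rule table with one rule removed, for what-if checks."""
    return [r for r in rules if r.number != number]


if __name__ == "__main__":
    # Web tier (constructed address 10.99.1.10) calling the app tier on 8080.
    print(serve(APP_INBOUND, APP_OUTBOUND, "10.99.1.10", 43210, 8080))
    # Same exchange with the ephemeral outbound rule removed: the reply is dropped.
    print(serve(APP_INBOUND, without(APP_OUTBOUND, 130), "10.99.1.10", 43210, 8080))
    # A database host trying to reach the internet (TEST-NET address) on 443.
    print(connect(DB_INBOUND, DB_OUTBOUND, "203.0.113.10", 443, 51000))
```

Three things fall out of running it. Removing rule 130 from AppNACL's outbound table leaves the request allowed but the reply denied, so the connection hangs even though the security group is stateful. DBNACL's outbound ephemeral rule is scoped to 10.99.0.0/16, so a database host can answer the web tier but cannot open a connection to the internet. And because AppNACL's inbound rule 130 allows 1024-65535 from 0.0.0.0/0, a new connection to port 8080 from an outside address also passes the NACL via rule 130; the NACL is the coarse layer, and WebServerSG is what actually restricts the source to the load balancer. Rule order matters too: a lower-numbered DENY for a specific subnet wins over the broader ALLOW at 110.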

Test Configurations

  1. Navigate to EC2 > Instances.
  2. Select the bastion-host instance.
  3. Copy its public IP.
  4. Open a terminal session, and log in to the instance via SSH:

    ssh cloud_user@<PUBLIC IP>

  5. Once you're logged in, head back to the AWS console.
  6. Select one of the WordPress instances, and copy its private IP.
  7. Back in the terminal, log in to it via SSH:

    ssh <PRIVATE IP>

    We should be able to connect.
  8. Back in the AWS console, navigate to EC2 > Load Balancers.
  9. Copy the listed load balancer's DNS name, and paste it into a new browser tab. Our WordPress instance should properly load.

Conclusion

Congratulations on successfully completing this hands-on lab!