1
00:00:00,750 --> 00:00:02,850
So now that we've seen all the aspects

2
00:00:02,850 --> 00:00:05,670
about defining the network in our VPC,

3
00:00:05,670 --> 00:00:08,460
let's talk about this network security.

4
00:00:08,460 --> 00:00:09,720
So let's talk about the concept

5
00:00:09,720 --> 00:00:12,510
of network ACL and security groups.

6
00:00:12,510 --> 00:00:14,163
So we're back in our VPC.

7
00:00:15,091 --> 00:00:18,630
It has 1 public subnet and 1 EC2 instance in it.

8
00:00:18,630 --> 00:00:21,450
We can create a NACL or network ACL,

9
00:00:21,450 --> 00:00:24,240
which is a firewall that controls traffic

10
00:00:24,240 --> 00:00:26,430
from and to the subnets.

11
00:00:26,430 --> 00:00:29,220
And this can have allow and deny rules.

12
00:00:29,220 --> 00:00:31,350
So we can allow traffic or deny traffic.

13
00:00:31,350 --> 00:00:32,790
And that's explicit.

14
00:00:32,790 --> 00:00:36,504
You attach these NACLs at the subnet level

15
00:00:36,504 --> 00:00:39,900
and the rules only include IP addresses.

16
00:00:39,900 --> 00:00:42,006
So you're saying, "Hey, all the traffic coming

17
00:00:42,006 --> 00:00:46,980
from this IP address is allowed," or "all the traffic coming

18
00:00:46,980 --> 00:00:50,730
from these IP addresses is denied," and so on.

19
00:00:50,730 --> 00:00:55,730
So the NACL is here and it is the first mechanism of defense

20
00:00:55,890 --> 00:00:58,680
of our public subnets, and it's at the subnet level.

21
00:00:58,680 --> 00:01:00,990
So as we can see, the traffic coming

22
00:01:00,990 --> 00:01:03,840
to and from the internet is going to go first

23
00:01:03,840 --> 00:01:06,240
through the network ACL.

24
00:01:06,240 --> 00:01:09,870
But it hasn't reached our EC2 instance just yet.

25
00:01:09,870 --> 00:01:12,183
Next we have security groups, and we've seen them

26
00:01:12,183 --> 00:01:14,040
already in this course.

27
00:01:14,040 --> 00:01:17,271
So a security group is a firewall that controls traffic

28
00:01:17,271 --> 00:01:21,870
to and from an ENI, so elastic network interface, or

29
00:01:21,870 --> 00:01:23,490
an EC2 instance.

30
00:01:23,490 --> 00:01:26,310
And these security groups, as we've seen, can only have

31
00:01:26,310 --> 00:01:29,187
allow rules, and they can reference

32
00:01:29,187 --> 00:01:33,060
either IP addresses or other security groups.

33
00:01:33,060 --> 00:01:36,390
And this is something we have seen already in this course.

34
00:01:36,390 --> 00:01:40,050
So we attach a security group to our EC2 instance

35
00:01:40,050 --> 00:01:42,660
and now the traffic can flow all the way

36
00:01:42,660 --> 00:01:44,970
through to our EC2 instance.

37
00:01:44,970 --> 00:01:48,960
And we have the second mechanism of defense.

38
00:01:48,960 --> 00:01:53,100
So we've seen security groups in depth in this course,

39
00:01:53,100 --> 00:01:54,570
but we haven't really touched NACLs.

40
00:01:54,570 --> 00:01:57,600
Why? Because when you have a default VPC,

41
00:01:57,600 --> 00:02:00,075
the default NACL allows everything in and

42
00:02:00,075 --> 00:02:02,130
allows everything out.

43
00:02:02,130 --> 00:02:05,430
And this is why we haven't had to change the network ACL

44
00:02:05,430 --> 00:02:08,790
in this course, and we will not do any hands-on on it either.

45
00:02:08,790 --> 00:02:11,610
But just know that before the internet traffic

46
00:02:11,610 --> 00:02:13,840
reaches your EC2 instance it has to go

47
00:02:13,840 --> 00:02:16,380
through this network ACL,

48
00:02:16,380 --> 00:02:18,480
which acts as a firewall.

49
00:02:18,480 --> 00:02:20,040
So they're very different,

50
00:02:20,040 --> 00:02:21,360
the network ACL and the security group.

51
00:02:21,360 --> 00:02:24,120
And there is a table that summarizes it.

52
00:02:24,120 --> 00:02:25,050
You don't need to remember it.

53
00:02:25,050 --> 00:02:26,442
This is more something for

54
00:02:26,442 --> 00:02:28,680
the Solutions Architect Associate

55
00:02:28,680 --> 00:02:31,680
or the Certified SysOps Associate.

56
00:02:31,680 --> 00:02:34,260
But the idea is that the security group is attached

57
00:02:34,260 --> 00:02:35,400
to an instance or an ENI,

58
00:02:35,400 --> 00:02:38,040
whereas the network ACL is at the subnet level.

59
00:02:38,040 --> 00:02:40,080
The security group is only allow rules, whereas

60
00:02:40,080 --> 00:02:42,810
for network ACL it's allow and deny rules.

61
00:02:42,810 --> 00:02:45,540
It is stateful, so that means for any traffic that comes in,

62
00:02:45,540 --> 00:02:48,330
the return traffic is automatically allowed regardless

63
00:02:48,330 --> 00:02:49,163
of any rules.

64
00:02:49,163 --> 00:02:50,610
Whereas here for the network ACL

65
00:02:50,610 --> 00:02:53,820
you need to allow the traffic in and out.

66
00:02:53,820 --> 00:02:55,920
And here you can look at the rest,

67
00:02:55,920 --> 00:02:58,320
but this is pretty irrelevant for the certification.

68
00:02:58,320 --> 00:03:00,720
Okay, so this is just if you're curious.

69
00:03:00,720 --> 00:03:02,880
So now that we have all this traffic flowing

70
00:03:02,880 --> 00:03:05,910
through our VPC, through the network ACL

71
00:03:05,910 --> 00:03:08,820
and the security groups, we're curious about:

72
00:03:08,820 --> 00:03:10,800
can we get information

73
00:03:10,800 --> 00:03:12,510
about all this traffic flowing through?

74
00:03:12,510 --> 00:03:13,740
Can we get a log from it?

75
00:03:13,740 --> 00:03:16,110
And this is called a VPC flow log.

76
00:03:16,110 --> 00:03:18,116
So this is going to capture information

77
00:03:18,116 --> 00:03:22,650
about all the IP traffic going into your interfaces.

78
00:03:22,650 --> 00:03:26,190
That includes the VPC flow logs, the subnet flow logs

79
00:03:26,190 --> 00:03:27,570
and the ENI flow logs,

80
00:03:27,570 --> 00:03:30,120
or Elastic Network Interface flow logs.

81
00:03:30,120 --> 00:03:33,750
So anytime you have network traffic going through your VPC,

82
00:03:33,750 --> 00:03:35,938
it will be logged in a flow log.

83
00:03:35,938 --> 00:03:38,130
And so this is to help you monitor

84
00:03:38,130 --> 00:03:40,050
and troubleshoot connectivity issues.

85
00:03:40,050 --> 00:03:43,170
For example, if you want to know why your subnet cannot

86
00:03:43,170 --> 00:03:46,680
access the internet, or why a subnet can talk or

87
00:03:46,680 --> 00:03:50,010
cannot talk to another subnet, or internet to subnet,

88
00:03:50,010 --> 00:03:51,330
et cetera, et cetera.

89
00:03:51,330 --> 00:03:55,380
So anytime you have a network issue and you need

90
00:03:55,380 --> 00:03:57,780
to be able to troubleshoot it, you need to look

91
00:03:57,780 --> 00:04:00,385
at the VPC flow logs because they will give you everything.

92
00:04:00,385 --> 00:04:02,190
All the information around

93
00:04:02,190 --> 00:04:03,876
the allowed and the denied traffic.

94
00:04:03,876 --> 00:04:07,320
It will capture network information as well from

95
00:04:07,320 --> 00:04:09,990
anything that is managed by AWS.

96
00:04:09,990 --> 00:04:14,130
So the Elastic Load Balancers, your ElastiCache, RDS, Aurora,

97
00:04:14,130 --> 00:04:16,080
all this will appear in your VPC flow logs.

98
00:04:16,080 --> 00:04:18,360
So in case of connectivity issues

99
00:04:18,360 --> 00:04:20,520
you can look there right away.

100
00:04:20,520 --> 00:04:24,000
And the VPC flow logs data can be sent to Amazon S3,

101
00:04:24,000 --> 00:04:27,720
it can be sent to CloudWatch Logs and Kinesis Data Firehose,

102
00:04:27,720 --> 00:04:31,170
so you can send it to many places in AWS.

103
00:04:31,170 --> 00:04:32,430
So that's it for this lecture.

104
00:04:32,430 --> 00:04:33,570
I hope you liked it.

105
00:04:33,570 --> 00:04:35,760
We've seen NACLs, security groups

106
00:04:35,760 --> 00:04:39,453
and VPC flow logs, and I will see you in the next lecture.