
Teacher: Hi everyone and welcome back.

Now in today's video we'll be discussing

one of the important security functionalities

that AWS provides,

which is the network access control list.

So at a high-level overview, a network ACL

is basically an optional layer of security for your VPC

that acts as a firewall for controlling the traffic

in and out of one or more subnets.

Now when we discuss firewalls,

we know the basics of security groups

and how a security group works,

how we add IP addresses in the security group rules

that need to be allowed for the overall connection

to the EC2 instance.

So when we discuss firewalls in AWS,

specifically from a network layer point of view,

there are two types of firewalls that are available.

The first one is the security group and the second one

is the network ACL.

Now the primary difference between them

is that the security group works at the EC2 instance level.

So whenever you create a security group,

you associate that security group with an EC2 instance.

So this is one type.

The second type is the network ACL.

Now a network ACL does not directly get associated

with the EC2 instance,

but you can associate it at a subnet level.

For example,

if you have a VPC which has multiple public and private subnets,

then you associate the network ACL

at the entire subnet level.

Now again, let's go ahead and understand this

in a much better way with a simple use case.

So we have a use case where a company XYZ

is getting a lot of attacks from a specific IP.

So this is one of the IP addresses

from which a huge amount of attacks are coming.

Now the company has more than 500 servers,

and the security team has decided

to block this specific IP address in the firewall

for all of the servers.

Now the question is, how can we go ahead

and achieve the goal?

Now when we discuss security groups,

do note that in a security group

we only specify which IP addresses

are allowed to reach the EC2 instance.

We cannot really specify which IP addresses

are blocked.

For example, let's say that you have

one EC2 instance that is hosting a website.

Now for website hosting, you need to allow port 80

or port 443 for the entire world.

If you do not allow that port for the entire world,

then people will not be able to visit the website.

So considering that port 80

is allowed for the entire world,

and there is one attacker who is taking big advantage

of attacking your server,

you have to allow the entire world

but you have to block this specific IP.

So in order to achieve this use case,

a network ACL is one of the great solutions.

So as we are discussing, when you create a network ACL

you can associate it at a subnet level.

So let's say you have a public subnet and a private subnet,

and each subnet has a set of 250 EC2 instances.

So 215 in public, 250 in private.

So now what you can do in order to achieve this goal

is, in the network ACL, you can specify

a deny rule with the IP address of the attacker.

So you have deny followed by the IP address.

And since this network ACL is connected to both the public

and the private EC2 instances, the traffic that comes to any

of the EC2 instances that are part of these subnets

will be allowed

or denied based on the network ACL as well.

So since the network ACL denies it,

any traffic coming to any EC2 or any resource

in these subnets will be blocked, considering

that it is the IP address in the deny condition.

So this is the basics of what a network ACL is.

And let's quickly have a demo.

All right, so currently for today's demo,

I have an EC2 instance that is running in one of the regions.

Now if you look into this EC2 instance,

in the Security tab, let's go a bit down.

So there is a security group over here,

and in the inbound rules it is basically

allowing all the traffic to connect to the instance.

So this is perfectly fine.

So let's do one thing.

Let's go ahead and verify

if we are able to ping this specific EC2 instance.

So let's do a ping and I'll specify the IP address.

And as expected, the ping is working perfectly well.

So let's take a simple use case where what we want is

for everyone to connect to this EC2 instance except

one specific IP address.

So as we are discussing, except for one specific IP address,

everyone should be able to connect to the EC2 instance.

Now, in order to achieve that,

you cannot directly make use of a security group rule.

So what we'll be doing is making use of a network ACL.

Now let's quickly go to the VPC service,

let's quickly open this up.

Now in the VPC console, if you look into the VPCs

that are available, only a default VPC is available.

And if you look into the subnets,

there are multiple subnets that are available.

Each one is associated with a specific availability zone.

So if we go a bit to the right-hand side,

you see each subnet is associated

with a specific availability zone.

Anyway, this is not the thing that we are looking for.

So if you go a bit down under Security,

there is an option of Network ACLs.

Let's quickly open this up.

Now you'll see that there is one network ACL that is created,

and it states it is associated with four subnets.

Now as we were discussing,

a network ACL can be associated at a subnet level.

So this network ACL is associated with four subnets.

And if you look into this VPC,

this specific VPC over here has a total of four subnets.

So you can essentially say

that the network ACL is associated with the entire VPC.

Now if you look into the network ACL, again, similar

to the security group, you have inbound and outbound rules.

If I click on inbound rules, here you'll see that

there are two rules that are available.

One is the allow rule and the second one is the deny rule.

So let's do one thing.

Let's go ahead and edit the inbound rules over here.

So our point is to go ahead and block a specific IP address.

So if I quickly do a "What's My IP?",

this is the IP address that I have.

Let's copy this.

So let's do one thing.

Let's go ahead and create a new rule within here.

Let's give a rule number of 99, and for the source,

let's say the IP address of my current ISP.

And within the type I'll just say All traffic.

And within Allow/Deny

I'll say Deny, and I'll click on Save changes.

Great. So if you look into the inbound rules over here,

you have a new rule,

which is the highlighted one, which is a deny rule,

and the source IP address is my current IP.

So now what will happen is, any time this specific IP address

makes a request to any resource that is part of the VPC,

be it one EC2 instance, be it 2000 EC2 instances,

its traffic will be blocked.

So let's quickly verify.

So if I try to ping again, you see we are not able to

establish the connectivity over here.

I'll do a Control-C.

And as soon as we remove the rule, let's try it out.

So this rule number 99, let's remove it.

We'll do Save changes and let's try to ping again.

You see it is working perfectly well.

Great. So I hope at a high-level overview

you understood the basic functionality of a network ACL,

and in fact this specific use case that we were discussing

is one of the common use cases that you will see

in organizations, where there is an IP address

that is continuously brute-forcing multiple EC2 instances

and you want to block that IP address

from your entire VPC so that it does not really reach

any of the EC2 instances.

So in order to quickly do that,

a network ACL is a great way to achieve it.

So before we conclude, let's look into

some of the important pointers.

The first one is that each subnet in your VPC

must be associated with a network ACL.

Now, if you do not explicitly associate a subnet

with a network ACL, the subnet is automatically associated

with the default network ACL.

So generally there is a default network ACL

that gets created automatically.

So this default network ACL will be associated with all

of the subnets by default.

All right, so this is the default network ACL

that allows all inbound and outbound IPv4 traffic

and, if applicable, IPv6 traffic as well.

And the last important pointer is that you can

associate a network ACL with multiple subnets.

However, a subnet can be associated

with only one network ACL at a time.

Now one thing I wanted to make clear is

that this network ACL that you see,

in fact this whole region, this is the region that I'm using

for the first time for this specific account.

So this is basically a default VPC

that was already created within the region.

So this default VPC also comes

with the default network ACL.

So this is the default network ACL

that we were discussing.

And this is what it basically means,

that if you do not explicitly associate a subnet

with a network ACL, the subnet is automatically associated

with the default network ACL.

However, in case you want to create a custom network ACL,

this is also something that you can easily do.

So from here you can create a custom network ACL

and you can associate the custom network ACL

with a specific subnet within the VPC.

So this is the high-level overview of the network ACL,

and with this we will conclude today's video.
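The following is an added example and is not part of the video or its demo. It simulates how AWS evaluates a network ACL so the two caveats the demo depends on become visible: rules are evaluated in ascending rule-number order with the first match winning (so the deny in the demo only works because 99 sorts before the allow-all at 100), and network ACLs are stateless, so a custom ACL that allows only ports 80 and 443 inbound must also allow replies outbound on the clients' ephemeral ports. The rule tuples reconstruct the demo's default ACL plus the rule 99 deny; the addresses 203.0.113.7 and 198.51.100.4 are documentation-range placeholders, and the "web subnet" ACL is a constructed illustration, not something shown in the video.

```python
"""Simulate how an AWS network ACL evaluates traffic.

Added example, not code from the video. The rule semantics are AWS's
documented ones: rules are evaluated in ascending rule-number order, the
first matching rule wins, the '*' rule is the immutable catch-all, and
network ACLs are stateless (return traffic is checked against the rules in
the other direction). DEMO_INBOUND reconstructs the demo: the default NACL
(100 allow all, '*' deny all) plus rule 99 denying the attacker's address.
203.0.113.7 and 198.51.100.4 are documentation-range placeholders.
"""
from ipaddress import ip_address, ip_network

# (rule number, protocol, (port_from, port_to), CIDR, action), as in the console columns.
# For inbound rules the CIDR is the source; for outbound rules it is the destination.
DEMO_INBOUND = [
    (99,  "all", (0, 65535), "203.0.113.7/32", "deny"),   # rule added in the demo
    (100, "all", (0, 65535), "0.0.0.0/0",      "allow"),  # default NACL rule
    ("*", "all", (0, 65535), "0.0.0.0/0",      "deny"),   # catch-all, cannot be removed
]

# Same deny rule, but numbered above the allow-all: the allow matches first,
# so the attacker is never blocked.
MISORDERED_INBOUND = [
    (100, "all", (0, 65535), "0.0.0.0/0",      "allow"),
    (101, "all", (0, 65535), "203.0.113.7/32", "deny"),
    ("*", "all", (0, 65535), "0.0.0.0/0",      "deny"),
]

# Constructed custom NACL for a web subnet: HTTP/HTTPS in, replies out on
# ephemeral ports. Because NACLs are stateless the outbound side is required.
WEB_INBOUND = [
    (99,  "tcp", (0, 65535), "203.0.113.7/32", "deny"),
    (100, "tcp", (80, 80),   "0.0.0.0/0",      "allow"),
    (110, "tcp", (443, 443), "0.0.0.0/0",      "allow"),
    ("*", "all", (0, 65535), "0.0.0.0/0",      "deny"),
]
WEB_OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),  # replies to clients' ephemeral ports
    ("*", "all", (0, 65535),    "0.0.0.0/0", "deny"),
]


def evaluate(rules, addr, port, protocol="tcp"):
    """Return (action, rule_number) of the first rule matching a packet.

    `addr` is the source for inbound evaluation and the destination for
    outbound evaluation. '*' always sorts last, whatever the list order.
    """
    ordered = sorted(rules, key=lambda r: (r[0] == "*", 0 if r[0] == "*" else r[0]))
    packet_addr = ip_address(addr)
    for number, proto, (lo, hi), cidr, action in ordered:
        if proto != "all" and proto != protocol:
            continue
        if not lo <= port <= hi:
            continue
        if packet_addr not in ip_network(cidr):
            continue
        return action, number
    raise RuntimeError("unreachable: every NACL ends with the '*' rule")


def http_exchange_allowed(inbound, outbound, client_ip, client_port, server_port=80):
    """Stateless check of one request/response pair.

    The request is evaluated inbound on the server port; the reply is evaluated
    outbound against the client's ephemeral port. Both must be allowed, which is
    the step that is easy to forget when moving from security groups to NACLs.
    """
    request, _ = evaluate(inbound, client_ip, server_port)
    reply, _ = evaluate(outbound, client_ip, client_port)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print("attacker   ->", evaluate(DEMO_INBOUND, "203.0.113.7", 22))                  # ('deny', 99)
    print("anyone     ->", evaluate(DEMO_INBOUND, "198.51.100.4", 22))                 # ('allow', 100)
    print("misordered ->", evaluate(MISORDERED_INBOUND, "203.0.113.7", 22))            # ('allow', 100)
    print("web client ->", http_exchange_allowed(WEB_INBOUND, WEB_OUTBOUND, "198.51.100.4", 51000))  # True
    print("web attack ->", http_exchange_allowed(WEB_INBOUND, WEB_OUTBOUND, "203.0.113.7", 51000))   # False
```

Run it directly to see the three cases side by side. The misordered list is the mistake to watch for when adding a block rule to an existing ACL: pick a number lower than the allow rule it is meant to override, as the demo does with 99.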
