Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3.1.4. Network Security Design (Security Groups, Network ACLs, Network Firewall, WAF, Shield)

💡 First Principle: A multi-layered, defense-in-depth approach to network security, applied at the instance, subnet, and edge, is essential for protecting resources from unauthorized network access and malicious attacks.

Scenario: You are designing a new multi-tier web application. The web servers will be publicly accessible, but the application servers and database servers must be strictly protected from direct internet access. You need to implement layered security to protect against common web exploits and network-level attacks.

Robust network security is paramount in cloud environments. AWS provides a suite of services for layered defense.

  • "Security Groups (SGs)": Instance-level, "stateful" virtual firewalls.
    • Practical Relevance: Control inbound/outbound traffic to individual "EC2 instances" or "ENIs". Allow rules automatically imply return traffic. Best practice is to use "SGs" as the primary instance firewall.
  • "Network Access Control Lists (Network ACLs / NACLs)": Subnet-level, "stateless" firewalls.
    • Practical Relevance: Control traffic to and from one or more subnets. Rules are evaluated in order (lowest number first). Must explicitly allow inbound and outbound return traffic. Useful for broad subnet-level blocking or allowing.
  • "AWS Network Firewall": A managed service that makes it easier to deploy network protections for all your "Amazon VPCs".
    • Practical Relevance: Provides deep packet inspection, intrusion prevention and detection, web filtering, and granular traffic control at the "VPC border". Integrates with "AWS Firewall Manager".
  • "AWS WAF (Web Application Firewall)": Protects web applications or APIs from common web exploits and bots.
    • Practical Relevance: Filters HTTP/S requests based on rules (e.g., "SQL injection", "XSS", IP reputation, geo-blocking). Integrates with "CloudFront", "ALB", "API Gateway".
  • "AWS Shield": Managed Distributed Denial of Service ("DDoS") protection service.
    • Practical Relevance: "Shield Standard" (free) provides automatic protection against common network and transport layer DDoS attacks. "Shield Advanced" (paid) provides enhanced protection, cost protection for scaling, and access to the "DDoS Response Team".
Visual: Network Security Layers (Defense in Depth)

āš ļø Common Pitfall: Relying solely on "Security Groups" for all network security. While "SGs" are the primary instance-level firewall, "Network ACLs" provide a crucial additional layer of defense at the subnet level, useful for blocking known malicious IP addresses before traffic even reaches the instances.

Key Trade-Offs:
  • Granularity ("Security Groups") vs. Broad Control ("Network ACLs"): "Security Groups" provide fine-grained, stateful control for specific instances. "Network ACLs" provide broad, stateless allow/deny rules for entire subnets.
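The stateful/stateless distinction and the "lowest number first" NACL ordering above are easiest to see by modelling them. The following is an added illustration written for this page, not AWS code: a toy evaluator for a stateless NACL and a stateful Security Group, applied to the scenario's web and application tiers. The CIDRs (10.0.1.0/24 for the web subnet, 203.0.113.10 as a client), the 8080 app port and the "misbehaving host" 10.0.1.99 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NaclRule:
    number: int      # NACL rules are evaluated lowest number first
    action: str      # "allow" or "deny"
    cidr: str
    ports: tuple     # inclusive (low, high) TCP port range

def nacl_evaluate(rules, ip, port):
    """Stateless: the first matching rule wins; no match falls to the implicit '*' deny."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(r.cidr) and r.ports[0] <= port <= r.ports[1]:
            return r.action == "allow"
    return False

@dataclass
class SecurityGroup:
    """Stateful: allow rules only; replies to a tracked connection pass automatically."""
    inbound: list = field(default_factory=list)   # (cidr, low, high) allow rules
    tracked: set = field(default_factory=set)     # connection-tracking table

    def allow_inbound(self, src_ip, dst_port):
        addr = ipaddress.ip_address(src_ip)
        ok = any(addr in ipaddress.ip_network(c) and lo <= dst_port <= hi for c, lo, hi in self.inbound)
        if ok:
            self.tracked.add((src_ip, dst_port))
        return ok

    def allow_reply(self, dst_ip, src_port):
        return (dst_ip, src_port) in self.tracked  # no outbound rule needed for the return leg

# Constructed web-tier subnet NACL: HTTPS in from anywhere, ephemeral ports out for the reply leg.
WEB_NACL_IN = [NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
WEB_NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535))]
WEB_NACL_OUT_BROKEN = []   # the ephemeral-port egress rule was forgotten

def https_flow(nacl_in, nacl_out, client_ip="203.0.113.10", client_port=50000):
    """(request passes, reply passes) for one client HTTPS request through a stateless NACL."""
    return nacl_evaluate(nacl_in, client_ip, 443), nacl_evaluate(nacl_out, client_ip, client_port)

# Constructed app-tier NACL: only the web subnet may reach 8080. In the first version the deny for
# one misbehaving web host is numbered after the subnet-wide allow, so it never fires.
APP_NACL_IN = [NaclRule(100, "allow", "10.0.1.0/24", (8080, 8080)), NaclRule(110, "deny", "10.0.1.99/32", (8080, 8080))]
APP_NACL_IN_FIXED = [NaclRule(90, "deny", "10.0.1.99/32", (8080, 8080)), NaclRule(100, "allow", "10.0.1.0/24", (8080, 8080))]

def app_port_open(rules, src_ip):
    return nacl_evaluate(rules, src_ip, 8080)
```

Running the two NACL variants side by side shows the stateless pitfall (the request arrives but the reply is dropped without an ephemeral-port egress rule) and why a deny rule must carry a lower number than the allow it is meant to override.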

Reflection Question: How would you combine "VPC subnets", "Security Groups", "Network ACLs", "AWS WAF", and "AWS Shield" to create a robust, multi-layered network security design for a multi-tier web application, ensuring public access only to web servers while strictly protecting application and database servers from direct internet exposure?