AWS: Networking and Security

Umma Gohil

AWS: Networking and Security

☁️ Architecture

Apr 8, 2025

13 min read

Creating an Application Load Balancer (ALB)

Creating the EC2 Instances

Go to EC2, on the left select Network & Security Groups
Click on Security Groups and then Create Security group
Name: <alb-one>
Description: <alb-description-one>
Select pre-existing vpc
Configure inbound rule to allow HTTP traffic from 0.0.0.0/0
Configure another security group
- Name: <alb-sg-server-one>
- Configure inbound rule to allow HTTP traffic from the ALB’s security group

Create Two EC2 Instances

EC2-One

Name: <ec2-one>
Instance type: t2.micro
AMI: Amazon Linux
Key pair: Proceed without key pair
Security group: <one-created-earlier>
User data:

#!/bin/bash
sudo yum update -y
sudo yum install nginx -y
sudo service nginx start
echo '<html><body style="background-color:red;"><h1>EC2 RED server</h1></body></html>' | sudo tee /usr/share/nginx/html/index.html > /dev/null
sudo service nginx reload

EC2-Two

Name: <ec2-two>
Instance type: t2.micro
AMI: Amazon Linux
Key pair: Proceed without key pair
Security group: <one-created-earlier>
User data:

#!/bin/bash
sudo yum update -y
sudo yum install nginx -y
sudo service nginx start
echo '<html><body style="background-color:blue;"><h1>EC2 BLUE server</h1></body></html>' | sudo tee /usr/share/nginx/html/index.html > /dev/null
sudo service nginx reload

Creating the Target Group

On the left of EC2 Management Console, select ** Target Groups** under Load Balancing and click Create target group
Target type: instances
Name: <alb-target-group-name>
Protocol: HTTP on port 80 (make sure IPb4 option is selected under IP address type)
VPC: select default
Protocol version: HTTP1
Health checks: HTTP for protocol, path leave as default /
Click Next
Select both instances as targets and then click Includes as pending below
Click Create target group

Creating the Application Load Balancer

On the left of the EC2 Management Console, under Load Balancing select Load Balancers
Click on Create load balancer (top right)
Select Application Load Balancer
Configuration
- Name: <alb-name>
- Scheme: Internet-facing
- IP address type: IPv4
- Network mapping: select default VPC
- Mappings: select all checkboxes
- Security groups: select previously created security group
- Listeners and routing:
  - Protocol: HTTP
  - Port: 80
  - Click Select a target group and choose target group previously created
  - Click Create load balancer
Enter the ALB DNS name into the browser and when you refresh the page you should be able to switch between a red and blue background

Creating a Network Load Balancer

Creating Two EC2 Instances

Name: <ec2-one>
AMI: Amazon Linux
Instance type: t2.micro
Key pair (create a new one)
- Name: <key-pair-name>
- Type: RSA
- Format: .pem
Network settings (click edit)
- Subnet: choose an existing one
- Auto assign public IP: enable
- Firewall (security groups): tick Create security group
  - Name: <sg-name>
  - Description: <sg-description>
  - Inbound security group rules;
    - Type: SSH
      - Source type: My IP
    - Type: HTTPS
      - Source type: Custom
      - Source: 0.0.0.0/0
    - Type: Custom TCP
      - Port range: 2014-665535
      - Source type: Custom
      - Source: 0.0.0.0/0

Click on Advanced details

Scroll down and paste the following in user data

#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Welcome to the webServer_Alpha</h1>" > /var/www/html/index.html

Click on Launch instance
Name: <ec2-two>
AMI: Amazon Linux
Instance type: t2.micro
Key pair: select the key pair created in the instance above
Network settings (click edit)
- Subnet: choose an existing one
- Auto-assign public IP: select enable
- Firewall (security groups): tick Select existing security group and choose the one previously created
- Click on Advanced details and paste the following in
```
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Welcome to the webServer_Beta</h1>" > /var/www/html/index.html
```
Ensure the instances are in a running state and all checks have been passed

Setting Up Target Group

In EC2, on the left side under Load Balancing select Target Groups
Configuration
- Target type: Instances
- Target group name: <tg-name>
- Protocol and port: TCP, 80
- VPC: select default
- Health checks protocol: TCP
Click Next
Register targets: select two instances created earlier
Click Include as pending below
Click Create target group

Setting up the Network Load Balancer

On the left of the EC2 Management Console under Load Balancing click Load Balancers
Click Create load balancer (top right)
Select Network Load Balancer and click Create
Configuration
- Load Balancer Name: <nlb-name>
- Scheme: Intern-facing
- IP address type: IPv4
- Network mapping: default vpc
- Select mappings: us-east-1a and use-east-1b (this will be subnets which the NLB will operate)
- Under Security groups, select the security group created previously and unselect the default to delete it from the list
- On Listeners and routing, select the target group previously created (ensure the protocol is TCP and port is set to 80)
- Click Create load balancer
Once active, copy the DNS name of the NLB

Testing the Network Load Balancer

Paste the DNS name into the browser
Add some traffic to one of your instances by connecting to it via SSH
- Go back to instances and select one of the instances and click Connect
- Open the terminal and navigate to where your downloaded the key pair
- Paste the command to connect to the instance: ssh -i <your-key-name.pem> <ec2-url>
- Paste this into the terminal (replace with your own nlb dns): while true; do curl http://<NLB-DNS-NAME>; done

Path-based Routing with ALB

Launching Two EC2 Instances

Name: <ec2-one>
AMI: Ubuntu Server 24.04
Key pair (create a new pair)
- Name: <path-based-routing>
- Type: RSA
- Format: .pem
Network settings
- Allow SSH traffic from My IP
- Allow HTTP traffic from the Internet
Click Create instance
Name: <ec2-two>
AMI: Ubuntu Server 24.04
Key pair (use the one created in ec2-one)
Network settings
- Allow SSH traffic from My IP
- Allow HTTP traffic from the Internet

Installing the NGINX Web Server

Do these steps for both instances
Connect to the server via SSH
Install the NGINX web server
- sudo apt update
- sudo apt install nginx
Once installed, verify it by going to the public IPv4 address of each instance

Creating a Simple UI

Do these steps for both instances
Connect to the instances via SSH
For ec2-one: sudo vi /var/www/html/demo1.html
Copy the following HTML code block:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to App1!</title>
</head>
<body>
<h1>Welcome to App1!</h1>
</body>
</html>

Save the file via :wq!
For ec2-two: sudo vi /var/www/html/demo2.html
Copy the following HTML code block:

<!DOCTYPE html>
<html>
<head>
<title>Welcome to App2!</title>
</head>
<body>
<h1>Welcome to App2!</h1>
</body>
</html>

Save the file via :wq!

Creating Target Groups

Type: Instances
Set up two target groups with protocol HTTP and port 80
Select the existing VPC
Register EC2 instances running on ec2-one with tg1 and set HealthCheckPath as /demo1.html
Register EC2 instances running on ec2-two with tg2 and set the HealthCheck Path as /demo2.html

Creating an Application Load Balancer

Load Balancer Name: <demo>
Scheme: Internet-facing
Load Balancer IP address type: IPv4
Network mapping
- Select the existing VPC
- Mapping: select all AZs
Security groups: select the default one
Listeners and routing
- Protocol: HTTP
- Port: 80
- Forward to tg1
- Click Create Load Balancer
Configure listener and rules
- Go to the Listener details pane
  - Change Routing actions to Return fixed response
  - Click Save Changes
- Define listener rules based on path patterns: click Add rule
- Add condition
  - Rule condition type: path
  - For request to /demo1.html, forward to tg1
  - For request to /demo2.html, forward to tg2
  - Click Next
- Rule priority
  - First rule (tg1): 1
  - Second rule (tg2): 2

Test Path Based Routing

http://your-alb-dns-name/demo1.html
http://your-alb-dns-name/demo2.html

Creating a Custom VPC

VPC (virtual private cloud): the network on aws
Subnet: security measures, connectivity options etc.
Internet Gateway: allow access to the Internet
Route table: guides traffic in and out

Creating a Custom VPC

Go to VPC via the AWS Management Console
Click on Create VPC
Select VPC only
Name tag: <vpc-name>
IPv4 CIDR block: 10.0.0.0/16
Click Create

Setting Up Subnets

Click on Subnets on the left hand side and then Create subnet
VPC ID: select a pre-existing vpc
- Name: <public-subnet-name>
- Availability zone: US East/ us-east-1a
- IPv4 CIDR block: 10.0.1.0/24
- Add another subnet by clicking Add new subnet
  - Name: <public subnet-name-2>
  - Availability zone: US East / us-east-1b
Click Create

Establishing an Internet Gateway

Click on Internet Gateways on the left hand side under VPC
Click on Create Internet Gateway
Add a name for the Gateway and click Create Internet Gateway
Choose Attach to VPC in the action dropdown menu on the right
Attach the Internet Gateway to the VPC and click Attach internet gateway

Configuring Route Tables

Go to Route Tables on the left and click Create route table
Name the route table and associate it with the vpc created earlier
Click Create route table
Click on Edit routes
Click on Add route (bottom left)
- Destination: 0.0.0.0/0
- Target: select Internet Gateway and the name of the Internet Gateway you created previously
- Click Save changes
Associate the route table with both subnets
Click on Edit subnet associations inside the Explicit Subnet Associations
Select both subnets and click on Save associations

Testing Connectivity

Connect and lunch the instances via SSH

Setting Up VPC Peering

Peering enables private network connections between different VPCs to communicate with each other

Prepare the Environment

Navigate to VPC via the AWS Management Console
Create three VPCs
- VPC-One: CIDR block 10.0.0.0/16
- VPC-Two: CIDR block 10.1.0.0/16
- VPC-Three: CIDR block 10.2.0.0./16
In each VPC, create a subnet
- Subnet-One: 10.0.1.0/24
- Subnet-Two: 10.1.1.0/24
- Subnet-Three: 10.2.1.0/24
Create an Internet Gateway for each VPC
- internet-gateway-one
  - remember to attach vpc-one
- internet-gateway-two
  - remember to attach vpc-two
- internet-gateway-three
  - remember to attach vpc-three
Modify route tables
- Click Edit routes
  - Destination: 0.0.0.0/0
  - Target: Internet Gateway (choose the Internet gateway corresponding to the route table)
  - Click Save changes and repeat the process for all vpcs
Navigate to the EC2 dashboard and launch three instances with the following configuration
- Name: <ec2-name-corresponding-vpc>
- AMI: Amazon Linux 2023 AMI
- Instance: t2.micro
- Key pair (create a new pair and use it for the other two ec2s)
- Network settings (Click Edit)
  - Network name: <network-name>
  - Subnet: <subnet-vpc-corresponding-name>
  - Auto-assign public IP: enable
  - Firewall (security groups): select Create security
    - Security group name: <sg-vpc-ec2-name>
    - Description: <sg-for-ec2-vpc>
    - Inbound security rules
      - Type: SSH
      - Source type: My IP
- Click Launch instance

Instance Test Connection

Connect to each EC2 via SSH
Ping the EC2 by copying the Private IP Address: ping <ec2-private-ipv4-address> and hit enter

Configure VPC Peering Connections

Navigate to the VPC dashboard
Search for Peering connections on the left hand side
Click on Create peering connection
- Name: <pc-vpc-ec2-name>
- Select a local VPC to peer with: vpc-one/vpc-two/vpc-three (one will be the requester and the other will be the accepter)
- Click Create peering connection
- Accept the peering requests in each of the VPC’s dashboard
- Click Accept request

Update Route Tables

Add routes to direct traffic to the peered VPCs using the peering connection IDs
- <vpc-route-table>
- Click Edit routes
- Add in Destination: 10.1.0.0./16 (change 1 for the other vpcs)
  - Target: Peering Connection pc-vpc-ec2-name
- Click Save changes
Configure security group for each instances
- Navigate to EC2 dashboard and go to Security groups under Network and Security on the left hand side
- Copy the security group IDs for each EC2
- Click Edit inbound rules
- Click Add rule
  - Type: All ICMP - IPv4
  - Paste the security group ID in the Source
  - Click Save rules

Test Connectivity

SSH into each instance on your local machine

Security Groups vs Network Access Control List (ACL)

Create a VPC and Subnet

Navigate to the VPC dashboard
Create a VPC with the following details
- my-vpc: CIDR block 10.0.0./16
Go to subnets and create a new subnet with the following config
- Select the VPC you just created
- Subnet name: <subnet-name>
- IPv4 subnet CIDR block: 10.0.1.0./24
Create an Internet Gateway with the tag my-igw
Click on the route table ID and then Edit routes
- Destination: 0.0.0.0/0
- Target: Internet Gateway (choose the Internet gateway corresponding to the route table)
- Click Save changes

Setup NACL

Click on Network ACLs on the left hand side under Security with the EC2 console
Click on the Network ACL ID and click on Edit inbound rules
Modify the first inbound rule
- For the rule number leave it as 100
- Type: HTTP, port 80
- Source: 0.0.0.0/0
Add another rule with the following details
- Rule number: 110
- Type: SSH (22)
- Source: 0.0.0.0/0
click Save changes

Create Security Groups

Navigate to Security groups under Network & Security
Click Create security group
- Name: <sg-name>
- Description: <sg-description>
- VPC: my-vpc
- Add two inbound rules
  - Type: HTTP, Source: 0.0.0.0/0
  - Type: SSH, Source: My IP
- Click Create security group

Launch an EC2 Instance

Name: <ec2-name>
AMI: Amazon Linux 2023 AMI
Instance type: t2.micro
Key pair (create a new one)
Network settings (click edit)
- Network: my-vpc
- Subnet: my-subnet
- Auto-assign public IPL enable
- Firewall: select existing security group
  - Common security groups: my-sg
Click Launch Instance

Testing and Observation

Test the instance by connecting to it via SSH
Modify the outbound rules of NACLs
- Navigate to the VPC dashboard and to Network ACLs
- Click on the NACL for my-vpc/my-subnet and Edit outbound rules
- Modify the outbound rule 1 to Deny and click Save changes
- Try to SSH into the ec2 again
Modify the security group to deny traffic
- Go to Security groups within EC2
- Choose the security group linked to the ec2
- Deny SSH (port 22) access by deleting the rule
- Click Save changes
Revert these changes back to be able to connect to the EC2 instance as normal

Configuring a NAT Instance for Secure Connectivity

NATs (Network Address Translation) instances allow instances in private subnets to communicate with the Internet without exposing inbound connections

Set Up Network Configurations

Navigate to the VPC dashboard via AWS Management Console
Click Create VPC
Resource to create: VPC only
Name: <vpc-name>
CIDR block: 10.0.0.0/16
Tenancy: default
Click Create
Create subnets
On the left of the VPC dashboard under Virtual private cloud click Subnets
Subnet Configurations
- Public subnet
  - VPC ID: <public-vpc-id>
  - Subnet name: <public-vpc-subnet-name>
  - Availability Zone: select AZ from list
  - IPv4 subnet CIDR block: 10.0.1.0/24
  - Add new subnet (to create a private subnet)
- Private subnet
  - Name: <private-subnet-name>
  - IPv4 subnet CIDR block: 10.0.2.0/24
  - AZ: select the same AZ as the public subnet
  - Click Create
Create an Internet Gateway
- In the VPC dashboard, on the left under Virtual private cloud, click on Internet gateway
- Click Create Internet Gateway
- Name: <internet-gateway-name>
- Click Create
- Attach the Internet Gateway to the VPC
Create a new route table for the public subnet
- Under Virtual private cloud select Route tables
- Click Create route table
- Name: <public-route-table-name>
- VPC: <previously-created-vpc>
- Click Create route table
- Edit routes: add route 0.0.0.0/0 to target <internet-gateway-name>
- Click Save changes
- Edit explicit subnet associations in the Subnet association tab and associate <public-subnet-name>
Create a new route table for the private subnet
- Edit explicit subnet association in the Subnet associate tab and associate <private-subnet-name>

Launch Instances

Public subnet instance
- Name: <public-subnet-ec2>
- AMI: Amazon Linux 2023 AMI
- Instance type: t2.micro
- Create new key pair
- Network settings
  - VPC: previously created vpc
  - Subnet: previously created public subnet
- Enable Auto-assign public IP
- Firewall: select create security group
  - Security group name: <nat-instance-public-security-group>
  - Description: <nat-instance-public-sg-description>
  - Security group rules: allow SSH (port 22) from My IP and HTTP/HTTPS (port 80/port 443) from anywhere
- Launch instance
Private subnet instance
- Name: <private-subnet-ec2>
- AMI: Amazon Linux 2023 AMI
- Instance type: t2.micro
- Use same key pair as public subnet instance
- Network settings
  - VPC: previously created vpc
  - Subnet: previously created private subnet
- Firewall: select create security group
  - Security group name: <nat-instance-private-security-group>
  - Description: <nat-instance-private-sg-description>
  - Inbound security group rules: allow SSH (port 22) from public-nat-instance-security-group
- Launch instance

Configure NAT Instance

SSH into the public subnet instance
Run the follow commands to enable IP forwarding and configure NAT
- Create a file using vi or vim: sudo vi /etc/sysctl.d/custom-ip-forwarding.conf
- Next: net.ipv4.ip_forward=1
- Save and exit (:wq!)
- Then run the following: sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
- Install the iptables: sudo yum install iptables-services -y
- Take note of the name of the private network interface: netstat -i
- Use it for the following command:
```
sudo iptables -t nat -A POSTROUTING -o enX0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o enX0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o enX0 -j ACCEPT
sudo service iptables save
sudo service iptables restart
```
In EC2, navigate to the NAT instance
- Click on Actions, Networking, Change source/destination check
- Check the box under Source/destination checking with the label Stop
Update the route table of the private subnet, destination 0.0.0.0/0 and the target instance
Update the security for the NAT instance
- Type: ICMP - IPv4
- Source: 10.0.2.0/24

Access the Private Instance

Copy the private key pair to the NAT instance within local machine
Paste the following command

scp -i <your_NAT_Instance_Key_Pair> <Your_Private_Instance_Key_Pair> ec2-user@<public_IP_address_of_NAT_Instance:/home/ec2-user/

SSH into the instance
From the NAT instance, change the permission of the .pem key pair file
- sudo chmod 400 MyKeyPair.pem
SSH into the private instance: ssh -i MyKeyPair.pem ec2-user@<PrivateInstance-Private-IP>
Ping 8.8.8.8 (Google)

Managing Prefix Lists

A set of one or more CIDR blocks to maintain security groups and route tables
Customer managed: created/managed by you and shared with other AWS accounts
AWS managed: provided by AWS for service related IP ranges (cannot be modified or shared)

Create a VPC Managed Prefix List

Navigate to VPC and select Manage prefix lists from under Virtual private cloud on the left hand side
- Name: <prefix-list-name>
- Maximum number of entries: 1
- Prefix list entries
  - Click Add entry
  - CIDR blocks: 10.0.0.0/16
- Click Create prefix list

Use the Prefix List in a Security Group

Navigate to EC2 and select Security Groups under Network & Security
Click on Create security group
- Security group name: <sg-name>
- Description: <sg-description>
- VPC: select available vpc
- Inbound rules (click Add rule)
  - Type: SSH
  - Source: prefix list
  - Select previously created prefix list
  - Click Create security group

Use the Prefix List in a Route Table

Go back to the VPC dashboard and click on Route tables under Virtual private cloud on the left and click on Create route table
Configurations
- Name: <rt-name>
- VPC: select available vpc
- Click Create route table
Click Edit routes
- Click Add route and specify Destination as prefix list
- Set Target to Internet Gateway
- Click Save routes to update route table

Amazon S3 Access Point with VPC Restriction

Access points allow you to create multiple points to gain access to a bucket instead of bucket policies
- You can have access points for users, applications or teams
VPC Network Origin secures the data by only allowing requests from a vpc to grant access to the S3 bucket

Create a VPC

Click CreateVPC
Resource to create: VPC only
Name: <vpc-name>
CIDR block: 10.0.0.0/16
Tenancy: default
Click Create VPC

Create a S3 bucket

Create a bucket with a unique name in S3

Create an Access Point with the VPC as Network Origin

Within S3, go to Access Points (on the left)
Click Create Access Point
Configurations
- Provide a unique name for the access points
- Under Bucket, select Choose a bucket in this account
  - Click on Browse S3 and select the bucket you created earlier
- Under Network origin, select VPC
  - VPC ID
- Scroll down and click Create access point