This lab walks you through the steps to understand the difference between stateful (Security group) and stateless (Network ACL) firewall.
You will practice the lab using VPC and EC2.
Duration: 60 minutes
AWS Region: US East (N. Virginia)
Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule.
If you allow an incoming port 22, the outgoing port 22 will be automatically opened.
Inspects packets in the context of their traffic flow, allows you to use more complex rules, and allows you to log network traffic and to log Network Firewall firewall alerts on traffic.
Stateful rules consider traffic direction.
Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule.
If you allow an incoming port 22, you would also need to apply the rule for outgoing traffic.
Inspects each packet in isolation, without regard to factors such as the direction of traffic, or whether the packet is part of an existing, approved connection. This engine prioritizes the speed of evaluation. It takes rules with standard 5-tuple connection criteria.
In this lab, we will be creating a Custom VPC with a public subnet and launch an EC2 instance in that VPC.
First we will understand the Security group, Inbound and outbound rules.
Next we will understand the Network ACL, Inbound and outbound rules.
Launching Lab Environment.
Create an Amazon VPC.
Create a Public subnet.
Create and attach an Internet Gateway.
Create a Public Route Table and associate it with the subnet.
Add the public Route in the Route table.
Create a security Group.
Launch an EC2 instance.
Understand the security group rules.
Understand the NACL rules.
Validation of the lab.