Security Groups
- the public instance has a public IPv4 DNS name and a public IP address
- the private instance has neither
Let’s check that our website is working
case 1
public instance - copy the public IP address
- or we can use the public DNS name instead; either one works
case 2
private instance - there’s nothing in the public IP address field
- it only has a private IP
- so there’s no way of reaching the website running on the private instance from the internet.
- the reason why we were able to access the instance publicly was that in our security group we had an inbound rule on port 80.
- Port 80 is what websites run on.
- that inbound rule allows only my IP, so when we access it through the web browser, my IP matches.
- that’s why I was allowed to access it.
- let’s change my IP
- I have a VPN
- it’s a service you can buy; a lot of people use it so that they can watch Netflix in other regions.
- I have a VPN from Brazil; shortly, once it connects -> it shouldn’t work. It’s hanging because I’m not using that IP anymore.
-> that’s how security groups work for inbound rules.
- for outbound rules (traffic going out to the internet), it’s almost always left open like this.
NACL (Network ACL)
let’s show how NACLs work compared to security groups.
security groups can only allow things, so everything that isn’t explicitly allowed is denied.
- you’re adding allow rules only
- you can’t add an explicit deny rule.
⭐️ NACLs are very useful because you can use them to block a very specific IP address or IP range. ⭐️
- ⭐️ security groups are associated with the actual EC2 instance
- ⭐️ NACLs are associated with the subnets.
Q. how do we set up the NACL?
- A.
in order to block an individual IP address, we first have to determine which subnet the instance runs in, since the NACL belongs to the subnet.
then grab that IP address and paste it into a deny rule on that subnet’s NACL.
- it works!
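To make the security group section and the NACL section above concrete, here is an added Python simulation (not code from the video or from AWS) of how a security group (allow-only rules, attached to the instance) and a NACL (numbered allow/deny rules, attached to the subnet) each evaluate an inbound packet. The IP addresses, CIDRs, ports and rule numbers are constructed sample values, and the "my IP" / "blocked IP" roles are assumptions chosen to mirror the walkthrough.

```python
import ipaddress

# Security group (instance level): allow rules only, no deny rules exist.
SG_INBOUND = [
    {"port": 80, "cidr": "203.0.113.10/32"},  # constructed: "my IP" allowed on port 80
    {"port": 22, "cidr": "10.0.0.0/16"},      # constructed: SSH from inside the VPC
]

# NACL (subnet level): numbered rules, lowest number evaluated first, first match wins.
# A deny rule is allowed here, unlike in a security group.
NACL_INBOUND = [
    {"rule": 90,  "port": 80, "cidr": "198.51.100.7/32", "action": "deny"},  # constructed: block one IP
    {"rule": 100, "port": 80, "cidr": "0.0.0.0/0",       "action": "allow"},
    {"rule": 110, "port": 22, "cidr": "10.0.0.0/16",     "action": "allow"},
]


def _matches(rule, src_ip, port):
    """True when the packet's destination port and source IP fall inside the rule."""
    return rule["port"] == port and (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    )


def sg_allows(rules, src_ip, port):
    """Security group semantics: denied unless some allow rule matches."""
    return any(_matches(r, src_ip, port) for r in rules)


def nacl_action(rules, src_ip, port):
    """NACL semantics: walk rules by number, first match decides; '*' at the end denies."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        if _matches(r, src_ip, port):
            return r["action"]
    return "deny"  # the implicit final "*" rule every NACL has


def inbound_reaches_instance(src_ip, port, nacl=NACL_INBOUND, sg=SG_INBOUND):
    """The subnet NACL is checked before the instance's security group."""
    if nacl_action(nacl, src_ip, port) != "allow":
        return False
    return sg_allows(sg, src_ip, port)


if __name__ == "__main__":
    print("my IP, port 80:      ", inbound_reaches_instance("203.0.113.10", 80))  # True
    print("VPN IP, port 80:     ", inbound_reaches_instance("192.0.2.5", 80))     # False: no SG allow
    print("blocked IP, port 80: ", inbound_reaches_instance("198.51.100.7", 80))  # False: NACL deny
```

The second case is the VPN demo from the notes: the NACL lets port 80 through from anywhere, but the security group has no allow rule for the new source IP, so the request hangs.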
Bastion
- how do we actually get access to the private subnet?
- we have our private EC2 instance
- we don’t have a public IP address on it
- there’s no direct way to gain access to it.
- So we can’t just easily SSH into it. -> this is where we’re gonna need a bastion
- launch new instance
- go to marketplace and type in Bastion.
- use Guacamole Bastion Host
- there’s an associated cost
- they do have a trial version (you can get it without paying anything for it)
we’re gonna need a small instance type; this one doesn’t allow you to go down to micros. (There’s an associated cost)
- Configure instance detail
- select the network as the private one.
- select the public subnet.
- create a new IAM role and attach it
- you need to give it some access so that it can auto-discover instances.
- it’s gonna give us permissions to CloudWatch and STS
- EC2ReadOnlyAccess & Guaws
- result
- grab the public DNS name and paste it into the browser
- hit hide advanced
- hit allow on the top left
- login default admin
- id : guacadmin
- password : the instance ID
now it has auto-discovered the instances in the VPC it was launched into
- connect and log in; the shell opens here
- logging in this way is how we gain access to the private instance.
- before doing anything, I’m gonna configure a few things; these are why we use bastions (you can see them in Setup)
- it’s a hardened instance.
- it does allow you to authenticate via multiple methods
- so you can enable multi-factor authentication to use this
- it also has the ability to do screen recordings
- so you can see what people are up to
- we can also use Session Manager, which does a lot of this for us within AWS, with the exception of screen recording.
Words
- explicit : stated openly, in so many words
- grab it here : copy it
The copyright of all material here belongs to this video:
https://www.youtube.com/watch?v=Ia-UEYYR44s
This post is just for studying AWS SAA.