# 05. EC2 Network Settings
EC2 Network Settings allow you to configure networking components such as VPC, Subnets, Security Groups, and Public IP Addresses during instance creation.
## VPC (Virtual Private Cloud)
- A VPC is a logically isolated section of the AWS Cloud where you can launch AWS resources.
- It lets you define:
  - IP address ranges
  - Subnets
  - Route tables
  - Gateways (Internet or NAT)
- You can use the default VPC or create a custom VPC for more granular control.
- Each VPC spans a single AWS Region and can have multiple subnets across different Availability Zones.
## Subnet
- A Subnet is a segment of a VPC's IP address range where you can place your resources.
- Subnets help divide your network into smaller, manageable sections.
- Each subnet must reside in a single Availability Zone.
- Types of subnets:
  - Public Subnet: connected to the Internet through an Internet Gateway.
  - Private Subnet: isolated from the Internet, often used for databases or internal apps.
- You can create multiple subnets in your VPC for better fault tolerance and organization.
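The VPC and subnet rules above (one VPC range, subnets carved from it, one AZ per subnet, public subnets routed to an Internet Gateway) can be checked before anything is created. The following is an added example, not part of the original notes or any AWS tooling: it plans one public and one private subnet per Availability Zone and then validates the sort of mistakes that fail at launch time. The VPC range `10.0.0.0/16`, the AZ names and the `/24` prefix are constructed sample values.

```python
from ipaddress import ip_network

# AWS reserves the first four and the last address of every subnet (network address,
# VPC router, DNS, future use, broadcast), so a /24 has 251 usable hosts, not 254.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, availability_zones, new_prefix=24):
    """Carve one public and one private subnet per AZ out of the VPC range.

    Each subnet lives in exactly one AZ. Only the public subnets get a default
    route to the Internet Gateway; private subnets have no Internet route
    (a NAT Gateway would be added separately for outbound-only access).
    """
    vpc = ip_network(vpc_cidr)
    pool = vpc.subnets(new_prefix=new_prefix)  # yields non-overlapping blocks in order
    plan = []
    for az in availability_zones:
        for tier in ("public", "private"):
            block = next(pool)
            plan.append({
                "name": f"{tier}-{az}",
                "az": az,
                "cidr": str(block),
                "usable_hosts": block.num_addresses - AWS_RESERVED_PER_SUBNET,
                "internet_route": "igw" if tier == "public" else None,
            })
    return plan


def validate_plan(vpc_cidr, plan):
    """Return a list of problems (empty means the plan is consistent).

    Two things break at creation time: a subnet CIDR outside the VPC's range,
    and two subnets whose ranges overlap.
    """
    vpc = ip_network(vpc_cidr)
    nets = [(s["name"], ip_network(s["cidr"])) for s in plan]
    problems = []
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is outside VPC {vpc}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} ({a}) overlaps {name_b} ({b})")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a /16 VPC spread over two AZs.
    vpc_range = "10.0.0.0/16"
    layout = plan_subnets(vpc_range, ["us-east-1a", "us-east-1b"])
    for subnet in layout:
        print(subnet)
    print("problems:", validate_plan(vpc_range, layout))
```

Running the block prints four `/24` subnets and an empty problem list; appending a subnet that overlaps an existing one, or one taken from a different range, shows up in `validate_plan` before any API call is made.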

## Security Groups
Security Groups are the foundation of network security in AWS. They act as virtual firewalls that control how traffic is allowed into or out of your EC2 instances.
### Key Features
- Security groups contain allow rules only: inbound traffic is denied by default and outbound traffic is allowed by default.
- Rules can reference:
  - IP addresses (IPv4 or IPv6)
  - Other security groups
- They manage:
  - Inbound traffic: from external sources to the instance
  - Outbound traffic: from the instance to external destinations
Security Groups operate at the instance level and act as a firewall that regulates:
- Access to specific ports
- Authorized IP ranges (IPv4 / IPv6)
### Common Ports to Know
| Port | Protocol | Description |
|---|---|---|
| 22 | SSH | Log into a Linux instance |
| 21 | FTP | Upload files to a file share |
| 22 | SFTP | Upload files securely using SSH |
| 80 | HTTP | Access unsecured websites |
| 443 | HTTPS | Access secured websites |
| 3389 | RDP | Log into a Windows instance |
Tip: By default, all inbound traffic is blocked and all outbound traffic is allowed; you must explicitly allow inbound connections (like SSH or HTTP).
### Security Groups: Good to Know
- Can be attached to multiple instances: a single security group can secure multiple EC2 instances.
- Locked to a Region / VPC: security groups are specific to a Region and VPC; they can't be reused across regions.
- Exist outside the EC2 instance: security groups filter traffic before it reaches the instance. If traffic is blocked, the instance never sees it.
- Best practice: maintain a separate security group for SSH access to simplify management and auditing.

## Referencing Other Security Groups
In AWS, Security Groups can reference other Security Groups instead of using IP addresses. This allows secure communication between specific EC2 instances or tiers (like web → app → database) within your VPC.

### How It Works
- Instead of allowing access from a public IP range (like 0.0.0.0/0), you can specify another Security Group as the source or destination in your rule.
- This means only instances that belong to that referenced Security Group can communicate.
π‘ Example Use Caseβ
| Layer | Security Group | Purpose | Allows Traffic From |
|---|---|---|---|
| Web Tier | SG-Web | Hosts public web servers | 0.0.0.0/0 (Internet) |
| App Tier | SG-App | Runs backend application servers | SG-Web |
| DB Tier | SG-DB | Hosts databases | SG-App |
Here:
- Web servers can reach App servers,
- App servers can reach Databases,
- But Web servers cannot directly reach Databases.
### Benefits
- Enhanced security: avoids exposing internal layers to the internet.
- Dynamic: if new instances join the referenced group, rules automatically apply.
- Simplifies management: no need to update IPs when instances change.
Example Rule:
Allow inbound traffic on port 3306 (MySQL) from security group SG-App.
This means only EC2 instances in SG-App can connect to the database instance.
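The evaluation rules described in the Key Features section (allow rules only, inbound denied by default, outbound allowed by default) and the three-tier layout above can be expressed as a small rule evaluator. The following is an added example written for these notes; it is not AWS code and it models security group semantics rather than calling any API. The group ids `sg-web`, `sg-app` and `sg-db`, the admin range `198.51.100.0/24`, the application port 8080 and all peer addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule. There are no deny rules: anything not matched is dropped."""
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int  # start of port range (ignored when protocol is "-1")
    to_port: int    # end of port range, inclusive
    source: str     # CIDR ("0.0.0.0/0", "2001:db8::/32") or another group's id ("sg-app")


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)  # empty list = inbound denied by default
    # Outbound mirrors the AWS default: everything allowed until you remove these rules.
    outbound: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0"),
                                                   Rule("-1", 0, 65535, "::/0")])


def _matches(rule, protocol, port, peer_ip, peer_groups):
    """True if this rule permits protocol/port traffic from a peer with this IP and these groups."""
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.source.startswith("sg-"):
        # Group reference: the peer qualifies by membership, whatever its IP happens to be.
        return rule.source in peer_groups
    # CIDR source. IPv4 and IPv6 are separate address families: 0.0.0.0/0 never matches
    # an IPv6 peer, which needs an explicit ::/0 (or narrower IPv6) rule.
    return ip_address(peer_ip) in ip_network(rule.source)


def inbound_allowed(group, protocol, port, peer_ip, peer_groups=frozenset()):
    """Default deny: permitted only when at least one inbound rule matches."""
    return any(_matches(r, protocol, port, peer_ip, peer_groups) for r in group.inbound)


def outbound_allowed(group, protocol, port, peer_ip, peer_groups=frozenset()):
    return any(_matches(r, protocol, port, peer_ip, peer_groups) for r in group.outbound)


# Constructed three-tier layout: Internet -> SG-Web -> SG-App -> SG-DB.
ADMIN_CIDR = "198.51.100.0/24"  # constructed: the only range allowed to SSH to web servers
SG_WEB = SecurityGroup("sg-web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0"),
                                          Rule("tcp", 22, 22, ADMIN_CIDR)])
SG_APP = SecurityGroup("sg-app", inbound=[Rule("tcp", 8080, 8080, "sg-web")])
SG_DB = SecurityGroup("sg-db", inbound=[Rule("tcp", 3306, 3306, "sg-app")])
GROUPS = {g.group_id: g for g in (SG_WEB, SG_APP, SG_DB)}


def connection_allowed(src_groups, src_ip, dst_group_id, protocol, port, dst_ip="10.0.2.10"):
    """Evaluate a NEW connection from a source to an instance in dst_group_id.

    The sender's outbound rules (any of its groups) and the receiver's inbound rules must
    both allow it. Security groups are stateful, so the reply needs no rule of its own.
    src_groups is empty for a peer outside the VPC, such as the Internet.
    """
    src_groups = frozenset(src_groups)
    if src_groups and not any(outbound_allowed(GROUPS[g], protocol, port, dst_ip,
                                               frozenset({dst_group_id}))
                              for g in src_groups):
        return False
    return inbound_allowed(GROUPS[dst_group_id], protocol, port, src_ip, src_groups)


if __name__ == "__main__":
    cases = [
        ("internet -> web:443", [], "203.0.113.5", "sg-web", 443),
        ("internet -> web:22", [], "203.0.113.5", "sg-web", 22),
        ("admin -> web:22", [], "198.51.100.10", "sg-web", 22),
        ("web -> app:8080", ["sg-web"], "10.0.1.10", "sg-app", 8080),
        ("web -> db:3306", ["sg-web"], "10.0.1.10", "sg-db", 3306),
        ("app -> db:3306", ["sg-app"], "10.0.2.10", "sg-db", 3306),
        ("internet -> db:3306", [], "203.0.113.5", "sg-db", 3306),
        ("ipv6 client -> web:443", [], "2001:db8::1", "sg-web", 443),
    ]
    for label, groups, ip, dst, port in cases:
        print(f"{label:24} {'ALLOW' if connection_allowed(groups, ip, dst, 'tcp', port) else 'DENY'}")
```

Two things worth noticing in the output: the web tier cannot open port 3306 on the database even though it sits inside the VPC, because SG-DB only references SG-App; and the IPv6 client is denied on 443 because the `0.0.0.0/0` rule covers IPv4 only, which is the usual reason a "works over IPv4, times out over IPv6" report traces back to a security group.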
## Troubleshooting Tips
| Problem | Likely Cause |
|---|---|
| Application times out | Security group blocking incoming traffic |
| Application shows "connection refused" | Application not running or internal app error |