Note
The Outbound rules tab shows exactly the same fields as the Inbound rules tab; the difference is that its rules apply to traffic leaving the resource associated with the security group rather than traffic coming into it.
Table 10.1 presents a quick comparison between how NACLs and security groups operate:

| Security Method | Operates At | Rule Types | State | Rule Processing |
| --- | --- | --- | --- | --- |
| NACLs | Subnet level | Allow/Deny | Stateless | Rules are read in ascending order until a match is found |
| Security groups | Resource level | Allow | Stateful | All rules are evaluated before a decision is made |

Table 10.1: Comparison of security groups versus NACLs
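The two rows of Table 10.1 describe very different evaluation models, and the practical consequences are easiest to see by simulating them. The following Python is an added example, not code from the book or from AWS: it models a NACL as an ordered, stateless, first-match list and a security group as an allow-only, stateful rule set, then runs the same constructed HTTPS request and reply through both. The traffic, rule numbers and CIDRs are made up, and the connection table is a simplified (peer, protocol) key rather than a real 5-tuple.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample traffic: an HTTPS request from an internet client to an
# instance, and the instance's reply back to the client's ephemeral port.
REQUEST = {"direction": "inbound", "proto": "tcp", "port": 443, "peer": "203.0.113.10"}
REPLY = {"direction": "outbound", "proto": "tcp", "port": 49152, "peer": "203.0.113.10"}


@dataclass
class NaclRule:
    number: int            # NACL rules are read in ascending number order
    direction: str         # "inbound" or "outbound"
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str            # "allow" or "deny"


@dataclass
class SgRule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str              # security groups have allow rules only, so no action field


def _matches(rule, packet):
    """Shared predicate: direction, protocol, port range and CIDR all have to match."""
    return (rule.direction == packet["direction"]
            and rule.proto in ("all", packet["proto"])
            and rule.port_from <= packet["port"] <= rule.port_to
            and ipaddress.ip_address(packet["peer"]) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, packet):
    """Stateless, first match wins: walk rules by ascending number and stop at the
    first match; the implicit final rule (*) denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    rules: list
    # Simplified connection table keyed by (peer, proto); real connection tracking
    # uses the full 5-tuple, which is omitted here to keep the example short.
    tracked: set = field(default_factory=set)

    def decision(self, packet):
        """Stateful, allow-only: return traffic for a tracked connection is allowed
        without needing a rule; otherwise every rule is evaluated and any match allows."""
        flow = (packet["peer"], packet["proto"])
        if flow in self.tracked:
            return "allow"
        if any(_matches(rule, packet) for rule in self.rules):
            self.tracked.add(flow)
            return "allow"
        return "deny"


def nacl_without_ephemeral_rule():
    """Inbound 443 is allowed, but no outbound rule covers the client's ephemeral port,
    so the reply is dropped even though the request was accepted."""
    rules = [
        NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
        NaclRule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    ]
    return nacl_decision(rules, REQUEST), nacl_decision(rules, REPLY)   # ("allow", "deny")


def nacl_with_ephemeral_rule():
    """Same NACL with an explicit outbound rule for ephemeral ports: both directions pass."""
    rules = [
        NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
        NaclRule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    ]
    return nacl_decision(rules, REQUEST), nacl_decision(rules, REPLY)   # ("allow", "allow")


def nacl_deny_shadows_allow():
    """Rule 50 denies the client's range before rule 100 can allow it; ordering decides."""
    rules = [
        NaclRule(50, "inbound", "tcp", 0, 65535, "203.0.113.0/24", "deny"),
        NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    ]
    return nacl_decision(rules, REQUEST)   # "deny"


def security_group_stateful():
    """One inbound allow rule and no outbound rule at all: the reply still passes."""
    sg = SecurityGroup(rules=[SgRule("inbound", "tcp", 443, 443, "0.0.0.0/0")])
    return sg.decision(REQUEST), sg.decision(REPLY)   # ("allow", "allow")


if __name__ == "__main__":
    print("NACL, no ephemeral rule:", nacl_without_ephemeral_rule())
    print("NACL, ephemeral rule:   ", nacl_with_ephemeral_rule())
    print("NACL, deny before allow:", nacl_deny_shadows_allow())
    print("Security group:         ", security_group_stateful())
```

The first two functions show why stateless NACLs need explicit ephemeral-port rules in the opposite direction; the third shows why a low-numbered deny rule can silently override an allow that appears later in the list. The security group needs neither, because the reply is matched against the tracked connection rather than against a rule.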
Now that you have a better understanding of security groups and how to navigate them in the VPC services section of the Management Console, you are ready to take a deeper look at subnets and when to use public versus private subnets.
Subnets are an essential tool for network administrators to manage large networks. Subnetting is achieved by dividing a network into smaller network segments, each with its unique network address and subnet mask. The subnet mask defines the network and host portions of the IP address, allowing the network to determine which devices are on the same network and which require routing.
Dividing a larger network into smaller subnets also enhances security: subnets isolate different parts of the network from one another and give finer control over access to network resources, which helps prevent unauthorized access to sensitive data or systems.
Figure 10.23: Subnets dividing a larger /16 CIDR range
A public subnet should be used for resources that must be reachable from the internet. A private subnet should be used for resources that must not be reachable from the public internet.
Sometimes, you need to allow those outside your AWS network access to a limited number of resources in your account. These could be situations such as customers accessing an e-commerce platform or a specific API call to gain access to data. The situation could even be as specific as a trusted team member entering the network to perform a task, even though their source address is outside both the AWS network and the corporate network.
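The subnetting paragraphs above and the public-versus-private distinction both come down to two mechanical facts: the mask decides which bits are network and which are host, and the route table attached to a subnet decides whether it is public. The following Python is an added example, not code from the book or from AWS: it carves a /16 VPC range into /24 subnets as in Figure 10.23, works out the network and host portions of an address, and classifies each subnet as public or private from its route table. The VPC range, subnet layout and gateway identifiers (`igw-EXAMPLE`, `nat-EXAMPLE`) are constructed placeholders; the five reserved addresses per subnet are AWS behaviour, not something taken from this chapter.

```python
import ipaddress

# Constructed sample: a VPC /16 carved into /24 subnets, with the route table
# attached to each subnet. All identifiers are made-up placeholders.
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    "rtb-public": {
        "subnets": ["10.0.0.0/24", "10.0.1.0/24"],
        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    },
    "rtb-private": {
        "subnets": ["10.0.10.0/24", "10.0.11.0/24"],
        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
    },
}

# AWS reserves the network address, the VPC router (+1), DNS (+2), one for
# future use (+3) and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5


def carve(vpc_cidr, new_prefix):
    """Split the VPC range into equal-sized subnets of the given prefix length."""
    return [str(n) for n in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)]


def usable_hosts(subnet_cidr):
    """Host addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def network_and_host(ip, subnet_cidr):
    """Apply the subnet mask: return (network address, host number) for the IP."""
    net = ipaddress.ip_network(subnet_cidr)
    addr = int(ipaddress.ip_address(ip))
    mask = int(net.netmask)
    return str(ipaddress.ip_address(addr & mask)), addr & ~mask & 0xFFFFFFFF


def subnet_of(ip, subnets):
    """Return the subnet that contains the address, or None if it is in none of them."""
    for cidr in subnets:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return cidr
    return None


def classify_subnets(route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway;
    anything else (a NAT gateway, or no default route at all) makes it private."""
    result = {}
    for rtb in route_tables.values():
        is_public = any(dest == "0.0.0.0/0" and target.startswith("igw-")
                        for dest, target in rtb["routes"])
        for cidr in rtb["subnets"]:
            result[cidr] = "public" if is_public else "private"
    return result


if __name__ == "__main__":
    subnets = carve(VPC_CIDR, 24)
    print(f"{VPC_CIDR} -> {len(subnets)} /24 subnets, {usable_hosts(subnets[0])} usable hosts each")
    print("10.0.1.37 is host", network_and_host("10.0.1.37", "10.0.1.0/24")[1], "in 10.0.1.0/24")
    for cidr, kind in classify_subnets(ROUTE_TABLES).items():
        print(f"{cidr}: {kind}")
```

Running `classify_subnets` over real `describe-route-tables` output is a cheap audit: any subnet that is meant to hold internal-only resources but comes back as `public` has a route to an internet gateway that should not be there. Note that an instance in a public subnet is only reachable from the internet if it also has a public or Elastic IP; the route is necessary but not sufficient.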
The following are some use cases for public subnets in AWS: