How to do it...

We can create an NACL with no SSH permission as follows:

  1. Go to VPC service in the console.
  2. Click on Network ACLs on the left sidebar.
  3. Click on the NACL for our custom VPC and check its subnet associations. This should contain all the subnets of our VPC that are not associated with any other NACL.
  4. Click on Create network ACL at the top of the page.
  5. Provide a name in the Name tag field and select our custom VPC from the dropdown for the VPC field:

  6. Click on Create to create the NACL. If we go to the NACL list, we will see that our new NACL doesn't have any subnets associated with it:

  7. Select our new NACL and verify the inbound and outbound rules of the new NACL from its Inbound Rules and Outbound Rules tabs, respectively.

The inbound rules should be as follows:

The outbound rules should be as follows:

  8. Click on the Subnet associations tab.
  9. Click on Edit subnet associations.
  10. Select our public subnet and click Edit.
  11. Select our new NACL and check its subnet associations. Our public subnet should now be associated with it:

  12. Try to SSH into our public EC2 instance. The exact command or steps may differ between operating systems. On macOS and most Linux systems, we can use the SSH command, as follows:
    ssh -i aws-sec-cb-demo-kp.pem [email protected]

The operation should time out, as shown in the following screenshot:

We can add SSH support to our NACL as follows:

  1. Go back to the VPC Dashboard, click on Network ACLs from the left sidebar, and select our NACL.
  2. Click on Inbound Rules.
  3. Click on Edit inbound rules.
  4. Click on Add Rule.
  5. Enter Rule # as 100, set Type to SSH(22), leave Source as 0.0.0.0/0, set Allow/Deny to Allow, and click on Save:

We have already restricted the security group so that it only allows SSH from our IP. You may also explicitly specify our IP here for more restrictive access control.

If we try to SSH into the EC2 instance now, the SSH will fail as we have not enabled the ephemeral ports for outbound traffic.

  6. Click on Outbound Rules.
  7. Click on Edit outbound rules.
  8. Click on Add Rule.
  9. Enter Rule # as 100, set Type to Custom TCP Rule, set Port Range to 1024 - 65535, set Allow/Deny to Allow, set Destination to 0.0.0.0/0, and click on Save:

  10. Try to SSH into our public EC2 instance. The exact command or steps may differ between operating systems. On macOS and most Linux systems, we can use the SSH command, as follows:
    ssh -i aws-sec-cb-demo-kp.pem [email protected]

Now, we should be able to SSH successfully.

In this recipe, we only added one inbound rule and one outbound rule. You can add more rules as required.
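As an added example that is not the book's own code, the Python below models stateless NACL evaluation for the rules built in this recipe (rule 100 inbound SSH(22), rule 100 outbound TCP 1024-65535) and shows why the SSH attempt hangs until the outbound ephemeral-port rule exists. The client address and the office CIDR used for the tightened variant are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; first match wins
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all traffic)
    port_from: int   # destination port range (ignored when protocol is "-1")
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, dst_port, peer_ip):
    """Lowest-numbered matching rule decides; nothing matching means deny.
    NACLs are stateless, so each direction is judged on its own packet."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.protocol != "-1" and r.protocol != protocol:
            continue
        if r.protocol != "-1" and not (r.port_from <= dst_port <= r.port_to):
            continue
        if ip_address(peer_ip) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"  # the implicit "*" rule at the bottom of every NACL

def ssh_session_allowed(inbound, outbound, client_ip, client_port=51234):
    """SSH needs the SYN in (to port 22) AND the reply out (to the client's
    ephemeral port); without the outbound rule the handshake never completes."""
    syn_in = evaluate(inbound, "tcp", 22, client_ip)
    reply_out = evaluate(outbound, "tcp", client_port, client_ip)
    return syn_in == "allow" and reply_out == "allow"

# Constructed rule sets mirroring the three states the recipe walks through.
SSH_IN = Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")             # inbound rule 100
EPHEMERAL_OUT = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")  # outbound rule 100
CLIENT = "203.0.113.10"  # constructed client address (documentation range)

def new_nacl():            # freshly created custom NACL: no rules, everything hits "*"
    return ssh_session_allowed([], [], CLIENT)

def inbound_only():        # inbound SSH rule present, no outbound rule yet
    return ssh_session_allowed([SSH_IN], [], CLIENT)

def inbound_and_ephemeral():
    return ssh_session_allowed([SSH_IN], [EPHEMERAL_OUT], CLIENT)

def restricted_to_office(client_ip):  # the "specify our IP" tightening from the recipe
    office_only = Rule(100, "tcp", 22, 22, "203.0.113.0/24", "allow")  # constructed CIDR
    return ssh_session_allowed([office_only], [EPHEMERAL_OUT], client_ip)
```

Because the check is per direction, a deny-all NACL and an inbound-only NACL both fail the session, which is the timeout seen in the recipe.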
