AWS EC2 - Networking and Security
Today let's look at some of the EC2 features related to networking and security.
Networking:
1. Elastic IP address
Elastic IPs are static public IPv4 addresses designed for dynamic cloud computing. An EIP is allocated to your AWS account and can then be associated with an EC2 instance (or with a network interface). The address stays with a stopped instance when it is started again; if the instance is terminated, the EIP is disassociated but remains allocated to your account, so the address itself is not lost. An EIP can be disassociated from one instance and re-associated with another quickly, which is useful for failover and for cases where the other side allowlists your IP address.
Historically, an EIP was free while associated with a running instance and charged only when idle or attached to a stopped instance, to discourage hoarding; since February 2024 AWS bills for every public IPv4 address, EIPs included, whether in use or not, so idle EIPs should still be released. Associating an EIP replaces the auto-assigned public IP of the instance, giving you control over the public address your instance uses. An EIP is scoped to a region and can be moved between instances in different Availability Zones within that region, which gives flexibility when deploying across multiple zones.
2. Elastic Network Interfaces(ENI)
ENIs are virtual network interfaces in a VPC that can be attached to an instance. Every instance has a primary ENI that cannot be detached; additional ENIs can be attached for network management purposes, for example to separate management traffic from application traffic. An ENI carries its private IP addresses, MAC address, and security groups with it, so by detaching it from a failed instance and attaching it to a standby instance in the same Availability Zone you can recover quickly while keeping the same network identity. Each ENI has its own security groups, which lets you isolate and control traffic separately for different applications running on the same instance.
3. Security Groups:
Security groups act as virtual firewalls that control inbound and outbound traffic to instances (more precisely, to their network interfaces). They contain allow rules only; anything not explicitly allowed is dropped. They are stateful: if an incoming request from an IP address is allowed, the response to that request is automatically allowed regardless of the outbound rules, and the same holds in the other direction. An instance can be assigned one or more security groups, and their rules are combined, so you can tailor access for the different applications or services running in your AWS environment.
4. Virtual Private Cloud:
VPC allows you to launch resources into a virtual network that you define. You can create a private, isolated network environment for EC2 instances, with control over the IP address ranges, subnets, route tables, and gateways, which improves security and gives you control over the network configuration.
Security:
1. IAM Roles:
An IAM role attached to an EC2 instance (through an instance profile) gives the instance temporary credentials to access AWS resources and services, instead of long-lived access keys. When an instance is launched, you can specify the role to associate with it; the instance retrieves short-lived credentials for that role from the Instance Metadata Service (IMDS), and the AWS SDKs and CLI pick them up automatically, so nothing has to be stored or rotated by hand. A role can also be attached to, or replaced on, a running instance. The role's permission policies can be modified at any time, and because permissions are evaluated on each request, the change applies to the instance without a restart, giving flexible and dynamic access control.
By using IAM roles you avoid embedding credentials in application code or configuration files, which reduces the risk of credential exposure. The credentials are still reachable from inside the instance through IMDS, so require IMDSv2 (HttpTokens=required in the instance metadata options) so that an SSRF bug or a proxy running on the instance cannot fetch them with a plain GET request.
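As an added example, not code from the original post, the following Python performs the IMDSv2 credential retrieval an instance does (token via PUT, then metadata GETs carrying the token) against a constructed fake IMDS served on loopback so that it runs offline. The role name, token and credential values are made up; the real endpoint address and header names are the documented ones. The tokenless probe shows what an SSRF that can only issue GET requests sees once IMDSv2 is required.

```python
"""Fetch an instance's temporary role credentials over IMDSv2, the way the
AWS SDKs do, and show why the session token matters.

IMDSv2 is session-oriented: the client first obtains a token with a PUT
request carrying a TTL header, then presents that token on every metadata
GET. A typical SSRF bug can only make GET requests without custom headers,
so with HttpTokens=required it cannot reach the credentials.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_URL = "http://169.254.169.254"          # the real link-local endpoint
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def get_imds_token(base_url=IMDS_URL, ttl_seconds=21600, timeout=2):
    """Step 1 of IMDSv2: PUT /latest/api/token with a TTL header."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def get_role_credentials(base_url=IMDS_URL, timeout=2):
    """Step 2: list the attached role, then fetch its temporary credentials."""
    headers = {TOKEN_HEADER: get_imds_token(base_url, timeout=timeout)}
    req = urllib.request.Request(base_url + CREDS_PATH, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        role_name = resp.read().decode().splitlines()[0].strip()
    req = urllib.request.Request(base_url + CREDS_PATH + role_name, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def probe_without_token(base_url=IMDS_URL, timeout=2):
    """What a GET-only SSRF sees: the HTTP status of a tokenless request."""
    try:
        with urllib.request.urlopen(base_url + CREDS_PATH, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


# ---- A local stand-in for IMDS so the flow can be exercised offline. ----
# Everything below is constructed test data, not a real role or credential.
FAKE_TOKEN = "AQAAA-constructed-session-token"
FAKE_ROLE = "web-app-role"
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLE000000001",
              "SecretAccessKey": "constructed-secret-not-a-real-key",
              "Token": "constructed-session-token",
              "Expiration": "2030-01-01T00:00:00Z"}


class FakeIMDSv2(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TOKEN_TTL_HEADER):
            return self._reply(200, FAKE_TOKEN.encode())
        self._reply(400)

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            return self._reply(401)      # IMDSv2-only mode: no token, no metadata
        if self.path == CREDS_PATH:
            return self._reply(200, FAKE_ROLE.encode())
        if self.path == CREDS_PATH + FAKE_ROLE:
            return self._reply(200, json.dumps(FAKE_CREDS).encode())
        self._reply(404)


def start_fake_imds():
    """Serve the fake IMDS on a loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    url = start_fake_imds()
    print("tokenless GET ->", probe_without_token(url))
    print("IMDSv2 flow   ->", get_role_credentials(url)["AccessKeyId"])
```

Against a real instance you would drop the fake server and call `get_role_credentials()` with the default URL; the SDKs do exactly this, and they also refresh the credentials before the `Expiration` timestamp.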
2. Security Groups and NACLs:
Security groups control traffic at the instance (network interface) level. They are stateful, contain allow rules only, and deny everything that is not explicitly allowed; a new security group starts with no inbound rules and one outbound rule allowing all traffic. Network ACLs control traffic at the subnet level. They are stateless, so return traffic must be allowed explicitly (typically on the ephemeral port range), and their numbered rules are evaluated in ascending order with the first match winning and an implicit deny at the end. A custom NACL denies all traffic until rules are added, while the default NACL of a VPC allows all traffic. NACLs can contain deny rules, which security groups cannot, so they provide an additional layer of defense applied to whole subnets, for example to block a known-bad address range.
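As an added example, not part of the original post, the following Python simulates how a stateful security group and a stateless NACL treat one HTTPS request and its reply. The addresses, rule numbers and rule sets are constructed. It shows the ephemeral-port return rule a NACL needs (and a security group does not), and a NACL deny rule that takes effect because it is numbered before the allow.

```python
"""Simulate a stateful security group versus a stateless network ACL for
one TCP request/response pair, to show why NACLs need an explicit rule for
the ephemeral-port return traffic and why rule ordering matters.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "inbound" or "outbound", relative to the instance


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also carry "deny"; security groups allow only
    number: int = 0         # NACL evaluation order; unused for security groups

    def matches(self, pkt: Packet) -> bool:
        # The CIDR describes the remote side: source for inbound, destination for outbound.
        remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        return (self.direction == pkt.direction
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
                and self.port_from <= pkt.dst_port <= self.port_to)


class SecurityGroup:
    """Allow-only rule set with connection tracking (stateful)."""

    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "security groups have no deny rules"
        self.rules = list(rules)
        self._flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def evaluate(self, pkt: Packet) -> str:
        if pkt.direction == "inbound":
            flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        else:
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self._flows:
            return "allow"  # reply on a tracked connection; rules are not consulted
        if any(r.matches(pkt) for r in self.rules):
            self._flows.add(flow)
            return "allow"
        return "deny"       # implicit default deny


class NetworkACL:
    """Numbered allow/deny rules, lowest number first, first match wins, no state."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"       # the implicit final "*" deny rule


# Constructed scenario: a client on the internet talks HTTPS to an instance.
INSTANCE, CLIENT = "10.0.1.10", "203.0.113.5"
REQUEST = Packet(CLIENT, INSTANCE, 51000, 443, "inbound")
REPLY = Packet(INSTANCE, CLIENT, 443, 51000, "outbound")


def run_scenario():
    """Return (request verdict, reply verdict) for each filter variant."""
    sg = SecurityGroup([Rule("inbound", "0.0.0.0/0", 443, 443)])   # no outbound rule at all
    naive_nacl = NetworkACL([
        Rule("inbound", "0.0.0.0/0", 443, 443, number=100),
        Rule("outbound", "0.0.0.0/0", 443, 443, number=100),         # mirrors inbound; wrong for replies
    ])
    fixed_nacl = NetworkACL(naive_nacl.rules + [
        Rule("outbound", "0.0.0.0/0", 1024, 65535, number=110),      # ephemeral return ports
    ])
    blocklist_nacl = NetworkACL(fixed_nacl.rules + [
        Rule("inbound", "203.0.113.0/24", 0, 65535, "deny", number=90),  # numbered before the allow
    ])
    return {
        "sg": (sg.evaluate(REQUEST), sg.evaluate(REPLY)),
        "naive_nacl": (naive_nacl.evaluate(REQUEST), naive_nacl.evaluate(REPLY)),
        "fixed_nacl": (fixed_nacl.evaluate(REQUEST), fixed_nacl.evaluate(REPLY)),
        "blocklist_nacl": (blocklist_nacl.evaluate(REQUEST), blocklist_nacl.evaluate(REPLY)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15s} request={verdict[0]:5s} reply={verdict[1]}")
```

The security group passes the reply with no outbound rule because it tracks the connection; the NACL that simply mirrors the inbound rule drops the reply on port 51000 until an outbound rule for the ephemeral range is added. The blocklist variant denies the request even though rule 100 would allow it, because rule 90 is evaluated first; its reply is still judged on its own, since the NACL keeps no state.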
3. Data Encryption:
EBS volumes can be encrypted to protect data at rest, so that sensitive information stored on them remains confidential if the underlying storage is accessed. Encryption uses AWS KMS keys (the AWS-managed default key or a customer-managed key) and covers the volume, its snapshots, volumes created from those snapshots, and the data moving between the instance and the volume. You can turn on encryption by default for a region so that every new volume is encrypted. Note that encryption does not stop a principal who can attach the volume to an instance and is allowed to use the key; that path is governed by IAM permissions and the key policy.
To summarize, EC2 networking and security features provide the foundation for building secure, isolated and scalable environments within AWS, letting you configure and manage network resources and control access to EC2 instances effectively.
Written by Roopa Rani Mathew