AWS Networking - NACL Configuration for Web Server Hosting on EC2 Instance
Question
You have a web server hosted on an EC2 Instance.
The subnet hosting the EC2 Instance has the following NACL attached INBOUND RULES: Rule # Type Protocol Port Range Source Allow / Deny 100 HTTP(80) TCP(6) 80 0.0.0.0/0 ALLOW 101 HTTPS(443) TCP(6) 443 0.0.0.0/0 ALLOW OUTBOUND RULES: Rule # TYPE Protocol Port Range Destination Allow / Deny 200 HTTP(80) TCP(6) 80 0.0.0.0/0 ALLOW 201 HTTPS(443) TCP(6) 443 0.0.0.0/0 DENY 1000 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW * ALL Traffic ALL ALL 0.0.0.0/0 DENY What happens when a request comes from the internet to the webserver on port 80?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - A.
Rules are evaluated starting with the lowest numbered rule.
As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.
Hence when the request comes from the internet , Rule no 100 will match for the port 80 request.
As a packet comes to the subnet, we evaluate it against the ingress rules of the ACL the subnet is associated with (starting at the top of the list of rules, and moving to the bottom)
Here's how the evaluation goes if the packet is destined for the SSL port (443)
The packet doesn't match the first rule evaluated (rule 100)
It does match the second rule (110), which allows the packet into the subnet.
If the packet had been destined for port 139 (NetBIOS), it doesn't match any of the rules, and the * rule ultimately denies the packet.
You might want to add a DENY rule in a situation where you legitimately need to open a wide range of ports, but there are certain ports within that range you want to deny.
Just make sure to place the DENY rule earlier in the table than the rule that allows the wide range of port traffic.
For more information on NACL's please see the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
When a request comes from the internet to the webserver on port 80, the Network Access Control List (NACL) attached to the subnet hosting the EC2 instance will be evaluated to determine whether the request should be allowed or denied.
The NACL has inbound and outbound rules that specify which traffic is allowed or denied to enter or leave the subnet. The inbound rule #100 matches the request, which allows HTTP traffic (protocol TCP(6)) on port 80 from any source IP address (0.0.0.0/0) to enter the subnet. Therefore, the request will be allowed because of Rule no. 100.
Outbound rule #201, on the other hand, denies HTTPS traffic (protocol TCP(6)) on port 443 to leave the subnet to any destination IP address (0.0.0.0/0). However, this rule does not affect inbound traffic coming from the internet to the webserver.
Outbound rule #200 allows HTTP traffic (protocol TCP(6)) on port 80 to leave the subnet to any destination IP address (0.0.0.0/0). This rule does not affect inbound traffic coming from the internet to the webserver.
The default inbound rule #1000 allows all traffic (all protocols and port ranges) from any source IP address (0.0.0.0/0) to enter the subnet. This rule does not affect the incoming HTTP traffic on port 80, as it has already been allowed by rule #100.
The default outbound rule * denies all traffic (all protocols and port ranges) to leave the subnet to any destination IP address (0.0.0.0/0). This rule does not affect the outgoing HTTP traffic on port 80, as it has already been allowed by rule #200.
Therefore, the correct answer is A. The request will be allowed because of Rule no. 100 which matches the request.
