7

I'm new to AWS, and I have an instance on EC2 that I would like to restrict to just the IPs in my home network. What is the difference between the subnets and security groups that are associated with a VPC? From my understanding, it is the security group that does the IP address permissions but I'm not too sure what the subnet accomplishes.

Also, how does the network ACL play into this?

https://i.stack.imgur.com/4KYWT.png

Do I specify the allowed IP addresses in source?

EDIT: VPN information

After thinking about it, instead of whitelisting certain external IP addresses, I wanted to make the EC2 instance only accessible when connected with a VPN. So even computers on my home network wouldn't be able to access it unless using a VPN. Would this require me to set up an OpenVPN server on EC2 that would access a private subnet?

Also, the EC2 instance would require accessing the internet, would that mean it is under a public subnet instead?

Thanks!

sams
  • 101
  • 2
  • 5

2 Answers

5

First Question - Security

Security groups are a firewall that runs on the instance hypervisor. Network ACLs are a firewall that runs on the network. You can use either, or both. In theory a NACL reduces host load, but it's likely negligible.

Security groups are stateful, so return traffic is automatically allowed. NACLs require firewall rules for each direction to be specified, including ephemeral ports. Security groups are therefore easier to use.

In your case I suggest you add a security group rule that allows access from your /32 IP for every protocol you require. The IP goes into the rightmost column.

Second Question - VPN

OpenVPN doesn't change the IP address of anything; it can be thought of as a gateway. Your computer connects to the EC2 instance, which then has any access that the EC2 instance has. If we know what you were trying to achieve with a VPN we may be able to give better advice.

Given your updated requirements, I would probably use an EC2 server in a public subnet as a VPN terminator and NAT instance, and a private EC2 instance in a private subnet. Your NACLs and security groups would be set up to allow outgoing internet access via the NAT but deny incoming connections other than from the VPN instance.

I'm not sure if a single instance can be VPN terminator and NAT. I suspect it can.

Tim
  • 31,888
  • 7
  • 52
  • 78
  • just edited my question to give more details about the VPN. Thanks!! – sams Jun 20 '17 at 22:23
  • I've edited my answer. – Tim Jun 20 '17 at 23:05
  • *"I'm not sure if a single instance can be VPN terminator and NAT. I suspect it can."* Definitely can. Not a good practice for production networks, since one security group then controls both access to the Internet and access to the VPN, but technically quite viable. – Michael - sqlbot Jun 21 '17 at 02:06
  • Thanks Michael. I was mostly thinking around source/destination check, but I think it needs to be disabled for both. I agree that best practice would be to have them separate, it's a risk the owner could accept. – Tim Jun 21 '17 at 02:29
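To make the stateful-versus-stateless point in the answer above concrete, here is a small added model (not AWS code, and not part of the original answer) of how a security group and a network ACL each evaluate one SSH request and its reply. The `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` names are my own; the home address is a constructed value from the RFC 5737 documentation range, and the model deliberately omits the default all-outbound rule a real security group carries so that the connection tracking is what lets the reply through.

```python
"""Toy model of stateful security groups vs. stateless network ACLs.

Added illustration, not AWS code. IPs are constructed from RFC 5737
documentation ranges; class and function names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = toward the instance, "out" = leaving it
    proto: str          # "tcp", "udp", ...
    remote_ip: str      # the non-instance side of the conversation
    remote_port: int
    local_port: int     # port on the instance


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str          # "-1" means any protocol
    port_lo: int
    port_hi: int
    cidr: str
    action: str = "allow"   # NACLs may also "deny"; security groups only allow
    number: int = 0         # NACL rule number; lowest is evaluated first


def _matches(rule, pkt, port):
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "-1")
            and rule.port_lo <= port <= rule.port_hi
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr))


def _rule_port(pkt):
    # Inbound rules name the instance port; outbound rules name the
    # destination port on the remote side.
    return pkt.local_port if pkt.direction == "in" else pkt.remote_port


class SecurityGroup:
    """Stateful: a flow admitted by a rule is remembered, and packets of
    that flow in the other direction pass without any rule of their own."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def allows(self, pkt):
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.flows:
            return True
        if any(_matches(r, pkt, _rule_port(pkt)) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is checked against the ordered rules,
    first match wins, implicit deny at the end. Return traffic needs its
    own rule covering the ephemeral port range."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for r in self.rules:
            if _matches(r, pkt, _rule_port(pkt)):
                return r.action == "allow"
        return False


HOME_IP = "203.0.113.10"          # constructed: RFC 5737 TEST-NET-3
SSH_REQUEST = Packet("in", "tcp", HOME_IP, 51234, 22)
SSH_REPLY = Packet("out", "tcp", HOME_IP, 51234, 22)


def evaluate_ssh(firewall):
    """Return (request_allowed, reply_allowed) for one SSH session."""
    return firewall.allows(SSH_REQUEST), firewall.allows(SSH_REPLY)


def demo():
    """Same single inbound rule, three firewalls; only the NACL that also
    has an outbound ephemeral-port rule lets the SSH reply out."""
    home = f"{HOME_IP}/32"
    sg = SecurityGroup([Rule("in", "tcp", 22, 22, home)])
    nacl_half = NetworkAcl([Rule("in", "tcp", 22, 22, home, number=100)])
    nacl_full = NetworkAcl([
        Rule("in", "tcp", 22, 22, home, number=100),
        Rule("out", "tcp", 1024, 65535, home, number=100),
    ])
    return {
        "security_group": evaluate_ssh(sg),
        "nacl_missing_ephemeral": evaluate_ssh(nacl_half),
        "nacl_with_ephemeral": evaluate_ssh(nacl_full),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: request={result[0]} reply={result[1]}")
```

The `nacl_missing_ephemeral` case is the mistake the answer warns about: the SYN from home is admitted, but the SYN-ACK leaving the instance on the client's ephemeral port has no matching outbound rule and is dropped, so the connection never completes.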
0

Yes, you can add either a single IP address, for example 98.138.253.109/32, or a block of IPs like 98.138.253.0/24 in the source column under the "Inbound Rules" tab as shown in your screenshot.

As per your second question, if you set up OpenVPN on the EC2 instance, you still have to add an inbound rule to allow the VPN port (UDP 1194) to be accessible from everywhere you connect to the EC2 instance from.

Having said that, why do you want to set up a VPN? Just add rules to allow as many networks/IPs as you connect from, which I am sure are finite.

Arul Selvan
  • 1,428
  • 13
  • 11
  • Thanks for the response, actually I think the real thing I need is not whitelisting certain IPs on my home network, but restricting the EC2 instance to only be accessible via a VPN. So would this not have anything to do with a security group? – sams Jun 20 '17 at 22:05
  • @ArulSelvan, please keep [RFC-5737](https://tools.ietf.org/html/rfc5737) in mind when you need "example" IP addresses. – Michael - sqlbot Jun 21 '17 at 02:08
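The answer above puts a /32 or a /24 in the source column and adds a UDP 1194 rule for OpenVPN, and the comment asks for RFC 5737 addresses in examples. The following added helper (mine, not the answerer's and not an AWS SDK function) builds those inbound rules in the `IpPermissions` dictionary shape that boto3's `authorize_security_group_ingress` accepts, without making any AWS call. It normalises a bare address to /32, rejects a source such as `98.138.253.109/24` whose host bits are set (AWS would store the network address and the rule would silently cover the whole /24), and refuses to open an administrative port to `0.0.0.0/0`. The function names, the `ADMIN_PORTS` set and the sample sources (from RFC 5737 TEST-NET-3) are all constructed for the example.

```python
"""Build security-group inbound rules in boto3's IpPermissions shape.

Added illustration; no AWS API call is made. Helper names and sample
addresses (RFC 5737 TEST-NET-3) are constructed for this example.
"""
from ipaddress import IPv4Network, ip_network

# Ports that should never be reachable from the whole Internet (assumption).
ADMIN_PORTS = {22, 3389}


def source_cidr(text):
    """Return a canonical CIDR string for one source.

    A bare address becomes a /32. A prefix with host bits set, such as
    '98.138.253.109/24', raises ValueError instead of being widened to
    the /24 network, which is what the console would quietly do.
    """
    net = ip_network(text, strict=True)     # ValueError if host bits are set
    if not isinstance(net, IPv4Network):
        raise ValueError(f"only IPv4 sources handled here: {text}")
    return str(net)


def inbound_rule(proto, port, sources, description=""):
    """One IpPermissions entry: single port, list of CIDR sources."""
    cidrs = [source_cidr(s) for s in sources]
    if port in ADMIN_PORTS and "0.0.0.0/0" in cidrs:
        raise ValueError(f"refusing to open admin port {port} to 0.0.0.0/0")
    return {
        "IpProtocol": proto,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": description} for c in cidrs],
    }


def home_and_vpn_rules(home_sources, vpn_client_sources):
    """SSH only from the home /32s; OpenVPN's UDP 1194 from wherever the
    VPN clients connect from (the answer's point: that port still needs
    an inbound rule even when everything else sits behind the VPN)."""
    return [
        inbound_rule("tcp", 22, home_sources, "ssh from home"),
        inbound_rule("udp", 1194, vpn_client_sources, "openvpn clients"),
    ]


if __name__ == "__main__":
    import json
    # Constructed sample: one home address, VPN reachable from anywhere.
    rules = home_and_vpn_rules(["203.0.113.10"], ["0.0.0.0/0"])
    print(json.dumps({"IpPermissions": rules}, indent=2))
```

The returned list is what you would pass as `IpPermissions=` to `ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=rules)`; building it through `source_cidr` first means a mistyped prefix fails loudly in your script rather than becoming an over-broad rule in the account.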