Control ports, protocols, and network traffic on AWS

Task Statement 1.2: Design secure workloads and applications.

📘 AWS Certified Solutions Architect – (SAA-C03)


1. Why controlling ports, protocols, and network traffic matters on AWS

In AWS, your applications and workloads communicate over a network. This can be internal (within AWS) or external (to the internet). Controlling which ports, protocols, and traffic are allowed is key to security because:

  • Unrestricted traffic can let attackers reach your systems.
  • You might want only specific services to communicate with each other.
  • Compliance standards require controlling network access.

Think of it as deciding who can talk to your servers and how they can talk.


2. Key AWS concepts for controlling network traffic

AWS provides several tools to manage network traffic. The main ones are:

a) Security Groups (SGs)

  • Acts as a virtual firewall for your EC2 instances (virtual servers).
  • Controls inbound (incoming) and outbound (outgoing) traffic.
  • Works at the instance level.
  • Rules are stateful, which means:
    • If you allow inbound traffic on a port, the response traffic is automatically allowed back.
  • Rules are defined by:
    • Protocol: TCP, UDP, ICMP.
    • Port range: Which port or ports are open.
    • Source/destination: Which IPs or networks can connect.

Example for IT context:

  • You have a web server on EC2.
  • You allow TCP port 80 (HTTP) from any IP (0.0.0.0/0) for users to access your website.
  • You allow TCP port 22 (SSH) only from your corporate office IP so only admins can log in.

b) Network Access Control Lists (NACLs)

  • Another layer of firewall at the subnet level.
  • Controls inbound and outbound traffic.
  • Rules are stateless, meaning:
    • If you allow inbound traffic, you must also allow outbound traffic explicitly.
  • Uses allow and deny rules based on:
    • Protocol, port, IP range.

Key difference from Security Groups:

  • Security Groups = instance level (stateful)
  • NACLs = subnet level (stateless)

Example for IT context:

  • You have a subnet for databases.
  • You deny all inbound traffic except from your application servers’ subnet.
  • Helps prevent direct internet access to databases.
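The stateful/stateless distinction above, worked through in a small evaluation model. This is an added example written for these notes, not AWS code; the rule numbers, the client address 203.0.113.5 and the ephemeral port 49152 are constructed values.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

@dataclass
class Rule:
    number: int     # NACL rule number; lowest matching number wins (use 0 for SGs)
    action: str     # "allow" or "deny" (security groups only ever "allow")
    protocol: str   # "tcp", "udp", "icmp" or "all"
    ports: tuple    # (low, high) inclusive; ignored for icmp/all
    cidr: str       # remote network the rule applies to

def rule_matches(rule, proto, port, remote_ip):
    if rule.protocol not in ("all", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ip_address(remote_ip) in ip_network(rule.cidr)

def nacl_allows(rules, proto, port, remote_ip):
    """Stateless: every packet, replies included, is matched on its own, in
    ascending rule number; the implicit final rule ("*") denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, port, remote_ip):
            return rule.action == "allow"
    return False

class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()   # connections an explicit rule already admitted

    def allows(self, direction, proto, server_port, remote_ip, reply=False):
        """Stateful: the reply to a tracked connection needs no rule of its own."""
        key = (proto, server_port, remote_ip)
        if reply:
            return key in self.tracked
        if any(rule_matches(r, proto, server_port, remote_ip) for r in self.rules[direction]):
            self.tracked.add(key)
            return True
        return False

def web_reply_gets_out(nacl_outbound):
    """Constructed client 203.0.113.5 sends TCP/80; returns (request_ok, reply_ok)."""
    client = "203.0.113.5"
    nacl_inbound = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]
    sg = SecurityGroup([Rule(0, "allow", "tcp", (80, 80), "0.0.0.0/0")], [])
    request_ok = nacl_allows(nacl_inbound, "tcp", 80, client) and sg.allows("in", "tcp", 80, client)
    # Reply goes to the client's ephemeral port: the NACL needs an explicit outbound rule, the SG remembers the flow
    reply_ok = nacl_allows(nacl_outbound, "tcp", 49152, client) and sg.allows("out", "tcp", 80, client, reply=True)
    return request_ok, reply_ok
```

With an empty outbound NACL the request is admitted but the reply is dropped; adding an outbound allow for TCP 1024-65535 fixes it, which is the classic exam trap with stateless NACLs.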

c) VPC Flow Logs

  • Captures information about traffic going in and out of your VPC.
  • Helps you monitor network activity and detect suspicious traffic.
  • Useful for troubleshooting blocked connections or security audits.
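What "checking the logs" looks like in practice, as an added example that is not AWS code: a parser for the default flow log record format plus two checks, run over constructed records. The account id, ENI id, addresses and timestamps are made up.

```python
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}   # IANA protocol numbers

def parse(line):
    """One default-format record -> dict, or None for NODATA/SKIPDATA records."""
    rec = dict(zip(FIELDS, line.split()))
    if len(rec) != len(FIELDS) or rec["log_status"] != "OK":
        return None
    rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
    rec["protocol"] = PROTO.get(rec["protocol"], rec["protocol"])
    return rec

def review(lines, local_ip, expected_ports):
    """Look only at flows arriving at local_ip (replies leaving it carry the
    client's ephemeral port and would otherwise look unexpected). Returns
    (rejected, unexpected): REJECTs explain blocked connections; ACCEPTs to a
    port outside expected_ports are traffic the rules should not have admitted."""
    rejected, unexpected = [], []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dstaddr"] != local_ip:
            continue
        flow = (rec["srcaddr"], rec["protocol"], rec["dstport"])
        if rec["action"] == "REJECT":
            rejected.append(flow)
        elif (rec["protocol"], rec["dstport"]) not in expected_ports:
            unexpected.append(flow)
    return rejected, unexpected

# Constructed records for a web server ENI (10.0.1.10): an accepted HTTPS request
# and its reply, an SSH attempt the security group rejected, a NODATA record, and
# an accepted MySQL connection that a web-tier rule set should never admit.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 443 51234 6 10 5200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.10 40000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 41000 3306 6 8 900 1700000000 1700000060 ACCEPT OK",
]
WEB_PORTS = {("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    print(review(SAMPLE, "10.0.1.10", WEB_PORTS))
```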

d) AWS Firewall Manager

  • Helps centrally manage security policies across multiple AWS accounts.
  • Ensures consistent port/protocol restrictions across large environments.

3. Understanding ports and protocols

To control traffic, you must understand common ports and protocols used in IT:

  Protocol   Port   Usage
  TCP        22     SSH, remote admin to servers
  TCP        80     HTTP, web traffic
  TCP        443    HTTPS, secure web traffic
  TCP        3306   MySQL database
  TCP        1433   Microsoft SQL Server database
  UDP        53     DNS queries
  ICMP       -      Ping, network diagnostics (no port)

Tip for the exam: AWS often asks which port/protocol combination allows a certain type of traffic. Memorize common services.


4. Controlling traffic in AWS: How it works

Step 1: Decide what traffic your application needs

  • Example: A web app:
    • Web users: HTTP/HTTPS (ports 80/443)
    • Admins: SSH (port 22)
    • Database: TCP 3306 (only accessible from web servers)

Step 2: Apply security group rules

  • Inbound: Only allow traffic you need.
  • Outbound: Restrict if necessary (e.g., prevent servers from sending data to the internet).

Step 3: Use NACLs for subnet-level control

  • Add extra protection for sensitive subnets like database or backend servers.

Step 4: Monitor with VPC Flow Logs

  • Check logs for unexpected traffic.
  • Identify and block suspicious patterns.
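The Step 1 requirements written down as a policy and checked against security group rules, as an added example that is not AWS code. The rules use the shape boto3's describe_security_groups returns; the group ids sg-web and sg-db and the office CIDR 198.51.100.0/24 are assumed.

```python
OFFICE_CIDR = "198.51.100.0/24"   # constructed stand-in for the corporate office

def rule(proto, port, cidr=None, group=None):
    """Build one IpPermissions entry the way the EC2 API represents it."""
    perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if group:
        perm["UserIdGroupPairs"].append({"GroupId": group})
    return perm

# Step 1 as policy: for each group, the only inbound (protocol, port) flows it
# may accept and the sources (CIDR or security group id) allowed for each.
POLICY = {
    "sg-web": {("tcp", 80): {"0.0.0.0/0"}, ("tcp", 443): {"0.0.0.0/0"},
               ("tcp", 22): {OFFICE_CIDR}},
    "sg-db": {("tcp", 3306): {"sg-web"}},
}

def audit(groups):
    """Return (group, flow, source) for every inbound rule POLICY does not cover.
    `groups` has the shape of describe_security_groups()["SecurityGroups"]."""
    findings = []
    for g in groups:
        allowed = POLICY.get(g["GroupId"], {})
        for perm in g["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                      [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if perm["IpProtocol"] == "-1":          # "All traffic" carries no ports
                flow, ok = "all traffic", set()
            elif perm["FromPort"] == perm["ToPort"]:
                flow = f'{perm["IpProtocol"]}/{perm["FromPort"]}'
                ok = allowed.get((perm["IpProtocol"], perm["FromPort"]), set())
            else:                                   # a port range is never least privilege here
                flow, ok = f'{perm["IpProtocol"]}/{perm["FromPort"]}-{perm["ToPort"]}', set()
            findings += [(g["GroupId"], flow, src) for src in sources if src not in ok]
    return findings

# The design from Steps 1-2, and a weak variant with the database opened to the world.
GOOD = [
    {"GroupId": "sg-web", "IpPermissions": [rule("tcp", 80, cidr="0.0.0.0/0"),
                                           rule("tcp", 443, cidr="0.0.0.0/0"),
                                           rule("tcp", 22, cidr=OFFICE_CIDR)]},
    {"GroupId": "sg-db", "IpPermissions": [rule("tcp", 3306, group="sg-web")]},
]
WEAK = [{"GroupId": "sg-db", "IpPermissions": [rule("tcp", 3306, cidr="0.0.0.0/0"),
                                              rule("tcp", 3306, group="sg-web")]}]
```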

5. Exam focus points

For the SAA-C03 exam, remember:

  1. Security Groups vs NACLs
    • Security Groups: stateful, instance-level, allow only.
    • NACLs: stateless, subnet-level, allow/deny.
  2. Ports & Protocols
    • Know common TCP/UDP ports (SSH=22, HTTP=80, HTTPS=443, DB ports).
  3. Limiting access
    • Principle of least privilege: Only open ports needed for the workload.
  4. Monitoring & Auditing
    • Use VPC Flow Logs to review traffic and troubleshoot.
  5. Multiple layers
    • Combine Security Groups + NACLs + VPC Flow Logs for defense-in-depth.

6. Easy way to visualize

Think of AWS network controls as layers around your servers:

[Internet] --> [NACL for subnet] --> [Security Group for EC2] --> [Your server/application]
  • Traffic must pass both NACL and Security Group rules to reach your server.
  • VPC Flow Logs record everything passing through the network.

Summary:
To pass this section of the exam:

  • Know Security Groups vs NACLs.
  • Know common ports and protocols.
  • Understand how to allow/restrict inbound and outbound traffic.
  • Be aware of monitoring traffic with VPC Flow Logs.
  • Apply least privilege principle: only open the ports your application needs.