VPC Security Configuration and Traffic Control Optimization
History of VPC:
Before VPC, the applications of different organizations used to be deployed on the same server in a particular availability region. The major problem with this arrangement is security: if one organization's security is not up to the mark and a malware attack happens, the data of every organization hosted on that server is put at risk. To solve this problem, AWS came up with the Virtual Private Cloud, where AWS allocates us a logically separated section of the cloud in which we define the configuration ourselves, such as the IP address range, internet gateway, route tables, and many more settings that keep our workloads secure.
Virtual Private Cloud:
AWS VPC allows users to create a virtual network in the AWS cloud. It provides isolated sections within the cloud where users can launch AWS resources, such as EC2 instances, databases, and Lambda functions, in a logically isolated environment.
VPC allows defining IP address ranges, subnets, route tables, internet gateways, NAT gateways, security groups, network ACLs, and more, providing full control over networking configurations.
Mechanism of AWS VPC:
IP Address Range: When creating a VPC, users define an IP address range using CIDR notation (e.g., 10.0.0.0/16). This range determines the available IP addresses for instances within the VPC.
Subnets: The IP address range of the VPC is divided into subnets across different Availability Zones (AZs) for fault tolerance. Subnets can be public (accessible from the internet) or private (not directly accessible from the internet).
Internet Gateway: To enable internet access for resources within the VPC, an Internet Gateway is attached to the VPC. It allows outbound traffic to the internet and inbound traffic initiated from the internet.
Route Tables: Route tables control the traffic between subnets and to the internet. An Internet Gateway allows resources in public subnets to access the internet, while a NAT Gateway enables outbound internet access for private subnets.
Security Groups and Network ACLs: Security Groups act as virtual firewalls controlling inbound and outbound traffic at the instance level. Network Access Control Lists (NACLs) operate at the subnet level, filtering traffic before it reaches instances.
AWS Security Group and NACL:
Create VPC:
Create an instance and use your custom VPC:
Now we'll use Python to deploy a simple demo server application, and then we'll try accessing it.
python3 -m http.server 8000
Now we can see that our application is working properly and we can easily access it. Currently, we've run our application on port 8000 and added a security group inbound rule for port 8000.
NACL:
As a DevOps engineer, if I want to block port 8000, which the developer added to the security group's inbound rules, I can easily do it using a NACL. So, let's try and see how we can accomplish this task.
Here, we can see in the inbound rules that Rule Number 100 has 'Allow' for all traffic, allowing everyone to access the application.
To block access, we just need to do one thing: edit the inbound rules, set Rule Number 100 to type Custom TCP with port number 8000, and change the 'Allow' option to 'Deny'. Then it will work as intended.
Now refresh the browser again and you'll see that the server is no longer reachable, because as a DevOps engineer I have blocked port 8000 in the NACL configuration. You cannot access it.
Now edit the inbound rules again: for rule number 100, select type All traffic and port range All, and select the Allow option. After that I added another inbound rule, rule number 200, with type Custom TCP, port number 8000 and the Deny option. Finally click the Save changes button.
Now, if you refresh the browser, you'll see that traffic is still being sent, even though I've denied access to port 8000 in the NACL configuration. This happens because NACL operates based on a specific order, using rule numbers. AWS always checks the lowest numbered rule first. So, even after blocking port 8000, we can still access the applications easily.
So it first evaluates rule number 100, which says all traffic is allowed. AWS matches this rule and forwards the request on to the Security Group. In the Security Group, port 8000 is also allowed, so the request reaches the application directly.
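To make the ordering rule concrete, here is a small Python model of NACL evaluation. It is an added example, not code from the article or from AWS, that replays the two configurations above (rule 100 deny, then rule 100 allow-all plus rule 200 deny) and adds a third ordering that actually blocks port 8000; the rule class, the helper names and the source IP 203.0.113.7 are my own constructions.

```python
# Added example, not from the original article: a small model of how AWS
# evaluates network ACL rules, used to replay the two configurations above.
# Rules are checked in ascending rule-number order and the first match wins;
# the implicit final "*" rule denies anything no numbered rule matched.
from dataclasses import dataclass

@dataclass
class NaclRule:
    number: int      # evaluated lowest number first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    from_port: int   # inclusive port range, ignored when protocol == "all"
    to_port: int
    cidr: str        # source CIDR for an inbound rule
    action: str      # "allow" or "deny"

def cidr_contains(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr (IPv4 only, no external dependencies)."""
    net, bits = cidr.split("/")
    as_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return as_int(net) & mask == as_int(ip) & mask

def nacl_decision(rules, src_ip: str, protocol: str, port: int):
    """Return (action, rule number); rule number None means the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.from_port <= port <= rule.to_port:
            continue
        if not cidr_contains(rule.cidr, src_ip):
            continue
        return rule.action, rule.number   # first match wins, later rules ignored
    return "deny", None                    # implicit "*" deny

# Article step 1: rule 100 itself changed to deny TCP 8000 -> request blocked.
BLOCKED = [NaclRule(100, "tcp", 8000, 8000, "0.0.0.0/0", "deny")]

# Article step 2: rule 100 allows all, rule 200 denies TCP 8000.
# Rule 200 is never reached, so the request is still allowed.
SHADOWED = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),
            NaclRule(200, "tcp", 8000, 8000, "0.0.0.0/0", "deny")]

# Corrected ordering (my addition): the specific deny gets the lower number.
FIXED = [NaclRule(100, "tcp", 8000, 8000, "0.0.0.0/0", "deny"),
         NaclRule(200, "all", 0, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    for name, rules in (("blocked", BLOCKED), ("shadowed", SHADOWED), ("fixed", FIXED)):
        print(name, nacl_decision(rules, "203.0.113.7", "tcp", 8000))
```

The same evaluator shows why a deny for a source CIDR, as discussed below, must also sit at a lower rule number than any broad allow.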
DevOps or network engineers might have blocked a specific port like this due to security concerns. It's not just about ports; you can experiment with other things like IP addresses. Let's say you are worried about some IP address range coming from XYZ country: you can block traffic coming from the 3.4.5.6 range.
Or, if you know the specific IPs, you can block ranges like x.x.0.0. You can block by IP address or by port range. You can play around with NACL and security group configurations.