00:00:00,100 --> 00:00:53,713
Okay, so this is going to be more a lecture around network discussion and security, but very important because I want you to really understand what goes on when a request comes from the clients and goes all the way to your application. So sometimes we may want to block an IP address from a client because it's going to be a bad actor, maybe it's trying to access our application, and so we want to know the lines of defense. So let's start from this very simple solution architecture in which we have an EC2 Instance, in a security group, in a VPC, and that instance has a public IP so it is publicly accessible, and this is how our clients get into our EC2 Instance. So say you wanted to block that client, the first line of defense would be the network ACL in our VPC, which is at a VPC level, and in this network ACL, we can create a deny rule for this client IP address, very simple, very quick, very cheap, and the client will just be ejected.

00:00:54,580 --> 00:01:45,650
Then for the security group of the EC2 Instance we cannot have deny rules, we can only have allow rules, so if we know that only a subset of authorized clients can access our EC2 Instance, then it is good in our security group to just define a subset of IPs to allow into our EC2 Instance. But if our application is global we obviously don't know all the IP addresses that will access our application, and so the security group here will not be very helpful. Finally, you could run an optional firewall software on your EC2 to block from within your software the request from the client. Now obviously, if the request has already reached your EC2 Instance, then it will have to be processed and it will be a CPU cost to process that request. So it's a very simple use case but we see already the difference between a NACL, a security group and a host firewall.

00:01:45,650 --> 00:02:46,020
Now let's push this one step further, we introduce an Application Load Balancer, so again this ALB is defined within our VPC and we still have our EC2 Instance, but now we have two security groups; we have the ALB security group and we have the EC2 security group. And so in this case our Load Balancer in this architecture is going to be in between our clients and our EC2 and it will do something called Connection Termination. So the client actually connects to the ALB, which will terminate the connection and initiate a new connection from the ALB into our EC2 Instance. In this case, our EC2 security group must be configured to allow the security group of the ALB, because the EC2 Instance can be deployed in a private subnet with a private IP and the source of the traffic it sees comes from the ALB, not the client, so from a security group perspective here, we only allow the ALB security group and we're safe on this side. Now for the ALB of the security group...

00:02:46,020 --> 00:03:36,920
The security group of the ALB, we need to allow the clients and again if we have a range of IPs we know, then we can configure the security group; if it's a global application, we have to allow everything and then the line of defense is going to be at the Network ACL level. Okay, this makes sense and this should be something you already know. Now let's look at the NLB example, and this is something I have not covered yet in this course because it is an advanced concept, but the Network Load Balancer does not do Connection Termination. The traffic, and this is an over-simplification, actually goes through our Network Load Balancer and so as such there's no such thing as a security group for a Network Load Balancer; the traffic is passed through, so that means that the client's originating IP is going to go all the way to our EC2 Instance even if our EC2 Instance sits within a private subnet and has a private IP.

00:03:36,920 --> 00:04:45,730
So this can be complicated, but the idea here is that if we again know the source IPs of all the clients, we can define it in the EC2 security group, but if we are trying to deny one IP address for our clients, the only line of defense we have here is our Network ACL. So super important, this can be a difficult concept to get, but the Network Load Balancer does not have a security group and all the traffic goes through it, so our EC2 Instance sees the client public IP at the edge. Okay, so now let's get back to our simpler case, which was to have the ALB. Something we can do to deny an IP is to install WAF, or Web Application Firewall. Now this WAF is going to be a little bit more expensive because this is an additional service and a firewall service, but in here, we are able to do some complex filtering on IP addresses and we can establish rules that will count the requests to prevent a lot of requests going on at the same time from the clients, and so we have more power over our security or our ALB. So WAF is not a service in between your client and your ALB, it is a service we have installed on the ALB and we can define a bunch of rules. So this is one more line of defense.

00:04:45,730 --> 00:05:44,620
Similarly, if we use CloudFront in front of the ALB, CloudFront sits outside our VPC, okay? So as such, our ALB needs to allow all of CloudFront's public IPs coming from the edge locations, and there's a list of it online, but that's it. So coming from the ALB, it does not see the client IP; what it sees is the CloudFront public IP, and so as such the Network ACL here, which sits at the boundary of our VPC, is not helpful at all because it cannot help us block the client IP address. And so in this case if we are trying to block a client from CloudFront we have two possibilities: say we are attacked by a country; then we can use the platform's geo-restriction feature to restrict all the country from our clients to be denied on CloudFront. Or if there's one specific IP that annoys us, we can again use WAF, or Web Application Firewall, to introduce some IP address filtering just like we did before.

00:05:44,620 --> 00:06:08,310
Well so as we can see, based on the architecture we have, we have different lines of defense to block an IP address, and they're normal, once we put everything together it all makes sense, but I think it's so good to show you exactly, through a diagram, what happens from a network perspective, how to properly configure a security group and where to set up your IP address filtering. Okay, I hope you understand this lecture, I hope it makes sense, and I will see you in the next lecture.