1
00:00:00,500 --> 00:00:01,350
Hello and welcome back.

2
00:00:01,350 --> 00:00:09,020
So let's now look at a different thing, which is the NACLs, the network access control lists.

3
00:00:09,390 --> 00:00:17,180
Before I hit here, let me go back to the dashboard so you can see here that we have two default network

4
00:00:17,190 --> 00:00:19,980
access control lists, and these are for the two VPCs.

5
00:00:19,980 --> 00:00:24,780
So if you go in another region and you check on that, you will find only one, because by default

6
00:00:24,780 --> 00:00:29,810
you get one security group and one NACL and one internet gateway in the default VPC.

7
00:00:29,950 --> 00:00:30,680
OK.

8
00:00:30,900 --> 00:00:35,630
So you can click here and scroll down into Security and then go into NACLs here.

9
00:00:35,640 --> 00:00:37,680
Either one will lead you to the same thing.

10
00:00:37,950 --> 00:00:42,880
It's always advantageous to put the tag for easier tracking.

11
00:00:42,890 --> 00:00:46,150
So I would say custom VPC NACL.

12
00:00:46,230 --> 00:00:52,350
And here it is the default VPC; of course I found that out again through the tags.

13
00:00:52,380 --> 00:00:53,030
OK.

14
00:00:53,430 --> 00:00:54,950
Now, the network access control list.

15
00:00:54,960 --> 00:00:58,000
What's the difference between a security group and the network access control list?

16
00:00:58,080 --> 00:01:03,100
The network access control list, or the NACL, operates at the subnet level.

17
00:01:03,240 --> 00:01:04,860
So it's like the gate to the subnet.

18
00:01:04,890 --> 00:01:10,320
Anything coming into the subnet is filtered; anything going out of the subnet is filtered.

19
00:01:10,320 --> 00:01:12,650
How about the traffic that is within the subnet?

20
00:01:12,770 --> 00:01:16,480
If it doesn't cross the subnet boundary, then the NACL has nothing to do with it.

21
00:01:16,490 --> 00:01:21,090
So security groups will be the way to control that.

22
00:01:21,140 --> 00:01:23,350
So I have the default VPC.

23
00:01:23,570 --> 00:01:24,220
So I have the

24
00:01:24,280 --> 00:01:29,970
NACL ID, the tags that we put here, associated with three subnets. Which are the three subnets?

25
00:01:29,970 --> 00:01:30,420
Exactly.

26
00:01:30,420 --> 00:01:36,420
These are the default subnets that have been created by default in the three availability zones in

27
00:01:36,420 --> 00:01:45,680
the Ohio region, and all of that is done automatically by AWS when you created the account. Default?

28
00:01:45,720 --> 00:01:52,440
Yes, it is the default because it's in the default VPC and it's created by default, and we see the

29
00:01:52,440 --> 00:01:54,270
VPC ID and the name of the VPC.

30
00:01:54,330 --> 00:01:54,770
Great.

31
00:01:54,780 --> 00:02:00,340
And if you go to the subnet associations, you'll find the original ones that were created, the

32
00:02:00,420 --> 00:02:08,450
31.0, 31.16, 31.32 ones. Inbound rules: what is allowed by default?

33
00:02:08,570 --> 00:02:09,280
Let's see.

34
00:02:09,300 --> 00:02:12,160
So this is a default NACL in a default VPC.

35
00:02:12,210 --> 00:02:13,020
Right.

36
00:02:13,020 --> 00:02:13,800
So what do we have?

37
00:02:13,800 --> 00:02:19,020
We have a rule number, and that number is 100: all traffic.

38
00:02:19,200 --> 00:02:21,860
And I'm talking about the protocol.

39
00:02:21,910 --> 00:02:25,090
All port range, all sources, allow.

40
00:02:25,140 --> 00:02:27,480
So allow all the inbound traffic.

41
00:02:27,540 --> 00:02:28,920
And what is this rule?

42
00:02:28,920 --> 00:02:31,810
This rule is a default rule that you cannot change or delete.

43
00:02:31,800 --> 00:02:36,230
Let's try it. See here, what is the one that appears? Only this one. Can I delete it?

44
00:02:36,270 --> 00:02:43,200
Yes, you can. The other one, the one that has the asterisk on the left side, you cannot; that's an explicit

45
00:02:43,380 --> 00:02:45,390
deny any.

46
00:02:45,390 --> 00:02:49,120
So in the security group there is an implicit deny any at the end; you don't see it.

47
00:02:49,120 --> 00:02:49,760
It's not here.

48
00:02:49,800 --> 00:02:55,860
But if nothing is allowed for a specific traffic and it hits the bottom, it's going to

49
00:02:55,860 --> 00:02:57,090
be denied.

50
00:02:57,120 --> 00:03:02,710
One thing we did not mention is security groups: security groups will only allow traffic.

51
00:03:02,730 --> 00:03:05,370
You cannot have an explicit deny.

52
00:03:05,700 --> 00:03:09,430
You can only have allow or permit rules in that.

53
00:03:09,450 --> 00:03:10,050
NACL.

54
00:03:10,050 --> 00:03:13,050
You should add here a rule for that.

55
00:03:13,110 --> 00:03:16,340
So let's say 10, custom TCP rule, and port range

56
00:03:16,350 --> 00:03:20,940
I'm going to put 22; source is, I can do, just for the sake of it,

57
00:03:20,940 --> 00:03:23,090
any. And what do you want to do?

58
00:03:23,130 --> 00:03:25,120
I have two options: allow or deny.

59
00:03:25,230 --> 00:03:29,030
So here you have the options; in the security group you can only allow, you cannot deny.

60
00:03:29,040 --> 00:03:31,200
So if anything is not allowed, it will be denied.

61
00:03:31,290 --> 00:03:36,340
But here you can have a rule that is allow, a rule that is deny, configured in the same NACL.

62
00:03:36,480 --> 00:03:37,070
OK.

63
00:03:37,350 --> 00:03:39,660
So that's what we have here; save.

64
00:03:39,990 --> 00:03:40,810
And this will be saved.

65
00:03:40,810 --> 00:03:42,900
So here I have a new rule.

66
00:03:42,990 --> 00:03:46,180
I removed the one that used to be 100 and I put this new one.

67
00:03:46,300 --> 00:03:46,610
Right.

68
00:03:46,680 --> 00:03:47,050
OK.

69
00:03:47,100 --> 00:03:50,490
Now if I want to add another rule, what is the number that I should pick here?

70
00:03:50,490 --> 00:03:52,530
So these are rule numbers, right?

71
00:03:52,530 --> 00:03:58,890
Leave a gap; it is recommended that you leave 50 or 100, big numbers, so if you want

72
00:03:58,890 --> 00:04:01,380
to edit it later on you can insert rules in between.

73
00:04:01,380 --> 00:04:05,450
So you always need to think that way when you're configuring the rules here.

74
00:04:05,460 --> 00:04:07,620
And of course you can add different rules.

75
00:04:07,620 --> 00:04:09,300
And then at the end you just click Save.

76
00:04:09,300 --> 00:04:10,980
And what did I remove from here?

77
00:04:10,980 --> 00:04:13,520
I removed the rule that said 100.

78
00:04:13,620 --> 00:04:16,920
And it was all source, all, allow.

79
00:04:17,010 --> 00:04:20,380
That was the case: all traffic, all port range.

80
00:04:20,400 --> 00:04:21,420
So that's inbound.

81
00:04:21,450 --> 00:04:22,010
Exactly.

82
00:04:22,020 --> 00:04:25,240
Let's look at the default outbound.

83
00:04:25,260 --> 00:04:30,060
And now remember, we're looking at the default VPC, default NACL: outbound allow everything.

84
00:04:30,090 --> 00:04:31,220
And then the explicit deny.

85
00:04:31,220 --> 00:04:35,220
So this rule you cannot change, delete, edit, or do anything about it.

86
00:04:35,220 --> 00:04:35,540
Right.

87
00:04:35,550 --> 00:04:42,000
And the subnet associations we talked about already. Let's look at the default NACL for the custom

88
00:04:42,000 --> 00:04:42,890
VPC.

89
00:04:42,990 --> 00:04:46,570
Exactly the same: inbound allow everything, outbound allow everything.

90
00:04:46,620 --> 00:04:47,640
So here is the inbound.

91
00:04:47,650 --> 00:04:51,400
Here is the outbound; they look exactly the same. Subnet associations:

92
00:04:51,690 --> 00:04:56,360
Here is only one subnet. Why? Because in the custom VPC I only had one subnet.

93
00:04:56,370 --> 00:05:02,160
So now everything is allowed inbound and outbound for the default NACL regardless of what the VPC type is. Let's

94
00:05:02,160 --> 00:05:10,490
create one that is custom; let's put it in the custom VPC and we'll call it custom NACL custom VPC, and

95
00:05:10,520 --> 00:05:10,930
create.

96
00:05:10,980 --> 00:05:13,830
Let's move to that one and see what we have.

97
00:05:13,830 --> 00:05:16,010
Click on that one, custom, custom VPC.

98
00:05:16,020 --> 00:05:17,800
What do you have on the inbound?

99
00:05:17,940 --> 00:05:18,870
Nothing is allowed.

100
00:05:18,870 --> 00:05:20,390
Only the explicit deny.

101
00:05:20,460 --> 00:05:21,300
Nothing is allowed.

102
00:05:21,300 --> 00:05:22,110
How about the outbound?

103
00:05:22,230 --> 00:05:23,410
Nothing is allowed.

104
00:05:23,410 --> 00:05:27,360
OK, so this is a custom NACL in a custom VPC.

105
00:05:27,360 --> 00:05:29,680
How about if it's in the default VPC, will it be different?

106
00:05:29,680 --> 00:05:30,380
It's the same.

107
00:05:30,390 --> 00:05:34,830
So NACLs: default, regardless of the VPC type, is inbound and outbound

108
00:05:34,860 --> 00:05:41,230
allow all. Custom NACL, regardless of what the VPC type is, inbound and outbound all deny.

109
00:05:41,360 --> 00:05:45,660
So you have to add that. About security groups: you create a custom security group,

110
00:05:45,720 --> 00:05:48,330
you attach it to an EC2 instance.

111
00:05:48,360 --> 00:05:51,210
Nothing is allowed inbound, but outbound everything is allowed.

112
00:05:51,450 --> 00:05:58,000
OK, so default, default, default: pay attention if you're not using the default VPC, because in the default

113
00:05:58,000 --> 00:06:00,120
VPC everything is cool.

114
00:06:00,150 --> 00:06:05,200
Security groups: everything from within the same security group is allowed inbound,

115
00:06:05,220 --> 00:06:08,700
outbound everything. NACLs: everything is allowed inbound and outbound.

116
00:06:08,730 --> 00:06:10,210
That's the default VPC.

117
00:06:10,230 --> 00:06:17,370
So we need to be careful, especially if you're launching your clients or your environment in a default

118
00:06:17,480 --> 00:06:23,010
VPC; you need to be extra careful about the security, because security is everything. If you're compromised,

119
00:06:23,040 --> 00:06:24,630
everything is compromised.

120
00:06:24,630 --> 00:06:26,310
Life is not good.

121
00:06:26,330 --> 00:06:29,890
NACLs are stateless, different than the security groups.

122
00:06:29,940 --> 00:06:35,070
So if something is allowed on the inbound, what is the guarantee the same traffic will be allowed on

123
00:06:35,070 --> 00:06:35,790
the outbound?

124
00:06:35,820 --> 00:06:36,550
Nothing.

125
00:06:36,900 --> 00:06:37,510
Zero.

126
00:06:37,680 --> 00:06:42,470
It has to be explicitly allowed on the outbound. But what if something is allowed on the inbound,

127
00:06:42,630 --> 00:06:44,780
and now I have the response for the same thing?

128
00:06:44,790 --> 00:06:45,600
Is it allowed?

129
00:06:45,600 --> 00:06:46,110
No.

130
00:06:46,200 --> 00:06:48,060
Stateless, not stateful.

131
00:06:48,060 --> 00:06:52,750
One more thing that I always get asked about, the same question, is this.

132
00:06:52,800 --> 00:06:54,000
Let's see what we have here.

133
00:06:54,000 --> 00:06:54,810
Add another one.

134
00:06:54,900 --> 00:07:05,360
I am going to add rule 120, and it's a custom ICMP rule, and I want to define echo request here.

135
00:07:05,400 --> 00:07:06,950
And the source is any.

136
00:07:06,960 --> 00:07:08,320
So in this subnet, this is it.

137
00:07:08,370 --> 00:07:10,020
Now we're talking about the subnet level, right?

138
00:07:10,020 --> 00:07:18,120
If anything is coming into the subnet from anywhere and the type of the traffic is ICMP and it is a

139
00:07:18,140 --> 00:07:23,170
request, or someone from the outside is trying to ICMP ping something inside the subnet,

140
00:07:23,190 --> 00:07:24,510
this is allowed.

141
00:07:24,750 --> 00:07:26,310
I can of course deny it as well.

142
00:07:26,430 --> 00:07:26,720
OK.

143
00:07:26,760 --> 00:07:27,620
This is allowed.

144
00:07:27,900 --> 00:07:32,000
So this is something coming from the outside going into the subnet; a request is allowed.

145
00:07:32,010 --> 00:07:39,570
Is there any guarantee that if an ICMP request is coming from outside, from within the subnet to the outside,

146
00:07:39,690 --> 00:07:40,660
would it be allowed?

147
00:07:40,770 --> 00:07:44,580
Let's check; for, let's say, this one, I have nothing.

148
00:07:44,640 --> 00:07:47,630
So despite the fact I have this, I have nothing allowed here.

149
00:07:47,730 --> 00:07:48,660
Is it stateful?

150
00:07:48,660 --> 00:07:49,190
No.

151
00:07:49,320 --> 00:07:52,220
So that means if there is no explicit rule here, it is denied.

152
00:07:52,260 --> 00:07:57,690
So please, if you get in the exam, if you are going through the guided practice, and you have a database

153
00:07:57,750 --> 00:08:04,380
able to ping a web server, that means the ICMP echo request when it comes out from the database is allowed

154
00:08:04,500 --> 00:08:10,680
through the security group on the database, outbound allowed from the subnet of the database,

155
00:08:10,710 --> 00:08:18,230
outbound; it comes into the NACL of the subnet of that web, inbound, that is ICMP echo request.

156
00:08:18,240 --> 00:08:18,620
OK.

157
00:08:18,690 --> 00:08:19,520
This is successful.

158
00:08:19,530 --> 00:08:22,300
So echo request, echo reply: everything is fine.

159
00:08:22,310 --> 00:08:23,070
How about this?

160
00:08:23,070 --> 00:08:24,200
So this is finished.

161
00:08:24,210 --> 00:08:29,050
Now I'm trying to ping from the web to the database, and it's not working.

162
00:08:29,070 --> 00:08:30,090
I get a lot of questions.

163
00:08:30,090 --> 00:08:31,170
How come it's not working?

164
00:08:31,200 --> 00:08:33,740
ICMP was allowed from the DB to the web.

165
00:08:33,780 --> 00:08:36,180
Does that mean from the web to the DB is also allowed?

166
00:08:36,180 --> 00:08:36,710
No, it's not.

167
00:08:36,720 --> 00:08:42,870
It doesn't mean it's also allowed, because as you can see here, the NACL can deny a request from

168
00:08:43,050 --> 00:08:48,810
web to database but allow it from database to web, and it can allow the echo reply from web to database,

169
00:08:48,870 --> 00:08:53,150
but then the echo reply from the DB to the web. This is directional.

170
00:08:53,160 --> 00:08:58,440
The security groups and the NACLs are directional, so it is very important to understand from where

171
00:08:58,440 --> 00:08:59,090
to where.

172
00:08:59,280 --> 00:09:04,470
And then you put the rules in the path, and the return traffic needs to be defined on that as well, because

173
00:09:04,470 --> 00:09:10,560
security groups are fine: if it is allowed forward, return will be allowed automatically regardless of

174
00:09:10,560 --> 00:09:11,320
what the rules are.

175
00:09:11,370 --> 00:09:12,060
OK.

176
00:09:12,060 --> 00:09:13,500
So keep that in your mind.

177
00:09:13,530 --> 00:09:16,170
All right, let's take a break now and I will see you after the.
