AWS EC2, Default NAT, and Security Groups


One of the major differences I’ve noticed after making the switch from Linode to AWS is how network security works.

On Digital Ocean, Linode, and most other VPS hosts, when you get an IP, that IP is live on the internet. People can ping it directly, in other words (assuming your OS allows that), and any service you present to the world can be reached at that address.

Not so with EC2 instances.

With EC2, your OS has an IP (on eth0, for example), but that’s not the live IP that’s hosting your services. AWS abstracts that IP behind your public IP, which is completely separate.

Security groups

AWS has a concept called “Security Groups”, which happens to be an abysmally bad name in my opinion.


TABLE 1. — Security Groups in AWS.

It’s a bad name because they’re basically firewall rules.

They control what passes from your public address back to your private one—just like with an enterprise or consumer NAT / firewall system.

Keep in mind, this isn’t the extent of AWS security configuration at all; they have multiple ways of controlling roles, access, permissions, and many other granular areas of security, but those are all named something else.

Security “Groups” are lists of rules saying what ports are allowed to reach your private IP address, which makes zero sense to me. That name should apply to Roles, or User Groups, or something like that—not to network access control lists.

Anyway, the naming is wonky but the functionality is sound. I love the idea that you could accidentally open up an insecure listening service on your host, and if you hadn’t also passed that port into the box via a Security Group rule (gag), then you still wouldn’t be exposed to the outside world.

I think the reason for this is that Amazon knows developers use AWS to tinker and mess about. And if you aren’t careful you can spin up a bunch of boxes, put some sensitive data on them, open up a port/service, and then maybe forget about them.

Then the first time you hear about it again is when Brian Krebs reaches out to your company for comment because your database is on PasteBin.

So it makes a lot of sense to have this second failsafe of firewall rules, which are fairly locked down by default.
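As an added illustration (not code from the original post), here is a small Python model of that failsafe: a security group in the JSON shape that `aws ec2 describe-security-groups` returns, evaluated as an allow-list with an implicit deny, plus an audit helper that flags rules open to the whole internet. The group, its id and the source addresses are constructed sample values, not real infrastructure.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (one group, two ingress rules). Placeholder id; not a real group.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def rule_matches(rule, proto, port, src_ip):
    """True if one ingress rule admits this (protocol, port, source) tuple."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" (all traffic) carries no port range; otherwise port must fall in it.
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def ingress_allowed(group, proto, port, src_ip):
    """Security groups are allow-lists with an implicit deny: no matching rule,
    no traffic, regardless of what the OS itself is listening on."""
    return any(rule_matches(r, proto, port, src_ip) for r in group["IpPermissions"])


def world_open_ports(group):
    """Audit helper: (protocol, from, to) for every rule reachable from 0.0.0.0/0."""
    found = []
    for r in group["IpPermissions"]:
        if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r["IpRanges"]):
            found.append((r["IpProtocol"], r.get("FromPort"), r.get("ToPort")))
    return found


if __name__ == "__main__":
    # A forgotten database listener on 5432 stays invisible from outside because
    # no rule passes that port through to the private IP.
    print(ingress_allowed(SAMPLE_GROUP, "tcp", 5432, "198.51.100.7"))  # False
    print(ingress_allowed(SAMPLE_GROUP, "tcp", 443, "198.51.100.7"))   # True
    print(ingress_allowed(SAMPLE_GROUP, "tcp", 22, "198.51.100.7"))    # False
    print(ingress_allowed(SAMPLE_GROUP, "tcp", 22, "203.0.113.40"))    # True
    print(world_open_ports(SAMPLE_GROUP))  # [('tcp', 443, 443)]
```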

Summary

  1. Most VPS providers give you a single, live IP which is both your local IP and your internet IP.

  2. EC2 gives you two IPs—one local, and one internet—and you have to open/pass traffic back to your internal one using “Security Groups”, which are basically firewall rules.

Notes

  1. I’m not sure of the mechanism that’s used by AWS to create this abstraction, i.e., whether it’s technically NAT or something else. Either way, it’s definitely performing address translation at the network layer, so I’ll just call it NAT for simplicity’s sake. There are actual NAT Instances that you can set up with AWS as well, though, so there is some distinction they are making.

  2. I’ve generally found AWS to be far superior to the hosts I’ve used in the past, and if you’re thinking about switching I highly recommend it. I recommend EC2 vs. Lightsail, since you get to play with more of the AWS toys that way (but it is more expensive).
