Tracing a Packet from my PC to my AWS EC2 Instance
Harsh Mishra
Posted on September 2, 2024
Journey of a Packet: From My PC to My AWS EC2 Instance
Ever wondered how your data gets from your computer to an AWS EC2 instance? It's a journey that travels through various networks and security layers. Let's walk through each step and see how your packet makes its way to the cloud.
1. Your Computer (Client)
- Operating System and Network Stack: Your packet originates from an application on your computer, using the TCP/IP stack to encapsulate the data.
- Network Interface Card (NIC): The packet is sent from your computer's network interface, which may use an Ethernet or Wi-Fi connection.
2. Local Network
- Local Router/Modem: The packet is routed through your home or office router/modem. The router directs the packet to the appropriate gateway for external communication.
- Internet Service Provider (ISP): Your packet travels through your ISP's network, which provides the necessary routing to the wider internet.
3. Internet
- Internet Backbone: The packet traverses the internet's backbone, potentially crossing multiple routers, ISPs, and internet exchanges. BGP (Border Gateway Protocol) is used to determine the most efficient path across these networks.
- Destination Routing: The packet is routed toward the destination IP, which is associated with AWS's global infrastructure.
4. AWS Edge Location
- AWS Global Accelerator/CloudFront (Optional): If you’re using services like AWS Global Accelerator or CloudFront, the packet might first hit an edge location, which optimizes routing and latency by directing it to the best-performing AWS region.
5. AWS Region
- AWS Regional Edge Routers: The packet enters the AWS region through regional edge routers, which handle incoming traffic at the regional level.
6. VPC (Virtual Private Cloud): Entering Your Own Cloud Network
Upon entering the AWS region, the packet is directed to your Virtual Private Cloud (VPC)—a logically isolated section of the AWS cloud that you control. The first stop within the VPC is the Internet Gateway (IGW), a critical component that allows your VPC to communicate with the internet.
- Internet Gateway (IGW): The packet first reaches the Internet Gateway, which provides a connection between your VPC and the internet. The IGW ensures that the packet is routed correctly into your VPC.
- Route Table: The packet is then routed according to the VPC's route table, which directs it to the appropriate subnet.
7. Subnet
Within the VPC, the packet must pass through a Subnet—a subdivision of your VPC that represents a specific range of IP addresses within a single Availability Zone (AZ). Before the packet can enter the subnet, it encounters a Network Access Control List (NACL).
- Network ACL (NACL): The packet passes through a Network Access Control List (NACL) associated with the subnet. NACLs are stateless firewalls that control inbound and outbound traffic at the subnet level. The packet is checked against the NACL rules to determine if it should be allowed or denied.
- Subnet Association: The packet is directed to the specific subnet within an Availability Zone where the target EC2 instance resides.
8. Security Group
After passing through the subnet’s NACL, the packet approaches the last line of defense before reaching its destination—the Security Group associated with the EC2 instance.
- Security Group Rules: The packet must pass through a security group associated with the EC2 instance. Security groups are stateful, meaning they automatically allow return traffic if the outbound request was permitted. The packet is checked against the security group's inbound rules.
9. EC2 Instance
- Elastic Network Interface (ENI): The packet reaches the Elastic Network Interface attached to the EC2 instance. The ENI represents the virtual network interface for the instance and contains one or more private IP addresses.
- Operating System and Network Stack: The packet is handed off to the EC2 instance’s operating system, where it is processed by the instance’s TCP/IP stack.
- Application Layer: Finally, the packet reaches the target application or service running on the EC2 instance, completing its journey.
Summary:
- Your Computer (Client)
- Local Network (Router/Modem, ISP)
- Internet (ISPs, Internet Backbone)
- AWS Edge Location (Optional)
- AWS Region
  - Edge Routers
- VPC (Virtual Private Cloud)
  - Internet Gateway (IGW)
  - Route Table
- Subnet
  - Network ACL (NACL)
  - Security Group
- EC2 Instance
  - ENI (Elastic Network Interface)
  - OS and Application
Reference
AWS Regions
- Definition: AWS Regions are geographically distributed locations that house AWS data centers.
- Geographic Locations: Examples include `us-east-1` (Northern Virginia), `eu-west-1` (Ireland), and `ap-southeast-1` (Singapore).
- Isolation: Each region operates independently to ensure fault tolerance and isolation from failures in other regions.
- Availability Zones (AZs): Each region contains multiple AZs, such as `us-east-1a` and `us-east-1b` in the `us-east-1` region, which are physically separated data centers within the region.
- Purpose: Regions provide high availability, disaster recovery, and allow compliance with local data sovereignty regulations by enabling data storage and processing within specific geographic areas.
VPC (Virtual Private Cloud)
- Definition: A VPC is a logically isolated section of the AWS cloud where you can define and control your virtual network.
- Region-Specific: Each VPC is tied to a specific AWS region.
- CIDR Block: You define a VPC with an IP address range using CIDR notation, such as `10.0.0.0/16`.
- Subnets: A VPC is divided into subnets, which can be either public or private, and reside within one or more Availability Zones.
- Route Tables: Route tables control traffic flow within the VPC, directing packets to internet gateways, NAT gateways, or other subnets.
- Internet Gateway (IGW): Allows communication between instances in a VPC and the internet, enabling public access for instances in public subnets.
- NAT Gateway/Instance: Allows instances in private subnets to access the internet for outbound traffic while keeping them private from inbound internet traffic.
- Security Groups: Act as virtual firewalls to control inbound and outbound traffic for instances within the VPC.
- Network ACLs (NACLs): Provide an additional layer of security by controlling traffic to and from subnets with stateless filtering rules.
- VPC Peering: Enables two VPCs to communicate with each other using private IP addresses. Useful for sharing resources or connecting VPCs across different accounts or regions.
- VPC Endpoints: Allow private connections from your VPC to AWS services without using the public internet. This improves security and performance by keeping traffic within the AWS network.
Subnets
- Definition: Subnets are subdivisions of a VPC, providing a way to segment your VPC’s IP address range.
- CIDR Block: Each subnet is defined with a specific CIDR block, such as `10.0.1.0/24`, which determines its IP address range.
- Availability Zone (AZ): Each subnet resides entirely within one Availability Zone, ensuring high availability and fault tolerance.
- Public vs. Private:
  - Public Subnets: Subnets with a route to an Internet Gateway (IGW) allowing direct access to and from the internet.
  - Private Subnets: Subnets without direct internet access, typically used for databases or backend services, with outbound internet access managed via NAT Gateway/Instance.
- Route Tables: Each subnet is associated with a route table that dictates the routing of traffic to and from the subnet, including routes to the IGW or other subnets.
- Network ACLs (NACLs): Apply rules to control inbound and outbound traffic at the subnet level, offering an additional layer of security.
- Subnet Association: Each subnet can be associated with one route table and one network ACL at a time.
- Security Groups: Applied to instances within the subnet to control inbound and outbound traffic at the instance level.
- Purpose: Subnets enable you to organize resources within your VPC for better security and management, segregating resources based on their access requirements and functionality.
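The route-table lookup and subnet CIDR rules from the VPC and Subnets sections above, as an added Python example (written for this post, not the author's code and not an AWS library). It models the longest-prefix-match that decides where a packet goes, finds which subnet and AZ a destination address belongs to, and checks the two invariants AWS enforces on subnets (inside the VPC CIDR, no overlap). The VPC, subnets, route targets (`igw-EXAMPLE`, `pcx-EXAMPLE`) and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample VPC layout: a /16 VPC with two /24 subnets in different AZs.
# All ids and ranges are made up for this example.
VPC_CIDR = "10.0.0.0/16"

SUBNETS = {
    "subnet-public-a":  {"cidr": "10.0.1.0/24", "az": "us-east-1a"},
    "subnet-private-b": {"cidr": "10.0.2.0/24", "az": "us-east-1b"},
}

# Route table entries as (destination CIDR, target). Order is irrelevant:
# AWS selects the most specific route that contains the destination address.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),          # intra-VPC traffic
    ("0.0.0.0/0", "igw-EXAMPLE"),      # default route to the Internet Gateway (placeholder id)
    ("172.16.0.0/12", "pcx-EXAMPLE"),  # hypothetical peering route, more specific than the default
]


def longest_prefix_match(dst_ip, routes=ROUTE_TABLE):
    """Return the target of the most specific route covering dst_ip, or None if no route matches."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def find_subnet(dst_ip, subnets=SUBNETS):
    """Return (subnet_id, az) whose CIDR contains dst_ip, or None if the address is in no subnet."""
    addr = ipaddress.ip_address(dst_ip)
    for subnet_id, info in subnets.items():
        if addr in ipaddress.ip_network(info["cidr"]):
            return subnet_id, info["az"]
    return None


def validate_subnets(subnets=SUBNETS, vpc_cidr=VPC_CIDR):
    """True when every subnet lies inside the VPC CIDR and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(info["cidr"]) for info in subnets.values()]
    if any(not net.subnet_of(vpc) for net in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for ip in ("10.0.1.25", "10.0.2.7", "172.16.5.4", "203.0.113.9"):
        print(f"{ip:>12} -> route {longest_prefix_match(ip)!s:12} subnet {find_subnet(ip)}")
    print("subnet layout valid:", validate_subnets())
```

The `172.16.0.0/12` entry shows why the lookup must be longest-prefix rather than first-match: both it and `0.0.0.0/0` contain `172.16.5.4`, and the packet goes to the peering connection, not the IGW.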
Network ACLs (NACLs)
- Definition: Network ACLs (NACLs) are optional security layers that control inbound and outbound traffic at the subnet level.
- Stateless: NACLs are stateless, meaning they evaluate each request independently and do not remember previous traffic, so rules must be defined for both inbound and outbound traffic.
- Rule Evaluation: NACLs use numbered rules to determine whether to allow or deny traffic. Rules are evaluated in ascending order, and the first rule that matches the packet decides; later rules are not consulted.
- Default NACL: Each VPC comes with a default NACL that allows all inbound and outbound traffic. It can be customized or replaced with custom NACLs.
- Custom NACLs: You can create custom NACLs to set specific traffic rules. Custom NACLs must have rules defined for both inbound and outbound traffic.
- Rules:
  - Inbound Rules: Control incoming traffic to the subnet from outside sources.
  - Outbound Rules: Control outgoing traffic from the subnet to external destinations.
- Associations: NACLs are associated with subnets, and each subnet can only be associated with one NACL at a time.
- Default Deny: If no rule matches a request, the default action is to deny the traffic.
- Use Case: NACLs provide an additional layer of security by allowing you to enforce network boundaries and manage traffic flows at the subnet level.
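The NACL semantics listed above (stateless, numbered rules evaluated lowest-first, first match wins, default deny), as an added Python model written for this post; it is not AWS code. The rule sets are constructed for the example. The point it makes that the bullet list only states: because the NACL is stateless, an inbound allow for port 80 is useless unless the outbound rules also allow the reply to the client's ephemeral port.

```python
import ipaddress

# Ephemeral port range clients use for the source port of a connection;
# the reply to an inbound request is sent *to* this range.
EPHEMERAL = (1024, 65535)

# Constructed rule sets for one subnet. Inbound rules match the destination port and
# the source CIDR; outbound rules match the destination port and the destination CIDR.
# AWS's trailing "*" deny rule is modelled by the fall-through in evaluate().
INBOUND = [
    {"rule": 90,  "proto": "tcp", "ports": (22, 22),  "cidr": "203.0.113.50/32", "action": "deny"},
    {"rule": 100, "proto": "tcp", "ports": (80, 80),  "cidr": "0.0.0.0/0",       "action": "allow"},
    {"rule": 110, "proto": "tcp", "ports": (22, 22),  "cidr": "203.0.113.0/24",  "action": "allow"},
    {"rule": 120, "proto": "tcp", "ports": EPHEMERAL, "cidr": "0.0.0.0/0",       "action": "allow"},
]
OUTBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0", "action": "allow"},
    # Deliberately missing: an allow for the EPHEMERAL range, so HTTP replies are dropped.
]


def _matches(rule, proto, port, ip):
    lo, hi = rule["ports"]
    return (rule["proto"] in (proto, "all")
            and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]))


def evaluate(rules, proto, port, remote_ip):
    """Return (action, rule_number): lowest-numbered matching rule decides; no match is ('deny', '*')."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, proto, port, remote_ip):
            return rule["action"], rule["rule"]
    return "deny", "*"


def tcp_session_passes(client_ip, client_port, server_port, inbound=INBOUND, outbound=OUTBOUND):
    """Stateless check of both halves of one TCP connection crossing the subnet boundary."""
    req = evaluate(inbound, "tcp", server_port, client_ip)
    # The reply leaves the subnet with the client's ephemeral port as its destination port.
    rep = evaluate(outbound, "tcp", client_port, client_ip)
    return {"inbound": req, "outbound": rep,
            "connection_works": req[0] == "allow" and rep[0] == "allow"}


def with_ephemeral_reply(outbound):
    """Return a copy of an outbound rule set with the ephemeral-range allow that replies need."""
    return outbound + [{"rule": 120, "proto": "tcp", "ports": EPHEMERAL,
                        "cidr": "0.0.0.0/0", "action": "allow"}]


if __name__ == "__main__":
    print("blocked host on 22:", evaluate(INBOUND, "tcp", 22, "203.0.113.50"))
    print("other host on 22:  ", evaluate(INBOUND, "tcp", 22, "203.0.113.7"))
    print("HTTP session:      ", tcp_session_passes("198.51.100.4", 51515, 80))
    print("after fix:         ", tcp_session_passes("198.51.100.4", 51515, 80,
                                                     outbound=with_ephemeral_reply(OUTBOUND)))
```

Rule 90 illustrates the ordering caveat: a deny with a lower number shadows the broader allow at 110 for the one address it covers, and reordering the numbers would silently reverse that.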
Example: Configuring a Custom NACL in AWS
- Create a New NACL:
  - Sign in to the AWS Management Console.
  - Navigate to VPC Dashboard.
  - In the left pane, select Network ACLs.
  - Click Create network ACL.
  - Enter a Name and select the VPC where the NACL will be applied.
  - Click Create network ACL.
- Add Inbound Rules:
  - Select the newly created NACL from the list.
  - Go to the Inbound Rules tab.
  - Click Edit inbound rules.
  - Click Add rule to create a new rule:
    - Rule Number: Enter a rule number (e.g., `100`).
    - Type: Select the type of traffic (e.g., `HTTP`).
    - Protocol: Choose the protocol (e.g., `TCP`).
    - Port Range: Enter the port range (e.g., `80` for HTTP).
    - Source: Define the source IP address or CIDR block (e.g., `0.0.0.0/0` for all IPs).
    - Allow/Deny: Select `Allow` or `Deny`.
  - Click Save changes.
- Add Outbound Rules:
  - Go to the Outbound Rules tab.
  - Click Edit outbound rules.
  - Click Add rule to create a new rule:
    - Rule Number: Enter a rule number (e.g., `100`).
    - Type: Select the type of traffic (e.g., `HTTP`).
    - Protocol: Choose the protocol (e.g., `TCP`).
    - Port Range: Enter the port range (e.g., `80` for HTTP).
    - Destination: Define the destination IP address or CIDR block (e.g., `0.0.0.0/0` for all IPs).
    - Allow/Deny: Select `Allow` or `Deny`.
  - Click Save changes.
- Associate the NACL with a Subnet:
  - In the Network ACLs section, select the NACL.
  - Click the Subnet associations tab.
  - Click Edit subnet associations.
  - Select the subnet(s) you want to associate with this NACL.
  - Click Save changes.
Security Groups
- Definition: Security Groups are virtual firewalls that control inbound and outbound traffic for EC2 instances.
- Stateful: Security Groups are stateful, meaning if an inbound request is allowed, the response is automatically allowed regardless of outbound rules.
- Default Security Group: Each VPC comes with a default security group that allows all outbound traffic and denies all inbound traffic by default.
- Custom Security Groups: You can create custom security groups to define specific traffic rules based on your needs.
- Multiple Security Groups: An EC2 instance can be associated with multiple security groups. Rules from all associated security groups are aggregated to determine the allowed traffic.
- Rules:
  - Inbound Rules: Define what incoming traffic is allowed to reach the EC2 instances.
  - Outbound Rules: Define what outgoing traffic is allowed from the EC2 instances.
- Associations: Security Groups are associated with EC2 instances or ENIs (Elastic Network Interfaces). Multiple instances or ENIs can share the same security group.
- Rules Evaluation: All rules are evaluated, and if any rule allows the traffic, it is permitted. There is no concept of “deny” in security groups; only “allow” rules are specified.
- Instance-level Security: Security Groups apply to instances at the network interface level and do not have a direct effect on the VPC, subnets, or other AWS resources.
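The security-group semantics listed above (stateful, allow-only, rules from every attached group aggregated), as an added Python model written for this post; it is not AWS code. The groups `SG_WEB`, `SG_ADMIN` and `SG_BAD` and all addresses are constructed. Connection tracking is what lets a reply leave the instance even when the group has no outbound rule at all, which the stateless NACL model cannot do, and `open_to_world()` is the check a reviewer runs before attaching a group: which groups expose a given port to `0.0.0.0/0`.

```python
import ipaddress

# Allow-only rules as (protocol, from_port, to_port, cidr); security groups have no deny rules.
SG_WEB = {"inbound":  [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
          "outbound": [("all", 0, 65535, "0.0.0.0/0")]}
SG_ADMIN = {"inbound":  [("tcp", 22, 22, "192.168.1.0/24")],
            "outbound": []}            # constructed: no outbound rules at all
SG_BAD = {"inbound":  [("tcp", 22, 22, "0.0.0.0/0")],   # constructed misconfiguration
          "outbound": [("all", 0, 65535, "0.0.0.0/0")]}
GROUPS = {"sg-web": SG_WEB, "sg-admin": SG_ADMIN}


def _allowed(rules, proto, port, ip):
    addr = ipaddress.ip_address(ip)
    return any(p in (proto, "all") and lo <= port <= hi and addr in ipaddress.ip_network(cidr)
               for p, lo, hi, cidr in rules)


class StatefulFirewall:
    """Evaluates the security groups attached to one ENI, with connection tracking."""

    def __init__(self, *groups):
        self.groups = groups
        # Accepted flows keyed as (proto, remote_ip, remote_port, local_port).
        self.tracked = set()

    def _union(self, direction, proto, port, ip):
        # Rules from all attached groups are aggregated: any single allow permits the packet.
        return any(_allowed(g[direction], proto, port, ip) for g in self.groups)

    def inbound(self, proto, src_ip, src_port, dst_port):
        key = (proto, src_ip, src_port, dst_port)
        if key in self.tracked:                  # reply to a connection the instance opened
            return True
        if self._union("inbound", proto, dst_port, src_ip):
            self.tracked.add(key)
            return True
        return False

    def outbound(self, proto, dst_ip, dst_port, src_port):
        key = (proto, dst_ip, dst_port, src_port)
        if key in self.tracked:                  # reply to an allowed inbound connection:
            return True                          # outbound rules are not consulted
        if self._union("outbound", proto, dst_port, dst_ip):
            self.tracked.add(key)
            return True
        return False


def open_to_world(groups, port, proto="tcp"):
    """Audit helper: names of groups whose inbound rules expose `port` to 0.0.0.0/0."""
    return sorted(name for name, g in groups.items()
                  if any(p in (proto, "all") and lo <= port <= hi and cidr == "0.0.0.0/0"
                         for p, lo, hi, cidr in g["inbound"]))


if __name__ == "__main__":
    fw = StatefulFirewall(SG_WEB, SG_ADMIN)
    print("HTTP from internet:     ", fw.inbound("tcp", "203.0.113.5", 44444, 80))
    print("SSH from internet:      ", fw.inbound("tcp", "203.0.113.5", 44445, 22))
    admin_only = StatefulFirewall(SG_ADMIN)
    print("SSH from LAN:           ", admin_only.inbound("tcp", "192.168.1.10", 40000, 22))
    print("SSH reply (no out rule):", admin_only.outbound("tcp", "192.168.1.10", 40000, 22))
    print("new outbound connection:", admin_only.outbound("tcp", "192.168.1.10", 443, 50000))
    print("groups exposing 22:     ", open_to_world({**GROUPS, "sg-bad": SG_BAD}, 22))
```

`admin_only` is the case the "Stateful" bullet describes: the SSH reply passes because the flow was admitted inbound, while a fresh outbound connection from the same instance is dropped because no outbound rule allows it.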
Example: Configuring a Security Group in AWS
- Create a New Security Group:
  - Sign in to the AWS Management Console.
  - Navigate to EC2 Dashboard.
  - In the left pane, select Security Groups.
  - Click Create security group.
  - Enter a Name and Description for the security group.
  - Select the VPC where the security group will be applied.
  - Click Create security group.
- Add Inbound Rules:
  - Select the newly created security group from the list.
  - Go to the Inbound rules tab.
  - Click Edit inbound rules.
  - Click Add rule to create a new rule:
    - Type: Choose the type of traffic (e.g., `SSH`).
    - Protocol: Automatically filled based on the type (e.g., `TCP` for SSH).
    - Port Range: Automatically filled based on the type (e.g., `22` for SSH).
    - Source: Define the source IP address or CIDR block (e.g., `0.0.0.0/0` for all IPs, `192.168.1.0/24` for a specific network).
  - Click Save rules.
- Add Outbound Rules:
  - Go to the Outbound rules tab.
  - Click Edit outbound rules.
  - Click Add rule to create a new rule:
    - Type: Choose the type of traffic (e.g., `HTTP`).
    - Protocol: Automatically filled based on the type (e.g., `TCP` for HTTP).
    - Port Range: Automatically filled based on the type (e.g., `80` for HTTP).
    - Destination: Define the destination IP address or CIDR block (e.g., `0.0.0.0/0` for all IPs).
  - Click Save rules.
- Associate the Security Group with an EC2 Instance:
  - Navigate to Instances in the EC2 Dashboard.
  - Select the instance you want to associate the security group with.
  - Click Actions > Networking > Change Security Groups.
  - Select the security group(s) you want to apply.
  - Click Apply.