Advanced | 01:00:00

AWS VPC NACL Lab - Case study

Task 1: Sign in to AWS Management Console

  1. Click on the Open Console button; you will be redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as default. Never edit or remove the 12-digit Account ID present in the AWS Console; otherwise you cannot proceed with the lab.
  3. Copy your User Name and Password from the Lab Console into the IAM Username and Password fields in the AWS Console and click on the Sign in button.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.
Task 2: Creating a New VPC

  1. Navigate to VPC by clicking on the Services button at the top of the AWS Console.
  2. Click on VPC (under the Networking & Content Delivery section), or search for VPC.
  3. Click on Your VPCs from the left menu.
  4. Here you can see the list of all VPCs. No need to do anything yet; we will create a new VPC for this lab.
  5. Click on Create VPC.
  6. Name tag: Enter MyVPC
  7. IPv4 CIDR block: Enter 10.0.0.0/16
  8. IPv6 CIDR block: No need to change this; make sure No IPv6 CIDR Block is checked.
  9. Tenancy: No need to change this; just be sure Default is selected.
  10. Click on Create VPC.
  11. Once the VPC is created, it will look like the example below:
  [Screenshot: Task 2: Creating a New VPC]
Task 3: Creating Subnets

  1. Note: In this lab, we will create one public subnet and one private subnet, in the us-east-1a and us-east-1b Availability Zones respectively.
  2. For the Public Subnet, click on Subnets from the left menu and click on Create subnet.
  3. VPC ID: Select MyVPC from the list.
  4. Subnet Name: Enter MyPublicSubnet
  5. Availability Zone: Select us-east-1a
  6. IPv4 CIDR block: Enter the range 10.0.1.0/24
  7. Click on Create subnet.
  8. For the Private Subnet, click on Create subnet again.
  9. VPC ID: Select MyVPC from the list.
  10. Subnet Name: Enter MyPrivateSubnet
  11. Availability Zone: Select us-east-1b
  12. IPv4 CIDR block: Enter the range 10.0.2.0/24
  13. Click on Create subnet.
Task 4: Create and attach an Internet Gateway

  1. Note: By default, instances launched in a VPC cannot communicate with the Internet. To enable Internet access, an Internet gateway needs to be attached to the VPC.
  2. Click on Internet Gateways from the left menu and click Create Internet Gateway.
  3. Name tag: Enter MyInternetGateway
  4. Click on Create Internet Gateway.
  5. Select the Internet gateway you created from the list.
  6. Click on Actions.
  7. Click on Attach to VPC.
  8. Select MyVPC and click on Attach to VPC.
Task 5: Create Route Tables and Associate them with Subnets

  1. Go to Route Tables from the left menu and click on Create route table.
  2. Name tag: Enter PublicRouteTable.
  3. VPC: Select MyVPC from the list.
  4. Click on Create route table.
  5. We will be using the default (main) route table created by the VPC for the RDS database tier.
  6. You will be able to see the route table with VPC ID MyVPC and Main set to Yes.
  7. Select the route table and rename it.
  8. Name tag: Enter PrivateRouteTable and press [Enter].
  9. Now associate the subnets with the route tables.
  10. Click on PublicRouteTable, go to Actions and select Edit subnet associations.
  11. Select MyPublicSubnet from the list.
  12. Click on Save associations.
  13. Click on PrivateRouteTable, go to Actions and select Edit subnet associations.
  14. Select MyPrivateSubnet from the list.
  15. Click on Save associations.
Task 6: Update Route Table and Configure the Internet Gateway

  1. PublicRouteTable: Add a route to allow Internet traffic to the VPC.
  2. Select PublicRouteTable.
  3. Go to the Routes tab and click on Edit routes. On the next page, click on Add route.
  4. Specify the following values:
  5. Destination: Enter 0.0.0.0/0
  6. Target: Select Internet Gateway from the dropdown menu, then select MyInternetGateway.
  7. Click on Save changes.
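The following Python model is an added example, not part of the lab or of AWS tooling. It reproduces the layout built in Tasks 2 to 6 offline (MyVPC 10.0.0.0/16, the two /24 subnets, and the two route tables) so you can check what the console does not make obvious: that both subnets fit inside the VPC CIDR without overlapping, and that only the subnet associated with PublicRouteTable has a path to the Internet. Route selection is modelled as longest-prefix match, which is how a VPC route table chooses a route; the addresses 198.51.100.10 and 10.0.2.161 are constructed sample destinations (the latter is the example private IP the lab uses in Task 10).

```python
"""Offline model of the VPC built in Tasks 2-6 (added example; not lab code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Subnet:
    name: str
    cidr: IPv4Network
    az: str


@dataclass
class RouteTable:
    name: str
    routes: List[Tuple[IPv4Network, str]]  # (destination, target)


VPC_CIDR = IPv4Network("10.0.0.0/16")  # MyVPC, Task 2

SUBNETS = [
    Subnet("MyPublicSubnet", IPv4Network("10.0.1.0/24"), "us-east-1a"),   # Task 3
    Subnet("MyPrivateSubnet", IPv4Network("10.0.2.0/24"), "us-east-1b"),  # Task 3
]

# Every VPC route table carries an implicit "local" route for the VPC CIDR.
PUBLIC_RT = RouteTable("PublicRouteTable", [
    (VPC_CIDR, "local"),
    (IPv4Network("0.0.0.0/0"), "MyInternetGateway"),  # added in Task 6
])
PRIVATE_RT = RouteTable("PrivateRouteTable", [(VPC_CIDR, "local")])  # main table, Task 5

ASSOCIATIONS: Dict[str, RouteTable] = {  # Task 5 subnet associations
    "MyPublicSubnet": PUBLIC_RT,
    "MyPrivateSubnet": PRIVATE_RT,
}


def validate_subnets(vpc: IPv4Network, subnets: List[Subnet]) -> List[str]:
    """Return a list of layout problems; an empty list means the layout is valid."""
    problems = []
    for s in subnets:
        if not s.cidr.subnet_of(vpc):
            problems.append(f"{s.name} {s.cidr} is not inside {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                problems.append(f"{a.name} overlaps {b.name}")
    return problems


def lookup_route(rt: RouteTable, dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match over the table; None means no route (packet dropped)."""
    best = None
    for net, target in rt.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def next_hop(subnet_name: str, dst: str) -> Optional[str]:
    """Where a packet leaving the named subnet for dst is sent."""
    return lookup_route(ASSOCIATIONS[subnet_name], IPv4Address(dst))


if __name__ == "__main__":
    print("layout problems:", validate_subnets(VPC_CIDR, SUBNETS))   # []
    print(next_hop("MyPublicSubnet", "10.0.2.161"))      # local
    print(next_hop("MyPublicSubnet", "198.51.100.10"))   # MyInternetGateway
    print(next_hop("MyPrivateSubnet", "198.51.100.10"))  # None
```

The last lookup is the design point of the private subnet: with only the local route in PrivateRouteTable, traffic from MyPrivateSubnet to any address outside 10.0.0.0/16 has no next hop and is dropped, regardless of what security groups or NACLs allow.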
Task 7: Enabling Auto-Assign Public IP for Public Subnets

  1. Note: This setting automatically assigns a public IP to all EC2 instances launched in the public subnet.
  2. Click on Subnets from the left menu of VPC.
  3. Select MyPublicSubnet from the subnet list.
  4. Click on Actions and then select Edit subnet settings.
  5. Check the Enable Auto-assign IPv4 address check box.
  6. Check the Enable resource name DNS A record on launch check box.
  7. Now click on Save.
Task 8: Launching an EC2 Instance in the Public Subnet

  1. Navigate to EC2 by clicking on the Services menu at the top, then click on EC2 in the Compute section.
  2. Navigate to Instances from the left side menu and click on Launch Instance.
  3. Enter the name as MyPublicEC2Server.
  4. Choose an Amazon Machine Image (AMI): Select Amazon Linux 2023 AMI.
  5. Choose architecture as 64-bit (x86).
  6. Choose an Instance Type: Select t2.micro.
  7. For Key pair: Select the Create new key pair button.
  8. Key pair name: WhizKey
  9. Key pair type: RSA
  10. Private key file format: .pem
  11. Select the Create key pair button.
  12. In Network Settings, click on the Edit button:
  13. VPC: MyVPC
  14. Subnet: Choose MyPublicSubnet
  15. Auto-assign public IP: Enable
  16. Select Create new security group.
  17. Security group name: Enter MyWebserverSG
  18. Description: Enter My EC2 Security Group
  19. Check Allow SSH from and select Anywhere from the dropdown (Type: SSH, Source: Anywhere).
  20. For HTTP, select the Add security rule button (Type: HTTP, Source: Anywhere).
  21. Under Advanced Details, scroll down to the User data section and enter the following script to create an HTML page served by Apache:
  22. Keep the rest default and click on the Launch Instance button.
  23. Select View all Instances to view the instance you created.
  24. Launch Status: Your instance is now launching. Click on the instance ID and wait for the instance to finish initializing, until the status changes to Running.
Task 9: Launching an EC2 Instance in the Private Subnet

  1. Click on Launch Instances again at the top right of the EC2 dashboard.
  2. Enter the name as MyPrivateEC2Server.
  3. Choose an Amazon Machine Image (AMI): Select Amazon Linux 2023 AMI.
  4. Choose architecture as 64-bit (x86).
  5. Choose an Instance Type: Select t2.micro.
  6. For Key pair: Select the existing key pair.
  7. In Network Settings, click on the Edit button:
  8. VPC: MyVPC
  9. Subnet: Choose MyPrivateSubnet
  10. Auto-assign public IP: Disable
  11. Select Create new security group.
  12. Security group name: Enter MyServerSG
  13. Description: Enter My EC2 Security Group
  14. Check Allow SSH from and select Anywhere from the dropdown (Type: SSH, Source: Anywhere).
  15. For All ICMP - IPv4, select the Add security rule button (Type: All ICMP - IPv4, Source: Anywhere).
  16. Keep the rest default and click on the Launch Instance button.
  17. Select View all Instances to view the instance you created.
  18. Note the Private IP address of MyPrivateEC2Server.
  19. Two servers are launched and ready.
Task 10: Testing Both EC2 instances

  1. Public EC2 instance: We have installed a web application on this server.
  2. Select the MyPublicEC2Server EC2 instance from the instance list.
  3. From the Description tab, copy the IPv4 Public IP.
  4. Now paste this IP into your web browser and press [Enter].
  5. You will be able to see the following page:
  [Screenshot: Task 10: Testing Both EC2 instances]
  6. Next, we will try to ping the private EC2 instance from the public EC2 instance.
  7. SSH into the EC2 instance. Please follow the steps in SSH into EC2 Instance.
  8. Once connected to the server, change to the root user: sudo su
  9. Copy the Private IP of MyPrivateEC2Server from the Description tab.
  10. Ping the private instance using its private IPv4 address: ping <Private IP address>
  11. Example: ping 10.0.2.161
  12. Press [Ctrl] + C to stop the ping rather than pause it.
  13. Note: You were able to do these tasks because the default NACL created during VPC creation allows both INBOUND and OUTBOUND traffic by default.
Task 11: Creating Custom NACL and Associate it to the Subnet

  1. Note: By default, both subnets are associated with the default NACL of MyVPC. Once you create a custom NACL and attach it to the public subnet and private subnet.
  2. Navigate to VPC under the Services menu. Click on Network ACLs under Security.
  3. Click on Create Network ACL.
  4. Name tag: Enter MyPublicNACL
  5. VPC: Select MyVPC from the dropdown list.
  6. Click on Create.
  7. Associate MyPublicNACL with the public subnet: select the Actions tab and click on Edit subnet associations.
  8. Select both the Public and Private subnets from the table.
  9. Click on Save changes.
  10. Rename the main NACL: select the default NACL of the VPC MyVPC.
  11. Enter the name MyPrivateNACL and click on Save.
Task 12: Testing the Public and Private Server

  1. Public EC2 instance: Navigate to the EC2 Instance Dashboard and click on Instances from the left side menu.
  2. Select the MyPublicEC2Server EC2 instance from the instance list.
  3. From the Description tab, copy the IPv4 Public IP.
  4. Now paste this IP into your web browser and press [Enter].
  5. You will see the following page:
  [Screenshot: Task 12: Testing the Public and Private Server]
  6. Note: This is because the custom NACL attached to your public subnet restricts both INBOUND and OUTBOUND traffic.
  7. Private EC2 instance: Since the public NACL restricts all traffic, you won't be able to SSH into the public EC2 instance to ping the private instance.
  8. Next, we are going to solve this.
Task 13: Adding Rules to Custom NACL (MyPublicNACL)

  1. Navigate to VPC under the Services menu. Click on Network ACLs under Security.
  2. Select MyPublicNACL from the list.
  3. In the Inbound rules tab, click Edit inbound rules.
  4. Add the following rules:
  5. For HTTP, click on Add rules: Rule #: Enter 100; Type: Choose HTTP (80); Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  6. For ALL ICMP - IPv4, click on Add rules: Rule #: Enter 150; Type: Choose ALL ICMP - IPv4; Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  7. For SSH, click on Add rules: Rule #: Enter 200; Type: Choose SSH (22); Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  8. Click on Save changes.
  9. In the Outbound rules tab, click Edit outbound rules.
  10. Add the following rules:
  11. A Custom TCP rule row is already available: Rule #: Enter 100; Type: Choose Custom TCP Rule; Port Range: Enter 1024 - 65535; Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  12. For ALL ICMP - IPv4, click on Add rules: Rule #: Enter 150; Type: Choose ALL ICMP - IPv4; Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  13. For SSH, click on Add rules: Rule #: Enter 200; Type: Choose SSH (22); Source: Enter 0.0.0.0/0; Allow / Deny: Select Allow.
  14. Click on Save.
Task 14: Testing Both EC2 instances

  1. We will try to ping the private EC2 instance from the public EC2 instance.
  2. SSH into the EC2 instance. Please follow the steps in SSH into EC2 Instance.
  3. Once connected to the server, change to the root user: sudo su
  4. Copy the Private IP of MyPrivateEC2Server from the Description tab.
  5. Ping the private instance using its private IPv4 address: ping <Private IP address>
  6. Example:
  [Screenshot: Task 14: Testing Both EC2 instances]
  7. Press [Ctrl] + C again to cancel the process rather than pause it.
  8. Note: You were able to do these tasks because we added NACL rules.

By participating in the AWS VPC NACL Lab, users acquire a range of practical skills and knowledge, including the ability to create NACLs, define rule sets for specific subnets, evaluate traffic patterns, implement allow and deny rules, and analyze the impact of NACL configurations on network communication. Additionally, participants gain insight into optimizing NACL configurations for different use cases, securing sensitive workloads, and mitigating potential security risks within their AWS VPCs.
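The Python below is an added example, not code from the lab or from AWS. It models how a network ACL decides on a packet (rules evaluated in ascending rule-number order, first match wins, the implicit `*` rule denies everything else) and replays Tasks 11 to 14 offline: the empty MyPublicNACL of Task 11 blocks the web page and SSH (Task 12), and the rules from Task 13 restore both the web page and the ping to the private instance (Task 14). Because NACLs are stateless, the request direction and the reply direction must each match an allow rule; that is the reason the lab's outbound rule 100 covers TCP 1024-65535, the ephemeral ports that clients' replies are sent to. The client address 198.51.100.10 and the port numbers are constructed sample values; 10.0.2.161 is the example private IP from Task 10.

```python
"""Stateless NACL evaluation for the rules added in Task 13 (added example; not lab code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str                       # "tcp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]    # inclusive port range; None for icmp/all
    cidr: IPv4Network                   # source (inbound rules) or destination (outbound rules)
    allow: bool


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote: IPv4Address    # the address on the far side of the subnet boundary
    port: Optional[int]    # destination port of this packet; None for icmp


ANY = IPv4Network("0.0.0.0/0")

# Task 13 inbound rules of MyPublicNACL
INBOUND = [
    Rule(100, "tcp", (80, 80), ANY, True),   # HTTP (80)
    Rule(150, "icmp", None, ANY, True),      # ALL ICMP - IPv4
    Rule(200, "tcp", (22, 22), ANY, True),   # SSH (22)
]
# Task 13 outbound rules of MyPublicNACL
OUTBOUND = [
    Rule(100, "tcp", (1024, 65535), ANY, True),  # replies to clients' ephemeral ports
    Rule(150, "icmp", None, ANY, True),
    Rule(200, "tcp", (22, 22), ANY, True),
]
EMPTY: List[Rule] = []   # MyPublicNACL right after Task 11: only the implicit '*' deny


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """True if the packet is allowed: lowest matching rule number decides, else deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            continue
        if pkt.remote not in rule.cidr:
            continue
        if rule.ports is not None:
            if pkt.port is None or not (rule.ports[0] <= pkt.port <= rule.ports[1]):
                continue
        return rule.allow
    return False   # implicit '*' DENY


def tcp_flow_allowed(inbound: List[Rule], outbound: List[Rule],
                     client: str, server_port: int, client_port: int) -> bool:
    """A client outside the subnet connects to server_port; both directions must pass."""
    remote = IPv4Address(client)
    request = Packet("tcp", remote, server_port)   # inbound: dst port is the service port
    reply = Packet("tcp", remote, client_port)     # outbound: dst port is the client's port
    return evaluate(inbound, request) and evaluate(outbound, reply)


def ping_allowed(inbound: List[Rule], outbound: List[Rule], target: str) -> bool:
    """Echo request leaves the subnet and the echo reply comes back: both must pass."""
    remote = IPv4Address(target)
    return (evaluate(outbound, Packet("icmp", remote, None))
            and evaluate(inbound, Packet("icmp", remote, None)))


if __name__ == "__main__":
    print(tcp_flow_allowed(EMPTY, EMPTY, "198.51.100.10", 80, 51515))        # False (Task 12)
    print(tcp_flow_allowed(INBOUND, OUTBOUND, "198.51.100.10", 80, 51515))   # True  (Task 13)
    print(tcp_flow_allowed(INBOUND, OUTBOUND, "198.51.100.10", 22, 40000))   # True  (SSH)
    print(ping_allowed(INBOUND, OUTBOUND, "10.0.2.161"))                     # True  (Task 14)
    # Stateless edge case: a client using a source port below 1024 never gets its reply.
    print(tcp_flow_allowed(INBOUND, OUTBOUND, "198.51.100.10", 80, 1000))    # False
```

The last case is the one to remember when debugging a NACL: a connection that is accepted inbound can still fail because the reply has no outbound rule to match, and the failure shows up as a timeout rather than a refusal. The ordering semantics also matter for deny rules; in this model a deny rule with a lower number than rule 100 wins over the later allow for the same traffic, exactly as in the console.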
Task 15: Validation Test

  1. Once the lab steps are completed, click on the Validation button in the right side panel.
  2. This will validate the resources in the AWS account and show you whether you have completed this lab successfully.
  3. Sample output:
  [Screenshot: Task 15: Validation Test]
  4. You have created a VPC using the VPC Wizard.
  5. You have created an Internet Gateway.
  6. You have created a private and a public subnet for the VPC.
  7. You have created and associated route tables.
  8. You have added routes to the route table.
  9. You have launched EC2 instances into the Public and Private subnets.
  10. You have created a custom NACL.
  11. You have associated the NACL with the subnets.
  12. You have added inbound and outbound rules to the custom NACL.
  13. You have tested your VPC.
  14. Sign out of the AWS account.
  15. You have successfully completed the lab.
  16. Once you have completed the steps, click on End Lab from the lab console.