Obfuscating AWS Resources (BP1, BP4, BP5) - AWS Best Practices for DDoS Resiliency

Obfuscating AWS Resources (BP1, BP4, BP5)

Typically, users can quickly and easily use an application without requiring that AWS resources be fully exposed to the internet. For example, when you have Amazon EC2 instances behind an ELB, the instances themselves might not need to be publicly accessible. Instead, you could provide users with access to the ELB on certain TCP ports and allow only the ELB to communicate with the instances. You can set this up by configuring Security Groups and Network Access Control Lists (NACLs) within your Amazon Virtual Private Cloud (VPC). Amazon VPC allows you to provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

Security groups and NACLs are similar in that they allow you to control access to AWS resources within your VPC. But security groups allow you to control inbound and outbound traffic at the instance level, while NACLs offer similar capabilities at the VPC subnet level. There is no additional charge for using security groups or NACLs.