Openvpn – AWS: Subnets vs Security groups for setting up a VPC

amazon-web-services, openvpn

I'm new to AWS, and I have an instance on EC2 that I would like to restrict to just the IPs in my home network. What is the difference between the subnets and security groups that are associated with a VPC? From my understanding, it is the security group that does the IP address permissions but I'm not too sure what the subnet accomplishes.

Also, how does the network ACL play into this?

https://i.stack.imgur.com/4KYWT.png

Do I specify the allowed IP addresses in source?

EDIT: VPN information

After thinking about it, instead of whitelisting certain external IP addresses, I wanted to make the EC2 instance only accessible when connected with a VPN. So even computers on my home network wouldn't be able to access it unless using a VPN. Would this require me to set up an OpenVPN server on EC2 that would access a private subnet?

Also, the EC2 instance would require accessing the internet, would that mean it is under a public subnet instead?

Thanks!

Best Answer

First Question - Security

Security groups are a firewall that runs on the instance hypervisor. Network ACLs are a firewall that runs on the network. You can use either, or both. In theory a NACL reduces host load, but it's likely negligible.

Security groups are stateful, so return traffic is automatically allowed. NACLs require firewall rules for each direction to be specified, including ephemeral ports. Security groups are therefore easier to use.

In your case I suggest you add a security group rule that allows access from your /32 IP for every protocol you require. The IP goes into the rightmost column.

Second Question - VPN

OpenVPN doesn't change the IP address of anything; it can be thought of as a gateway. Your computer connects to the EC2 instance, which then has any access that the EC2 instance has. If we know what you were trying to achieve with a VPN we may be able to give better advice.

Given your updated requirements, I would probably use an EC2 server in a public subnet as a VPN terminator and NAT instance, and a private EC2 instance in a private subnet. Your NACLs and security groups would be set up to allow outgoing internet access via the NAT but deny incoming connections other than from the VPN instance.

I'm not sure if a single instance can be VPN terminator and NAT. I suspect it can.
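The stateful-versus-stateless point in the answer above (a single /32 security-group rule covers the reply traffic, while a NACL needs an explicit rule for each direction including the ephemeral client ports) is easy to get wrong in the console. The following model is an added illustration, not code from the original question or answer and not an AWS API: it evaluates a few constructed packets against a security group with connection tracking and against a NACL without it, so you can see exactly which packet a missing return rule would drop. The addresses, ports and rule numbers are assumptions chosen for the example.

```python
"""Stateful security group vs stateless network ACL, modelled on a few flows.

Added illustration only; addresses, ports and rule numbers are constructed
for this example and are not from the original post or from AWS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_IP = "203.0.113.10"       # assumed home address, allowed as a /32
INSTANCE_IP = "10.0.1.25"      # assumed private address of the EC2 instance
STRANGER_IP = "198.51.100.77"  # an unrelated internet host (assumed)
EPHEMERAL = (1024, 65535)      # client port range AWS documents for NACL return rules


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny" (security groups only have allow rules)
    cidr: str           # remote CIDR: the "Source"/"Destination" column in the console
    ports: tuple        # inclusive (low, high) destination-port range
    proto: str = "tcp"  # "tcp", "udp" or "all"

    def matches(self, remote_ip: str, dport: int, proto: str) -> bool:
        return (self.proto in ("all", proto)
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.ports[0] <= dport <= self.ports[1])


class SecurityGroup:
    """Stateful: once a flow is permitted, packets in both directions pass."""

    def __init__(self, ingress, egress=(Rule("allow", "0.0.0.0/0", (0, 65535), "all"),)):
        self.ingress, self.egress = list(ingress), list(egress)  # egress default: allow all
        self.flows = set()  # tracked (remote_ip, remote_port, local_port, proto)

    def allows(self, pkt: Packet) -> bool:
        inbound = pkt.dst == INSTANCE_IP
        remote_ip, remote_port, local_port = (
            (pkt.src, pkt.sport, pkt.dport) if inbound else (pkt.dst, pkt.dport, pkt.sport))
        key = (remote_ip, remote_port, local_port, pkt.proto)
        if key in self.flows:
            return True  # return traffic of a tracked flow: no rule needed
        rules = self.ingress if inbound else self.egress
        if any(r.matches(remote_ip, pkt.dport, pkt.proto) for r in rules):
            self.flows.add(key)
            return True
        return False  # no matching allow rule: implicit deny


class NetworkACL:
    """Stateless: every packet, replies included, is checked against the rules
    for its direction, lowest rule number first, then implicitly denied."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda t: t[0])    # [(rule_number, Rule)]
        self.outbound = sorted(outbound, key=lambda t: t[0])

    def allows(self, pkt: Packet) -> bool:
        to_instance = pkt.dst == INSTANCE_IP
        rules = self.inbound if to_instance else self.outbound
        remote_ip = pkt.src if to_instance else pkt.dst
        for _, rule in rules:
            if rule.matches(remote_ip, pkt.dport, pkt.proto):
                return rule.action == "allow"
        return False


# Constructed traffic: an SSH session from home and an HTTPS fetch by the instance.
SSH_IN = Packet(HOME_IP, INSTANCE_IP, 51515, 22)         # home -> instance, new connection
SSH_REPLY = Packet(INSTANCE_IP, HOME_IP, 22, 51515)      # instance -> home, the reply
STRANGER_IN = Packet(STRANGER_IP, INSTANCE_IP, 40000, 22)
OUT_WEB = Packet(INSTANCE_IP, STRANGER_IP, 43210, 443)   # instance-initiated internet access
WEB_REPLY = Packet(STRANGER_IP, INSTANCE_IP, 443, 43210)
TRAFFIC = [SSH_IN, SSH_REPLY, STRANGER_IN, OUT_WEB, WEB_REPLY]


def trace(firewall, packets):
    """Evaluate packets in order (order matters for the stateful SG)."""
    return [firewall.allows(p) for p in packets]


def security_group_verdicts():
    """One ingress rule, 22/tcp from the home /32, is enough: replies are tracked."""
    sg = SecurityGroup(ingress=[Rule("allow", f"{HOME_IP}/32", (22, 22))])
    return trace(sg, TRAFFIC)


def nacl_verdicts(with_ephemeral_rules: bool):
    """Same intent as a NACL; without the ephemeral-port rules both replies die."""
    inbound = [(100, Rule("allow", f"{HOME_IP}/32", (22, 22)))]
    outbound = [(110, Rule("allow", "0.0.0.0/0", (443, 443)))]
    if with_ephemeral_rules:
        outbound.append((100, Rule("allow", f"{HOME_IP}/32", EPHEMERAL)))  # SSH replies
        # Inbound ephemeral from anywhere also lets unsolicited SYNs to high ports
        # through the NACL; the security group is what still stops those.
        inbound.append((110, Rule("allow", "0.0.0.0/0", EPHEMERAL)))      # HTTPS replies
    return trace(NetworkACL(inbound, outbound), TRAFFIC)


if __name__ == "__main__":
    print("security group :", security_group_verdicts())
    print("nacl, no return:", nacl_verdicts(False))
    print("nacl, complete :", nacl_verdicts(True))
```

Run it and compare the three lists: the security group passes both replies on the strength of its single inbound rule, while the NACL drops the SSH reply and the HTTPS reply until the two ephemeral-range rules are added. The last comment marks the trade-off of those NACL return rules, which is the usual reason to treat the security group as the primary control and the NACL as a coarse backstop.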