AWS Certified Advanced Networking:Specialty Exam Guide

WAN to LAN access patterns

When the primary source of legitimate connections to our application is the internet, the same will be true for any malicious packets. Any time an application is internet facing, it will need to be protected with as many mechanisms as possible.

Initially, we will need to determine what type of traffic is being sent between the internet and the local network in order to decide how to secure our application. We should also be aware of the underlying IP protocols, since IPv4 and IPv6 traffic both need to be secured with the same mechanisms.

After analyzing the traffic, we should focus on minimizing the attack surface. This means that we should disable any unnecessary access and limit the incoming traffic to legitimate sources only. For example, when using an ELB, we should always build a security group that allows internet access to the ELB alone, rather than to both the ELB and the instances it load balances traffic to. The instances should only be accessible from the ELB itself. It is easy to implement this with security groups, as we will see later in this chapter.
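As an added illustration of the ELB-in-front pattern described above (not code from the book), the following Python models two sets of security groups, a weak one where the instances are also reachable from the internet and a hardened one where they accept traffic only from members of the ELB's group, and evaluates ingress the way a security group allow-list does. The group IDs, addresses and the rule dictionaries are constructed to mirror the shape of EC2 `DescribeSecurityGroups` output; the evaluator is a simplified stand-in for the VPC firewall that checks ingress only and ignores NACLs and egress.

```python
"""Model of the 'instances reachable only through the ELB' security-group
pattern. Everything here is constructed for illustration: the group IDs
(sg-elb, sg-web), the client and ELB-node addresses, and the rule data.
"""
import ipaddress

# One rule shape, mirroring EC2 IpPermissions entries.
ELB_RULES = [
    # Internet clients may reach the ELB on 443 over IPv4 and IPv6.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "UserIdGroupPairs": []},
]

WEAK_GROUPS = {
    "sg-elb": {"IpPermissions": ELB_RULES},
    "sg-web": {"IpPermissions": [
        # Weak: the instances themselves are open to the whole internet.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
}

HARDENED_GROUPS = {
    "sg-elb": {"IpPermissions": ELB_RULES},
    "sg-web": {"IpPermissions": [
        # Hardened: port 80 only from resources that are members of sg-elb.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
    ]},
}


def rule_allows(rule, src_ip, src_groups, port, proto="tcp"):
    """True if a single ingress rule matches the source and destination port."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(src_ip)
    ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    # Group-referenced rules match on the sender's security-group membership,
    # not on its address, which is what makes the pattern robust to ELB IPs changing.
    return any(pair["GroupId"] in src_groups for pair in rule.get("UserIdGroupPairs", []))


def ingress_allowed(groups, dst_sg, src_ip, src_groups, port, proto="tcp"):
    """Security groups are pure allow-lists: any matching rule permits the flow."""
    return any(rule_allows(rule, src_ip, src_groups, port, proto)
               for rule in groups[dst_sg]["IpPermissions"])


def can_reach_instance_directly(groups, src_ip="198.51.100.7"):
    """An internet client (documentation address) talking straight to an instance."""
    return ingress_allowed(groups, "sg-web", src_ip, set(), 80)


def can_reach_via_elb(groups, src_ip="198.51.100.7"):
    """Hop 1: client to the ELB on 443. Hop 2: an ELB node, which carries a
    private VPC address and is a member of sg-elb, to the instance on 80."""
    hop1 = ingress_allowed(groups, "sg-elb", src_ip, set(), 443)
    hop2 = ingress_allowed(groups, "sg-web", "10.0.1.25", {"sg-elb"}, 80)
    return hop1 and hop2


if __name__ == "__main__":
    for name, groups in (("weak", WEAK_GROUPS), ("hardened", HARDENED_GROUPS)):
        print(name, "direct:", can_reach_instance_directly(groups),
              "via ELB:", can_reach_via_elb(groups))
```

The check that matters when reviewing such a configuration is the `sg-web` ingress: it should contain only `UserIdGroupPairs` pointing at the ELB's group and no CIDR ranges, so the legitimate path through the ELB still works while direct access from either IPv4 or IPv6 clients is denied.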