AWS Certified Advanced Networking:Specialty Exam Guide

Layer 3

The next layer of security is layer 3, which should secure all IP communication. Layer 3 spans all of our subnets and the whole of the internet. Essentially, when we talk about layer 3 protection, we are talking about stateless firewalls. These allow everyone to connect from the outset; once bad actors on the network are detected, the IP addresses or ranges of those actors are blocked. Layer 3 firewalling can also help meet specific network isolation requirements imposed for compliance reasons, for example, when only a certain IP address range may communicate with another specific IP address range.

This can be implemented simply with layer 3 stateless rules. Stateless firewalls also operate seamlessly, without any performance or latency impact on packet flows. In the VPC, Network Access Control Lists (NACLs) take the form of stateless layer 3 firewalls. Layer 3 firewalls are great at stopping volumetric attacks from the internet once the source has been identified, because they stop the attacker at the perimeter of the network. Layer 3 firewalls can also stop some, but not all, network layer attacks, as the traffic's source and destination are sometimes not enough to tell whether the traffic is legitimate.