AWS VPC Networking, Security, Monitoring, layers and depth

10th May 2023

Building a secure, layered, dependable network in AWS is not that simple. Avoiding single points of failure is necessary. Working with the right network SME is a pre-requisite to deploy applications on AWS. There are many services and layers one can use and build. The use cases will determine the extent of the services deployed and the related complexity.

Example networking architecture from AWS documents

VPC

VPC or Virtual Private Cloud, in AWS, is a critical component of the AWS cloud infrastructure, offering a scalable and secure environment for deploying applications and services. AWS network and application protection services give you fine-grained protections at the host-, network-, and application-level boundaries, and provide equally flexible solutions that inspect and filter traffic to prevent unauthorized resource access.

AWS Virtual Private Cloud (VPC)

VPC enables you to launch AWS resources such as EC2, RDS, ELB, etc. into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Security Groups

Security group controls the traffic that is allowed to reach and leave the resources that it is associated with. SGs act as virtual firewalls for individual instances, controlling inbound and outbound traffic. Use security groups to control traffic to/from EC2/RDS, instances in your subnets.

Network Access Control List (NACL)

Network ACL allows or denies specific inbound or outbound traffic at the subnet level. NACL acts as a firewall for subnets, controlling traffic flow in and out based on a set of rules. Use NACLs as an additional layer of security to your VPC.

Use NACLs to define broad traffic rules that you want to apply to every instance within a subnet, and then fine-tune the internet accessibility of specific instances by applying security groups.
Difference between Security Groups and Network Access Control List (NACL)

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Use Flow Logs to monitor the IP traffic going to and from a VPC, subnet, or network interface. Flow log data can be published to CloudWatch Logs or S3.

Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency.

Flow logs can help you with:

  • Verify success or failure of the data flow.
  • Verify protocols and ports used to send the data.
  • Diagnosing overly restrictive security group rules.
  • Monitoring the traffic that is reaching your instance.
  • Determining the direction of the traffic to and from the network interfaces.

VPC Flow Logs Overview

Network Access Analyzer

Network Access Analyzer is a feature that identifies unintended network access to your resources in AWS VPC. Use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements.

Network Access Analyzer can help you verify:

  • Understand, verify, and improve your network security posture
  • Demonstrate compliance
  • Network segmentation
  • Internet accessibility
  • Trusted network paths
  • Trusted network access

Traffic Mirroring

Traffic Mirroring is a VPC feature that you can use to copy network traffic from an elastic network interface of type interface. Use Traffic Mirroring to copy network traffic from an elastic network interface of an EC2 instance, then send the traffic to out-of-band security and monitoring appliances for:

  • Content inspection
  • Threat monitoring
  • Troubleshooting

The security and monitoring appliances can be deployed as individual instances or as a fleet of instances behind either a Network Load Balancer with a UDP listener or a Gateway Load Balancer with a UDP listener.

Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice.

AWS PrivateLink

AWS PrivateLink establishes private connectivity between VPC and supported AWS services, services hosted by other AWS accounts, and supported AWS Marketplace services. You do not need to use an internet gateway, NAT device, Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service.

To use AWS PrivateLink, create a VPC endpoint in your VPC, specifying the name of the service and a subnet. This creates an elastic network interface in the subnet that serves as an entry point for traffic destined to the service.

You can create your own VPC endpoint service, powered by AWS PrivateLink and enable other AWS customers to access your service.

VPC Endpoints Overview

AWS Network Firewall

AWS Network Firewall is stateful, managed, network firewall and intrusion detection and prevention service for your VPC. You can filter network traffic at the perimeter of your VPC using Network Firewall. Use Network Firewall to protect the subnets in your VPC from common network threats.

At the network-level, Network Firewall allows you to tightly control traffic to, from, and between your VPCs with capabilities such as stateful inspection, intrusion prevention, and web filtering.

Network Firewall can help you monitor and protect your VPC traffic in a number of ways, including the following:

  • Perform deep packet inspection on traffic entering or leaving your VPC (including Internet gateway, NAT gateway, or over VPN or AWS Direct Connect).
  • Use custom lists of known bad domains to limit the types of domain names that your applications can access.
  • Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.
  • Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3.

AWS Firewall Manager

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.

Network Firewall is supported by AWS Firewall Manager. Use Firewall Manager to centrally configure and manage your firewalls across your accounts and applications in AWS Organizations. You can manage firewalls for multiple accounts using a single account in Firewall Manager. AWS Firewall Manager also supports DNS Firewall.

AWS Web Application Firewall (WAF)

AWS WAF is a managed web application firewall service that helps you protect your web applications at the application layer from common web exploits that could affect application availability, compromise security, and/or consume excessive resources.

Use WAF to filter any part of the web request, such as IP addresses, HTTP headers, HTTP body, or URI strings to block common attack patterns, such as SQL injection or cross-site scripting.

WAF (Web Application Firewall) Overview

AWS Shield

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency.

Use AWS Shield to protect applications and APIs from SYN floods, UDP floods, or other reflection attacks. It helps you maximize application availability and responsiveness.

There are two tiers of AWS Shield: Standard and Advanced. AWS Shield Advanced is a tailored protection program that identifies threats using exabyte-scale detection to aggregate data across AWS.

Amazon Route 53 Resolver DNS Firewall

Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from your VPCs. Primary use of DNS Firewall protections is to help prevent DNS exfiltration of your data.

With DNS Firewall, you can filter, regulate, and control outbound DNS traffic for your VPCs. You can monitor and control the domains that your applications can query. You can specify lists of domain names to allow or block, and you can customize the responses for the DNS queries that you block. i.e. You can deny access to the domains that you know to be bad and allow all other queries to pass through. Alternatively, you can deny access to all domains except for the ones that you explicitly trust.

Summary

Amazon VPC is a powerful service that provides a secure and scalable environment for deploying applications in the cloud. You can minimize the risk of security breaches and protect your critical resources using VPC security features and other security services.

Guest Source