Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
1. Networking and Security
Securing Your AWS Resources
with Amazon’s Virtual Private Cloud
Mark Ryland
Solutions Architect
AWS Public Sector team
2. Agenda
Review: EC2 standard networking
• Power and limits
EC2 networking with Virtual Private Cloud
• Key concepts
• New capabilities
• Common use cases
DirectConnect and VPC
3. EC2 Standard Networking
Distinct private/internal and public/external IPs
• True 1:1 NAT (no port translation)
• “Split-brained” DNS
Security groups control ingress
Elastic IPs: fixed public IPs
4.
EC2 instances dynamically assigned private IP addresses
from the one large internal Amazon IP address range
[Diagram: the Internet above Availability Zone 1a and Availability Zone 1b; instances of Customer 1, Customer 2 and Customer 3 are interleaved across both zones, each with a 10.x.x.x private address (e.g., 10.1.2.3, 10.218.5.17, 10.243.3.5)]
5.
EC2 instances dynamically assigned public IP addresses
on border network from Amazon’s public IP address blocks
[Diagram: as on slide 4, with each instance also shown with a public address on the border network (e.g., 23.20.151.66, 72.43.2.77, 72.44.32.9) mapped 1:1 to its private address]
6. Value and Limits of Standard Networking
Security groups
• Ingress only
• Limited dynamism
• Different from subnet-based controls
• Mental model issue
No private networking, DMZs, or NAT/PAT
No consistent / “fixed” IP addresses for instances
7. Introducing AWS Virtual Private Cloud
User-defined virtual IP networking for EC2
Private or mixed private/public addressing and
ingress/egress
Re-use of proven and well-understood
networking concepts and technologies
8. VPC Capabilities in a Nutshell
User-defined address space up to /16
Up to 20* user-defined subnets up to /16
User-defined:
• Virtual routing, DHCP servers, and NAT instances
• Internet gateways, virtual private gateways, customer gateways, and VPN tunnels
Private IPs stable once assigned
Elastic Network Interfaces
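As an added example (not part of the original deck), here is a small address-plan checker for the limits on slide 8, written in Python against the standard library only. The VPC CIDR, the subnet list and the 20-subnet default are constructed sample values taken from the slide; the five reserved addresses per subnet are AWS's documented reservation of the first four and the last address of each subnet, which the slides do not mention.

```python
"""Added example, not from the original slides: validate a VPC address plan
against the limits on slide 8 (VPC up to /16, up to 20 subnets, every subnet
inside the VPC range, no overlaps).  Standard library only, runs offline.

Assumptions not stated on the page: the sample CIDRs below are constructed,
and RESERVED_PER_SUBNET reflects AWS reserving the first four and the last
address of each subnet (network, router, DNS, future use, broadcast)."""
import ipaddress

MAX_VPC_PREFIX = 16       # "user-defined address space up to /16"
MAX_SUBNETS = 20          # "up to 20* user-defined subnets" (the default limit)
RESERVED_PER_SUBNET = 5   # AWS-reserved addresses, not usable by instances


def plan_vpc(vpc_cidr, subnet_cidrs, max_subnets=MAX_SUBNETS):
    """Return {'ok': bool, 'problems': [...], 'usable_hosts': {cidr: n}}."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:           # host bits set, e.g. 10.0.0.5/16
        return {"ok": False,
                "problems": [f"bad VPC CIDR {vpc_cidr}: {exc}"],
                "usable_hosts": {}}
    if vpc.prefixlen < MAX_VPC_PREFIX:
        problems.append(f"{vpc} is larger than the /{MAX_VPC_PREFIX} maximum")

    subnets = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"bad subnet CIDR {cidr}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside {vpc}")
        for other in subnets:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        subnets.append(net)

    if len(subnets) > max_subnets:
        problems.append(f"{len(subnets)} subnets exceeds the limit of {max_subnets}")

    usable = {str(n): max(n.num_addresses - RESERVED_PER_SUBNET, 0) for n in subnets}
    return {"ok": not problems, "problems": problems, "usable_hosts": usable}


if __name__ == "__main__":
    # The three-subnet layout drawn on slides 11-14 (constructed to match the diagram).
    good = plan_vpc("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.3.0/24"])
    print(good)
    # A plan that breaks three of the rules at once.
    bad = plan_vpc("10.0.0.0/8", ["10.0.0.0/24", "10.0.0.128/25", "172.16.0.0/24"])
    print(bad["problems"])
```

The checker refuses CIDRs with host bits set rather than silently normalising them, because a typo such as 10.0.1.0/23 where 10.0.1.0/24 was meant is exactly the kind of mistake that later shows up as an overlapping or unroutable subnet.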
9.
VPC customers can launch instances in their own isolated network
[Diagram: as on slide 4, with a fourth tenant, “VPC Customer”, whose instances sit in a separate network of their own spanning Availability Zone 1a and Availability Zone 1b]
10.
VPC customers can launch instances in their own isolated network.
You can assign your own IP range to the VPC network.
[Diagram: the VPC Customer’s instances now carry addresses from the customer’s own range (10.0.0.5, 10.0.0.6, 10.0.1.5, 10.0.1.6, 10.0.1.8, 10.0.1.25, 10.0.3.5, 10.0.3.17), spread across Availability Zone 1a and Availability Zone 1b]
11.
Instances can belong to different subnets.
[Diagram: the same VPC Customer instances grouped into three VPC subnets (10.0.0.x, 10.0.1.x and 10.0.3.x) across Availability Zone 1a and Availability Zone 1b]
12.
Add access control lists to your subnets.
[Diagram: the three VPC subnets from slide 11, each now with a network access control list attached at the subnet boundary]
13.
Add a Virtual Private Gateway to your VPC to make it an extension of your
datacenter. All traffic to and from the VPC traverses the VPN Connection.
[Diagram: the three VPC subnets across Availability Zone 1a and Availability Zone 1b; a Virtual Private Gateway attached to the VPC connects over a VPN Connection to a Customer Gateway in the Customer Data Center; there is no path to the Internet]
14.
Add an Internet Gateway to let instances talk directly to the Internet
[Diagram: as on slide 13, with an Internet Gateway now attached to the VPC alongside the Virtual Private Gateway, so the subnets across Availability Zone 1a and Availability Zone 1b can route to the Internet as well as down the VPN Connection to the Customer Gateway in the Customer Data Center]
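To make slides 13 and 14 concrete, this added example (not from the deck) resolves a destination against per-subnet route tables the way the VPC router does: longest prefix wins, the VPC's own range is the implicit local route, and a destination that matches no route is dropped. The route targets and the 192.168.0.0/16 on-premises range are constructed; the tables model a VPN-only subnet (slide 13), a public subnet (slide 14), a private subnet that reaches the Internet through a NAT instance (slide 8 and the speaker notes), and a subnet with no default route at all. It also encodes one caveat the diagrams do not show: a route to the Internet gateway helps only an instance that owns a public (Elastic) IP, because the gateway does the 1:1 NAT of slide 3 and has nothing to translate otherwise.

```python
"""Added example, not from the original slides: the route-selection rule a
VPC router applies to the topologies drawn on slides 13 and 14.

Everything below is constructed for illustration: the VPC range 10.0.0.0/16
and subnets from the diagrams, an on-premises range 192.168.0.0/16, and the
target names vgw-1 (virtual private gateway), igw-1 (Internet gateway) and
i-nat (a NAT instance in the public subnet)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "192.168.0.0/16"


def build_table(vpc_cidr, routes):
    """A route table always carries the implicit 'local' route for the VPC range."""
    table = [(ipaddress.ip_network(vpc_cidr), "local")]
    table += [(ipaddress.ip_network(cidr), target) for cidr, target in routes]
    return table


def next_hop(table, dst):
    """Longest-prefix match; None means the VPC router drops the packet."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, target in table:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(table):
    """The usual definition: the subnet's table has a route to an Internet gateway."""
    return any(target.startswith("igw-") for _, target in table)


def internet_path(table, has_public_ip, dst="198.51.100.1"):
    """Where an instance's Internet-bound packet ends up.  An IGW route is only
    usable by an instance with a public (Elastic) IP, since the IGW performs the
    1:1 NAT from slide 3; a NAT instance or the VPN has no such requirement."""
    hop = next_hop(table, dst)
    if hop is None:
        return "dropped: no route"
    if hop.startswith("igw-") and not has_public_ip:
        return "dropped: IGW route but no public IP"
    return hop


# Slide 13: VPN only, every non-local packet crosses the VPN connection.
VPN_ONLY = build_table(VPC_CIDR, [("0.0.0.0/0", "vgw-1")])
# Slide 14: a public subnet; on-premises traffic still prefers the VPN.
PUBLIC = build_table(VPC_CIDR, [(ONPREM_CIDR, "vgw-1"), ("0.0.0.0/0", "igw-1")])
# Speaker notes: a private subnet with no public IPs, Internet via a NAT instance.
PRIVATE = build_table(VPC_CIDR, [(ONPREM_CIDR, "vgw-1"), ("0.0.0.0/0", "i-nat")])
# No default route at all: only the VPC and the datacenter are reachable.
ISOLATED = build_table(VPC_CIDR, [(ONPREM_CIDR, "vgw-1")])

if __name__ == "__main__":
    for name, table in [("vpn-only", VPN_ONLY), ("public", PUBLIC),
                        ("private", PRIVATE), ("isolated", ISOLATED)]:
        for dst in ["10.0.3.5", "192.168.10.4", "198.51.100.1"]:
            print(f"{name:9} -> {dst:14} via {next_hop(table, dst)}")
```

The `is_public_subnet` check is the one to run over every subnet after a change: a subnet becomes public the moment its table gains an IGW route, regardless of what the instances in it were meant to be.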
15. Enhanced Security Capabilities
Network topology, routing, and subnet ACLs
Security group enhancements
• Egress control; dynamic (re)assignment; richer
protocol support
Multiple network interfaces per instance
Completely private networking via VPN
Support for dedicated instances
16. Common Use Cases
Mixing public and private resources
• E.g., web-facing hosts with DMZ subnets, control plane subnets
Workloads that expect fixed IPs and/or multiple NICs
AWS cloud as private extension of on-premises network
• Accessible from on-premises hosts
• No change to addressing
• No change to Internet threat/risk posture
17. Rich Capabilities in VPC
ELB, AutoScaling, and CloudWatch
Relational Database Service (MySQL engine, for now)
Elastic MapReduce
CloudFormation
And many others, with more to come…
“Blackbox” services with public endpoints reachable via
Internet gateway (or VPN)
18. DirectConnect: Private X-Connect to AWS
Dedicated bandwidth to AWS border network in 1 Gbps or
10 Gbps chunks
Full access to public endpoints, EC2 standard, VPCs
• VLAN tagging maps to public side or VPCs
Benefits:
• Faster / more consistent throughput
• Increased isolation and control
Great companion technology to VPC
Website precis: The AWS Virtual Private Cloud (VPC) is fast becoming the networking option of choice for enterprise and government customers because it provides a powerful set of virtual networking capabilities. VPC allows you to isolate, control, connect, and empower your systems at the network level. Did you know, for example, that VPC allows you to attach a single EC2 instance to multiple private subnets? To create DMZs, control subnet routing, and enable totally private interconnects with your on-premises systems? To deploy dedicated, isolated, single-tenant hardware for your virtual machines within the public cloud? Come learn about the extensive set of features specific to VPC that you should know about before your next cloud deployment.
Mention that there will be demos along the way.
Data egress charges are a measure of the packet flows across the public IP address at the network edge (i.e., the gray lines in the slide), even if the packets return into EC2. Internal-to-internal traffic and internal-to-AWS-service-endpoint traffic is all free. [Will add more valid public IPs to the animation later]
Example valid ranges:
• 216.182.224.0/20 (216.182.224.0 - 216.182.239.255)
• 72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
• 67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
• 75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
• 174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
• 204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
• 184.73.0.0/16 (184.73.0.0 - 184.73.255.255) NEW
“User-defined” is important because it can be a private OR a public address space. If public, must be routed to/from customer gateway / VPN tunnel.
Egress Control
• You control what the instances can talk to. E.g., let the instance initiate communication with the yum repository, but don’t let it browse anywhere else.
Network Topology
• Create subnets (public vs. privately accessible)
• Route traffic down the VPN or out to the Internet
Network Address Translation
• Private subnet instances with no public IP can still establish connections to the Internet
3rd-party Appliances and Applications
• Leverage software appliances and security applications
Multiple Interfaces
• Launch or configure instances with a second network interface
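The egress-control example in these notes (let the instance reach the yum repository and nothing else) can be written as a security group rule or as a subnet ACL rule (slide 12), and the two behave differently. This added example (not from the deck) models both filters so the difference is visible: a VPC security group is stateful and allow-only, with the egress rules that EC2 standard networking lacked (slides 6 and 15), while a network ACL is stateless, numbered, first-match and deny-capable, so return traffic has to be allowed explicitly on the ephemeral port range. The instance 10.0.1.5, the repository 203.0.113.10, the bystander 198.51.100.7 and all port numbers are constructed.

```python
"""Added example, not from the original slides: a model of the two VPC packet
filters, used to replay the 'yum repository only' egress policy from the notes.

Constructed values: the instance 10.0.1.5, the repository 203.0.113.10, the
bystander 198.51.100.7 and all port numbers."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """Security group rules are allow-only; ACL rules add an action and a number."""
    proto: str          # 'tcp', 'udp', 'icmp' or 'all'
    cidr: str
    port_lo: int
    port_hi: int
    action: str = "allow"
    number: int = 0


def _matches(rule, peer_ip, dport, proto):
    return (rule.proto in ("all", proto)
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_lo <= dport <= rule.port_hi)


class SecurityGroup:
    """Stateful: once a packet is accepted, replies for that flow are accepted
    without a rule.  egress=None models EC2 standard networking (slide 6):
    ingress rules only, egress unrestricted.  A VPC group passes a list."""

    def __init__(self, ingress, egress=None):
        self.ingress = list(ingress)
        self.egress = None if egress is None else list(egress)
        self._flows = set()

    def allows(self, pkt, direction):
        reply_of = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply_of in self._flows:
            return True
        if direction == "out":
            ok = self.egress is None or any(
                _matches(r, pkt.dst, pkt.dport, pkt.proto) for r in self.egress)
        else:
            ok = any(_matches(r, pkt.src, pkt.dport, pkt.proto) for r in self.ingress)
        if ok:
            self._flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return ok


class NetworkACL:
    """Stateless subnet filter (slide 12): rules checked in ascending number,
    first match decides, implicit deny at the end, replies get no free pass."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.outbound if direction == "out" else self.inbound
        peer = pkt.dst if direction == "out" else pkt.src
        for r in rules:
            if _matches(r, peer, pkt.dport, pkt.proto):
                return r.action == "allow"
        return False


INSTANCE, REPO, OTHER = "10.0.1.5", "203.0.113.10", "198.51.100.7"
TO_REPO = Packet(INSTANCE, REPO, "tcp", 51515, 80)
REPLY = Packet(REPO, INSTANCE, "tcp", 80, 51515)
BROWSE = Packet(INSTANCE, OTHER, "tcp", 51516, 80)


def yum_only_scenario():
    """Replay the notes' policy through both filters and report each verdict."""
    vpc_sg = SecurityGroup(ingress=[], egress=[Rule("tcp", REPO + "/32", 80, 80)])
    classic_sg = SecurityGroup(ingress=[])          # no egress control available
    acl_no_reply = NetworkACL(inbound=[],
                              outbound=[Rule("tcp", REPO + "/32", 80, 80, number=100)])
    acl_fixed = NetworkACL(inbound=[Rule("tcp", REPO + "/32", 1024, 65535, number=100)],
                           outbound=[Rule("tcp", REPO + "/32", 80, 80, number=100)])
    return {
        "sg_to_repo": vpc_sg.allows(TO_REPO, "out"),
        "sg_reply": vpc_sg.allows(REPLY, "in"),          # stateful: no ingress rule needed
        "sg_browse": vpc_sg.allows(BROWSE, "out"),
        "classic_browse": classic_sg.allows(BROWSE, "out"),
        "acl_to_repo": acl_no_reply.allows(TO_REPO, "out"),
        "acl_reply_dropped": acl_no_reply.allows(REPLY, "in"),   # SYN-ACK never arrives
        "acl_reply_fixed": acl_fixed.allows(REPLY, "in"),
    }


if __name__ == "__main__":
    for k, v in yum_only_scenario().items():
        print(f"{k:18} {v}")
```

The `acl_reply_dropped` case is the "mental model issue" of slide 6 in miniature: an ACL written like a security group lets the SYN out and silently drops the SYN-ACK, and the symptom is a hung yum rather than a denied connection. The ACL's deny action and ordered evaluation are what the security group cannot express, which is why the two are used together rather than as alternatives.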