VPC Basics
Virtual Private Cloud (VPC)
• Allows you to create a virtual network for resources in an isolated section of the AWS Cloud
• Users can define the network configuration, such as IP address ranges, route tables and network gateways
• Subnets can also be created inside a VPC
• Build a virtual network in the AWS Cloud w/o having to worry about physical connectivity
• Capability to configure network-based controls such as NACLs
VPC Design
• VPCs are created and exist in one AWS Region.
• A VPC essentially moves network traffic around within your region
• Maximum of 200 route tables
• Specifying an IP address range (CIDR block) is mandatory
VPC IP address range
• Every VPC has a private IP address space (by default)
• The CIDR block size can be from /16 to /28
• The primary CIDR block cannot be modified once created
• Subnets are created from the VPC CIDR block
VPC Configuration
• From AWS Console Home, select/search VPC
• From the main pane, click Create VPC
• Choose VPC only (the alternative is VPC and more)
• Assign Name tag – LabVPC
• Assign new IPv4 CIDR – 10.0.0.0/16
• Click Create VPC
Subnet Configuration
• From the left pane, click Subnets (VPC page)
• From the upper right, click Create subnet
• Select VPC ID (VPC tag)
• Assign Subnet Name – WebSubnet
• Assign subnet Availability Zone
• Assign subnet CIDR – 10.0.10.0/24
AWS NACL
Network Access Control List (NACL)
• Manage and control traffic at the subnet level.
• Allow or disallow network traffic based on policy
• Stateless: inbound and outbound rules must both be configured
• TOP-DOWN process: rules are evaluated in ascending rule-number order and the first match wins
• Created in a VPC and associated with subnets (no NACL by default)
• NACL has an explicit deny-all as its final rule
NACL Restrictions (traffic that NACLs do not filter)
• Amazon Domain Name Services (DNS)
• Amazon Dynamic Host Configuration Protocol (DHCP)
• Amazon EC2 instance metadata
• Amazon ECS task metadata endpoints
• License activation for Windows instances
• Amazon Time Sync Service
• Reserved IP addresses used by the default VPC router
Configuration
• From AWS Console Home, select/search VPC
• From the left pane, under Security, click Network ACLs
• Click Create network ACL on the top right
• Assign Name, Select VPC
• Select newly created NACL
• Click Edit Inbound rules, add rules
• Click the Outbound rules tab, Edit outbound rules, add rules
NACL Rules
• Rule number – 100, 101
• Type – SSH, HTTPS, Custom
• Protocol – TCP, UDP
• Port range – 22, 443, 1300
• Source – IP address range or Specific Host IP
• Destination – IP address range or Specific Host IP
• Allow/Deny
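The rule fields, the top-down evaluation and the stateless behaviour above, as an added Python example (not from the slides or from AWS): a constructed NACL evaluated in rule-number order with the trailing deny-all, showing why a separate outbound rule for ephemeral ports is needed before HTTPS replies can leave the subnet. Rule numbers, CIDRs and addresses are constructed.

```python
import ipaddress

# Constructed example NACL, modelled on the slide's fields: rule number, protocol,
# port range, CIDR, allow/deny. Rules are evaluated in ascending rule-number order,
# the first match wins, and the trailing "*" rule denies everything else.
INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "203.0.113.0/24", "allow"),   # admin range (constructed)
    (120, "tcp", (22, 22), "0.0.0.0/0", "deny"),
]
OUTBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),       # outbound HTTPS to the internet
]
# A NACL is stateless: replies to inbound HTTPS leave for the client's ephemeral
# port, so the outbound list needs a matching allow for 1024-65535 as well.
OUTBOUND_FIXED = OUTBOUND + [(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

def evaluate(rules, proto, port, ip):
    """Return (rule_number, action) of the first matching rule, or ('*', 'deny').
    port is the destination port; ip is the remote address the CIDR is matched against."""
    addr = ipaddress.ip_address(ip)
    for number, r_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto == proto and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return number, action
    return "*", "deny"

def https_session_allowed(outbound, client_ip, client_port):
    """Both directions must be allowed explicitly because the NACL keeps no state."""
    request = evaluate(INBOUND, "tcp", 443, client_ip)          # client -> server:443
    reply = evaluate(outbound, "tcp", client_port, client_ip)   # server -> client:ephemeral
    return request[1] == "allow" and reply[1] == "allow"

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 22, "203.0.113.7"))    # (110, 'allow')
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.9"))   # (120, 'deny')
    print(https_session_allowed(OUTBOUND, "198.51.100.9", 51234))        # False
    print(https_session_allowed(OUTBOUND_FIXED, "198.51.100.9", 51234))  # True
```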
NACL Association
• On the same NACL page, click the Subnet associations tab (next to Outbound rules)
• Select Subnet name/s (click check box)
• Click Save changes
AWS Security Groups
Security Groups (SG)
• Manage and control traffic at the EC2 instance level.
• A default SG is automatically created and associated with EC2 instances.
• Source and Destination can be either IP based or SG based
• Associated with specific EC2 instances
• TOP-DOWN process. Allow traffic only.
• SG has no rules by default
SG Rules
• Rules are always permissive; you can't create rules that deny access
• Enable you to filter traffic based on protocols and port numbers (same as with NACLs)
• Security groups are stateful
• You can add and remove rules at any time; changes are automatically applied to the instances
• The effect of some rule changes can depend on how the traffic is tracked.
• Multiple SGs can be associated with an instance, and rules from each SG are effectively aggregated
Configuration
• From AWS Console Home, select/search EC2
• From the left pane, under Network & Security, click Security Groups
• Click Create security group on the top right
• Assign Security group name, and Description
• Select VPC
• Under Inbound rules, click Add rule
SG Rules
• Type – SSH, HTTPS, Custom TCP
• Protocol – TCP, UDP
• Port range – 22, 443, 1300
• For Inbound Rules, Source – IP address range, Specific Host IP or SG Name
• For Outbound Rules, Destination – IP address range, Specific Host IP or SG Name
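As an added Python example (not from the slides or from AWS), the allow-only, stateful and aggregated behaviour of SG rules described on the SG Rules slides, including rules whose source is another SG rather than an IP range. Group names, members and addresses are constructed.

```python
import ipaddress

# Constructed security groups, modelled on the slide's rule fields.
# Each inbound rule: (protocol, (from_port, to_port), source) where source is a
# CIDR or the name of another SG. SG rules are allow-only and stateful, so only
# the initiating direction is checked; the reply traffic is permitted automatically.
GROUPS = {
    "ALB-SG": {"members": ["10.0.1.10"],
               "inbound": [("tcp", (443, 443), "0.0.0.0/0")]},
    "Web-SG": {"members": ["10.0.10.20", "10.0.10.21"],
               "inbound": [("tcp", (80, 80), "ALB-SG")]},      # SG reference, not an IP range
    "DB-SG": {"members": ["10.0.20.30"],
              "inbound": [("tcp", (3306, 3306), "Web-SG")]},
    "Admin-SG": {"members": [],
                 "inbound": [("tcp", (22, 22), "203.0.113.0/24")]},
}
# Which groups are attached to which instance (an instance may carry several).
INSTANCE_SGS = {
    "10.0.1.10": ["ALB-SG"],
    "10.0.10.20": ["Web-SG", "Admin-SG"],   # rules from both groups are aggregated
    "10.0.10.21": ["Web-SG"],
    "10.0.20.30": ["DB-SG"],
}

def source_matches(source, src_ip):
    """A CIDR source matches by address; an SG source matches any member of that group."""
    if source in GROUPS:
        return src_ip in GROUPS[source]["members"]
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)

def inbound_allowed(dst_ip, proto, port, src_ip):
    """True if any rule in any SG attached to dst_ip allows the connection.
    There are no deny rules and no ordering: the union of all rules is evaluated."""
    for sg in INSTANCE_SGS.get(dst_ip, []):
        for r_proto, (lo, hi), source in GROUPS[sg]["inbound"]:
            if r_proto == proto and lo <= port <= hi and source_matches(source, src_ip):
                return True
    return False   # implicit deny when nothing matches

if __name__ == "__main__":
    print(inbound_allowed("10.0.10.20", "tcp", 80, "10.0.1.10"))     # True: ALB -> web
    print(inbound_allowed("10.0.10.20", "tcp", 80, "198.51.100.9"))  # False: internet -> web
    print(inbound_allowed("10.0.10.20", "tcp", 22, "203.0.113.7"))   # True: Admin-SG aggregated
    print(inbound_allowed("10.0.10.21", "tcp", 22, "203.0.113.7"))   # False: no Admin-SG attached
```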
SG Association
• From EC2 page, click Instances under Instances
• Select the instance(s) you want to associate with the new security group by clicking the check box
• Click Actions from the upper right and under Security, select Change security groups
• Select the security group from the input field and click Add security group
• Finally, click Save
AWS WAF
Network Firewalls / NACL / SG
• Can protect against some attacks but are not designed for the application level
• Rule based – not so intelligent
• Hackers can bypass firewalls
Web Application Firewall (WAF)
• Application-specific protection
• Rule based, signature based and more
• Hackers hate WAF protection
• Provides web traffic visibility w/ controls and metrics
• Application inspection is performed before traffic is forwarded to EC2
Requirements
• AWS resources – EC2, VPCs, etc.
• Elastic Load Balancer (ELB), CloudFront or API Gateway is created and working
• Skills and knowledge of web application security
• WAF rules and conditions (Web ACL)
• Third-party WAF (optional)
Configuration
• From AWS Console Home, select/search WAF
• From the main pane, click Create web ACL
• Assign Name, add description (optional)
• Add CloudWatch metric
• Select Resource type – Amazon CloudFront or Regional resources (Application Load Balancer)
• Associate resources such as an Application Load Balancer (can do this later)
• Select Region – e.g. US East or Asia Pacific (Singapore), and click Next
• Add Rules (can do this later)
• Default web ACL action – Allow or Block
• Click Next, click Next, click Next
• Review configuration and click Create web ACL
Web ACL Association
• From AWS Console Home, select/search WAF
• From the left pane, under AWS WAF, click Web ACLs
• Edit the newly created Web ACLs
• Click Associated AWS resources tab
• Select Application Load Balancer
• Click Save
Complexity
• WAF and/or web application security is complicated
• Dedicated course
Network Security Best Practices
AWS Network Security
• Create AWS Network Security Audit Report
• Can be a portion of the entire AWS/Cloud security report
• VPC, SG, NACL and WAF
• WAF can have a dedicated part.
• Regular review and update
Virtual Private Cloud (VPC)
• Do not use the default VPC. Create a new one
• CIDR – choose an appropriate CIDR block size and avoid overlap with other VPCs or on-prem
• Create subnets per application – Web Subnet, Database Subnet, ALB Subnet
• Limit the subnets set to public – Web Subnet or ALB Subnet
• Select 2 or more Availability Zones when creating subnets for better availability
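To check the sizing rule from the VPC IP address range slide and the overlap advice above, an added Python example (not from the slides or from AWS): it validates that the VPC block is between /16 and /28, that every subnet sits inside the VPC block, that subnets do not overlap each other, and that the VPC does not overlap other VPCs or the on-prem range. All addresses are constructed.

```python
import ipaddress

# Constructed VPC layout following the slide's guidance: a /16 VPC,
# per-application subnets, and other ranges that must not overlap.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "ALB-Subnet": "10.0.1.0/24",
    "Web-Subnet": "10.0.10.0/24",
    "DB-Subnet": "10.0.20.0/24",
}
OTHER_RANGES = {            # other VPCs and the on-prem network (constructed)
    "SharedServices-VPC": "10.1.0.0/16",
    "OnPrem": "192.168.0.0/16",
}

def check_vpc_cidr(cidr):
    """AWS accepts VPC IPv4 blocks from /16 to /28; return a list of problems (empty = ok)."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{cidr}: prefix must be between /16 and /28")
    return problems

def check_layout(vpc_cidr, subnets, other_ranges):
    """Subnets must sit inside the VPC block and not overlap each other;
    the VPC block must not overlap other VPCs or on-prem."""
    problems = check_vpc_cidr(vpc_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    for name, cidr in other_ranges.items():
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps {name} {cidr}")
    return problems

if __name__ == "__main__":
    print(check_layout(VPC_CIDR, SUBNETS, OTHER_RANGES))   # [] -> clean design
    # A bad layout: a subnet overlapping the ALB subnet, one outside the VPC,
    # and an on-prem range that swallows the whole VPC.
    bad = {**SUBNETS, "Web-Subnet": "10.0.1.0/25", "Backup": "10.2.0.0/24"}
    print(check_layout(VPC_CIDR, bad, {"OnPrem": "10.0.0.0/8"}))
```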
Security Groups (SG)
• Don't use the default. Create a new one w/ proper naming
• Allow only necessary inbound traffic
• Avoid using 0.0.0.0/0 or Any
• Only allow HTTPS inbound traffic for public-facing applications
• Create multiple SGs – Web-SGs, ALB-SGs, DB-SGs
• Avoid using IP ranges; instead use SG names in rules
• Enable VPC Flow Logs (will discuss later)
Network Access Control List (NACL)
• Don't use the default. Create a new one w/ proper naming
• Allow only necessary inbound and outbound rules
• Avoid using 0.0.0.0/0 or Any
• Only allow HTTPS inbound traffic for public-facing applications
• Separate NACLs
• Do not implement NACLs if SGs are not yet in place.
• NACL – additional layer of security. Use for traffic shaping and prioritization
AWS WAF
• Enable Application Load Balancer for scalability and protection (only the ALB is public facing, not EC2)
• Enable WAF for application-level protection and apply Web ACLs
• Learn application security – manage Web ACLs and rule groups
• Monitor false positives; regular testing and tuning
• More on AWS WAF in a separate course
Add Ons
• AWS Shield for application DDoS protection
• AWS Network Firewall for IDS/IPS
• Both can be managed via AWS Firewall Manager