In the first of this three-part series, we reviewed some of the security best practices recommended for AWS cloud. We discussed the AWS shared responsibility model to remind users the critical missing components when it comes to backing up their AWS workloads, and explored identity and access management which is crucial in establishing control over user roles. In this post, we will discuss Amazon Virtual Private Cloud (Amazon VPC) and how it brings many advantages to the table in terms of securing your data, complying with data governance legislation, establishing auditing protocols and general heightening your cloud security.
Whether you are already utilizing Amazon VPC or are currently migrating to the AWS ecosystem, read on to understand more about best practices for VPC design decisions including the structure of Subnet, flow logs, network access control list (ACL) and Security Groups.
What is Amazon VPC?
Amazon VPC enables customers to provision their resources in a logically segregated section of AWS cloud. This section is completely isolated from those of other customers and enables users to select their own IP address ranges, subnets, and gateways. With Amazon VPC, AWS cloud can be used to securely expand on-premises resources. It also disables internet access to database and application servers while enabling access to web servers. This is possible due to the multilayer security options provided by AWS, including security groups, subnets, VPN connections, and network access control lists.
AWS began with Amazon VPC EC2-Classic, which had a single flat network and was shared among customers. Later, AWS replaced this version with default and customizable options in order to isolate the network and enhance security.
Amazon VPC’s key components include:
A subnet is a group of IP addresses. While Amazon VPC covers all the availability zones in a specific region, subnets are restricted to a single availability zone. Subnets are public when their traffic is routed via an internet gateway and private when the internet gateway is not attached.
In order to enable internet access to a subnet, the route table of the subnet should have an entry that diverts internet traffic to the internet gateway. Each instance in the subnet is assigned a unique private and public IP address. When traffic flows out of the internet gateway, the public IP address is used for communication. Conversely, when traffic flows into the VPC, the public IP address is translated to the private one, which remains hidden from the external world. This is called IP masquerading.
Communication between an on-premises data center and Amazon VPC can be established using IPSec over the internet, AWS Direct Connect, or AWS PrivateLink.
With IPSec over the internet, VPN connections are configured over the internet to establish communication between the data center and AWS cloud. If you don’t want to create connections over the internet, you can use AWS Direct Connect or AWS PrivateLink to establish a connection between your on-premises resources and Amazon VPC. Because traffic never leaves the AWS network, AWS PrivateLink does not require a VPN connection, NAT instances, or a direct link.
How Amazon VPC Enhances Cloud Security
Amazon VPC can enhance cloud security using features such as:
Security groups act as the firewall for Amazon VPC resources and are assigned at the instance level. If you want to restrict traffic to and from an Amazon EC2 instance, create a security group. A default security group will be assigned if you do not choose one explicitly. There can be a maximum of five security groups assigned to one instance.
Network Access Control Lists
A network access control list (ACL) is an optional line of defense for your VPC and is configured at subnet level. Default ACLs allow all inbound and outbound traffic, both IPv4 and IPv6, through your subnet.
Flow logs help monitor and troubleshoot Amazon VPC’s network interfaces and subnets. You can enable flow logs for an interface or subnet that you want to monitor and access the flow logs via Amazon CloudWatch. While there are no additional charges for using the flow logs, CloudWatch charges will apply.
Amazon VPC is the backbone of AWS cloud security, providing multiple ways to establish a secure communication with corporate data centers, such as through VPN connections and direct and private links. With the help of security groups and access control lists, inbound and outbound traffic can be further restricted to provide complete end-to-end network security.
Want to know what other responsible world-leading organizations like Harvard, Yale, and NASA are using to secure their clouds?
Then try Cloud Protection Manager for free
Cloud Protection Manager (CPM) is a native cloud backup, recovery, and disaster recovery solution for Amazon EC2 instances, EBS volumes, RDS databases and Redshift Clusters. Our easy-to-use automation tool utilizes AWS EBS and RDS snapshots, directly connecting to users’ AWS infrastructure to perform automated backups. To learn more about CPM and how to give your team the ability to back up data as often as needed and recover it far more quickly, try our 30-day free trial. (No credit card needed, and it takes mere minutes to configure).