AWS Enterprise grade Networking & security| what are your options to protect your big data?

VPC features

• Static private IP address
• Elastic Network Interfaces :  possible to bind multiple Elastic Network Interfaces to a single instance
• Internal Elastic Load Balancers
• Advanced Network Access Control
• Setup a secure bastion host
• DHCP options
• Predictable internal IP ranges
• Moving NICs and internal IPs between instances
• VPN connectivity
• Heightened security etc

VPC examples

• Public facing VPC
• Public and Private setup VPC
• VPC with Public and Private Subnets and Hardware VPN Access
• VPC with Private Subnets and Hardware VPN Access
• Software based VPN access.

VPN options at AWS

• Hardware based (virtual private Gateway)
  • Public and private subnets
  • Private subnet only
• Software Based:  
  • AWS does not provide or maintain software VPN appliances; however, you can choose from a range of products provided by partners and open source communities.
  • Requires an instance
• Cloudhub (many site to site connections )
• DirectConnect , private network connection (DC to DC).
• Notice you could have redundant tunnels 🙂
• You can use BGP for dynamic routing.

Options to upload securely FROM VPC to Outside

1. VPC endpoint (NAT, and ACL rules)
   • You can define Routing. E.g from VPC to s3.
2. VPC peering
   • to connect to VPC groups. Even on different accounts.
3. NAT gateways,
   • to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instance
4. Internet Gateways
   • An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

Secured connection from WWW to VPC

1. Bastion host: server in the middle
   • Simple, straight forward IP+port to easily pass a FW from a DC
   • Non HA.
   • Increased latency, 2 hops architecture… 🙁
2. Proxy server (socks)
   • Will be good for any future usage such as Streaming.
   • need to maintain a proxy cluster
3. VPN tunnel
   • Need to maintain private LAN IP’s on both end points
   • Slower in upload
4. Endpoints

 

VPC private subnet + Virtual Private Gateway

• Virtual Private Gateway. Simple VPN connector from AWS side.
• Customer Gateway: simple VPN connection from client side. (physical or software)
• customer gateway must initiate the tunnels
• If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down
• To prevent this, you can use a network monitoring tool to generate keepalive pings; for example, by using IP SLA
• Start here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
• https://docs.openvpn.net/how-to-tutorialsguides/administration/extending-vpn-connectivity-to-amazon-aws-vpc-using-aws-vpc-vpn-gateway-service/

VPC peering

1.       Apparently VPC peering is available only for connecting between VPCs in the same region (it can be cross accounts but has to be in the same region):

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html

2.       For connecting VPCs in different regions there are several architectural options you can read about it in the following blog:

https://aws.amazon.com/answers/networking/aws-multiple-region-multi-vpc-connectivity/

Great Read | How to Define VPC with private and public subnet

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

This blog , if you go through it step by step and implement it – you will know aws networking inside out!

 

VPC best practices

• Get your Amazon VPC combination right: Select the right Amazon VPC architecture first.  You need to decide the right Amazon VPC & VPN setup combination based on your current and future requirements
• Choose your CIDR Blocks: Amazon VPC can have contain from 16 to 65536 IP addresses
• Isolate according to your Use case:
  • Create separate Amazon VPC for Development , Staging and Production environment
  • Create one Amazon VPC with Separate Subnets/Security/isolated NW groups for Production
• Securing Amazon VPC :
  • Secure your Amazon VPC using Firewall virtual appliance,
  • You can configure Intrusion Prevention or Intrusion Detection virtual appliances and secure the protocols and take preventive/corrective actions in your VPC
• Configure VM encryption tools which encrypts your root and additional EBS volumes.
• Configure Privileged Identity access management solutions
• Enable the cloud trail to audit in the VPC environments  ACL policy’s.
• Apply anti virus for cleansing specific EC2 instances inside VPC.
• Configure Site to Site VPN for securely transferring information between Amazon VPC in different regions or between Amazon VPC to your On premise Data center
• Follow the Security Groups and NW ACL’s best practices listed below

• Always span your Amazon VPC across multiple subnets in Multiple Availability zones inside a Region.
• Good security practice is that to have only public subnet with route table which carries route to internet gateway. Apply this wherever applicable.
• Keep your Data closer

 

• Allow and Deny Network ACL
  • First network ACL: Allow all the HTTP and HTTPS outbound traffic on public internet facing subnet.
  • Second network ACL: Deny all the HTTP/HTTPS traffic. Allow all the traffic to Squid proxy serve

 

• Restricting Network ACL : Block all the inbound and outbound ports. Only allow application request ports.

 

• • Create route tables only when needed and use the Associations option to map subnets to the route table in your Amazon VPC
  • Use Amazon VPC Peering

 

• Security group – least privileges by design.

 

Technical Notes to pay attention on AWS VPC networking | Summery

• Public subnet
  • Must have access to to WWW
  • Must have auto assign public IP
  • Has a private IP as well 🙂
• Route table per subnet (private/public)
• Dont forget to associate subnet to routing table.
• Security Group→ instance level→ for white list → cross AZ → statefull – both directions in one rule
• Network ACL → subnet level → blacklist → not cross AZ→ stateless , one definition per one direction
• NAT gateway must be defined in the public subnet — > needs access to WWW.
• Dont forget to add AZ’s.
• Dont forget to Add S3 Endpoint

Summery

• there many good options to protect your data, simply knowing VPC features is not enough, you have to know your big data components as well.
• designing a network is non trivial, consult someone before your start , very hard to change something once your are deep inside the process.
• have you data in mind, security and access management when you design your network and security.

 

Need to learn more about aws big data (demystified)?

• Contact me via linked in Omid Vahdaty
• website: https://amazon-aws-big-data-demystified.ninja/
• Join our meetup, FB group and youtube channel
  • Join our meetup : https://www.meetup.com/AWS-Big-Data-Demystified/
  • Join our facebook group https://www.facebook.com/groups/amazon.aws.big.data.demystified/
  • subscribe to our youtube channel https://www.youtube.com/channel/UCzeGqhZIWU-hIDczWa8GtgQ?view_as=subscriber

——————————————————————————————————————————

I put a lot of thoughts into these blogs, so I could share the information in a clear and useful way. If you have any comments, thoughts, questions, or you need someone to consult with, feel free to contact me:

https://www.linkedin.com/in/omid-vahdaty/