Study Guides/AWS Cybersecurity Notes/VPC Security: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
No edit summary |
||
| Line 72: | Line 72: | ||
== Route tables | == Route tables == | ||
::* Allows the subnet to route traffic. | ::* Allows the subnet to route traffic. | ||
| Line 79: | Line 79: | ||
::* A subnet uses the default VPC route table if no route table is defined. | ::* A subnet uses the default VPC route table if no route table is defined. | ||
By default you get the local route: | |||
::* This allows the VPC to communcate with other VPC's | |||
::* Local cannot be deleted. | |||
::* You can modify local and add more routes as needed. | |||
== Flow logs == | |||
::* Flow logs capture network traffic for analysis. | |||
::: Think of it like a wireshark capture. | |||
::* Flow logs can also be configrued at the VPC level - capture all traffic on the VPC. | |||
::* In the UI a tab will only configrue flow logs for a particular subnet. | |||
Why capture flow logs: | |||
::* Security incident data. | |||
::* Communcation issue data. | |||
== CIDR Reservation and Sharing == | |||
::* Alows blocks of IP addresses to be reserved. | |||
::* Sharing allows the subnet to be shared with another account in your organization. | |||
== Tags == | |||
::* Help you orgnaize subnets. | |||
Revision as of 17:51, 13 June 2026
VPC Security
Important terms
- Subnets - Remember each subnet must stay within its AZ. No Multiple AZ's or regions.
- Security groups - Think of them as firewalls assigned to the EC2 instance.
- You can have up to 5 per instance
- These are stateful - they will remember.
- NACL - Network Access Control Lists
- Remember these are stateless - so you need to enable both directions.
- They are evaluated in order from low to high.
- A NACL with always be associated with a subnet.
- If no NACL is specified for a VPC the VPC will be assigned a default NACL.
- NAT - Forwards traffic from a private subnet ot the internet or other AWS service.
- These are not secure - never use in production.
- VPC Endpoint
- Allows a resounce to connect you AWS VPC or AWS services without the public internet.
- AWS Direct Connect
- A direct connection to AWS - no public internet.
- Elastic network interface - A virtual network card.
The NO NO IP addresses
Some IP's cannot be used.
- .0 - DUR!!
- .1 - The VPC router
- .2 - Rserved by AWS
- .3 - Reseved by AWS
- .255 - Don't think about it (broadcast address)
Basically the same as most modern networks, except AWS takes .2 and .3
Multiple VPCs
- Every region has a default VPC
- You can setup another VPC if needed.
- Remember the VPC is virtual - so setup is not a big deal.
- Their is a nominal additional cost for an another VPC.
Route tables
- Allows the subnet to route traffic.
- It is not security
- A subnet uses the default VPC route table if no route table is defined.
By default you get the local route:
- This allows the VPC to communcate with other VPC's
- Local cannot be deleted.
- You can modify local and add more routes as needed.
Flow logs
- Flow logs capture network traffic for analysis.
- Think of it like a wireshark capture.
- Flow logs can also be configrued at the VPC level - capture all traffic on the VPC.
- In the UI a tab will only configrue flow logs for a particular subnet.
Why capture flow logs:
- Security incident data.
- Communcation issue data.
CIDR Reservation and Sharing
- Alows blocks of IP addresses to be reserved.
- Sharing allows the subnet to be shared with another account in your organization.
Tags
- Help you orgnaize subnets.
