VPC Security

Important terms

• Subnets - Remember each subnet must stay within its AZ. No Multiple AZ's or regions.

• Security groups - Think of them as firewalls assigned to the EC2 instance.

You can have up to 5 per instance

These are stateful - they will remember.

• NACL - Network Access Control Lists

Remember these are stateless - so you need to enable both directions.

They are evaluated in order from low to high.

A NACL with always be associated with a subnet.

If no NACL is specified for a VPC the VPC will be assigned a default NACL.

• NAT - Forwards traffic from a private subnet ot the internet or other AWS service.

These are not secure - never use in production.

• VPC Endpoint

Allows a resounce to connect you AWS VPC or AWS services without the public internet.

• AWS Direct Connect

A direct connection to AWS - no public internet.

• Elastic network interface - A virtual network card.

The NO NO IP addresses

Some IP's cannot be used.

• .0 - DUR!!

• .1 - The VPC router

• .2 - Rserved by AWS

• .3 - Reseved by AWS

• .255 - Don't think about it (broadcast address)

Basically the same as most modern networks, except AWS takes .2 and .3

Multiple VPCs

• Every region has a default VPC

• You can setup another VPC if needed.

Remember the VPC is virtual - so setup is not a big deal.

Their is a nominal additional cost for an another VPC.

Route tables

• Allows the subnet to route traffic.

• It is not security

• A subnet uses the default VPC route table if no route table is defined.

By default you get the local route:

• This allows the VPC to communcate with other VPC's

• Local cannot be deleted.

• You can add more routes if needed.

Route terms

• Destination: The CDIR block where the traffic needs to go.

• Target: The gateway that allows the traffic to reach the destination.

• Status: Status of route.

• Propagated: Used when the VPG (Virtual Private Gateway) can automatically propagate rotes.

With this you do not need to enter VPN routs manually.

Flow logs

• Flow logs capture network traffic for analysis.

Think of it like a wireshark capture.

• Flow logs can also be configrued at the VPC level - capture all traffic on the VPC.

• In the UI a tab will only configrue flow logs for a particular subnet.

Why capture flow logs:

• Security incident data.

• Communcation issue data.

CIDR Reservation and Sharing

• Alows blocks of IP addresses to be reserved.

• Sharing allows the subnet to be shared with another account in your organization.

Tags

• Help you orgnaize subnets.

NACL Notes

• They are stateless - don't care about connection state.

So.. you need to pair rules inbout and outbound otherwise - connection problems (it won't warn you!).

• Think of them as an additional layer of deffense.

They work at the subnet level protecting each subnet.

They DON'T work at the machine level - that is security groups.

• Evalaution occurs in the order of definition.

They allow traffic to be permitted or denied based on:

• IP Addresses (Source / Destination)

• Port numbers

• Protocols

NACL is vial for diffense in depth.

Should not be your only defense in prod - use security groups and ALB's also.

A NACL must be associated with a subnet Good exam question if it is not associated it will not work as designed.

Security Group Notes

Not the same as a NACL!

• Operate at the instance level.

Think of it as a host firewall

They are statefull.

Security groups are Fail closed they don't have a deny option.

• If you don't expeciltly allow something it is denied.

Public and Private Subnets