
From Cramsession
Revision as of 20:55, 13 June 2026 by Mflavell (talk | contribs)

VPC Security

Important terms

  • Subnets - Remember each subnet must stay within a single AZ. It cannot span multiple AZs or regions.


  • Security groups - Think of them as firewalls assigned to the EC2 instance.
You can have up to 5 per instance.
These are stateful - they remember the connection.


  • NACL - Network Access Control Lists
Remember these are stateless - so you need to enable both directions.
They are evaluated in order from low to high rule number.
A NACL will always be associated with a subnet.
If no NACL is specified, the VPC will be assigned a default NACL.


  • NAT - Forwards traffic from a private subnet to the internet or other AWS services.
These are not secure - never use in production.


  • VPC Endpoint
Allows a resource to connect to your AWS VPC or AWS services without using the public internet.


  • AWS Direct Connect
A direct connection to AWS - no public internet.


  • Elastic network interface - A virtual network card.

The NO NO IP addresses

Some IP addresses cannot be used.

  • .0 - The network address (DUR!!)
  • .1 - The VPC router
  • .2 - Reserved by AWS
  • .3 - Reserved by AWS
  • .255 - Don't think about it (broadcast address)


Basically the same as most modern networks, except AWS takes .2 and .3.
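To make the reserved addresses concrete, here is an added Python example (not from the original notes) that lists the five addresses AWS reserves in an IPv4 subnet and the usable host count; the role names follow the list above, and the /16 to /28 subnet size limit is AWS's own.

```python
import ipaddress

# Roles of the first four addresses in every AWS subnet, as listed above.
FIRST_FOUR_ROLES = ("network address", "VPC router", "reserved by AWS", "reserved by AWS")


def reserved_addresses(cidr: str) -> dict[str, str]:
    """Map each address AWS reserves in an IPv4 subnet to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    reserved = {str(net[i]): role for i, role in enumerate(FIRST_FOUR_ROLES)}
    # The last address is the broadcast address; AWS reserves it too.
    reserved[str(net[-1])] = "broadcast address"
    return reserved


def usable_hosts(cidr: str) -> int:
    """Number of addresses left for your instances after AWS takes its five."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


def is_reserved(address: str, cidr: str) -> bool:
    """True if `address` is one of the 'no no' addresses of `cidr`."""
    return address in reserved_addresses(cidr)


if __name__ == "__main__":
    for addr, role in reserved_addresses("10.0.1.0/24").items():
        print(f"{addr:<12} {role}")
    print("usable hosts:", usable_hosts("10.0.1.0/24"))
```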


Multiple VPCs

  • Every region has a default VPC.
  • You can set up another VPC if needed.
Remember the VPC is virtual - so setup is not a big deal.
There is a nominal additional cost for another VPC.


Route tables

  • Allows the subnet to route traffic.
  • It is not a security control.
  • A subnet uses the default VPC route table if no route table is defined.


By default you get the local route:

  • This allows the VPC to communicate with other VPCs.
  • Local cannot be deleted.
  • You can add more routes if needed.


Route terms

  • Destination: The CIDR block where the traffic needs to go.
  • Target: The gateway that allows the traffic to reach the destination.
  • Status: Status of the route.
  • Propagated: Used when the VPG (Virtual Private Gateway) can automatically propagate routes.
With this you do not need to enter VPN routes manually.

Flow logs

  • Flow logs capture network traffic for analysis.
Think of it like a Wireshark capture.


  • Flow logs can also be configured at the VPC level - capture all traffic on the VPC.
  • In the UI a tab will only configure flow logs for a particular subnet.


Why capture flow logs:

  • Security incident data.
  • Communication issue data.


CIDR Reservation and Sharing

  • Allows blocks of IP addresses to be reserved.
  • Sharing allows the subnet to be shared with another account in your organization.


Tags

  • Help you organize subnets.


NACL Notes

  • They are stateless - they don't care about connection state.
So... you need to pair inbound and outbound rules, otherwise you get connection problems (it won't warn you!).


  • Think of them as an additional layer of defense.
They work at the subnet level protecting each subnet.
They DON'T work at the machine level - that is security groups.


  • Evaluation occurs in the order of definition (lowest rule number first).


They allow traffic to be permitted or denied based on:

  • IP Addresses (Source / Destination)
  • Port numbers
  • Protocols


NACLs are vital for defense in depth.

They should not be your only defense in prod - use security groups and ALBs also.


A NACL must be associated with a subnet. Good exam question: if it is not associated, it will not work as designed.


Security Group Notes

Not the same as a NACL!

  • Operate at the instance level.
Think of it as a host firewall.
They are stateful.


Security groups fail closed - they don't have a deny option.

  • If you don't explicitly allow something, it is denied.
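This added Python example (my own, not from the notes) models the NACL and Security Group sections above: a NACL evaluates each direction separately in rule-number order with an implicit deny at the end, so an inbound 443 rule without a matching outbound ephemeral-port rule silently breaks the connection, while a security group only needs the inbound allow because it tracks the reply. The rule numbers, addresses and the 1024-65535 ephemeral range are assumed for the demo.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" (into the subnet) or "out" (from the subnet)

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lowest is evaluated first
    cidr: str        # remote address range the rule matches
    port_from: int
    port_to: int
    action: str = "ALLOW"  # NACLs also have DENY; security groups do not

def _matches(rule: Rule, remote: str, port: int) -> bool:
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_decision(rules: list[Rule], pkt: Packet) -> str:
    """Stateless: first matching rule wins; nothing matched means the '*' DENY."""
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote, pkt.dport):
            return rule.action
    return "DENY"

def nacl_connection_ok(inbound: list[Rule], outbound: list[Rule],
                       request: Packet, response: Packet) -> bool:
    """Both halves of the TCP exchange must pass their own rule set."""
    return (nacl_decision(inbound, request) == "ALLOW"
            and nacl_decision(outbound, response) == "ALLOW")

def sg_connection_ok(inbound_allows: list[Rule], request: Packet) -> bool:
    """Stateful and fail closed: allow only if some rule permits the request;
    the reply is tracked automatically, so no outbound rule is consulted."""
    return any(_matches(r, request.src, request.dport) for r in inbound_allows)

# Constructed demo: an internet client talks to a web server in the subnet.
REQUEST = Packet("203.0.113.5", "10.0.1.20", 443, "in")
RESPONSE = Packet("10.0.1.20", "203.0.113.5", 41234, "out")
NACL_IN = [Rule(100, "0.0.0.0/0", 443, 443)]
NACL_OUT_BROKEN = [Rule(100, "0.0.0.0/0", 443, 443)]            # forgot the reply
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "0.0.0.0/0", 1024, 65535)]
```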


Public and Private Subnets

Subnets divide your network into logical segments.

The subnet mask acts as the divider between the network and host portions of the address.


Subnets improve security by breaking the network up.

A single homogeneous network is a bad idea!
This gives you better control over resources - you have a NACL between the subnets.


AWS has two types of subnet:

  • Public: Can be accessed from the internet.
  • Private: No internet access.
Use the private subnet for things that should not be directly accessible from the internet, for example databases.


What's the difference?

  • A subnet is public if the IGW is attached to the VPC (data in).
  • A route exists in the subnet with a default route to the IGW target (data out).
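Here is an added Python example (not from the notes) covering the Route tables section and the two conditions above: it picks the most specific matching route for a destination, the way the VPC router does, and classifies a subnet as public only when its route table sends 0.0.0.0/0 to an internet gateway that is actually attached to the VPC. The route targets and IDs are made-up placeholders.

```python
import ipaddress

# A route table is a list of (destination CIDR, target) pairs.
# Targets here are placeholder IDs in AWS's naming style.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0placeholder")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0placeholder")]
PEERED_RT = [(VPC_CIDR, "local"), ("10.1.0.0/16", "pcx-0placeholder"),
             ("0.0.0.0/0", "igw-0placeholder")]


def select_route(routes, dst_ip: str):
    """Return (destination, target) of the most specific route matching dst_ip,
    or None if no route matches (the packet is dropped)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for destination, target in routes:
        net = ipaddress.ip_network(destination)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def is_public_subnet(routes, attached_igws: set) -> bool:
    """Public means: a default route to an IGW (data out) AND that IGW is
    attached to the VPC (data in). Either condition alone is not enough."""
    for destination, target in routes:
        if destination == "0.0.0.0/0" and target.startswith("igw-"):
            return target in attached_igws
    return False


if __name__ == "__main__":
    attached = {"igw-0placeholder"}
    for name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, "->", select_route(table, "198.51.100.7"),
              "public?", is_public_subnet(table, attached))
```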


When to use a public subnet:

  • Bastion hosts - So you can connect in.
  • Public data storage.
  • Public websites and apps.


Bastion hosts

  • These are essential to access EC2 instances on the private subnet.
  • It's a hardened EC2 instance with a connection to both subnets.


How you use them:

SSH to the bastion from the public internet.
Copy the .pem file for the destination.
From the bastion, SSH to the protected EC2 instance on the private subnet.
When done, delete the .pem file.


Harden the bastion host:

  • Only allow the essential ports.
  • Restrict access to a range of IP addresses (if possible).


Think about the .pem file.

Don't store the file on the bastion host - if you do, this security is pointless.


Internet access from the Private subnet

A NAT gateway allows internet requests from a private subnet.

It works like a basic home router:
Allows outbound traffic but does not permit inbound requests.
Ideal when machines on the private subnet need to download updates.
The NAT gateway will block traffic the host did not initiate (it is stateful).


Because the gateway is managed by AWS it is more scalable than providing your own NAT server.


Networking VPC's Together

VPC Peering

Connect two VPCs with a direct private connection.
Traffic can flow as if they were the same network.
They can be in the same region or different regions.
Can connect different accounts.


This is a private connection that doesn't leave the AWS network.

Supports IPv4 and IPv6 with the same security features (security groups and NACLs).


Peering Limitations

The CIDR blocks cannot overlap - Plan this one!!
You can only have one VPC peering connection between two VPCs.
Internet traffic does not travel down the peer.
VPC2 cannot route internet traffic through VPC1's IGW - VPC2 will need its own.
This is also true for gateway endpoints. VPC2 cannot access the S3 endpoint of VPC1.
You cannot reference a peer VPC in a security group.
You can however reference the IP range of the peer VPC.
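An added Python check (not from the notes) for the first limitation above: before requesting a peering connection, confirm that no CIDR block on one side overlaps a block on the other. It goes slightly beyond the note by handling VPCs that carry secondary CIDR blocks. The VPC names and ranges are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: each VPC may carry more than one CIDR block.
VPCS = {
    "vpc-app":  ["10.0.0.0/16"],
    "vpc-data": ["10.1.0.0/16", "100.64.0.0/16"],
    "vpc-lab":  ["10.0.128.0/17"],          # sits inside vpc-app's range
    "vpc-corp": ["172.16.0.0/12"],
}


def overlapping_blocks(cidrs_a, cidrs_b):
    """Return the (a, b) CIDR pairs that overlap between two VPCs."""
    return [(a, b) for a in cidrs_a for b in cidrs_b
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def can_peer(vpcs, name_a, name_b) -> bool:
    """Peering is only possible when no block on one side overlaps the other."""
    return not overlapping_blocks(vpcs[name_a], vpcs[name_b])


def peering_conflicts(vpcs):
    """Every pair of VPCs in the inventory that could not be peered, with the
    offending blocks, so the address plan can be fixed before anything is built."""
    return {(a, b): overlapping_blocks(vpcs[a], vpcs[b])
            for a, b in combinations(sorted(vpcs), 2)
            if not can_peer(vpcs, a, b)}


if __name__ == "__main__":
    for pair, blocks in peering_conflicts(VPCS).items():
        print(f"{pair[0]} <-> {pair[1]} cannot peer: {blocks}")
```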

Transit Gateway

Connects multiple VPCs based on a hub and spoke model.
Makes routing simpler.
Is independent of the region.
All VPCs must be in the same account.


Think of Transit Gateway as a cloud router that works on a regional basis.

This can centralize Direct Connect and VPN.
It can scale to support 5,000 attachments.
Can segment traffic based on route tables.
This can ensure specific segments cannot communicate with each other.

VPN Connections

Secure connection between the VPC and a private network.
Uses the public internet.
Best for linking a VPC to on-prem.


Using VPN connections

Several steps are involved:


  • Set up a VPG - this is a local representation of the VPC enabling the connection.
  • Configure the CGW - this is the customer gateway.
  • Create a VPN connection - between the VPN - VPC - CGW (everything is stacked).
  • Configure routing - configure the VPC to allow traffic to flow through the VPN tunnel.

AWS Direct connect

Dedicated private connection to the VPC.
For the on-prem to AWS link.
More reliable than a VPN (fewer moving parts).
High bandwidth, low latency.


What is Direct Connect

A direct connection to an AWS data center using dedicated fiber.
Managed using a partner data center.

AWS VPN Cloud Hub

This allows you to secure multiple locations with AWS VPC.

Uses a VPG - Virtual private gateway.

None of the sites can have overlapping IP addresses.


The connection is made using a CGW (Customer Gateway) at each endpoint.

CloudHub manages all this.


Think of this as a fixed VPN to AWS.


VPC Endpoints

These remove the need for the VPC to communicate over the internet when accessing an AWS native service.

This approach increases security and reduces latency.


Only two endpoint types are available:

  • Interface endpoints - ENIs that connect to AWS services over PrivateLink.
  • Gateway endpoints - run by Gateway Load Balancer, allowing connections to:
S3 and DynamoDB