In this video on AWS cloud security, Jeff Winesett discusses the use of VPNs for increased network security and access control of the network into which AWS resources are launched.
- [Instructor] Amazon Virtual Private Cloud, or simply VPC, enables AWS resources to be launched into a virtual network defined by you, the customer. This virtual network resembles a traditional network that might be created in a private data center, but with the benefits that come with the scalable infrastructure of AWS. One way to understand the benefits of VPC is to compare it to its predecessor, EC2 Classic.
EC2 Classic is the original release of EC2 before VPC was introduced. When EC2 first launched, instances would run in a single flat network that is shared with other AWS customers. Whenever an instance was launched, it would automatically be associated with a public IP and a private IP address. Furthermore, every single EC2 instance launched would be internet addressable. There is also no distinction between a private and public network interface with instances in EC2 Classic.
These are some of the reasons that EC2 Classic is considered less secure, and any AWS account created after December 4th, 2013 no longer offers the EC2 Classic option. Enter Amazon VPC. With VPC, instances run in a virtual private cloud that is logically isolated to only one AWS account. The EC2 instances launched into a VPC are not automatically addressable via the public internet.
And with VPC, both the public and private interfaces can be controlled. A private IP range is specified and then architected into a combination of public and/or private subnets. Furthermore, with VPC both inbound and outbound traffic can be controlled. In a VPC, multiple IP addresses, elastic IP addresses, and elastic network interfaces can be assigned to the instances.
Also, if the use case arises, existing IT infrastructure not hosted on AWS can be connected with a VPC network through an encrypted VPN connection. VPC offers a lot more flexibility and many more options than EC2 Classic. This, of course, comes at the cost of a bit of complexity in configuration. Setting up a VPC from scratch takes a little more work and planning. However, Amazon offers default VPCs available in each AWS region.
A default VPC is ready for use without having to perform any additional configuration steps. A default VPC combines the benefits of the advanced networking features provided by the EC2 VPC platform with the ease of use of the EC2 Classic platform. While the default VPC allows launching instances without needing to know anything about Amazon VPC, there will likely come a time when setting up a non-default VPC is desired.
At a high level, here are the steps taken when setting up a non-default VPC. The first choice to make is the AWS region in which the VPC should reside. Then a range of internal IP addresses is specified for use with the entire VPC network. These IP addresses are defined using CIDR notation. Here a little planning is needed to ensure the range chosen is large enough for expected future growth.
After the IP block is chosen for the entire network, subnets are created within the VPC. A sub-network, or subnet, is a range of IP addresses representing a subset of the IP range defined for the entire VPC. When a VPC is created in a region, it spans all the availability zones in that region. However, subnets are confined within an individual availability zone and don't span between them. After subnets are set up, gateway interfaces are attached to allow access to the network.
If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. In this diagram, Subnet 2 is a public subnet. If a subnet doesn't have a route through the internet gateway, the subnet is known as a private subnet. In this diagram, Subnet 1 is a private subnet. And as briefly mentioned earlier, a VPN gateway can be used to allow subnets to route to non-AWS hosted infrastructure over a secure VPN connection.
If a subnet does not have a route through the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet. In this diagram, Subnet 3 is a VPN-only subnet. Amazon VPC offers a wide range of tools that give AWS customers more control over their AWS infrastructure. Within a VPC, administrators define their own network topology by defining subnets and routing tables, and can restrict access at the subnet level with network access control lists and at the resource level with VPC security groups.
Resources can be isolated from the internet and connected to outside data centers through a VPN. Some instances can be connected to the public internet through an internet gateway, while others can remain in private subnets. Keeping things secure, Lesson number 4. Set up custom VPCs to better protect AWS resources and fully control the security and architecture of your network.
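As an added example that is not part of the video, the subnet planning and route-based classification the instructor describes, in Python: each subnet must fit inside the VPC block without overlapping the others, and the route table decides whether it is public, VPN-only or private. All CIDR blocks and gateway IDs below are constructed placeholders, not real AWS resource IDs.

```python
import ipaddress

# Constructed sample topology matching the three-subnet diagram in the video.
# igw-EXAMPLE / vgw-EXAMPLE are placeholder IDs, not real AWS resources.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "Subnet 1": "10.0.1.0/24",  # private: no route through the internet gateway
    "Subnet 2": "10.0.2.0/24",  # public: default route to the internet gateway
    "Subnet 3": "10.0.3.0/24",  # VPN-only: route to the virtual private gateway only
}
ROUTE_TABLES = {  # (destination, target) entries as in an AWS route table
    "Subnet 1": [("10.0.0.0/16", "local")],
    "Subnet 2": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "Subnet 3": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-EXAMPLE")],
}

def plan_subnets(vpc_cidr, subnets):
    """Validate that every subnet lies inside the VPC block and that none overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    planned = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} ({cidr}) is outside the VPC range {vpc_cidr}")
        for other_name, other in planned.items():
            if net.overlaps(other):
                raise ValueError(f"{name} ({cidr}) overlaps {other_name} ({other})")
        planned[name] = net
    return planned

def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5

def classify_subnet(routes):
    """A route to an internet gateway makes the subnet public; otherwise a route to
    a virtual private gateway makes it VPN-only; otherwise it is private."""
    targets = {target for _dest, target in routes}
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"

def classify_topology(subnets=SUBNETS, route_tables=ROUTE_TABLES, vpc_cidr=VPC_CIDR):
    """Return {subnet name: (cidr, kind, usable hosts)} for a validated plan."""
    plan_subnets(vpc_cidr, subnets)
    return {name: (cidr, classify_subnet(route_tables[name]), usable_hosts(cidr))
            for name, cidr in subnets.items()}

if __name__ == "__main__":
    for name, (cidr, kind, hosts) in classify_topology().items():
        print(f"{name}: {cidr} {kind} ({hosts} usable addresses)")
```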