Network Security on AWS


Michael Wittig

May 17, 2018


  1. Network Security on AWS

  2. Hello! I am Michael Wittig, the author of Amazon Web Services in Action (Manning). Co-founder of widdix, an independent AWS consultancy. You can find me at: @hellomichibye https://cloudonaut.io
  3. Network Security on AWS

  4. VPC
     ▷ Virtual network
       ◦ Subnets
       ◦ Route tables
       ◦ NACLs
     ▷ Network isolation
     ▷ Private address ranges ◦ ◦ ◦
     ▷ Peering
       ◦ VPC to VPC
       ◦ VPN
       ◦ Direct Connect
  5. Routing & (diagram: VPC with Subnet 1 and Subnet 2)

  6. Routing

  7. Subnets are routed: within a VPC, all subnets are routed, and you can’t change that!
  8. NACLs

  9. NACLs are Stateless: you have to open the high (ephemeral) ports yourself, because return traffic is not tracked.

  10. Typical (minimal) VPC (diagram: Public Subnet 1, Public Subnet 2, Private Subnet 1, Private Subnet 2)
  11. Security Groups & ENIs (diagram: VPC, Subnet)

  12. Security Group References (diagram: SSH Bastion Host, Load Balancer, Backend)

  13. Security Groups are Stateful: the response traffic is always allowed, both inbound and outbound.
  14. VPC Flow Logs
     ▷ Records network traffic in ~5 minute chunks
     ▷ Not enabled by default
     ▷ Record schema: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol (IANA protocol number, 6 := TCP), packets, bytes, start (Unix seconds), end (Unix seconds), action, status
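As an added example (not from the slides), the following Python parses flow-log records in the field order listed on the slide and counts REJECTed flows per source address, the kind of summary a defender would build from flow logs; the records, account id, ENI id and addresses are constructed placeholders.

```python
# Added example, not from the slides: parse VPC Flow Log records in the
# default (version 2) field order shown above and count REJECTed flows per source.
from collections import Counter

FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "status"]
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_record(line):
    """Parse one record into a dict with typed fields; NODATA/SKIPDATA rows yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"unexpected record format: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["status"] != "OK":   # traffic fields are '-' when no data was captured
        return None
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTOCOLS.get(int(rec["protocol"]), rec["protocol"])
    rec["duration"] = rec["end"] - rec["start"]   # seconds covered by the record
    return rec

def rejects_by_source(lines):
    """Count REJECTed flows per source address; a high count hints at probing."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts

# Constructed sample records: account id, ENI id and addresses are placeholders.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 10 8400 1526515200 1526515500 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 54321 22 6 1 60 1526515200 1526515500 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 54322 3389 6 1 60 1526515200 1526515500 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1526515200 1526515500 - NODATA",
]

if __name__ == "__main__":
    print(rejects_by_source(SAMPLE))  # Counter({'198.51.100.7': 2})
```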
  15. Example (diagram: one VPC with Public Subnet A, Public Subnet B, Private Subnet A, Private Subnet B; a second VPC with Public Subnet A and Private Subnet A) https://github.com/widdix/learn-network-security
  16. Thanks! You can find me at: @hellomichibye https://cloudonaut.io
     Special thanks to:
     ▷ Presentation template by SlidesCarnival
     ▷ Photographs by Pexels