Network Security on AWS


Michael Wittig

May 17, 2018

Transcript

  1. Network Security on AWS

  2. Hello! I am Michael Wittig, the author of Amazon Web Services in Action (Manning) and co-founder of widdix, an independent AWS consultancy. You can find me at: @hellomichibye https://cloudonaut.io
  3. Network Security on AWS

  4. VPC
     ▷ Virtual network
       ◦ Subnets
       ◦ Route tables
       ◦ NACLs
     ▷ Network isolation
     ▷ Private address ranges
       ◦ 10.0.0.0/8
       ◦ 172.16.0.0/12
       ◦ 192.168.0.0/16
     ▷ Peering
       ◦ VPC to VPC
       ◦ VPN
       ◦ Direct Connect
  5. [Diagram: VPC 10.0.0.0/16 containing Subnet 1 10.0.0.0/24 and Subnet 2 10.0.1.0/24; Routing & NACLs]
  6. Routing

  7. Subnets are routed. Within a VPC, all subnets are routed to each other, and you can’t change that!
  8. NACLs

  9. NACLs are stateless. Return traffic is not tracked, so you have to open the high ports (1024-65535) for responses as well.
  10. Typical (minimal) VPC. [Diagram: VPC 10.0.0.0/16 with Public Subnet 1 10.0.0.0/24, Public Subnet 2 10.0.1.0/24, Private Subnet 1 10.0.2.0/24, Private Subnet 2 10.0.3.0/24]
  11. Security Groups & ENIs. [Diagram: VPC, Subnet, ENI]

  12. Security Group References. [Diagram: SSH Bastion Host, Load Balancer, Backend]

  13. Security Groups are stateful. The response traffic is always allowed, both inbound and outbound.
  14. VPC Flow Logs
     ▷ Records network traffic in ~5 minute chunks
     ▷ Not enabled by default
     ▷ Record schema: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol (IANA protocol number, 6 := TCP), packets, bytes, start (Unix seconds), end (Unix seconds), action, status
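An added example, not from the slides or the widdix repository, that parses flow log records in the default format listed above and counts rejected TCP flows per source and destination port (the pattern a security group or NACL deny makes visible). The sample records, account id and ENI id are constructed; the last field is named log-status as in the AWS default format.

```python
"""Parse VPC Flow Log records (default format) and summarise rejected traffic."""
from collections import Counter

# Field order of the default flow log format, as listed on the slide.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (not real traffic): one accepted SSH flow,
# three rejected RDP probes, and one NODATA record whose flow fields are '-'.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.0.5 51234 22 6 10 1200 1526500000 1526500060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.5 44321 3389 6 1 60 1526500000 1526500060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.5 44322 3389 6 1 60 1526500010 1526500070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.0.5 44323 3389 6 1 60 1526500020 1526500080 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1526500000 1526500300 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a dict with numeric fields as ints.
    Returns None for NODATA/SKIPDATA rows, whose flow fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def rejected_by_source(log_text, protocol=6):
    """Count REJECT records per (srcaddr, dstport) for one IANA protocol
    number (6 = TCP, as on the slide)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT" and rec["protocol"] == protocol:
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, port), n in rejected_by_source(SAMPLE_LOG).most_common():
        print(f"{src} -> tcp/{port}: {n} rejected")
```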
  15. Example. [Diagram: VPC 10.0.0.0/16 with Public Subnet A 10.0.0.0/20, Public Subnet B 10.0.32.0/20, Private Subnet A 10.0.16.0/20, Private Subnet B 10.0.48.0/20; second VPC 10.100.0.0/16 with Public Subnet A 10.100.0.0/20, Private Subnet A 10.100.16.0/20] Code: https://github.com/widdix/learn-network-security
  16. Thanks! You can find me at: @hellomichibye https://cloudonaut.io
     Special thanks to:
     ▷ Presentation template by SlidesCarnival
     ▷ Photographs by Pexels