Network Security on AWS

Transcript

1. Network Security on AWS

2. Hello! I am Michael Wittig The author of Amazon Web

   Services in Action (Manning). Co-founder of widdix, an independent AWS consultancy. You can find me at: @hellomichibye https://cloudonaut.io

3. Network Security on AWS

4. VPC ▷ Virtual network ◦ Subnets ◦ Route tables ◦

   NACLs ▷ Network isolation ▷ Private address ranges ◦ 10.0.0.0/8 ◦ 172.16.0.0/12 ◦ 192.168.0.0/16 ▷ Peering ◦ VPC to VPC ◦ VPN ◦ Direct Connect

5. VPC 10.0.0.0/16 Subnet 1 10.0.0.0/24 Subnet 2 10.0.1.0/24 Routing &

   NACLs

6. Routing

7. Subnets are routed Within a VPC, all subnets are routed,

   and you can’t change that!

8. NACLs

9. NACLs are Stateless You have to open the high ports

   (1024-65535).

10. VPC 10.0.0.0/16 Public Subnet 2 10.0.1.0/24 Public Subnet 1 10.0.0.0/24

    Typical (minimal) VPC Private Subnet 1 10.0.2.0/24 Private Subnet 2 10.0.3.0/24

11. VPC Subnet Security Groups & ENIs

12. Security Group References SSH Bastion Host Load Balancer Backend

13. Security Groups are Stateful The response traffic is always allowed.

    Both inbound and outbound.

14. VPC Flow Logs Records network traffic in ~5 minutes chunks

    Not enabled by default Record Schema version account-id interface-id srcaddr dstaddr srcport dstport IANA protocol number (6 := TCP) packets bytes start in Unix seconds end in Unix seconds action status

15. VPC 10.0.0.0/16 Public Subnet B 10.0.32.0/20 Public Subnet A 10.0.0.0/20

    Example Private Subnet A 10.0.16.0/20 Private Subnet B 10.0.48.0/20 VPC 10.100.0.0/16 Public Subnet A 10.100.0.0/20 Private Subnet A 10.100.16.0/20 https://github.com/widdix/learn-network-security

16. Thanks! You can find me at: @hellomichibye https://cloudonaut.io Special thanks

    to: ▷ Presentation template by SlidesCarnival ▷ Photographs by Pexels