Network Security on AWS 

Hello! I am Michael Wittig The author of Amazon Web Services in Action (Manning). Co-founder of widdix, an independent AWS consultancy. You can find me at: @hellomichibye https://cloudonaut.io 

Network Security on AWS 

VPC ▷ Virtual network ○ Subnets ○ Route tables ○ NACLs ▷ Network isolation ▷ Private address ranges ○ 10.0.0.0/8 ○ 172.16.0.0/12 ○ 192.168.0.0/16 ▷ Peering ○ VPC to VPC ○ VPN ○ Direct Connect 

VPC 10.0.0.0/16 Subnet 1 10.0.0.0/24 Subnet 2 10.0.1.0/24 Routing & NACLs 

Routing 

Subnets are routed Within a VPC, all subnets are routed, and you can’t change that! 

NACLs 

NACLs are Stateless You have to open the high ports (1024-65535). 

VPC 10.0.0.0/16 Public Subnet 2 10.0.1.0/24 Public Subnet 1 10.0.0.0/24 Typical (minimal) VPC Private Subnet 1 10.0.2.0/24 Private Subnet 2 10.0.3.0/24 

VPC Subnet Security Groups & ENIs 

Security Group References SSH Bastion Host Load Balancer Backend 

Security Groups are Stateful The response traffic is always allowed. Both inbound and outbound. 

VPC Flow Logs Records network traffic in ~5 minutes chunks Not enabled by default Record Schema version account-id interface-id srcaddr dstaddr srcport dstport IANA protocol number (6 := TCP) packets bytes start in Unix seconds end in Unix seconds action status 

VPC 10.0.0.0/16 Public Subnet B 10.0.32.0/20 Public Subnet A 10.0.0.0/20 Example Private Subnet A 10.0.16.0/20 Private Subnet B 10.0.48.0/20 VPC 10.100.0.0/16 Public Subnet A 10.100.0.0/20 Private Subnet A 10.100.16.0/20 https://github.com/widdix/learn-network-security 

Thanks! You can find me at: @hellomichibye https://cloudonaut.io Special thanks to: ▷ Presentation template by SlidesCarnival ▷ Photographs by Pexels