Amazon VPC Constructs

VPC Construct Banner

Amazon Virtual Private Cloud

  • Amazon Virtual Private Cloud (VPC) is a virtual network that resembles a traditional network that you would operate in your own Data Centre, with the benefits of using the scalable infrastructure of AWS.
  • Although it ‘resembles’ does not mean it is identical. Amazon VPC is a software defined network which provides familiar constructs that implements controls and rules in the EC2 hypervisor for network traffic.
  • It enables network, workload or environmental isolation for application deployment, management and operations.

VPC Constructs

VPC Subnets

  • VPC Subnets are a segmented construct based on IP address CIDR block.
  • They act as security boundary in conjunction with Network ACLs (NACLs) and route tables.
  • Subnets cannot span Multi-AZ, as each AZ must contain a discreet subnet.
  • They do not support ARP or other broadcast limitations as VPC subnets do not allow promiscuous traffic.
  • It is possible to put thousands of nodes in a subnet without any problems as there it utilises no switch CAM tables.
    • CAM table, or content addressable memory table, is present in all Cisco Catalysts for layer 2 switching. It is used to record a stations mac address and it’s corresponding switch port location.
  • Its recommended to not over-use subnets, instead leverage the range of other control mechanisms, e.g. fewer subnets provides more address space available to handle dynamic workloads.
  • Reasons to create subnets include:
    • Distribution across Multi-AZs.
    • Traffic needs to route outside of the VPC differently e.g. Public v Private.
    • Additional security control is required, e.g. NACLs for specific workload/environment.

VPC Route Tables

  • Implicit rules on a route table allows routing to all other subnets within that VPC.
    • An implicit rule cannot be removed, use NACLs to deny traffic leaving or entering a subnet.
  • Route targets are based on CIDR blocks outside of the VPC, e.g. (anywhere),
  • Routes are via a VPC Gateway or ENI, e.g. igw-xxxxx, vgw-xxxxx, pcx-xxxxx, eni-xxxxx
  • Hosts in private subnets that require Internet access should route via a NAT Gateway or a NAT instance ENI.
  • Local host routes can override VPC route table, where the target IP is in the same subnet, if you disable Source/Destination checking for the EC2 instance.
  • Hosts that don’t have a route of a VPC via a Gateway or ENI are isolated in the VPC.
  • Route tables have a one-to-many relationship.  A single route table can be associated with multiple subnets but a subnet can only use a single route table.
  • There are no central checkpoints caused by a router; route tables are a virtual construct within the hypervisor.

VPC Gateways

  • A virtual construct, gateways do not have any choke points or single points of failure.
  • There are four gateway types:
    • Virtual Gateway (VGW) – access Internal networks via VPC or Direct Connect.
    • Internet Gateway (IGW) – access Internet.
    • VPC Peering (PCX) – access other VPCs, including cross-account.
    • NAT Gateway (NGW) – outbound Internet for Private instances.
  • Moveable between VPCs, e.g. VGW can be detached and attached to another VPC in the same region and account.
  • Not a security control point, they allow traffic to leave and enter VPCs; security controls should leverage other mechanisms.
  • VGW supports propagated of on-premises routes into multiple VPC route tables.
  • Routing between multiple peered VPCs is not permitted, peering only allows traffic to pass between defined VPCs.

Network ACLs (NACLs)

  • Stateless firewalls protecting subnets.
  • Rules written in traditional notation (CIDR/Port).
    • Can specify both ALLOW and DENY rules.
  • One-to-many relationship with subnets, one NACL can associated with many subnets, but each subnet can only have one NACL.
  • If you define ingress rules you have to manually configure all possible egress ports and vice versa, e.g. all ephemeral ports to which traffic returns.
  • Can be used to deny specific traffic or networks entering or leaving a subnet which is not desired.
  • Specific to subnets, you can’t tie them to EC2 instances directly.
  • Useful for separation-of-concerns model of security, but should be used sparingly.

VPS Security Groups

  • Dynamic stateful firewall security control, applied to network interfaces that support both ingress and egress rules.
  • Dynamic, when you update a security group the change is propagated across all running instances associated with the rule.
  • Operate inside any subnet and across any AZ, within a specific VPC; they are completely perpendicular to routing and subnet NACLs.
  • They can be applied and removed from VPC-based instances at any time, multiple security groups per instance are allowed.
  • Rules reference source or destination IP CIDRs and port numbers.
    • Rules can ALLOW only, DENY is implicit for non-specified rules.
  • Rules can also reference other security groups. As new instances are created the security framework dynamically extends, e.g. Auto-Scaling groups.
    • Applies across peering connections even across multiple accounts.
  • Default deny and implicit deny in the event overlapping rules in different security groups.

The security rules evaluation diagram below shows the packet flow from an on-premises network to a proxy server in a private VPC subnet, which in turn sends a packet to a NAT Gateway, which forwards it to the requested host on the Internet.  The route table, network ACL and security group rules are processed entirely in the hypervisor layer.

VPC Security Rules Evaluation

Elastic Network Interfaces

  • Attached by default to instances.
  • Virtual network interface that can be attached, detached and moved between instances in the same subnet.
  • Provides one primary private IP address, and supports multiple secondary private addresses.
  • Can have multiple security groups associated with it, even if detached.
  • Has a unique MAC address within your VPC.
  • Can be used to create dual-homed instances where security separation is required between front-end and back-end resources.
  • API driven, can moved between running instances programmatically within a subnet.

VPC Endpoints

  • Allow connection to an AWS service via a private connection, removes the need to have an Internet Gateway attached to a VPC.
  • Provides a virtual endpoint, vpce-xxxxx that is added as a destination in a route.
  • Can be assigned a specific security policy limiting the scope of services via the VPC Endpoint.
  • Any NACLs used on a subnet must allow communication to the public IP addresses of the AWS service, and associated return traffic.
  • Requires that you enable DNS resolution via VPC, cannot be used with own DNS running on EC2 performing recursive queries.
  • Provides VPC information to AWS service, therefore policies based on source IP need to be updated to make use of VPC identity.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s