Amazon's Virtual Private Cloud (Amazon VPC) continues to evolve with new capabilities and enhancements. These features give you increasingly greater isolation, control, and visibility at the all-important networking layer. In this session, we review some of the latest changes, discuss their value, and describe their use cases.
2. What to expect from the session
New capabilities for Amazon VPC
VPC Endpoints
• Generic capability
• First VPCE type available is for Amazon S3
VPC Flow Logs
• Netflow-like data from elastic network interfaces
4. Problem statement
• AWS “abstracted services”[1] generally have service
endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your
VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
6. Routes: local connectivity
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
+-----------------------+------------+-----------+
| DestinationCidrBlock  | GatewayId  | State     |
+-----------------------+------------+-----------+
| 10.10.0.0/16          | local      | active    |
+-----------------------+------------+-----------+
Traffic to the VPC's own range stays in the VPC: the "local" route is present in every route table and cannot be removed.
7. Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
The default VPC is already configured this way. (The slide used abbreviated option names; the full names are shown here.)
8. Routes: Internet connectivity
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
+-----------------------+---------------+-----------+
| DestinationCidrBlock  | GatewayId     | State     |
+-----------------------+---------------+-----------+
| 10.10.0.0/16          | local         | active    |
| 0.0.0.0/0             | igw-5a1ae13f  | active    |
+-----------------------+---------------+-----------+
Everything not destined for the VPC goes to the Internet. A subnet whose route table carries this 0.0.0.0/0 route is a public subnet; an instance in it still needs a public or Elastic IP to send and receive Internet traffic through the IGW.
10. Reaching public endpoints
Public IPs and IGW
Pros
• Highly available
• Horizontally scalable
• Can restrict destination ports/CIDRs
Cons
• Public IPs; security controls are limited
• Can reach the entire service (e.g., all S3 buckets)
NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling is hard and limited
• Lots of work to manage
• Security limitations similar to use of the IGW
Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security options
Cons
• Availability risks
• Lots of work to manage and scale
• Works only with HTTP/S
11. VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls
14. The Amazon S3 prefix list
aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001
+---------------+------------------------------+
| PrefixListId  | PrefixListName               |
+---------------+------------------------------+
| pl-68a54001   | com.amazonaws.us-west-2.s3   |
+---------------+------------------------------+
Cidrs: 54.231.160.0/19
This is the IP range for Amazon S3 in the region. It changes over time and is managed by AWS, so reference the prefix list ID (pl-...) in routes and security group rules rather than copying the CIDRs into them.
15. Rich security controls
• New route entry: destination is the S3 prefix list, target is the endpoint (vpce-...)
• As many endpoints per VPC as you like, but at most one route to a given service per route table, and therefore per subnet
• New logical destination address for security group outbound traffic rules: the prefix list ID can be used in place of a CIDR
• Thus, instance-level control through security groups: an instance whose security group allows egress only to pl-68a54001 on 443 can reach S3 through the endpoint and nothing else
16. Rich security controls (cont.)
• Policies on VPC endpoints
• Logically, resource policies (i.e., associated with the endpoint rather than with a principal)
• Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
• Constrain source VPCs and/or VPC endpoints (aws:sourceVpc and aws:sourceVpce condition keys)
• All policies are evaluated together (IAM, VPC endpoint, S3 bucket): an explicit Deny in any of them wins, and a call that traverses the endpoint must additionally be allowed by the endpoint policy
17. VPC endpoint policy example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
In English: calls via this VPC endpoint are allowed Get/Put to my_secure_bucket, and nothing else. The endpoint policy narrows what can be done through the endpoint; it does not grant anything the caller's IAM policy does not already allow.
18. S3 bucket policy example #1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" }
      }
    }
  ]
}
In English: deny access to this bucket to all calls except those coming via this VPC endpoint. Because the condition is negated, a request with no aws:sourceVpce key at all (console, CLI from a laptop, an instance reaching S3 through an IGW or NAT) also matches the Deny. Try such a policy on a scratch bucket first.
19. S3 bucket policy example #2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" }
      }
    }
  ]
}
In English: deny access to this bucket to all calls except those coming from this VPC (via any endpoint in it). As with example #1, calls that do not traverse a VPC endpoint carry no aws:sourceVpc key and are denied too.
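How the three policies combine, as an added example that is not from the original deck and not AWS's policy engine: a small Python evaluator covering only the policy-language subset these slides use (Allow/Deny, Action and Resource wildcards, StringEquals and StringNotEquals). The endpoint and bucket policies are those of slides 17 and 18; the IAM identity policy, the object key report.csv and the name other_bucket are assumptions made for the example.

```python
"""Simplified evaluation of the policies governing an S3 call through a VPC
endpoint. Added example; implements only the subset of the IAM policy
language used on these slides."""
import fnmatch

# Endpoint policy (slide 17) and bucket policy #1 (slide 18), as on the page.
ENDPOINT_POLICY = {
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::my_secure_bucket",
                     "arn:aws:s3:::my_secure_bucket/*"],
    }]
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::my_secure_bucket",
                     "arn:aws:s3:::my_secure_bucket/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}},
    }]
}
# Hypothetical IAM identity policy for the calling instance role (an assumption;
# the slides show none). Deliberately broad, to show the other two policies narrowing it.
IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a key absent from the request context matches,
                # which is why the bucket policy also blocks console/Internet calls.
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    decision = None
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final
        decision = "Allow"
    return decision


def is_allowed(action, resource, context):
    """Combine the policies for a same-account caller.

    - An explicit Deny in any applicable policy wins.
    - The endpoint policy applies only to calls that arrive through the endpoint
      (the context then carries aws:sourceVpce) and must Allow the call.
    - A same-account caller then needs an Allow from the identity policy or the
      bucket policy; a cross-account caller would need both.
    """
    results = {
        "iam": evaluate_policy(IAM_POLICY, action, resource, context),
        "bucket": evaluate_policy(BUCKET_POLICY, action, resource, context),
    }
    if "aws:sourceVpce" in context:
        results["vpce"] = evaluate_policy(ENDPOINT_POLICY, action, resource, context)
    if "Deny" in results.values():
        return False
    if "vpce" in results and results["vpce"] != "Allow":
        return False
    return "Allow" in (results["iam"], results["bucket"])


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_secure_bucket/report.csv"  # constructed object key
    via_vpce = {"aws:sourceVpce": "vpce-a610f4cf"}
    print(is_allowed("s3:GetObject", obj, via_vpce))                          # True
    print(is_allowed("s3:DeleteObject", obj, via_vpce))                       # False: not in endpoint policy
    print(is_allowed("s3:GetObject", "arn:aws:s3:::other_bucket/x", via_vpce))  # False: wrong bucket
    print(is_allowed("s3:GetObject", obj, {}))                                # False: no VPCE, bucket policy denies
```

The last call is the lockout case from slide 18: a request that never traverses the endpoint has no aws:sourceVpce key, the negated condition therefore holds, and the Deny applies regardless of how permissive the IAM policy is.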
22. # node runTest.js testData1
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
Test running...
{"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
{"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
{"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
#
Cluster size of 1
1 x 10 GB file upload; 1 x 10 GB file download
25. # node runTest.js testData10
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.225/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.226/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.215/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.216/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.142/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.143/api/full?b=tstbktvpc&g=igw&p=igw
...
Cluster size of 10
10 x 10 GB file upload; 10 x 10 GB file download
31. VPC Flow Logs
• Long-standing ask: greater visibility into VPC network behavior
• Specifically, what about those security group and network ACL DENY cases?
• VPC Flow Logs provide the answer
32. See all of the traffic at your instances
• Visibility into the effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
33. VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as "flow log records" per ENI
• Exposed as CloudWatch Logs groups and streams
• Data accumulated and published to CloudWatch Logs at ~10 minute intervals
• Normal CloudWatch Logs groups/streams with all related features
• For example, the new CloudWatch Logs -> Amazon Kinesis stream integration
34. Flow Log record (text, space-delimited)
Field: description
version: The VPC Flow Logs version.
account-id: The AWS account ID for the flow log.
interface-id: The ID of the network interface for which the log stream applies.
srcaddr: The source IP address. When it is the network interface's own address, it is always the interface's private IP address.
dstaddr: The destination IP address. When it is the network interface's own address, it is always the interface's private IP address.
srcport: The source port of the traffic.
dstport: The destination port of the traffic.
protocol: The IANA protocol number of the traffic (see Assigned Internet Protocol Numbers); 6 is TCP.
packets: The number of packets transferred during the capture window.
bytes: The number of bytes transferred during the capture window.
start: The time, in Unix seconds, of the start of the capture window.
end: The time, in Unix seconds, of the end of the capture window.
action: The action associated with the traffic. ACCEPT: the recorded traffic was permitted by the security groups or network ACLs. REJECT: the recorded traffic was not permitted by the security groups or network ACLs.
log-status: The logging status of the flow log. OK: data is logging normally to CloudWatch Logs. NODATA: there was no network traffic to or from the network interface during the capture window. SKIPDATA: some flow log records were skipped during the capture window.
In NODATA and SKIPDATA records the address, port, protocol, counter and action fields are written as "-"; a parser must not treat such a record as a zero-byte flow, and SKIPDATA in particular means there is a gap in coverage.
35. Example records
Inbound SSH traffic allowed
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
36. Example records (cont.)
Inbound RDP traffic denied
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
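Parsing the record format of slide 34 and running a simple detection over it, as an added example that is not part of the original deck or of any AWS tooling. The two OK records are the ones from slides 35 and 36; the NODATA and SKIPDATA lines, the list of watched ports and all function names are constructed for this example.

```python
"""Parse VPC Flow Log records (default space-delimited format) and flag
rejected connections to administrative ports. Added example; the sample
records below are constructed from the slides, not captured from a VPC."""
from collections import Counter

FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the SSH (ACCEPT) and RDP (REJECT) records from the slides,
# plus a NODATA and a SKIPDATA record, in which the traffic fields are "-".
SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1439530060 1439530120 - NODATA
2 123456789010 eni-abc123de - - - - - - - 1439530120 1439530180 - SKIPDATA
"""

# Assumed watch list for the detection; adjust to the environment.
WATCH_PORTS = {22: "ssh", 3389: "rdp"}


def parse_record(line):
    """Split one record into a dict; numeric fields become int, "-" becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_admin_attempts(records):
    """Return (srcaddr, dstaddr, dstport, service) for REJECTed flows to watched ports.

    Only OK records carry traffic fields, so NODATA/SKIPDATA are skipped rather
    than compared against None.
    """
    hits = []
    for rec in records:
        if rec["log-status"] != "OK":
            continue
        if rec["action"] == "REJECT" and rec["dstport"] in WATCH_PORTS:
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], WATCH_PORTS[rec["dstport"]]))
    return hits


def traffic_summary(records):
    """Bytes per (interface, action), plus a count of SKIPDATA windows per interface
    so gaps in coverage are reported instead of being read as 'no traffic'."""
    bytes_by = Counter()
    skipped = Counter()
    for rec in records:
        if rec["log-status"] == "SKIPDATA":
            skipped[rec["interface-id"]] += 1
        elif rec["log-status"] == "OK":
            bytes_by[(rec["interface-id"], rec["action"])] += rec["bytes"]
    return bytes_by, skipped


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for hit in rejected_admin_attempts(recs):
        print("rejected %s attempt %s -> %s:%d" % (hit[3], hit[0], hit[1], hit[2]))
    totals, gaps = traffic_summary(recs)
    print(dict(totals), dict(gaps))
```

The same parser works on records read from a CloudWatch Logs stream, since each event's message is exactly one such line; the point of the SKIPDATA handling is that a window with skipped records should show up as a monitoring gap, not as silence.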
49. VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management tools
• Key element of the increasingly powerful AWS security suite