(NET301) New Capabilities for Amazon Virtual Private Cloud

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Camil Samaha, AWS Solutions Architecture
October 2015
NET301
NextGen Networking
New Capabilities for Amazon Virtual
Private Cloud

What to expect from the session
New capabilities for Amazon VPC
VPC Endpoints
• Generic capability
• First VPCE type available is for Amazon S3
VPC Flow Logs
• Netflow-like data from elastic network interfaces

Problem statement
• AWS “abstracted services”[1] generally have service
endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your
VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7

aws ec2 describe-route-tables --route-table-ids
rtb-c9d737ad
|+----------------------------------------------------+|
||| Routes |||
||+-----------------------+------------+-------------+||
||| DestinationCidrBlock | GatewayId | State ||
||+-----------------------+------------+--------------||
||| 10.10.0.0/16 | local | active ||
||+-----------------------+------------+-------------+||
Routes: local connectivity
Traffic to the VPC’s range stays
in the VPC

Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
The default VPC is already
configured this way

Routes: Internet connectivity
aws ec2 describe-route-tables --route-table-ids
rtb-c9d737ad
|+----------------------------------------------------+|
||| Routes |||
||+-----------------------+------------+-------------+||
||| DestinationCidrBlock | GatewayId | State ||
||+-----------------------+------------+--------------||
||| 10.10.0.0/16 | local | active ||
||| 0.0.0.0/0 | igw-5a1ae13f | active ||
+----------------------------------------------------+||
Everything not destined for the
VPC goes to the Internet

Reaching public endpoints
Public IPs and IGW
Pros
• Highly available
• Horizontally
scalable
• Can restrict
destination ports/
CIDRs
Cons
• Public IPs; security
controls are limited
• Can reach entire
service (e.g. all S3
buckets)
NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling hard,
limited
• Lots of work to
manage
• Security limitations
similar to use of
IGW
Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security
options
Cons
• Availability risks
• Lots of work to
manage and scale
• Works only with
HTTP/S

VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls

Amazon S3 without an Internet gateway

Routes: Amazon S3 connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
|+-------------------------------------------------------------------+|
||| Routes |||
||+-----------------------+-----------------------------------------+||
||| DestinationCidrBlock | DestinationPrefixListId | GatewayId ||
||+-----------------------+-------------------------+----------------||
||| 10.10.0.0/16 | | local ||
||| | pl-68a54001 | vpce-a610f4cf ||
+-------------------------+-------------------------+---------------+||

The Amazon S3 Prefix list
aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001
--------------------------------------------------
| DescribePrefixLists |
+------------------------------------------------+
|| PrefixLists ||
|+---------------+------------------------------+|
|| PrefixListId | PrefixListName ||
|+---------------+------------------------------+|
|| pl-68a54001 | com.amazonaws.us-west-2.s3 ||
|+---------------+------------------------------+|
||| Cidrs |||
||+--------------------------------------------+||
||| 54.231.160.0/19 |||
||+--------------------------------------------+||
IP range for Amazon S3
Changes over time and is managed by
AWS

Rich security controls
• New route entry
• As many endpoints per VPC as you like, but maximum one
assigned route per subnet
• New logical destination address for security group
outbound traffic rules
• Thus, instance-level control through security groups

Rich security controls (cont.)
• Policies on VPC endpoints
• Logically, resource policies (i.e., associated with resource rather
than principal)
• Constrain principals, actions, destination buckets, paths within
buckets
• S3 bucket policies
• Constrain source VPCs and/or VPC endpoints
• All policies ANDed together (IAM, VPC endpoints, S3)

VPC endpoint policy example
{ "Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
In English: Calls via this VPC endpoint are
allowed Get/Put to my_secure_bucket

S3 bucket policy example #1
{ "Version": "2012-10-17",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"arn:aws:s3:::my_secure_bucket/*"],
"Condition": {
"StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf” }
}
}
]
}
In English: Deny access to this bucket to all calls
except those coming via this VPC endpoint

S3 bucket policy example #2
{ "Version": "2012-10-17”,
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"arn:aws:s3:::my_secure_bucket/*"],
"Condition": {
"StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4” }
}
}
]
}
In English: Deny access to this bucket to all
calls except those coming from this VPC

# node runTest.js testData1
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
Test running...
{"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
{"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
{"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
#
Cluster size of 1
1 x 10 GB file upload; 1 x 10 GB file download

# node runTest.js testData10
Starting...
...
Cluster size of 10
10 x 10 GB file upload; 10 x 10 GB file download

tx
rx
1 node
1 node
1 node
10 nodes
10 nodes
10 nodes

VPCE - 1 node
NAT - 1 node NAT - 10 nodes
VPCE - 10 nodes

1 node
10 nodes
1 node
1 node
10 nodes
10 nodes

VPC Flow Logs
• Long-standing ask: greater visibility into VPC network
behavior
• Specifically, what about those security group and network ACL
DENY cases?
• VPC Flow Logs provide the answer

See all of the traffic at your instances
• Visibility into effects of
security group rules
• Troubleshooting
network connectivity
• Ability to analyze traffic

VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch log groups and streams
• Data accumulated and published to CloudWatch Logs at
~10 minute intervals
• Normal CloudWatch Logs groups/streams with all
related features
• For example, new CloudWatch Logs -> Amazon Kinesis stream
integration

Flow Log record (text, space-delimited)
Field Description
version The VPC Flow Logs version.
account-id The AWS account ID for the Flow Log.
interface-id The ID of the network interface for which the log stream applies.
srcaddr The source IP address. The IP address of the network interface is always its private IP address.
dstaddr The destination IP address. The IP address of the network interface is always its private IP address.
srcport The source port of the traffic.
dstport The destination port of the traffic.
protocol The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
packets The number of packets transferred during the capture window.
bytes The number of bytes transferred during the capture window.
start The time, in Unix seconds, of the start of the capture window.
end The time, in Unix seconds, of the end of the capture window.
action The action associated with the traffic: ACCEPT: The recorded traffic was permitted by the security group or
network ACLs.
REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status The logging status of the flow log:
OK: Data is logging normally to CloudWatch Logs.
NODATA: There was no network traffic to or from the network interface during the capture window.
SKIPDATA: Some flow log records were skipped during the capture window.

Example records
Inbound SSH traffic allowed
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22
6 20 4249 1438530010 1438530070 ACCEPT OK

Example records (cont.)
Inbound RDP traffic denied
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389
6 1 231 1439530000 1439530060 REJECT OK

[version, account, interface, srcaddr, dstaddr, srcport, dstport=22, protocol,
packets, bytes, start, end, action=REJECT, status=OK]

VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management
tools
• Key element of the AWS increasingly powerful security
suite

Remember to complete
your evaluations!

(NET301) New Capabilities for Amazon Virtual Private Cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to (NET301) New Capabilities for Amazon Virtual Private Cloud

Similar to (NET301) New Capabilities for Amazon Virtual Private Cloud (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

(NET301) New Capabilities for Amazon Virtual Private Cloud