Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

AWS VPC

created Jan 08, 2024updated May 26, 20246 min read

An AWS VPC can be seen as virtual network inside AWS.

  • VPC is per-region
  • regionally resilient (see subnets)
  • by default, private and isolated from other VPCs
  • Each VPC has a CIDR block
  • An account has max 1 default and many custom VPCs
    • default VPC
      • default VPC can be removed and recreated
      • some services expect default VPC to be present
      • not likely going to be used for actual deployment
      • Default VPCs always have the same CIDR block: 172.31.0.0/16
  • A VPC has 1 subnet for each AZ. If one AZ/subnet fails, other subnets can still keep the VPC up.
    • per-AZ subnets have /20 CIDR block
  • Each VPC have
    • Internet Gateway (IGW)
    • Security Group (SG)
    • Network ACL (NACL)
  • Default VPC assigns IPv4 addresses to its services.
  • Avoid default VPC for production

Custom VPC Sizing and Structure

  • When creating VPCs
    • Carefully consider IP range (CIDR block) for VPC in advance, since it cannot be changed later
    • What is the size of the VPC? How many services/instances will be in the VPC? Try to predict the future use cases.
    • Choose VPC range that does not conflict with other VPCs, vendors, or on-prem networkx.
    • VPC structure: tiers and resiliency (AZ)
  • Sizing: planning CIDR ranges
    • minimum size /28 (16 IPs), maximum /16 (65536 IPs)
    • avoid common ranges to prevent future issues, 10.0-10.10, so 10.16 would be a nice starting point
    • What is the highest number of regions that the business could use? Use 2+ unique networks per region per environment (general, prod, staging, dev) (e.g. us-east-2 dev #1 would have 10.16.0.0/16 and us-east-2 prod #1 would have 10.18.0.0/16)
  • Structuring
    • How many subnets will be used to organize services?
    • How many hosts/IPs will be necessary?
    • Determine number of AZs to use (e.g., 3 AZs for actual use, with a spare for reserve)
    • Split into environments (e.g., dev, staging, prod, and a spare)
      • More realistically, environment are placed in different member accounts and different VPCs.
    • Split into tiers (e.g. web, application, database, and a spare)
    • This means 4 AZs x 4 environments x 4 tiers = 64 subnets, which splits a /16 subnet to 64 /22 subnets (/18 /24 etc).
    • VPC planning can also be planned bottom-up (determine required services first, etc)

Custom VPC Architecturing

  • Avoid using Bastion hosts for private VPC access
  • Traffic into and out from a VPC is denied by default
  • default vs dedicated tenancy: provision resource on shared hardware or dedicated hardware
    • Beware: if dedicated tenancy is configured on VPC level, then all resources in that VPC must use dedicated hardware (costly), while using default tenancy allows customizing per-resource tenancy later on
  • Each VPC has one primary private IPv4 CIDR block
    • min /28 (16 IPs) and max /16 (65,536 IPs)
    • optional: secondary IPv4 blocks can also be created
    • optional: single assigned IPv6 CIDR block, look towards using IPv6 as default in future; all IPv6 addresses are publicly routable (not private vs public block distinction), but access can be configured
  • VPC DNS service
    • VPC DNS IP: VPC base IP + 2 (10.0.0.0/16 10.0.0.2)
    • main settings
      • enableDnsHostnames: give instances with IP addresses a domain name
      • enableDnsSupport: enable DNS resolution in VPC
  • Subnets in a VPC can communicate to each other by default. Only access across VPC boundary is blocked.
  • Each subnet has 5 reserved IP addresses.
    • .0 = network address
    • .1 = VPC router network interface
    • .2 = reserved for DNS
    • .3 = reserved for future use
    • .255 = reserved; note that this actually cannot be used for broadcasting
  • 1 DHCP Options set per VPC; DHCP option sets can be created but not edited
  • Per-subnet IP address setting
    • can auto-assign public IPv4 to in-subnet resources
    • can auto-assign public IPv6 to in-subnet resources

VPC Routing

See: AWS Internet Gateway

  • VPC router is a HA device that routes traffic between subnets. The router can be configured with route tables.
    • Each subnet may have one route table max.
    • If no route table is configured for a subnet, the VPC main route table is used by default.
  • Route table is made of routes. A route is can be a single IP or a network range. A packet leaving the VPC is routed based on which route match (greatest subnet mask is prioritized, except…).
    • If route is local, the route matches an address within the VPC.
    • Local routes always take priority over other routes regardless of how high the subnet mask is.

Trying to access internet from private subnet?

If you have a compute in a private subnet and want to access internet without giving it a public IP, consider using a NAT instance such as fck-nat or alternat. These are much more affordable compared to using a NAT Gateway due to minimal hourly fees (EC2 is much cheaper) and their lack of egress cost.

Bastion Host/Jumpbox

  • A host (e.g. EC2 instance) used to access private VPC resources (private EC2 instances).
  • Usually accept limited IP addresses.
  • Better alternatives exist now.
  • For better security, only allow access to the bastion host through web console (Session Manager) or VPN (and the VPN shouldn’t allow SSH access from all IPs).

NACL

NACL: Network Access Control Lists

  • NACL is a firewall that can be assigned to a subnet. Traffic between resources within a subnet is not affected. Each subnet can only have one NACL, though a NACL can be assigned to multiple subnets.
  • NACL have 2 rulesets: inbound & outbound (not necessarily request and response!)
  • NACLs are stateless firewalls.
  • A rule can be explicit allow or explicit deny. .
  • Each rule has a rule number (inbound rules can have the same rule numbers as outbound rules; they don’t need to be unique across rulesets). Rules are evaluated in order of lowest rule number, and AWS applies the first rule that match the traffic. A wildcard rule number can be specified to default deny or allow all traffic that doesn’t match a rule.
  • Since it’s stateless, we need to allow all ephemeral ports for outbound traffic.
  • When an instance in subnet A talks with an instance in subnet B, we need to create four rules (two for A, two for B): A out (A sends request from ephemeral port), B in (B listens for request on a well-known port), B out (B sends response from ephemeral port), A in (A receives response from ephemeral port).
  • NACLs can be overkill. For most use cases, use security groups.

Graph View

Backlinks