![Page 1: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Camil Samaha, AWS Solutions Architecture
October 2015
NET301
NextGen Networking: New Capabilities for Amazon Virtual Private Cloud
![Page 2: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/2.jpg)
What to expect from the session
New capabilities for Amazon VPC
VPC Endpoints
• Generic capability
• First VPCE type available is for Amazon S3
VPC Flow Logs
• Netflow-like data from elastic network interfaces
![Page 3: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/3.jpg)
VPC Endpoints
![Page 4: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/4.jpg)
Problem statement
• AWS “abstracted services”[1] generally have service endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
![Page 5: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/5.jpg)
AZ: Availability Zone
![Page 6: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/6.jpg)
Routes: local connectivity

```
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad

+----------------------+-----------+--------+
|                  Routes                   |
+----------------------+-----------+--------+
| DestinationCidrBlock | GatewayId | State  |
+----------------------+-----------+--------+
| 10.10.0.0/16         | local     | active |
+----------------------+-----------+--------+
```

Traffic to the VPC’s range stays in the VPC
![Page 7: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/7.jpg)
Establish public connectivity
```
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
```

The default VPC is already configured this way
![Page 8: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/8.jpg)
Routes: Internet connectivity

```
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad

+----------------------+--------------+--------+
|                    Routes                    |
+----------------------+--------------+--------+
| DestinationCidrBlock | GatewayId    | State  |
+----------------------+--------------+--------+
| 10.10.0.0/16         | local        | active |
| 0.0.0.0/0            | igw-5a1ae13f | active |
+----------------------+--------------+--------+
```

Everything not destined for the VPC goes to the Internet
![Page 10: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/10.jpg)
Reaching public endpoints

Public IPs and IGW
Pros
• Highly available
• Horizontally scalable
• Can restrict destination ports/CIDRs
Cons
• Public IPs; security controls are limited
• Can reach entire service (e.g. all S3 buckets)

NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling hard, limited
• Lots of work to manage
• Security limitations similar to use of IGW

Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security options
Cons
• Availability risks
• Lots of work to manage and scale
• Works only with HTTP/S
![Page 11: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/11.jpg)
VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls
![Page 12: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/12.jpg)
Amazon S3 without an Internet gateway
![Page 13: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/13.jpg)
Routes: Amazon S3 connectivity

```
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a

+----------------------+-------------------------+---------------+
|                             Routes                             |
+----------------------+-------------------------+---------------+
| DestinationCidrBlock | DestinationPrefixListId | GatewayId     |
+----------------------+-------------------------+---------------+
| 10.10.0.0/16         |                         | local         |
|                      | pl-68a54001             | vpce-a610f4cf |
+----------------------+-------------------------+---------------+
```
![Page 14: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/14.jpg)
The Amazon S3 prefix list

```
aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001

--------------------------------------------------
|               DescribePrefixLists              |
+------------------------------------------------+
||                  PrefixLists                 ||
|+---------------+------------------------------+|
||  PrefixListId |        PrefixListName        ||
|+---------------+------------------------------+|
||  pl-68a54001  |  com.amazonaws.us-west-2.s3  ||
|+---------------+------------------------------+|
|||                   Cidrs                    |||
||+--------------------------------------------+||
|||  54.231.160.0/19                           |||
||+--------------------------------------------+||
```

IP range for Amazon S3: changes over time and is managed by AWS
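An added example (not from the deck) showing why S3-bound traffic takes the endpoint even when an Internet gateway route also exists: the prefix-list route is more specific than 0.0.0.0/0, so longest-prefix matching selects it. The route entries, prefix list ID and CIDR are the ones on the slides; the lookup itself is a simplified model of VPC routing, not AWS code.

```python
import ipaddress

# Constructed to mirror the slides: the VPC's local route, the Internet gateway
# route, and the Amazon S3 prefix-list route. The prefix list's CIDR is the one
# shown in the describe-prefix-lists output; in reality it changes over time.
PREFIX_LISTS = {"pl-68a54001": ["54.231.160.0/19"]}  # com.amazonaws.us-west-2.s3

ROUTE_TABLE = [
    ("10.10.0.0/16", "local"),
    ("0.0.0.0/0", "igw-5a1ae13f"),
    ("pl-68a54001", "vpce-a610f4cf"),
]


def expand_routes(routes, prefix_lists):
    """Expand a prefix-list destination into one (network, gateway) pair per CIDR."""
    expanded = []
    for dest, gateway in routes:
        for cidr in prefix_lists.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), gateway))
    return expanded


def resolve_gateway(dst_ip, routes, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match over the expanded routes; None when nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, gateway in expand_routes(routes, prefix_lists):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    for ip in ("10.10.3.4", "54.231.170.5", "8.8.8.8"):
        print(ip, "->", resolve_gateway(ip, ROUTE_TABLE))
```

Dropping the IGW route leaves S3 reachable through the endpoint while every other public address has no route at all, which is the "Amazon S3 without an Internet gateway" setup the next slides show.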
![Page 15: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/15.jpg)
Rich security controls
• New route entry
• As many endpoints per VPC as you like, but maximum one assigned route per subnet
• New logical destination address for security group outbound traffic rules
• Thus, instance-level control through security groups
![Page 16: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/16.jpg)
Rich security controls (cont.)
• Policies on VPC endpoints
• Logically, resource policies (i.e., associated with resource rather than principal)
• Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
• Constrain source VPCs and/or VPC endpoints
• All policies ANDed together (IAM, VPC endpoints, S3)
![Page 17: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/17.jpg)
VPC endpoint policy example

```json
{ "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}
```

In English: Calls via this VPC endpoint are allowed Get/Put to my_secure_bucket
![Page 18: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/18.jpg)
S3 bucket policy example #1

```json
{ "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" }
      }
    }
  ]
}
```

In English: Deny access to this bucket to all calls except those coming via this VPC endpoint
![Page 19: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/19.jpg)
S3 bucket policy example #2

```json
{ "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" }
      }
    }
  ]
}
```

In English: Deny access to this bucket to all calls except those coming from this VPC
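An added worked example (not from the deck) of how the three policy layers from the "Rich security controls" slides combine. It evaluates the VPC endpoint policy and bucket policy #1 above against a few request contexts; the identity policy granting s3:* is an assumption so that only the other two layers decide, and the evaluator is a deliberately simplified model of IAM, not the real engine.

```python
import fnmatch

# Constructed from the slides: the VPC endpoint policy and S3 bucket policy #1.
# The identity (IAM) policy is an assumption: it grants s3:* on everything so the
# effect of the other two policies is what decides each call.
ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}
BUCKET_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}}}]}
IAM_POLICY = {"Statement": [{"Action": "s3:*", "Effect": "Allow", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Only the two string operators the slides rely on are modelled."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = ctx.get(key)
            if operator == "StringEquals" and present != wanted:
                return False
            # StringNotEquals also holds when the key is absent from the request:
            # a call that does not arrive via any endpoint carries no aws:sourceVpce,
            # so the bucket policy's Deny matches it.
            if operator == "StringNotEquals" and present == wanted:
                return False
    return True


def evaluate_policy(policy, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    decision = None
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of other statements
        decision = "Allow"
    return decision


def is_allowed(ctx):
    """Simplified ANDing of the layers: any explicit Deny rejects the call; a call
    arriving through the endpoint must be allowed by the endpoint policy; and either
    the identity policy or the bucket policy must grant it."""
    iam, bucket = evaluate_policy(IAM_POLICY, ctx), evaluate_policy(BUCKET_POLICY, ctx)
    # With no endpoint on the path there is no endpoint policy to gate the call.
    endpoint = evaluate_policy(ENDPOINT_POLICY, ctx) if "aws:sourceVpce" in ctx else "Allow"
    if "Deny" in (iam, bucket, endpoint):
        return False
    return endpoint == "Allow" and "Allow" in (iam, bucket)
```

A GetObject on my_secure_bucket via vpce-a610f4cf passes all three layers; the same call over an Internet gateway hits the bucket policy's Deny, and a DeleteObject or a call to another bucket via the endpoint fails because the endpoint policy never allows it.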
![Page 20: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/20.jpg)
Demo 1
![Page 21: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/21.jpg)
Demo 1
NAT
![Page 22: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/22.jpg)
```
# node runTest.js testData1
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
Test running...
{"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
{"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
{"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
#
```

Cluster size of 1
1 x 10 GB file upload; 1 x 10 GB file download
![Page 23: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/23.jpg)
[Chart: tx and rx throughput for the 1-node runs]
![Page 24: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/24.jpg)
[Chart legend: VPCE - 1 node, NAT - 1 node]
![Page 25: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/25.jpg)
```
# node runTest.js testData10
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.225/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.226/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.215/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.216/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.142/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.143/api/full?b=tstbktvpc&g=igw&p=igw
...
```

Cluster size of 10
10 x 10 GB file upload; 10 x 10 GB file download
![Page 26: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/26.jpg)
[Chart: tx and rx throughput, 1-node and 10-node runs]
![Page 27: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/27.jpg)
[Chart legend: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes]
![Page 28: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/28.jpg)
[Chart: 1-node and 10-node runs]
![Page 29: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/29.jpg)
[Chart legend: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes]
![Page 30: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/30.jpg)
VPC Flow Logs
![Page 31: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/31.jpg)
VPC Flow Logs
• Long-standing ask: greater visibility into VPC network behavior
• Specifically, what about those security group and network ACL DENY cases?
• VPC Flow Logs provide the answer
![Page 32: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/32.jpg)
See all of the traffic at your instances
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
![Page 33: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/33.jpg)
VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch log groups and streams
• Data accumulated and published to CloudWatch Logs at ~10 minute intervals
• Normal CloudWatch Logs groups/streams with all related features
• For example, new CloudWatch Logs -> Amazon Kinesis stream integration
![Page 34: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/34.jpg)
Flow Log record (text, space-delimited)

| Field | Description |
|---|---|
| version | The VPC Flow Logs version. |
| account-id | The AWS account ID for the Flow Log. |
| interface-id | The ID of the network interface for which the log stream applies. |
| srcaddr | The source IP address. The IP address of the network interface is always its private IP address. |
| dstaddr | The destination IP address. The IP address of the network interface is always its private IP address. |
| srcport | The source port of the traffic. |
| dstport | The destination port of the traffic. |
| protocol | The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers. |
| packets | The number of packets transferred during the capture window. |
| bytes | The number of bytes transferred during the capture window. |
| start | The time, in Unix seconds, of the start of the capture window. |
| end | The time, in Unix seconds, of the end of the capture window. |
| action | The action associated with the traffic. ACCEPT: the recorded traffic was permitted by the security groups or network ACLs. REJECT: the recorded traffic was not permitted by the security groups or network ACLs. |
| log-status | The logging status of the flow log. OK: data is logging normally to CloudWatch Logs. NODATA: there was no network traffic to or from the network interface during the capture window. SKIPDATA: some flow log records were skipped during the capture window. |
![Page 35: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/35.jpg)
Example records
Inbound SSH traffic allowed

```
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
```
![Page 36: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/36.jpg)
Example records (cont.)
Inbound RDP traffic denied

```
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
```
![Page 37: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/37.jpg)
Demo 2
![Page 40: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/40.jpg)
CloudWatch Logs filter pattern used in the demo to match rejected inbound SSH (dstport 22) flow log records:

```
[version, account, interface, srcaddr, dstaddr, srcport, dstport=22, protocol, packets, bytes, start, end, action=REJECT, status=OK]
```
![Page 49: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/49.jpg)
VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management tools
• Key element of AWS's increasingly powerful security suite
![Page 50: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/50.jpg)
Thank you!
NET301
![Page 51: (NET301) New Capabilities for Amazon Virtual Private Cloud](https://reader033.vdocuments.site/reader033/viewer/2022042906/58a207651a28ab40098b511f/html5/thumbnails/51.jpg)
Remember to complete your evaluations!