(NET301) New Capabilities for Amazon Virtual Private Cloud

Amazon's Virtual Private Cloud (Amazon VPC) continues to evolve with new capabilities and enhancements. These features give you increasingly greater isolation, control, and visibility at the all-important networking layer. In this session, we review some of the latest changes, discuss their value, and describe their use cases.

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Camil Samaha, AWS Solutions Architecture, October 2015
     NET301 NextGen Networking: New Capabilities for Amazon Virtual Private Cloud
  2. What to expect from the session: new capabilities for Amazon VPC
     VPC Endpoints
       • Generic capability
       • First VPCE type available is for Amazon S3
     VPC Flow Logs
       • Netflow-like data from elastic network interfaces
  3. VPC Endpoints
  4. Problem statement
       • AWS "abstracted services" [1] generally have service endpoints on the public address side of an AWS region
       • How best to reach those endpoints from inside your VPC?
     [1] "AWS Security Best Practices" whitepaper, Nov 2013, p. 7
  5. (Diagram; only the legend survived.) AZ: Availability Zone
  6. Routes: local connectivity
     aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
       Routes
       DestinationCidrBlock | GatewayId | State
       10.10.0.0/16         | local     | active
     Traffic to the VPC's range stays in the VPC
  7. Establish public connectivity
     aws ec2 create-internet-gateway
     aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
     The default VPC is already configured this way
  8. Routes: Internet connectivity
     aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
       Routes
       DestinationCidrBlock | GatewayId    | State
       10.10.0.0/16         | local        | active
       0.0.0.0/0            | igw-5a1ae13f | active
     Everything not destined for the VPC goes to the Internet
  9. Reaching public endpoints
     Public IPs and IGW
       Pros:
         • Highly available
         • Horizontally scalable
         • Can restrict destination ports/CIDRs
       Cons:
         • Public IPs; security controls are limited
         • Can reach entire service (e.g. all S3 buckets)
     NAT/PAT server(s)
       Pros:
         • Central control
         • All protocols
       Cons:
         • Availability risks
         • Scaling hard, limited
         • Lots of work to manage
         • Security limitations similar to use of IGW
     Proxy server(s)
       Pros:
         • Central control
         • Can scale fairly well
         • Many security options
       Cons:
         • Availability risks
         • Lots of work to manage and scale
         • Works only with HTTP/S
 10. VPC endpoints to the rescue
       • No need for public IP addresses, NAT/PAT, or proxies
       • Highly available; no SPOF
       • Practically infinite horizontal scalability
       • Rich security controls
 11. Amazon S3 without an Internet gateway
 12. Routes: Amazon S3 connectivity
     aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
       Routes
       DestinationCidrBlock | DestinationPrefixListId | GatewayId
       10.10.0.0/16         |                         | local
                            | pl-68a54001             | vpce-a610f4cf
 13. The Amazon S3 prefix list
     aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001
       DescribePrefixLists
       PrefixLists
       PrefixListId | PrefixListName
       pl-68a54001  | com.amazonaws.us-west-2.s3
       Cidrs
       54.231.160.0/19
     IP range for Amazon S3; changes over time and is managed by AWS
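The two route tables above (local + endpoint route on slide 12, and the version with a 0.0.0.0/0 route to the Internet gateway on slide 8) decide where a packet leaves the VPC by longest-prefix match, with the prefix list expanded to its CIDRs. The following is an added example, not code from the talk: it models that lookup in Python using the route, gateway and prefix-list identifiers printed on the slides, and shows that without an Internet gateway route a packet for a non-S3 public address has no route at all.

```python
"""Added example (not from the slides): resolve which route-table entry a
destination IP takes when the table mixes CIDR routes and a prefix-list route.
The prefix-list CIDR and the route/gateway IDs are the ones on the slides; the
lookup itself is a simplified longest-prefix-match model for illustration."""
import ipaddress
from typing import Optional

# Taken from the slide's describe-prefix-lists output; in a real VPC the CIDRs
# change over time and are maintained by AWS, which is why the route refers
# to the prefix-list ID rather than to a CIDR.
PREFIX_LISTS = {
    "pl-68a54001": {
        "name": "com.amazonaws.us-west-2.s3",
        "cidrs": ["54.231.160.0/19"],
    },
}

# Slide 12's table: local connectivity plus the S3 endpoint, no Internet gateway.
S3_ONLY_TABLE = [
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationPrefixListId": "pl-68a54001", "GatewayId": "vpce-a610f4cf"},
]

# Slide 8's default route added on top of the endpoint route.
WITH_IGW_TABLE = S3_ONLY_TABLE + [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-5a1ae13f"},
]


def expand_routes(route_table):
    """Turn each entry into (network, gateway) pairs; a prefix-list route
    contributes one pair per CIDR currently in the list."""
    expanded = []
    for route in route_table:
        gw = route["GatewayId"]
        if "DestinationCidrBlock" in route:
            expanded.append((ipaddress.ip_network(route["DestinationCidrBlock"]), gw))
        elif "DestinationPrefixListId" in route:
            for cidr in PREFIX_LISTS[route["DestinationPrefixListId"]]["cidrs"]:
                expanded.append((ipaddress.ip_network(cidr), gw))
    return expanded


def resolve(route_table, dst) -> Optional[str]:
    """Return the gateway of the most specific matching route, or None when
    no route matches (the packet is dropped inside the VPC)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in expand_routes(route_table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    for dst in ("10.10.3.4", "54.231.170.5", "8.8.8.8"):
        print(f"{dst:>14}  s3-only -> {resolve(S3_ONLY_TABLE, dst)!s:<14}"
              f"with igw -> {resolve(WITH_IGW_TABLE, dst)}")
```

The S3 address is the only public destination that is reachable without an Internet gateway route, which is the property the "Amazon S3 without an Internet gateway" slide relies on.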
 14. Rich security controls
       • New route entry
       • As many endpoints per VPC as you like, but maximum one assigned route per subnet
       • New logical destination address for security group outbound traffic rules
       • Thus, instance-level control through security groups
 15. Rich security controls (cont.)
       • Policies on VPC endpoints
         • Logically, resource policies (i.e., associated with resource rather than principal)
         • Constrain principals, actions, destination buckets, paths within buckets
       • S3 bucket policies
         • Constrain source VPCs and/or VPC endpoints
       • All policies ANDed together (IAM, VPC endpoints, S3)
 16. VPC endpoint policy example
     {
       "Statement": [
         {
           "Sid": "Access-to-specific-bucket-only",
           "Principal": "*",
           "Action": [ "s3:GetObject", "s3:PutObject" ],
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]
         }
       ]
     }
     In English: Calls via this VPC endpoint are allowed Get/Put to my_secure_bucket
 17. S3 bucket policy example #1
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "Access-to-specific-VPCE-only",
           "Principal": "*",
           "Action": "s3:*",
           "Effect": "Deny",
           "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
           "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" } }
         }
       ]
     }
     In English: Deny access to this bucket to all calls except those coming via this VPC endpoint
 18. S3 bucket policy example #2
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "Access-to-specific-VPC-only",
           "Principal": "*",
           "Action": "s3:*",
           "Effect": "Deny",
           "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
           "Condition": { "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" } }
         }
       ]
     }
     In English: Deny access to this bucket to all calls except those coming from this VPC
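Slide 15 states that IAM, endpoint and bucket policies are ANDed, and slides 16 and 17 give one policy of each kind. The block below is an added example, not code from the talk: a deliberately small evaluator that applies exactly those two policies (plus a constructed, fully permissive identity policy so that only the endpoint and bucket policies restrict anything) to a few requests. It supports only the constructs the slide policies use (Allow/Deny, "*" principals, action and resource wildcards, StringEquals/StringNotEquals on aws:sourceVpce) and is an illustration of the combination rule, not AWS's evaluation logic.

```python
"""Added example (not part of the slides): a simplified evaluator showing how
the VPC endpoint policy (slide 16) and the S3 bucket policy (slide 17) combine.
It models only what those policies use: Allow/Deny, "*" principals, action and
resource wildcards, and StringEquals/StringNotEquals on aws:sourceVpce.
IDENTITY_POLICY is constructed for the example.  Real IAM evaluation has more
rules than this; treat it as an illustration, not AWS's algorithm."""
from fnmatch import fnmatchcase

ENDPOINT_POLICY = {  # slide 16
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::my_secure_bucket",
                     "arn:aws:s3:::my_secure_bucket/*"],
    }]
}

BUCKET_POLICY = {  # slide 17
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::my_secure_bucket",
                     "arn:aws:s3:::my_secure_bucket/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}},
    }]
}

# Constructed: a permissive identity policy for the calling principal, so the
# only restrictions in play come from the endpoint and bucket policies.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Only StringEquals / StringNotEquals are modelled.  A missing context key
    makes StringNotEquals true (as IAM does for negated operators)."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"condition operator {op} not modelled")
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement applied) for one policy."""
    decision = None
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        decision = "Allow"
    return decision


def allowed(action, resource, ctx):
    """AND the policies on the request path: no policy may deny, the endpoint
    policy must allow when the call goes through the endpoint, and the
    identity or bucket policy must allow."""
    via_endpoint = "aws:sourceVpce" in ctx
    identity = evaluate(IDENTITY_POLICY, action, resource, ctx)
    bucket = evaluate(BUCKET_POLICY, action, resource, ctx)
    endpoint = evaluate(ENDPOINT_POLICY, action, resource, ctx) if via_endpoint else None
    if "Deny" in (identity, bucket, endpoint):
        return False
    if via_endpoint and endpoint != "Allow":
        return False
    return identity == "Allow" or bucket == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_secure_bucket/report.csv"
    via = {"aws:sourceVpce": "vpce-a610f4cf", "aws:sourceVpc": "vpc-c15180a4"}
    print("GetObject via endpoint:   ", allowed("s3:GetObject", obj, via))      # True
    print("GetObject from Internet:  ", allowed("s3:GetObject", obj, {}))       # False
    print("DeleteObject via endpoint:", allowed("s3:DeleteObject", obj, via))   # False
    print("Other bucket via endpoint:",
          allowed("s3:GetObject", "arn:aws:s3:::other_bucket/x", via))          # False
```

The last two cases are the ones the slides care about: the endpoint policy limits which actions and which buckets the endpoint can reach at all, while the bucket policy makes the bucket unreachable from any path other than that endpoint, which closes the "can reach entire service" gap listed for the IGW option on slide 9.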
 19. Demo 1
 20. Demo 1: NAT (diagram)
 21. # node runTest.js testData1
     Starting...
     Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
     Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
     Test running...
     {"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
     {"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
     {"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
     #
     Cluster size of 1: 1 x 10 GB file upload; 1 x 10 GB file download
 22. (Chart: tx and rx, 1 node per group)
 23. (Chart: VPCE - 1 node vs. NAT - 1 node)
 24. # node runTest.js testData10
     Starting...
     Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.225/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.226/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.215/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.216/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.142/api/full?b=tstbktvpc&g=igw&p=igw
     Initiating test to http://10.20.0.143/api/full?b=tstbktvpc&g=igw&p=igw
     ...
     Cluster size of 10: 10 x 10 GB file upload; 10 x 10 GB file download
 25. (Chart: tx and rx, 1 node and 10 nodes per group)
 26. (Chart: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes)
 27. (Chart: 1 node and 10 nodes per group)
 28. (Chart: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes)
 29. VPC Flow Logs
 30. VPC Flow Logs
       • Long-standing ask: greater visibility into VPC network behavior
       • Specifically, what about those security group and network ACL DENY cases?
       • VPC Flow Logs provide the answer
 31. See all of the traffic at your instances
       • Visibility into effects of security group rules
       • Troubleshooting network connectivity
       • Ability to analyze traffic
 32. VPC Flow Logs (cont.)
       • Enabled at the ENI, subnet, or VPC level
       • Traffic data surfaced as "flow log records" per ENI
       • Exposed as CloudWatch log groups and streams
       • Data accumulated and published to CloudWatch Logs at ~10 minute intervals
       • Normal CloudWatch Logs groups/streams with all related features
         • For example, new CloudWatch Logs -> Amazon Kinesis stream integration
 33. Flow Log record (text, space-delimited)
     Field         Description
     version       The VPC Flow Logs version.
     account-id    The AWS account ID for the Flow Log.
     interface-id  The ID of the network interface for which the log stream applies.
     srcaddr       The source IP address. The IP address of the network interface is always its private IP address.
     dstaddr       The destination IP address. The IP address of the network interface is always its private IP address.
     srcport       The source port of the traffic.
     dstport       The destination port of the traffic.
     protocol      The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
     packets       The number of packets transferred during the capture window.
     bytes         The number of bytes transferred during the capture window.
     start         The time, in Unix seconds, of the start of the capture window.
     end           The time, in Unix seconds, of the end of the capture window.
     action        The action associated with the traffic:
                     ACCEPT: The recorded traffic was permitted by the security group or network ACLs.
                     REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
     log-status    The logging status of the flow log:
                     OK: Data is logging normally to CloudWatch Logs.
                     NODATA: There was no network traffic to or from the network interface during the capture window.
                     SKIPDATA: Some flow log records were skipped during the capture window.
 34. Example records: inbound SSH traffic allowed
     2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
 35. Example records (cont.): inbound RDP traffic denied
     2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
 36. Demo 2
 37. Filter pattern:
     [version, account, interface, srcaddr, dstaddr, srcport, dstport=22, protocol, packets, bytes, start, end, action=REJECT, status=OK]
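Slide 33 gives the field order of a version 2 record, slides 34 and 35 give two records, and the demo's filter pattern on slide 37 selects rejected SSH. The block below is an added example, not code from the talk: it parses records in that field order into typed dictionaries, treats the "-" placeholders that NODATA/SKIPDATA records carry as absent values, and applies the same selection as the filter pattern. The sample input reuses the two records from the slides and adds two constructed lines (a rejected SSH attempt and a NODATA record) so the filter and the edge case both have something to match.

```python
"""Added example (not from the slides): parse version 2 VPC Flow Log records in
the field order listed on slide 33 and select rejected SSH the way the demo's
filter pattern does.  The first two sample records are the slides' own; the
REJECT-on-22 line and the NODATA line are constructed for this example."""
from collections import Counter

FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 51022 22 6 3 180 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1439530060 1439530120 - NODATA
"""


def parse_record(line):
    """Split one space-delimited record into a dict; '-' means the field is
    absent (NODATA/SKIPDATA windows), numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def matches(rec, **criteria):
    """Equality match on named fields, mirroring the bracketed filter pattern
    (dstport=22, action=REJECT, ...); unnamed fields are wildcards."""
    return all(rec.get(key) == value for key, value in criteria.items())


def rejected_ssh(records):
    """Records the slide 37 filter would select: TCP to port 22 that the
    security group or network ACL rejected."""
    return [r for r in records if matches(r, dstport=22, protocol=6, action="REJECT")]


def rejects_by_port(records):
    """Count REJECT records per destination port; NODATA/SKIPDATA rows have
    no action and are skipped."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in rejected_ssh(recs):
        print(f"rejected SSH from {r['srcaddr']}:{r['srcport']} "
              f"to {r['dstaddr']} on {r['interface-id']} at {r['start']}")
    print("rejects by dstport:", dict(rejects_by_port(recs)))
```

Because records arrive in CloudWatch Logs in roughly 10 minute batches, a count of REJECTs per port over a capture window is the kind of aggregate a metric filter or a Kinesis consumer would compute from these parsed records rather than alerting on each line.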
 38. VPC networking
       • Continually advancing the state of the art
       • Focused on improving control and visibility
       • Integration with third-party monitoring and management tools
       • Key element of AWS's increasingly powerful security suite
 39. Thank you! NET301
 40. Remember to complete your evaluations!
