
Networking: New Capabilities for Amazon Virtual Private Cloud

Notes on the "Networking: New Capabilities for Amazon Virtual Private Cloud " presentation.


Networking: New Capabilities for Amazon Virtual Private Cloud
Mark Ryland, Chief Architect, WWPS, markry@amazon.com
AWS Government, Education, and Nonprofit Symposium, Washington, DC, June 25-26, 2015
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

New capabilities for Amazon VPC
  • VPC endpoints
    – Generic capability
    – First VPC endpoint (VPCE) available is for S3
  • VPC Flow Logs
    – NetFlow-like data from elastic network interfaces

Problem statement
  • AWS "abstracted services"[1] generally have service endpoints on the public address side of an AWS region
  • How best to reach those endpoints from inside your VPC?
  [1] "AWS Security Best Practices" whitepaper, Nov 2013, p. 7

Reaching public endpoints
  Public IPs and an Internet gateway (IGW)
    Pros
      – Highly available
      – Horizontally scalable
      – Can restrict destination ports/CIDRs
    Cons
      – Instances need public IPs; security controls are limited
      – Can reach the entire S3 service
  NAT/PAT server(s)
    Pros
      – Central control
      – All protocols
    Cons
      – Availability risks
      – Scaling is hard and limited
      – Lots of work to manage
      – Security limitations similar to use of an IGW
  Proxy server(s)
    Pros
      – Central control
      – Can scale fairly well
      – Many security options
    Cons
      – Availability risks
      – Lots of work to manage and scale
      – Works only with HTTP/S

VPC endpoints to the rescue
  • No need for public IP addresses, NAT/PAT, or proxies
  • Highly available; no single point of failure (SPOF)
  • Practically infinite horizontal scalability
  • Rich security controls

Rich security controls
  • New route entry
    – As many endpoints per VPC as you like, but at most one endpoint route assigned per subnet
  • New logical destination for security group outbound traffic rules (the endpoint's prefix list ID, rather than an IP range)
    – Thus, instance-level control through security groups

Rich security controls (cont.)
  • Policies on VPC endpoints
    – Logically, resource policies (not IAM identity policies)
    – Constrain principals, actions, destination buckets, and paths within buckets
  • S3 bucket policies
    – Constrain source VPCs, VPC endpoints, or both
  • All policies are ANDed together (IAM, VPC endpoint, S3 bucket): a request must get through every one of them, and a Deny in any one of them wins

VPC endpoint policy example
Allow only GetObject and PutObject, and only against one bucket, for any principal using the endpoint:
  {
    "Statement": [
      {
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": [
          "s3:GetObject",
          "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::my_secure_bucket",
          "arn:aws:s3:::my_secure_bucket/*"
        ]
      }
    ]
  }

S3 bucket policy example #1
Deny every S3 action on the bucket unless the request arrived through one specific VPC endpoint (a request that did not use any endpoint carries no aws:sourceVpce key, so the StringNotEquals condition is true and the Deny applies to it as well):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
          "arn:aws:s3:::my_secure_bucket",
          "arn:aws:s3:::my_secure_bucket/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:sourceVpce": "vpce-1a2b3c4d"
          }
        }
      }
    ]
  }

S3 bucket policy example #2
Same pattern, keyed on the source VPC instead of a single endpoint:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Access-to-specific-VPC-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
          "arn:aws:s3:::my_secure_bucket",
          "arn:aws:s3:::my_secure_bucket/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:sourceVpc": "vpc-111bbb22"
          }
        }
      }
    ]
  }
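The three-way AND of identity policy, endpoint policy and bucket policy is easiest to see by running requests through it. The following Python is an added example, not code from the presentation or from AWS: it loads the endpoint policy and bucket policy example #1 from the slides, adds a constructed and deliberately broad instance-role policy, and evaluates requests with and without the aws:sourceVpce key. The evaluator models only the policy-language subset those documents use (Allow/Deny, * wildcards, StringEquals/StringNotEquals); the endpoint ID, bucket name and object keys are placeholders.

```python
import fnmatch

# VPC endpoint policy from the slide: two actions, one bucket.
ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
}]}

# S3 bucket policy example #1 from the slide: deny everything not via one endpoint.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}},
}]}

# Constructed for this example (not on the slides): a deliberately broad
# instance-role policy, to show that the other two policies still constrain it.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM's * and ? wildcards behave like shell globs for these strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals, the only operators the slides use.

    Condition keys are case-insensitive.  A negated operator on a key that is
    absent from the request context evaluates to true: that is what makes the
    bucket policy's Deny bite for requests that came through no endpoint.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key.lower()), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, request):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.

    Principal is not checked: every policy on the slides uses "*", and an
    identity policy has no Principal element.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_any_match(stmt["Action"], request["action"])
                and _any_match(stmt["Resource"], request["resource"])
                and _condition_holds(stmt.get("Condition", {}), request["context"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def is_allowed(request, iam=IAM_POLICY, endpoint=ENDPOINT_POLICY, bucket=BUCKET_POLICY):
    """Simplified same-account evaluation with the three policies ANDed.

    An explicit Deny in any applicable policy wins.  Otherwise the identity
    policy (or the bucket policy) must Allow and, for a request that came
    through an endpoint, the endpoint policy must Allow as well.
    """
    via_endpoint = any(k.lower() == "aws:sourcevpce" for k in request["context"])
    docs = [("iam", iam), ("bucket", bucket)] + ([("endpoint", endpoint)] if via_endpoint else [])
    results = {name: evaluate(doc, request) for name, doc in docs}
    if "Deny" in results.values():
        return False
    identity_ok = results["iam"] == "Allow" or results["bucket"] == "Allow"
    return identity_ok and results.get("endpoint", "Allow") == "Allow"


def make_request(action, bucket_path, vpce=None):
    """Build a request; vpce=None models traffic that reached S3 over the IGW instead."""
    context = {"aws:sourceVpce": vpce} if vpce else {}
    return {"action": action, "resource": f"arn:aws:s3:::{bucket_path}", "context": context}
```

Running is_allowed over a few requests shows each policy doing its own job: a GetObject on my_secure_bucket through vpce-1a2b3c4d passes; the same request over the Internet gateway or through a different endpoint is stopped by the bucket policy; a DeleteObject through the right endpoint, or a GetObject against another bucket, is stopped by the endpoint policy even though the broad instance-role policy would have allowed both.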
VPC Flow Logs
  • Longstanding ask: greater visibility into VPC network behavior
    – Specifically, what about those security group and network ACL DENY cases?
  • VPC Flow Logs provide the answer

VPC Flow Logs (cont.)
  • Enabled at the ENI, subnet, or VPC level
  • Traffic data surfaced as "flow log records" per ENI
  • Exposed as CloudWatch Logs groups and streams
  • Data accumulated and published to CloudWatch Logs at roughly 10-minute intervals
  • Normal CloudWatch Logs groups/streams with all related features
    – For example, the new CloudWatch Logs -> Amazon Kinesis stream integration

Flow Log record (text, space-delimited)
  Field         Description
  version       The VPC Flow Logs version.
  account-id    The AWS account ID for the flow log.
  interface-id  The ID of the network interface for which the log stream applies.
  srcaddr       The source IP address. The IP address of the network interface is always its private IP address.
  dstaddr       The destination IP address. The IP address of the network interface is always its private IP address.
  srcport       The source port of the traffic.
  dstport       The destination port of the traffic.
  protocol      The IANA protocol number of the traffic (see the IANA list of assigned Internet protocol numbers).
  packets       The number of packets transferred during the capture window.
  bytes         The number of bytes transferred during the capture window.
  start         The time, in Unix seconds, of the start of the capture window.
  end           The time, in Unix seconds, of the end of the capture window.
  action        The action associated with the traffic:
                ACCEPT: the recorded traffic was permitted by the security groups or network ACLs.
                REJECT: the recorded traffic was not permitted by the security groups or network ACLs.
  log-status    The logging status of the flow log:
                OK: data is logging normally to CloudWatch Logs.
                NODATA: there was no network traffic to or from the network interface during the capture window.
                SKIPDATA: some flow log records were skipped during the capture window.

Example records
  RDP traffic denied (TCP/3389, REJECT):
  2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
  SSH traffic allowed (TCP/22, ACCEPT):
  2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
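To turn those records into something a SOC can act on, here is an added example (not from the presentation or from AWS): a Python parser for the space-delimited version 2 record format above, plus a small detection pass that flags REJECTed TCP flows to administrative ports. The input is the two records from the slide plus a constructed NODATA record, included because such records carry "-" in every traffic field and no ACCEPT/REJECT action, which a naive split-and-int parser mishandles. The watched-port list is an assumption for illustration.

```python
from collections import Counter

# Field order of a version 2 flow log record, as on the slide.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the two records from the slide plus a NODATA record for a
# window in which the ENI saw no traffic (every traffic field is "-").
SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1439530060 1439530120 - NODATA
"""

# Assumed watch list for this example: destination ports worth an alert when rejected.
WATCHED_TCP_PORTS = {22: "ssh", 3389: "rdp"}


def parse_record(line):
    """Parse one record into a dict; '-' becomes None, numeric fields become int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(raw)
        else:
            record[name] = raw
    return record


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_flows(records):
    """Only records with log-status OK carry traffic and hence an ACCEPT/REJECT action."""
    return [r for r in records if r["log-status"] == "OK" and r["action"] == "REJECT"]


def detect_blocked_admin_access(records):
    """(srcaddr, dstaddr, service) for every rejected TCP flow to a watched port."""
    hits = []
    for r in rejected_flows(records):
        if r["protocol"] == 6 and r["dstport"] in WATCHED_TCP_PORTS:  # 6 = TCP
            hits.append((r["srcaddr"], r["dstaddr"], WATCHED_TCP_PORTS[r["dstport"]]))
    return hits


def rejects_by_source(records):
    """Count rejected flows per source address, a cheap scan indicator."""
    return Counter(r["srcaddr"] for r in rejected_flows(records))


def accepted_bytes_by_interface(records):
    """Bytes accepted per ENI in the window, ignoring NODATA/SKIPDATA records."""
    totals = Counter()
    for r in records:
        if r["log-status"] == "OK" and r["action"] == "ACCEPT":
            totals[r["interface-id"]] += r["bytes"]
    return totals
```

On the sample, the RDP attempt from 172.168.1.12 is the one hit, the SSH session contributes 4249 accepted bytes to eni-abc123de, and the NODATA record is parsed without error but excluded from both results. The same functions can be run on the messages of a CloudWatch Logs stream exported from a real flow log.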
VPC networking
  • Continually advancing the state of the art
  • Focused on improving control and visibility
  • Integration with third-party monitoring and management tools
  • Key element of AWS's increasingly powerful security suite

Thank you.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
