Agenda for the session. 1. Creating public and private subnets with Elastic IP, Route tables, IGW and NAT Gateways 2. VPC Security components : Security Groups ( SG ), Network Access control list ( NACL ), FlowLogs. 3. Mitigating DDOS. 4. VPC Peering 5. VPC Cleanup

1. VPC Security
n|u - The Open security community
Chennai Meet
Presenter : Vinoth Kumar
Date : 17/02/2018

2. # About Me
Application security engineer.
Blogger @ http://www.tutorgeeks.net
Email @ vinothpkumar333@gmail.com
Tweet @vinothpkumar

3. Topics covered
● Introduction to VPC.
● VPC Creation.
○ Subnets, Route tables, IGW, Elastic IP, NAT Gateways
● Security Components in VPC
○ Security Groups
○ Network ACLs
○ Flow Logs
● Mitigating DDOS
● VPC Peering
● VPC Cleanup

4. Introduction to VPC
Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. This virtual network
closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the
scalable infrastructure of AWS.
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other
virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your
VPC. You can configure your VPC by modifying its IP address range, create subnets, and configure route tables,
network gateways, and security settings.

5. VPC Creation

6. VPC Sample Network

7. Security components in VPC
Amazon VPC provides features that you can use to increase and monitor the security for your VPC:
● Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both
inbound and outbound traffic at the instance level
● Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both
inbound and outbound traffic at the subnet level
● Flow logs — Capture information about the IP traffic going to and from network interfaces in
your VPC
Source : https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

8. VPC Architecture with Network ACLs and SG
● Comparison of SG and Network ACLs
● Use Cases for SG and Network ACLs
Source: https://docs.aws.amazon.com/AmazonVPC/latest/
UserGuide/VPC_Security.html#VPC_Security_Comparison

9. Security Groups - Associated with Instances
● A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
● For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules
that control the outbound traffic. “Deny All and Allow Some” approach.
● Security groups are stateful.
● When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security
groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could
be assigned to a different set of security groups.
● You can specify allow rules, but not deny rules.
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

10. Network ACLs - Associated with Subnets
● Network access control list (ACL) is a security layer for your VPC that acts as a firewall for controlling traffic
in and out of one or more subnets. NACLs is stateless
● When you add or remove rules from a network ACL, the changes are automatically applied to the subnets
● Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and
outbound IPv4 traffic.
● You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL
denies all inbound and outbound traffic until you add rules.
● Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet
with a network ACL, the subnet is automatically associated with the default network ACL.
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

11. Flow Logs
● VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from
network interfaces in your VPC
● Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and
retrieve its data in Amazon CloudWatch Logs.
● Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not
reaching an instance, which in turn can help you diagnose overly restrictive security group rules. You can also
use flow logs as a security tool to monitor the traffic that is reaching your instance.
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

12. Mitigating DDOS
● Have provisions to scale as traffic surges. Helps both business run and during DDOS attack.
○ ELB, Autoscaling.
● Minimize the attack surface area - Have decoupled infrastructure.
○ Avoid running multiple services in a single server. Application and DB server in different instance
● Know what is normal and Abnormal
○ Define key metrics to understand the behaviour ( Cloudwatch ). Huge traffic at 2am is something
unusual.
● Create a plan for Attacks
○ Check IP, Geolocation, Nature of the attack, Can SG or Network ACLs help in this case.

13. VPC Peering
● A VPC peering connection is a networking connection between two VPCs that enables you to route traffic
between them using private IPv4 addresses or IPv6 addresses.
● Instances in either VPC can communicate with each other as if they are within the same network. You can
create a VPC peering connection between your own VPCs, or with a VPC in another AWS account
● No transitive peering
Source : https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html

14. VPC Cleanup
Deleting created Subnets, SG, NACLs, IGW, Route Tables, NIC and VPC Peering
connections.

15. Resources
● https://aws.amazon.com/documentation/vpc/
● Udemy courses
○ Author - Zeal Vora
■ AWS Cloud practitioner
■ AWS-Certified-Security-Specialty

16. Tha