Control ports, protocols, and network traffic on AWS

Summary of AWS networking features and services.

Networking plays a crucial role in the AWS ecosystem, especially for security. The foundation of AWS networking is the Virtual Private Cloud (VPC), which serves as a private container for services and workloads. It keeps them isolated from the public internet unless connected to an Internet or NAT gateway. Moreover, virtually all other networking components in AWS live inside a VPC and require one.

Amazon Virtual Private Cloud (VPC)

This AWS service creates a virtual network in the cloud, similar to traditional networks in data centers. It offers complete control over IP address ranges, subnets, route tables, and network gateways, ensuring secure and scalable hosting with options for isolation and on-premises network connection.

Essentially, VPC provides a customizable and isolated environment within the AWS infrastructure.

An AWS account always comes with one default VPC, but you can create many VPCs and even connect them with VPC peering, AWS Transit Gateway, AWS Direct Connect or VPN connections.

Subnets

A VPC subnet in AWS is a segmented block of IP addresses within a Virtual Private Cloud (VPC), used to allocate network space and organize resources like EC2 instances, AWS Lambda, RDS and others. Subnets can be either public (with internet access) or private (without direct internet access).

They are associated with specific Availability Zones for resilience and are governed by rules set in route tables, network access control lists (NACLs), and security groups (SG) to control inbound and outbound traffic, ensuring security and efficient network management.

Route tables

Route tables in AWS are sets of rules, known as routes, that determine how network traffic is directed within a Virtual Private Cloud (VPC). Each subnet in a VPC is associated with a route table, which guides the flow of traffic from the subnet to other subnets, the internet, or other destinations.

These tables enable precise control over the routing of network traffic, ensuring that it reaches its intended destination efficiently and securely within the AWS environment.
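
As an added illustration (not part of the original article), the following Python models the longest-prefix lookup a VPC route table performs and shows how the target of the default route decides whether a subnet is public, private behind NAT, or isolated. The route tables and gateway identifiers are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample route tables (not real AWS data). Each entry is
# (destination CIDR, target). Every VPC route table carries a "local" route
# for the VPC CIDR; the target ids below are placeholders.
VPC_CIDR = "10.0.0.0/16"

PUBLIC_RT: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),      # default route to an internet gateway
]
PRIVATE_RT: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),      # default route to a NAT gateway
    ("172.16.0.0/12", "pcx-PLACEHOLDER"),  # peered VPC, more specific than 0.0.0.0/0
]
ISOLATED_RT: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),                   # no default route at all
]


def resolve_route(route_table: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific (longest-prefix) route that
    contains dst_ip, or None when nothing matches and the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def subnet_exposure(route_table: List[Tuple[str, str]]) -> str:
    """Classify a subnet by where its route table sends internet-bound traffic:
    an internet gateway makes it public, a NAT gateway gives outbound-only
    access, and no default route leaves it isolated."""
    target = resolve_route(route_table, "203.0.113.10")  # any non-VPC address
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (outbound via NAT)"
    return "other"
```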

Network access control lists (NACLs)

Network Access Control Lists (NACLs) in AWS are an additional layer of security for your Virtual Private Cloud (VPC) that act as a firewall for controlling traffic in and out of one or more subnets.

They are stateless, meaning rules for allowing traffic are applied separately for the inbound and outbound directions. NACLs can be configured with rules to allow or deny traffic based on IP protocol, source IP, destination IP, and ports, providing a mechanism to control the flow of traffic into and out of the subnets within a VPC.

Security Groups

Security Groups in AWS are virtual firewalls for many AWS services (like EC2, RDS, Lambda) in a Virtual Private Cloud (VPC), controlling inbound and outbound traffic at the instance level.

They are stateful, meaning if a request is allowed in, the response is automatically allowed out, regardless of outbound rules. Security Groups can be configured with rules specifying allowed protocols, ports, and source/destination IP addresses, ensuring that only the desired traffic can access or leave your instances, thus enhancing the security of your AWS environment.
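
An added example, not from the original article, that models the stateless versus stateful difference described in the NACL and Security Group sections: a NACL evaluates the request and the reply as separate rules (lowest rule number first, implicit deny), while a security group only needs the inbound rule to admit the request. The rule sets are constructed, and include the common mistake of omitting the ephemeral-port range from the outbound NACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str              # "tcp", "udp" or "all"
    ports: Tuple[int, int]     # inclusive destination port range ("all" modelled as 0-65535)
    cidr: str                  # remote address range
    action: str = "allow"      # NACLs may also "deny"; SG rules are allow-only
    number: int = 0            # NACL rule number (evaluation order); unused for SGs


def _matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    return (rule.protocol in ("all", protocol)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules: List[Rule], protocol: str, port: int, addr: str) -> bool:
    """Stateless: the lowest-numbered matching rule decides; anything not
    matched falls through to the implicit final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


def nacl_flow_allowed(inbound, outbound, protocol, dst_port, client_ip, client_port):
    """A NACL must permit both halves of a TCP exchange separately: the request
    inbound (to dst_port) and the reply outbound (to the client's port)."""
    return (nacl_allows(inbound, protocol, dst_port, client_ip)
            and nacl_allows(outbound, protocol, client_port, client_ip))


def sg_flow_allowed(inbound: List[Rule], protocol: str, dst_port: int, client_ip: str) -> bool:
    """Stateful: if any inbound rule admits the request, the reply is tracked
    and allowed out regardless of the outbound rules."""
    return any(_matches(r, protocol, dst_port, client_ip) for r in inbound)


# Constructed rule sets (not exported from a real account). Rule 90 denies one
# range before rule 100 allows HTTPS from anywhere; the "broken" outbound NACL
# forgot the ephemeral ports (1024-65535) that clients receive replies on.
NACL_IN = [Rule("tcp", (443, 443), "0.0.0.0/0", "allow", 100),
           Rule("all", (0, 65535), "198.51.100.0/24", "deny", 90)]
NACL_OUT_BROKEN = [Rule("tcp", (443, 443), "0.0.0.0/0", "allow", 100)]
NACL_OUT_FIXED = [Rule("tcp", (1024, 65535), "0.0.0.0/0", "allow", 100)]
SG_IN = [Rule("tcp", (443, 443), "0.0.0.0/0")]
```

With the broken outbound NACL the HTTPS request is admitted but its reply is dropped, which is why a NACL change often shows up as hung connections rather than refused ones.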

Internet Gateways

An Internet Gateway enables services within a subnet to access the internet. It also allows the implementation of NAT (Network Address Translation) for private subnets, and it lets EC2 instances within a VPC have public IP addresses.

NAT Gateways

NAT Gateways in AWS provide a method for instances in a private subnet of a Virtual Private Cloud (VPC) to securely access the internet for updates or downloads without exposing services in the private subnet to incoming internet traffic. They act as a network traffic proxy, allowing outbound internet communication and relaying the responses back to the services, but do not allow unsolicited inbound traffic.

NAT Gateways are managed services, meaning they are maintained and scaled by AWS, offering high availability and reliability for translating private IP addresses to a public IP address for internet access.

Egress-only internet gateways

Egress-only Internet Gateways in AWS are a type of gateway used specifically with IPv6 traffic in a Virtual Private Cloud (VPC). They allow instances in a VPC to initiate outbound IPv6 traffic to the internet, while preventing inbound traffic from the internet. This is particularly useful for private subnets, where instances need to access the internet for updates or data retrieval but do not require inbound internet connectivity.

Transit Gateways

AWS Transit Gateway serves as a network transit hub in AWS, allowing you to connect multiple Virtual Private Clouds (VPCs), AWS accounts, and on-premises networks.

It simplifies network management by providing a single gateway through which all inter-network traffic can be routed, reducing complexity and improving scalability.

Elastic IPs

Elastic IPs in AWS are static, public IPv4 addresses designed for dynamic cloud computing. They allow you to allocate an IP address and assign it to an instance or a network interface in a Virtual Private Cloud (VPC).

Elastic IPs are useful for managing the IP addressing of resources, providing a persistent public IP address for instances that may be stopped and restarted, or reassigning the address to other instances quickly. This is particularly beneficial for applications that require a static IP for things like DNS, email servers, or as a reliable way to reach services hosted on AWS.

Route 53

Route 53 is the AWS Domain Name System (DNS) service. It connects user requests to infrastructure running in AWS, such as EC2 instances, Elastic Load Balancing load balancers, or S3 buckets, and can also be used to route users to external infrastructure.

Route 53 offers domain name registration, DNS routing, and health checking services, making it a versatile solution for managing domain names and directing traffic to the appropriate endpoints, both inside and outside of AWS.

AWS Direct Connect

AWS Direct Connect is a cloud service from Amazon Web Services (AWS) that allows businesses to establish a dedicated network connection between their premises and AWS's data centers.

This service provides a more consistent network experience than internet-based connections, offering lower latency and higher bandwidth options. It's particularly useful for transferring large volumes of data, real-time data feeds, and critical business applications that require a stable, high-speed connection to the AWS cloud.

However, it can be quite expensive since it requires physically establishing a direct connection to AWS infrastructure.
