AWS — VPC Security Architecture Best Practices using AWS Network and Application Protection Services

The document outlines best practices for securing AWS Virtual Private Cloud (VPC) using various network and application protection services. Key components discussed include Security Groups, Network Access Control Lists (NACL), VPC Flow Logs, and AWS Firewall services, which collectively enhance the security posture of applications deployed in the cloud. The document emphasizes the importance of a layered security approach to minimize risks and protect critical resources.

AWS — VPC Security Architecture Best Practices using AWS Network and Application Protection Services
Ashish Patel
Published in Awesome Cloud
6 min read · Mar 25


Beginner’s Guide to Defense in Depth in AWS — Security Application in Amazon VPC in AWS.

Awesome Cloud — VPC Security Architecture Best Practices

TL;DR:
VPC is a critical component of the AWS cloud infrastructure, offering a scalable and
secure environment for deploying applications and services. AWS network and
application protection services give you fine-grained protections at the host-, network-,
and application-level boundaries, and provide equally flexible solutions that inspect
and filter traffic to prevent unauthorized resource access.

AWS Virtual Private Cloud (VPC)


VPC enables you to launch AWS resources such as EC2, RDS, ELB, etc. into a virtual
network that you’ve defined. This virtual network closely resembles a traditional
network that you’d operate in your own data center, with the benefits of using the
scalable infrastructure of AWS.

Security Groups
A security group controls the traffic that is allowed to reach and leave the resources that it
is associated with. Security groups act as virtual firewalls for individual instances, controlling
inbound and outbound traffic. Use security groups to control traffic to and from the EC2 and RDS
instances in your subnets.

Network Access Control List (NACL)


A network ACL allows or denies specific inbound or outbound traffic at the subnet level.
A NACL acts as a firewall for a subnet, controlling traffic flow in and out based on a set of
rules. Use NACLs as an additional layer of security for your VPC.

Use NACLs to define broad traffic rules that you want to apply to every instance within a
subnet, and then fine-tune the internet accessibility of specific instances by applying security
groups.
Difference between Security Groups and Network Access Control List (NACL)
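The practical difference between the two layers shows up in return traffic: a security group tracks connections, so a reply to an allowed request is let through automatically, while a NACL evaluates every packet on its own against numbered rules and needs an explicit outbound rule for the client's ephemeral port. The Python model below is an added teaching example, not the article's or AWS's code; it simplifies rules to a CIDR plus a TCP port range, and all addresses, flows and rule numbers are constructed.

```python
"""Stateful security group vs stateless network ACL on one HTTPS exchange.
Added teaching example, not AWS code: TCP only, simplified rule shapes, and
every address and flow below is constructed. A Packet's direction is "in"
(towards the protected instance) or "out" (away from it)."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
EPHEMERAL = (1024, 65535)  # client-side port range a reply must reach back to
Packet = namedtuple("Packet", "src dst sport dport direction")
def _hits(p, cidr, lo, hi):
    # A rule names the remote side's CIDR and the packet's destination port.
    remote = p.src if p.direction == "in" else p.dst
    return ip_address(remote) in ip_network(cidr) and lo <= p.dport <= hi
@dataclass
class SecurityGroup:
    """Allow-only rules; a reply to a tracked connection is always permitted."""
    inbound: list   # (cidr, port_lo, port_hi)
    outbound: list
    _flows: set = field(default_factory=set)

    def evaluate(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self._flows:  # reply to tracked flow
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        if any(_hits(p, *r) for r in rules):
            self._flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False
@dataclass
class NetworkAcl:
    """Numbered rules, lowest first, first match wins, implicit deny; no state."""
    inbound: list   # (rule_no, cidr, port_lo, port_hi, "allow" | "deny")
    outbound: list

    def evaluate(self, p):
        rules = self.inbound if p.direction == "in" else self.outbound
        for _, cidr, lo, hi, action in sorted(rules):
            if _hits(p, cidr, lo, hi):
                return action == "allow"
        return False  # the catch-all '*' deny rule
# Constructed flow: internet client -> web instance on 443, then the reply.
REQUEST = Packet("203.0.113.10", "10.0.1.5", 50000, 443, "in")
REPLY = Packet("10.0.1.5", "203.0.113.10", 443, 50000, "out")

def evaluate_exchange(fw):
    return fw.evaluate(REQUEST), fw.evaluate(REPLY)  # (request ok, reply ok)
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
NACL_NO_EPHEMERAL = NetworkAcl([(100, "0.0.0.0/0", 443, 443, "allow")], [])
NACL_FIXED = NetworkAcl([(100, "0.0.0.0/0", 443, 443, "allow")],
                        [(100, "0.0.0.0/0", *EPHEMERAL, "allow")])
```

`NACL_NO_EPHEMERAL` admits the request but drops the reply, which is the classic "HTTPS is allowed yet nothing loads" symptom; `NACL_FIXED` adds the outbound ephemeral-port rule that the security group never needed.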

VPC Flow Logs


VPC Flow Logs is a feature that enables you to capture information about the IP traffic
going to and from network interfaces in your VPC. Use Flow Logs to monitor the IP
traffic going to and from a VPC, subnet, or network interface. Flow log data can be
published to CloudWatch Logs or S3.

Flow log data is collected outside of the path of your network traffic, and therefore
does not affect network throughput or latency.

Flow logs can help you with:

Verifying the success or failure of a data flow.

Verifying the protocols and ports used to send the data.

Diagnosing overly restrictive security group rules.

Monitoring the traffic that is reaching your instance.

Determining the direction of the traffic to and from the network interfaces.

VPC Flow Logs Overview
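Diagnosing restrictive rules from flow logs comes down to reading the REJECT records. The Python below is an added example, not the article's or AWS's code: it parses records in the documented default (version 2) field order, skips NODATA/SKIPDATA rows whose traffic fields are "-", and groups rejected flows by interface, protocol and destination port. The sample records, account id and interface id are constructed.

```python
"""Parse VPC Flow Log records (default format) and summarise rejected flows
per interface and destination port. Added example, not AWS code; the log
lines at the bottom are constructed with documentation-range addresses."""
from collections import Counter, defaultdict
from typing import NamedTuple
# Default (version 2) field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {6: "tcp", 17: "udp", 1: "icmp"}

class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    dstport: int
    protocol: str
    nbytes: int
    action: str
def parse_record(line):
    """FlowRecord for an OK record; None for NODATA/SKIPDATA records, whose
    traffic fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    proto = int(rec["protocol"])
    return FlowRecord(rec["interface_id"], rec["srcaddr"], int(rec["dstport"]),
                      PROTO.get(proto, str(proto)), int(rec["bytes"]), rec["action"])

def rejected_by_port(lines):
    """{(interface, protocol, dstport): (reject count, sorted source addresses)}.
    A steady count on a port the application needs points at an overly
    restrictive security group or NACL rule; many ports from one source is alertable."""
    counts, sources = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        if rec.action == "REJECT":
            key = (rec.interface_id, rec.protocol, rec.dstport)
            counts[key] += 1
            sources[key].add(rec.srcaddr)
    return {k: (n, sorted(sources[k])) for k, n in counts.items()}

# Constructed sample: HTTPS accepted, SSH and MySQL rejected, one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.5 50000 443 6 12 4321 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.5 50001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.5 41000 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.20 10.0.1.5 39000 3306 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
```

Real logs arrive from CloudWatch Logs or S3 in the same line shape, so `rejected_by_port` can be pointed at a downloaded batch unchanged; a custom flow log format changes the field order and would need `FIELDS` adjusted to match.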

Network Access Analyzer


Network Access Analyzer is a feature that identifies unintended network access to your
resources in AWS VPC. Use Network Access Analyzer to specify your network access
requirements and to identify potential network paths that do not meet your specified
requirements.

Network Access Analyzer can help you with:

Understand, verify, and improve your network security posture

Demonstrate compliance

Network segmentation

Internet accessibility

Trusted network paths

Trusted network access


Traffic Mirroring
Traffic Mirroring is a VPC feature that you can use to copy network traffic from an
elastic network interface of type interface. Use Traffic Mirroring to copy network
traffic from an elastic network interface of an EC2 instance, then send the traffic to
out-of-band security and monitoring appliances for:

Content inspection
Threat monitoring

Troubleshooting

The security and monitoring appliances can be deployed as individual instances or as a
fleet of instances behind either a Network Load Balancer with a UDP listener or a
Gateway Load Balancer with a UDP listener.

Traffic Mirroring supports filters and packet truncation, so that you only extract the
traffic of interest to monitor by using monitoring tools of your choice.

AWS PrivateLink
AWS PrivateLink establishes private connectivity between VPC and supported AWS
services, services hosted by other AWS accounts, and supported AWS Marketplace
services. You do not need to use an internet gateway, NAT device, Direct Connect
connection, or AWS Site-to-Site VPN connection to communicate with the service.

To use AWS PrivateLink, create a VPC endpoint in your VPC, specifying the name of
the service and a subnet. This creates an elastic network interface in the subnet that
serves as an entry point for traffic destined to the service.

You can create your own VPC endpoint service, powered by AWS PrivateLink and
enable other AWS customers to access your service.

VPC Endpoints Overview

AWS Network Firewall


AWS Network Firewall is a stateful, managed network firewall and intrusion detection
and prevention service for your VPC. You can filter network traffic at the perimeter of
your VPC using Network Firewall. Use Network Firewall to protect the subnets in your
VPC from common network threats.

At the network level, Network Firewall allows you to tightly control traffic to, from,
and between your VPCs with capabilities such as stateful inspection, intrusion
prevention, and web filtering.

Network Firewall can help you monitor and protect your VPC traffic in a number of
ways, including the following:

Perform deep packet inspection on traffic entering or leaving your VPC (including
traffic through an internet gateway or NAT gateway, or over VPN or AWS Direct Connect).

Use custom lists of known bad domains to limit the types of domain names that
your applications can access.

Use stateful protocol detection to filter protocols like HTTPS, independent of the
port used.

Pass traffic through only from known AWS service domains or IP address
endpoints, such as Amazon S3.

AWS Firewall Manager


AWS Firewall Manager is a security management service that allows you to centrally
configure and manage firewall rules across your accounts and applications in AWS
Organizations.

Network Firewall is supported by AWS Firewall Manager. Use Firewall Manager to
centrally configure and manage your firewalls across your accounts and applications
in AWS Organizations. You can manage firewalls for multiple accounts using a single
account in Firewall Manager. AWS Firewall Manager also supports DNS Firewall.

AWS Web Application Firewall (WAF)


AWS WAF is a managed web application firewall service that helps you protect your
web applications at the application layer from common web exploits that could affect
application availability, compromise security, and/or consume excessive resources.

Use WAF to filter any part of the web request, such as IP addresses, HTTP headers,
HTTP body, or URI strings to block common attack patterns, such as SQL injection or
cross-site scripting.

WAF (Web Application Firewall) Overview

AWS Shield
AWS Shield is a managed DDoS protection service that safeguards applications running
on AWS. It provides dynamic detection and automatic inline mitigations that minimize
application downtime and latency.

Use AWS Shield to protect applications and APIs from SYN floods, UDP floods, or other
reflection attacks. It helps you maximize application availability and responsiveness.

There are two tiers of AWS Shield: Standard and Advanced. AWS Shield Advanced is a
tailored protection program that identifies threats using exabyte-scale detection to
aggregate data across AWS.

Amazon Route 53 Resolver DNS Firewall


Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from
your VPCs. The primary use of DNS Firewall protections is to help prevent DNS exfiltration
of your data.

With DNS Firewall, you can filter, regulate, and control outbound DNS traffic for your
VPCs. You can monitor and control the domains that your applications can query. You
can specify lists of domain names to allow or block, and you can customize the
responses for the DNS queries that you block. For example, you can deny access to the
domains that you know to be bad and allow all other queries to pass through. Alternatively,
you can deny access to all domains except for the ones that you explicitly trust.

Summary
Amazon VPC is a powerful service that provides a secure and scalable environment for
deploying applications in the cloud. You can minimize the risk of security breaches
and protect your critical resources using VPC security features and other security
services.

Happy Clouding!!!
