AWS Virtual Private Cloud (VPC) Notes

Purpose

Why/When do we need VPC?

  • Isolating networks

Characteristics

  • Limitted to one AWS Region
  • One default VPC comes with each AWS Region.
  • Span accross all Avalability Zones within the Region.
  • Default CIDR 172.31.0.0/16 (Range 172.31.0.0 - 172.31.255.255 - 65,536 IPs in this range)
  • Availability zone name (ex: us-east-1) does not represent physical location of the servers. Its a logical name per aws account.
  • AvailabilityZoneId (ex: use1-az1) associated with a physical location which is common for all AWS account. This is best to compare if we ever work with two different accounts/partners.

AWS VPC FAQ

  • Is there a way to generate diagram from existing infrastructure?
    • No out of the box solution from AWS.
  • How to look at the AS-IS network map?
    • Go to your VPC and explore the Resource map.
  • What resources are available within a given VPC?
    • Drill through the subnet which is might span across availability zones.
  • How do I debug challenging network issue?
    • Flow logs is available at VPC and Subnet level.

VPC Diagram

Useful AWS commands

aws ec2 describe-vpcs
aws ec2 describe-internet-gateways
aws ec2 describe-subnets

AWS VPC User Guide

VPC and Features

  • Logically isolated virtual network.
  • Limitted to one region
  • Gateways connects your VPC to another network.
  • VPC peering - routes traffic between two VPCs.
  • Transit gateways - central hub.

Route tables

  • One or more can be defined
  • used to direct the network traffic from your VPC
  • subnet implicitly associated with main route table

Designing VPC

  • IAM permissions
  • Define strategy to maintain IaC
  • Define policies to get the team informed about change in network.
  • Choose the size of your VPC - how many IP addresses you will need across your AWS accounts and VPCs.
  • IP Address Manager (IPAM) makes it easier to plan, track and monitor IP addresses of your application.

Internet traffic

  • To receive traffic from internet, VPC must have an internet gateway.
  • Subnet route table must have an entry to route to internet gateway.
  • AWs resournces (instances) have public IP address and associated security group that allow traffic from internet.

Aleternatively, use ELB with with public NAT gateway.

Monitoring

  • VPC flow logs helps to monitor, debug
  • VPC flow log can be stored/published into CloudWatch, S3 and Firehouse.
  • The cost depends on where it is published and how long we keep the log.

Why and Who

Because enabling VPC logs will incur cost, it is recommended to identify the need and proper process in place to ensure the logs are monitored or audited. It is important to let the stakeholders involved. Depends on the stakeholder commitment we should enable right level of logging.

Cyber Security - SOC - Security Operation Center needs

  • Security team often needs network logs to analyze the trafic, identify unusual activity, protect the infrastructure.
  • Many SIEM tools available that are designed to work with VPC flow logs.
  • Cyber Security team should request to enable the log based on the level of security needs.
  • May ask to keep the logs for long time - prefer cold storage after live analysis.

Network Engineer

  • Diagnose performance or network issues.
  • May ask on the need basis.
  • May not required to keep the log for long time.
  • Limit the log collection to specific service / subnet to make the work productive, cost effective.

Complaince and Certification

  • If your organization has compliance team, they may ask for recording the VPC logs based on the level.
  • If your organization seeking for any certification to meet customer demands, it may need VPC flow logs monitored.
  • Example: Payment Card Industry (PCI) Compliance woud require VPC flow logs to be enabled.

Auditor

  • It is good to start with auditor to engage commitment to audit the logs.
  • Both cyber and complaince team should have regular auditing process.

Common Understanding and Excuses for not enabling VPC flow logs

  • We use GuardDuty.
  • We use CloudTrail
  • We use WAF, Load Balancer and application log.
  • Log collections expensive.
  • We dont have people and tools to consume the logs to get value.
  • No auditors asked for details which is only found in VPC flow logs.
  • No business decision taken by understanding the value or risk.

Questions

  • How do we plan IP addressing when HA is a major concern?
  • 750 hours of Public IPv4 usage is free. How do we monitor its usage?
  • For production environment, are you deploying AWS resources evenly in more than one Avalability Zone?
  • For a development or test environment, Are you saving by using one Availability Zone?
  • How do you maintain network security settings in compliance with best practices and cyber sec team’s requirement all the time?
  • What is the Amazon VPC quotas?

Resources

  • https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html
  • https://mxtoolbox.com/subnetcalculator.aspx
  • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html
  • https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
  • https://docs.aws.amazon.com/vpc/latest/ipam/
  • https://www.netskope.com/blog/a-real-world-look-at-aws-best-practices-logging
  • https://www.devopsschool.com/blog/what-is-cloudtrail-and-use-cases-of-cloudtrail/