Tutorial / Cram Notes
AWS network architecture is a critical component of cloud infrastructure, ensuring that applications and services are secure, scalable, and compliant with regulatory requirements. In this context, an exemplary AWS network architecture to meet stringent security and compliance needs might encompass a layered approach, including strategies like setting up an untrusted network, perimeter VPC (Virtual Private Cloud), and a three-tier architecture. Below we discuss how to implement each of these elements within an AWS environment.
Untrusted Network Design
An ‘untrusted’ or ‘public’ network refers to the parts of your architecture exposed directly to the internet. It is considered untrusted because you must assume that all traffic in this network is potentially malicious. To protect your AWS assets, you typically set up security groups, network ACLs (Access Control Lists), and other AWS services such as AWS WAF (Web Application Firewall).
Example: Security Groups for an EC2 Instance
Assuming that an EC2 instance is running a public web application, you would configure a security group that allows HTTP (port 80) and HTTPS (port 443) traffic from anywhere (0.0.0.0/0), but restricts all other inbound traffic.
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
Perimeter VPC – The DMZ of AWS
Creating a perimeter VPC, often compared to a DMZ (Demilitarized Zone) in traditional networking, provides a controlled buffer zone between the public internet and your AWS environment. By deploying your public-facing assets in a perimeter VPC, you add an additional layer of security.
The perimeter VPC would host services such as NAT Gateways, public-facing load balancers, and perimeter security appliances such as firewalls or IDS/IPS solutions.
Three-Tier Architecture
A three-tier architecture separates responsibilities across three distinct layers or tiers: the web layer, the application layer, and the data layer. This separation enhances security and scalability.
Web Layer
The web layer typically resides within the perimeter VPC and is designed to serve static content and manage traffic. Amazon EC2 instances or Amazon ECS containers running Nginx or Apache servers can be used in this layer.
Application Layer
The application layer hosts business logic. It is typically placed in an internal VPC, isolated from the public internet. It processes requests from the web tier and performs operations before querying the database (data tier). AWS services such as ELB (Elastic Load Balancing) can be used to manage traffic between the web and application layers.
Data Layer
The data tier includes the databases and storage services. AWS RDS (Relational Database Service) and DynamoDB are commonly used database services. This tier is again placed in an isolated subnet, with strict access rules allowing only the application tier to interact with it.
Example: Security Group for Application Layer
Assuming the application layer is running on EC2 instances, the security group would only allow communication from the web layer:
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| Custom TCP | TCP | 8080 | sg-xxxxxxxx (Web SG) | Allow from Web Tier |
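The two security-group tables above (the untrusted-network web SG and the app-tier SG that references it) as a small offline model, added here as an example and not part of the original notes: `allowed()` decides whether a flow is admitted by a stateful SG whose source is either a CIDR or another SG, and `audit_public_sg()` flags any internet-facing rule broader than HTTP/HTTPS. The SG names, the 8080 app port and the 5432 database port are assumed sample values.

```python
import ipaddress

INTERNET = ipaddress.ip_network("0.0.0.0/0")

# Inbound rules only: security groups are stateful, so return traffic is implied.
# Each rule is (protocol, from_port, to_port, source); source is a CIDR or an SG name.
SECURITY_GROUPS = {
    "web-sg": [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
    "app-sg": [("tcp", 8080, 8080, "web-sg")],   # only the web tier may reach the app tier
    "db-sg": [("tcp", 5432, 5432, "app-sg")],    # only the app tier may reach the database
}


def _source_matches(source, src_sg, src_ip):
    """An SG-referencing source matches by group membership, a CIDR source by address."""
    if source in SECURITY_GROUPS:
        return source == src_sg
    return src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def allowed(dst_sg, port, protocol="tcp", src_sg=None, src_ip=None):
    """True if any inbound rule on dst_sg admits the flow from src_sg (or from src_ip)."""
    for proto, lo, hi, source in SECURITY_GROUPS.get(dst_sg, []):
        if proto == protocol and lo <= port <= hi and _source_matches(source, src_sg, src_ip):
            return True
    return False


def audit_public_sg(rules, permitted_ports=(80, 443)):
    """Return rules that expose anything other than the permitted ports to 0.0.0.0/0."""
    findings = []
    for proto, lo, hi, source in rules:
        if source in SECURITY_GROUPS:          # SG-to-SG references are not internet exposure
            continue
        exposed_to_internet = ipaddress.ip_network(source) == INTERNET
        too_broad = any(p not in permitted_ports for p in range(lo, hi + 1))
        if exposed_to_internet and too_broad:
            findings.append((proto, lo, hi, source))
    return findings


if __name__ == "__main__":
    print("internet -> web:443 ", allowed("web-sg", 443, src_ip="203.0.113.7"))
    print("internet -> app:8080", allowed("app-sg", 8080, src_ip="203.0.113.7"))
    print("web -> app:8080     ", allowed("app-sg", 8080, src_sg="web-sg"))
    print("web -> db:5432      ", allowed("db-sg", 5432, src_sg="web-sg"))
    print("audit web-sg + ssh  ", audit_public_sg(SECURITY_GROUPS["web-sg"] + [("tcp", 22, 22, "0.0.0.0/0")]))
```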
VPC Peering and Network ACLs
For communication between VPCs, VPC Peering allows routing of traffic using private IP addresses. Network ACLs are then utilized to control the flow of traffic between different subnets within a VPC, providing an additional layer of security.
Compliance Standards
While designing your network architecture, it’s important to adhere to compliance standards like HIPAA for healthcare, PCI DSS for payment processing, or GDPR for data protection in the EU. AWS provides services and features that can help ensure compliance, including:
- AWS Artifact for access to compliance reports.
- Amazon Macie to help discover and protect sensitive data.
- AWS Shield for DDoS protection.
- AWS Key Management Service (KMS) for encryption management.
Conclusion
The AWS network architecture that combines an untrusted network, perimeter VPC, and a three-tier architecture creates a robust and secure environment capable of meeting demanding security and compliance requirements. By strategically segregating services, employing AWS’s network security services, and aligning with compliance standards, you lay down a strong foundation for a secure and resilient cloud infrastructure.
Practice Test with Explanation
True/False: It is recommended to place instances that do not require internet access in public subnets.
- False
Instances that do not require internet access should be placed in private subnets to enhance security.
True/False: Network Access Control Lists (NACLs) are stateful, just like security groups.
- False
NACLs are stateless, meaning they do not keep track of ongoing traffic flow. Each packet is evaluated independently.
In a three-tier architecture on AWS, which services can be used to isolate a database layer? (Select TWO)
- A. AWS WAF
- B. Security Groups
- C. Network ACLs
- D. AWS Direct Connect
Correct Answer: B, C
Security Groups and NACLs can be used to define fine-grained access controls at the instance level and the subnet level, respectively, to isolate a database layer.
True/False: A perimeter VPC (also known as a DMZ) should have direct connectivity to an organization’s on-premises data center.
- False
A perimeter VPC acts as a buffer zone between untrusted networks and the core network. Direct connectivity could expose the core network to vulnerabilities.
Which of the following is NOT a benefit of using a three-tier architecture in AWS?
- A. Improved Scalability
- B. Increased Attack Surface
- C. Layered Security
- D. Better Fault Isolation
Correct Answer: B
A three-tier architecture does not increase the attack surface; rather, it aims to reduce it by separating and controlling access between layers.
True/False: When implementing a VPC in AWS, it is a good security practice to have only one subnet associated with an internet gateway.
- False
It’s a common security practice to have a dedicated public subnet for instances that require direct internet access, but multiple subnets can be associated with an internet gateway as needed.
The AWS service that allows you to establish a dedicated network connection from your premises to AWS is:
- A. AWS Transit Gateway
- B. AWS VPN
- C. AWS Direct Connect
- D. Amazon Route 53
Correct Answer: C
AWS Direct Connect provides a dedicated network connection from on-premises to AWS, which can be beneficial for security and compliance.
True/False: AWS Shield provides DDoS protection and is automatically enabled to protect all resources in your AWS account.
- True
AWS Shield provides basic DDoS protection for all AWS customers at no additional cost and is automatically activated to protect AWS resources.
When designing a network architecture for security and compliance, what is the main purpose of a dedicated management VPC?
- A. To optimize costs
- B. To manage application traffic
- C. To centralize administrative tasks
- D. To enhance the performance of the network
Correct Answer: C
A dedicated management VPC is used to centralize administrative tasks like logging and monitoring, thereby segregating them from application traffic for increased security.
True/False: AWS Network Firewall can be used to filter traffic at both the perimeter and subnet levels within an AWS network.
- True
AWS Network Firewall is a managed service that provides network protections at the VPC level and can be deployed at the perimeter and subnet levels to filter traffic based on rules.
Multiple select: Which features support enhancing security and compliance in an AWS network architecture? (Select TWO)
- A. Internet Gateway
- B. VPC Peering
- C. Customer Managed Policies
- D. AWS PrivateLink
Correct Answer: C, D
Customer Managed Policies enable fine-grained access control for AWS services, and AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications.
In a VPC, what is the function of a subnet?
- A. To direct internet traffic to the internet gateway
- B. To provide a layer of security for EC2 instances
- C. To partition the VPC network into smaller, manageable sections
- D. To connect VPCs with on-premises networks
Correct Answer: C
A subnet is used to partition the VPC network into smaller, manageable sections, which can be public or private, depending on whether they are associated with an internet gateway.
Interview Questions
Can you describe what a perimeter VPC is and its role in securing an AWS environment?
A perimeter VPC, also known as a DMZ, serves as an additional layer of security in a network architecture. It is used to host public-facing services, while the backend systems remain in a separate, private VPC. This setup minimizes the potential attack surface by ensuring that only the necessary resources are exposed to the untrusted network, thus complying with the principle of least privilege.
How would you go about designing a three-tier architecture on AWS to meet compliance requirements?
A three-tier architecture typically comprises a web tier, application tier, and data tier. On AWS, this can be implemented using VPCs with subnetting and security groups to isolate each tier. The web tier would include public subnets with Elastic Load Balancers (ELBs) and web servers. The application tier would reside in private subnets with application servers and might also use ELBs. The data tier, also in private subnets, would contain database servers with restricted access. NACLs and security groups would be set up to strictly control traffic flow according to compliance requirements.
When setting up a VPC for a secure three-tier architecture, how do you ensure traffic is properly segregated between the tiers?
To ensure proper segregation, each tier should be placed in separate subnets, with Network Access Control Lists (NACLs) and security groups configured to control traffic flow. Security groups act as a virtual firewall at the instance level, while NACLs provide a layer of security at the subnet level. Both should be configured to only allow necessary traffic between tiers, based on the principle of least privilege.
How would you implement a network intrusion detection system (IDS) on AWS?
On AWS, an intrusion detection system can be implemented using AWS Network Firewall for real-time traffic filtering, monitoring, and protection against malicious activity. Alternatively, services like Amazon GuardDuty or third-party IDS solutions from the AWS Marketplace can be integrated to monitor and analyze network traffic for suspicious activities and potential threats.
What steps would you take to ensure secure connectivity between on-premises infrastructure and AWS resources?
Secure connectivity can be ensured by establishing a VPN connection or AWS Direct Connect between on-premises infrastructure and AWS resources. These connections should be encrypted and configured with appropriate routing and failover mechanisms. Additionally, implementing strong access controls and monitoring with Network Flow Logs or VPC Flow Logs can help maintain security and compliance.
Can you explain the use of NACLs and security groups in VPCs, and how they contribute to compliance and security?
NACLs (Network Access Control Lists) are stateless access control lists that operate at the subnet level. They provide a rule-based tool for controlling inbound and outbound traffic. Security groups are stateful and operate at the instance level, allowing control over inbound and outbound traffic to an EC2 instance. Together, these mechanisms help enforce network isolation and fine-grained access control, critical for compliance and reducing the risk of unauthorized access.
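The stateless-versus-stateful distinction above (and in the NACL practice question earlier) is easiest to see by evaluating packets against ordered NACL rules. This is an added example, not part of the original notes: rule numbers, CIDRs and the ephemeral port range are assumed sample values, and the model applies the first matching rule in ascending number order with an implicit final deny.

```python
import ipaddress

EPHEMERAL = (1024, 65535)   # assumed client ephemeral range for reply traffic

# Each NACL rule: (number, protocol, port_lo, port_hi, cidr, action).
# Inbound rules match on the packet's destination port and source address;
# outbound rules match on the packet's destination port and destination address.


def nacl_decision(rules, protocol, port, peer_ip):
    """Decide one packet in one direction: lowest-numbered match wins, else deny."""
    for _num, proto, lo, hi, cidr, action in sorted(rules):
        if proto in (protocol, "all") and lo <= port <= hi and \
                ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr):
            return action
    return "deny"


def https_session_survives(inbound, outbound, client_ip, client_port=51234):
    """A client's HTTPS request succeeds only if the request passes the inbound NACL
    AND the reply (sent back to the client's ephemeral port) passes the outbound NACL.
    A stateful security group would admit the reply automatically; a NACL will not."""
    request_ok = nacl_decision(inbound, "tcp", 443, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


# Inbound side of a web-tier subnet NACL: HTTPS from anywhere.
INBOUND = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Common mistake: mirroring the inbound rule outbound. Replies go TO an ephemeral port,
# not to 443, so this rule never matches and every session breaks.
OUTBOUND_INCOMPLETE = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected outbound side: permit replies to the client's ephemeral port range.
OUTBOUND_FIXED = [(100, "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow")]
# Rule ordering: a lower-numbered deny for one CIDR overrides the later allow.
INBOUND_WITH_BLOCK = [(50, "tcp", 0, 65535, "192.0.2.0/24", "deny")] + INBOUND

if __name__ == "__main__":
    print("mirrored outbound rule:", https_session_survives(INBOUND, OUTBOUND_INCOMPLETE, "198.51.100.9"))
    print("ephemeral outbound rule:", https_session_survives(INBOUND, OUTBOUND_FIXED, "198.51.100.9"))
    print("blocked CIDR:", nacl_decision(INBOUND_WITH_BLOCK, "tcp", 443, "192.0.2.5"))
```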
How does AWS PrivateLink enhance the security of a VPC architecture?
AWS PrivateLink allows the exposure of services across different accounts and VPCs without requiring traffic to traverse the public internet. It reduces the risk of exposure to threats by ensuring that services are only accessible within the AWS network, thus enhancing privacy and security by keeping all network traffic internal to AWS.
For compliance purposes, how do you log and monitor network traffic within your AWS VPC environment?
To log and monitor network traffic for compliance purposes, you can utilize VPC Flow Logs. This feature records all network traffic in and out of your VPC, including the source, destination, and protocol used. These logs can then be published to Amazon CloudWatch Logs or Amazon S3 for analysis and retention. Additionally, integrating AWS CloudTrail and Amazon GuardDuty can offer deeper insights and real-time threat detection.
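A detection pass over VPC Flow Log records in the default space-separated format, added here as an example and not part of the original notes: it parses the records and flags accepted connections that reach the data tier's database port from anywhere other than the application tier, which is exactly the traffic the three-tier rules above are meant to forbid. The subnet CIDRs, account id, interface id and the sample records are constructed values.

```python
import ipaddress

# Field order of the default VPC Flow Log format (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse default-format records into dicts; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def data_tier_violations(records, data_tier_cidr, app_tier_cidr, db_port="5432"):
    """Accepted TCP flows (protocol 6) to the database port inside the data tier
    whose source lies outside the application tier. Returns (srcaddr, dstaddr) pairs."""
    data_tier = ipaddress.ip_network(data_tier_cidr)
    app_tier = ipaddress.ip_network(app_tier_cidr)
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != "6" or r["dstport"] != db_port:
            continue
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if dst in data_tier and src not in app_tier:
            hits.append((r["srcaddr"], r["dstaddr"]))
    return hits


# Constructed sample: web tier 10.0.1.0/24, app tier 10.0.2.0/24, data tier 10.0.3.0/24.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 44120 5432 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.3.20 50211 5432 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.3.20 50212 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    # Expect one finding: the web-tier host 10.0.1.7 reached the database directly.
    for src, dst in data_tier_violations(parse_flow_log(SAMPLE), "10.0.3.0/24", "10.0.2.0/24"):
        print(f"data-tier access outside app tier: {src} -> {dst}")
```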
Explain the concept of a “shared responsibility model” in relation to AWS network security and compliance.
In AWS’s shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports cloud services (the “security of the cloud”), while customers are responsible for securing their data within the cloud (the “security in the cloud”). This means that customers must implement and manage their own security measures, such as network configurations, access controls, and encryption, to meet compliance requirements.
What is AWS WAF, and how does it help in enhancing security in a VPC?
AWS WAF (Web Application Firewall) is a service that helps protect web applications by filtering and monitoring HTTP(S) traffic between the application and the internet. It allows the creation of custom rules to block common web exploit patterns and can be deployed on an Application Load Balancer (ALB), Amazon CloudFront, or Amazon API Gateway, thus enhancing the security within a VPC by protecting against attacks such as SQL injection and cross-site scripting.
Great blog post! The detailed discussion on implementing a perimeter VPC really helped.
Thanks for the insights on the three-tier architecture in AWS!
I have a question about the security group settings in a perimeter VPC. Could anyone clarify the best practices?
The examples given in the blog make it easier to understand the untrusted network concepts.
Can we integrate AWS Network Firewall with a three-tier architecture? Any thoughts?
I found the section on compliance requirements very useful. Thank you!
What are some of the common compliance certifications we need to consider for AWS network architecture?
Appreciate the detailed breakdown on IAM roles and policies in the context of AWS network security.