Network Security on AWS

VPC
▷ Virtual network
  ○ Subnets
  ○ Route tables
  ○ NACLs
▷ Network isolation
▷ Private address ranges
  ○ 10.0.0.0/8
  ○ 172.16.0.0/12
  ○ 192.168.0.0/16
▷ Peering
  ○ VPC to VPC
  ○ VPN
  ○ Direct Connect

Diagram: VPC 10.0.0.0/16 containing Subnet 1 (10.0.0.0/24) and Subnet 2 (10.0.1.0/24)

Routing & NACLs
▷ Routing: subnets are routed. Within a VPC, all subnets are routed, and you can’t change that!
▷ NACLs: NACLs are stateless. You have to open the high ports (1024-65535) for the return traffic.

Diagram: Typical (minimal) VPC 10.0.0.0/16
  ○ Public Subnet 1 10.0.0.0/24
  ○ Public Subnet 2 10.0.1.0/24
  ○ Private Subnet 1 10.0.2.0/24
  ○ Private Subnet 2 10.0.3.0/24

Security Groups & ENIs
▷ Security Group references (diagram): SSH Bastion Host → Load Balancer → Backend
▷ Security Groups are stateful: the response traffic is always allowed, both inbound and outbound.

VPC Flow Logs
▷ Records network traffic in ~5 minute chunks
▷ Not enabled by default
▷ Record schema:
  ○ version
  ○ account-id
  ○ interface-id
  ○ srcaddr
  ○ dstaddr
  ○ srcport
  ○ dstport
  ○ protocol (IANA protocol number, 6 := TCP)
  ○ packets
  ○ bytes
  ○ start (Unix seconds)
  ○ end (Unix seconds)
  ○ action
  ○ status

Example (diagram)
  ○ VPC 10.0.0.0/16: Public Subnet A 10.0.0.0/20, Public Subnet B 10.0.32.0/20, Private Subnet A 10.0.16.0/20, Private Subnet B 10.0.48.0/20
  ○ VPC 10.100.0.0/16: Public Subnet A 10.100.0.0/20, Private Subnet A 10.100.16.0/20

https://github.com/widdix/learn-network-security

Thanks!
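The two slides on NACLs ("stateless, open the high ports") and security groups ("stateful, the response is always allowed") are easiest to see side by side. The following Python model is an added example, not code from the deck or from the linked repository: it evaluates a constructed TCP exchange (client 10.0.0.10 in a public subnet to a backend 10.0.2.20 on port 443, and the reply) against a stateless NACL rule list and against a stateful security group. The packet, rule and security-group classes are assumptions made for the illustration; the security group is modelled with no outbound rules at all so that only its connection tracking lets the reply out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    protocol: int = 6  # IANA protocol number, 6 := TCP


@dataclass(frozen=True)
class NaclRule:
    number: int      # NACL rules are evaluated in ascending order, first match wins
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination-port range of the packet travelling in that direction
    port_to: int
    allow: bool
    protocol: int = 6


def nacl_allows(rules, pkt, direction):
    """Stateless evaluation: the packet in this direction must match a rule on its own."""
    remote = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != pkt.protocol:
            continue
        if ip_address(remote) not in ip_network(rule.cidr):
            continue
        if rule.port_from <= pkt.dport <= rule.port_to:
            return rule.allow
    return False  # the implicit deny at the end of every NACL


@dataclass
class SecurityGroup:
    """Stateful: an accepted inbound flow is remembered, so its reply passes outbound."""
    inbound: list                              # tuples (cidr, port_from, port_to, protocol)
    tracked: set = field(default_factory=set)  # the connection-tracking table

    def inbound_allows(self, pkt):
        for cidr, port_from, port_to, protocol in self.inbound:
            if (protocol == pkt.protocol
                    and ip_address(pkt.src) in ip_network(cidr)
                    and port_from <= pkt.dport <= port_to):
                self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False

    def outbound_allows(self, pkt):
        # Assumption for this model: no outbound rules are configured, so the only
        # way out is being the reply to a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked


# Constructed exchange: client in the public subnet talks to a backend on 443.
REQUEST = Packet(src="10.0.0.10", dst="10.0.2.20", sport=51515, dport=443)
REPLY = Packet(src="10.0.2.20", dst="10.0.0.10", sport=443, dport=51515)

NACL_INBOUND = [NaclRule(100, "10.0.0.0/16", 443, 443, True)]
# Common mistake: the outbound list mirrors the inbound one, so the reply
# (destination port 51515) matches nothing and hits the implicit deny.
NACL_OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "10.0.0.0/16", 443, 443, True)]
# Fix from the slide: open the high ports so replies of the stateless NACL get out.
NACL_OUTBOUND_WITH_EPHEMERAL = NACL_OUTBOUND_NO_EPHEMERAL + [
    NaclRule(110, "10.0.0.0/16", 1024, 65535, True)
]


def simulate(nacl_outbound):
    """Run request and reply through both mechanisms and report each verdict."""
    sg = SecurityGroup(inbound=[("10.0.0.0/16", 443, 443, 6)])
    return {
        "nacl_request": nacl_allows(NACL_INBOUND, REQUEST, "inbound"),
        "nacl_reply": nacl_allows(nacl_outbound, REPLY, "outbound"),
        "sg_request": sg.inbound_allows(REQUEST),
        "sg_reply": sg.outbound_allows(REPLY),
    }


if __name__ == "__main__":
    print("NACL without ephemeral rule:", simulate(NACL_OUTBOUND_NO_EPHEMERAL))
    print("NACL with ephemeral rule:   ", simulate(NACL_OUTBOUND_WITH_EPHEMERAL))
```

With the mirrored outbound list the request is accepted but the reply is dropped by the NACL, while the security group lets the same reply through with no outbound rule at all; adding the 1024-65535 rule makes the NACL verdict match.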
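The flow-log slide lists the record fields but not what to do with them. The parser below is an added example (not from the deck or the linked repository) for that default space-separated record format, with a small triage summary over constructed sample lines: one accepted HTTPS exchange, two rejected SSH attempts from an outside address, and one NODATA window in which every traffic field is "-". The account id, interface id, addresses and timestamps are all made up for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Field order of the record format shown on the slide.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int               # Unix seconds, start of the aggregation window
    end: int                 # Unix seconds, end of the aggregation window
    action: Optional[str]    # ACCEPT or REJECT; None when the record carried no traffic
    log_status: str          # OK, NODATA or SKIPDATA

    @property
    def protocol_name(self):
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))

    @property
    def window_seconds(self):
        return self.end - self.start


def _opt_int(value):
    return None if value == "-" else int(value)


def _opt_str(value):
    return None if value == "-" else value


def parse_record(line):
    """Parse one record; a "-" in a traffic field (NODATA/SKIPDATA windows) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    return FlowRecord(
        version=int(raw["version"]),
        account_id=raw["account_id"],
        interface_id=raw["interface_id"],
        srcaddr=_opt_str(raw["srcaddr"]),
        dstaddr=_opt_str(raw["dstaddr"]),
        srcport=_opt_int(raw["srcport"]),
        dstport=_opt_int(raw["dstport"]),
        protocol=_opt_int(raw["protocol"]),
        packets=_opt_int(raw["packets"]),
        bytes=_opt_int(raw["bytes"]),
        start=int(raw["start"]),
        end=int(raw["end"]),
        action=_opt_str(raw["action"]),
        log_status=raw["log_status"],
    )


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Triage view: empty windows, what was rejected and from where, accepted volume."""
    rejected = [r for r in records if r.action == "REJECT"]
    return {
        "records": len(records),
        "nodata": sum(1 for r in records if r.log_status == "NODATA"),
        "rejected_by_dstport": dict(Counter(r.dstport for r in rejected)),
        "rejected_sources": sorted({r.srcaddr for r in rejected}),
        "accepted_bytes": sum(r.bytes for r in records if r.action == "ACCEPT"),
    }


# Constructed sample lines (not a real capture): HTTPS exchange, two rejected SSH
# attempts from 198.51.100.7, and one window with no traffic at all.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.10 10.0.2.20 51515 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.20 10.0.0.10 443 51515 6 18 6900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.10 40022 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.10 40023 22 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
"""

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Because flow logs are off by default, a summary like this is only possible for interfaces where logging was switched on beforehand; the NODATA handling matters because those windows are still emitted and would otherwise break a naive `int()` conversion.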