Secure Networks in the Cloud: Best Practices
Justin Bradley, Solutions Architect
30 June 2016
2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from the session
  What is Amazon VPC
  VPC Toolkit
  Building your VPC: public vs private, connectivity to your data center
  Protecting your VPC resources
  Moving beyond a single VPC
  Configuring logging and monitoring
AWS Global Infrastructure: 12 Regions, 33 Availability Zones, 54 Edge Locations (map of regions and edge locations)
What is Amazon VPC
What is Amazon VPC?
  A private, isolated section of the AWS cloud
  A virtual network topology you can deploy and customize
  You have complete control of your networking
  Proven and well-understood networking concepts
Most simply put, it is a virtual data center you can build out and control on AWS!
VPC Toolbox
VPC components: Amazon VPC, customer gateway, endpoints, flow logs, route table, Elastic IP, Internet gateway, router, NAT gateway, AWS Direct Connect, subnet, elastic network interface, VPN connection, VPN gateway, VPC peering
Building your VPC
VPCs span an entire region
  (diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B)
Subnets sit in a single Availability Zone
  (diagram: subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.2.0/24 in Availability Zone B, both inside VPC CIDR 10.1.0.0/16)
Plan your VPC IP space before creating it
  Consider future AWS region expansion
  Consider future connectivity to your internal networks
  Consider subnet design
  A VPC can be /16 down to /28
  The CIDR cannot be modified after creation
  Overlapping IP spaces = future headache
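An added example, not part of the deck: a small Python check of a planned VPC CIDR against the rules above. The inventory of address space already in use is constructed (the deck's 10.1.0.0/16 and the 192.168.0.0/16 data center range, plus a hypothetical second-region VPC), as is the function name.

```python
import ipaddress

# Constructed inventory: the deck's VPC A (10.1.0.0/16) and on-premises range
# (192.168.0.0/16), plus a hypothetical VPC in a second region.
IN_USE = {
    "vpc-a-region-1": "10.1.0.0/16",
    "on-prem-datacenter": "192.168.0.0/16",
    "vpc-a-region-2": "10.5.0.0/16",  # assumption for illustration
}

def check_vpc_cidr(candidate, in_use=IN_USE):
    """Return a list of problems with the candidate VPC CIDR (empty means OK)."""
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as err:
        return [f"invalid CIDR {candidate!r}: {err}"]
    if net.version != 4:
        return ["only IPv4 CIDRs are checked here"]
    problems = []
    # Size limit from the slide: /16 (largest) down to /28 (smallest)
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16-/28 range")
    # RFC 1918 space keeps the VPC from colliding with public addresses reached via the IGW
    if not net.is_private:
        problems.append(f"{net} is not private (RFC 1918) address space")
    # Any overlap with allocated space blocks future peering and VPN routing
    for name, cidr in in_use.items():
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"overlaps {name} ({other})")
    return problems

if __name__ == "__main__":
    for cand in ("10.2.0.0/16", "10.1.128.0/17", "10.0.0.0/8", "172.16.0.0/20", "10.1.1.1/24"):
        result = check_vpc_cidr(cand)
        print(f"{cand:16} {'OK' if not result else '; '.join(result)}")
```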
Add an Internet Gateway
  (diagram: VPC CIDR 10.1.0.0/16; web (public) subnets 10.1.1.0/24 in Availability Zone A and 10.1.2.0/24 in Availability Zone B, attached to an Internet gateway)
  Route table of the public subnets:
    Destination   Target
    10.1.0.0/16   Local
    0.0.0.0/0     Internet Gateway
Add private subnets
  (diagram: VPC CIDR 10.1.0.0/16; public web subnets 10.1.1.0/24 (Availability Zone A) and 10.1.2.0/24 (Availability Zone B); private database subnets 10.1.3.0/24 (Availability Zone A) and 10.1.4.0/24 (Availability Zone B))
  Route table of the web (public) subnets:
    Destination   Target
    10.1.0.0/16   Local
    0.0.0.0/0     Internet Gateway
  Route table of the database (private) subnets:
    Destination   Target
    10.1.0.0/16   Local
NAT Gateway
  (diagram: the same VPC 10.1.0.0/16, with a VPC NAT gateway (an ENI) placed in a public web subnet; the private database subnets reach the Internet through it)
  Route table of the web (public) subnets:
    Destination   Target
    10.1.0.0/16   Local
    0.0.0.0/0     Internet Gateway
  Route table of the database (private) subnets:
    Destination   Target
    10.1.0.0/16   Local
    0.0.0.0/0     NAT Gateway (ENI)
Connect to your data center
  (diagram: VPC 10.1.0.0/16 with its public and private subnets (10.1.1.0/24 to 10.1.4.0/24) across Availability Zones A and B, linked to the data center network 192.168.0.0/16 where an internal server lives; the link is either a VPN connection or AWS Direct Connect)
  Route table of the public subnets:
    Destination     Target
    10.1.0.0/16     Local
    0.0.0.0/0       IGW
  Route table of the private subnets:
    Destination     Target
    10.1.0.0/16     Local
    192.168.0.0/16  VPG
    0.0.0.0/0       NAT Gateway
Protecting your VPC resources
Protecting your VPC resources
  Network linking: VPN connection, AWS Direct Connect, VPC peering, endpoint
  Routing: route table, public / Elastic IP, Internet gateway, endpoints
  Auditing: flow logs, CloudTrail
  Security group ingress/egress rules (diagram: Fleet 1 SG, Fleet 2 SG, App 1 SG and App 2 SG inside subnets 10.1.1.0/24 and 10.1.2.0/24)
  Network Access Control Lists
Virtual Private Cloud security layers (diagram across Availability Zone A and Availability Zone B)
  Lock down at instance level: security groups
  Isolate network functions: subnets (10.0.0.0/24, 10.0.1.0/24)
  Lock down at network level: network ACLs
  Route restrictively: routing tables, virtual private gateway, Internet gateway
VPC Security Groups
  (diagram: VPC BuildABeer-VPC-1 with security group BuildABeer-SG-1 in front of the instance; the "HTTP GET Beer" request on TCP(6) port 80 matches an allow rule and gets through, while the "NTP Buffer Overrun" traffic on UDP(17) port 123 matches no rule and is dropped)
Network ACL
  (diagram: the same VPC BuildABeer-VPC-1 and security group BuildABeer-SG-1, now with a network ACL on the subnet; two "HTTP GET Beer" requests on TCP(6) port 80 arrive, and the one with srcip=216.246.16.228 is stopped by a NACL deny rule for that source before it reaches the security group)
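An added example, not from the deck, modelling how the security group and network ACL on these two slides treat the requests shown. The rule numbers, the NACL rule set and all names are constructed; the evaluation order mirrors the AWS behaviour the slides rely on (security groups are stateful allow-lists, NACLs are stateless and evaluated in rule-number order with first match winning), and a check flags a deny rule that a lower-numbered allow already shadows.

```python
import ipaddress

# Rule shape (constructed): (rule_number, protocol, (port_lo, port_hi), source_cidr, action)
# BuildABeer-SG-1: allow rules only, anything unmatched is dropped (stateful, no deny).
SG_INBOUND = [(None, "tcp", (80, 80), "0.0.0.0/0", "ALLOW")]

# Web subnet NACL: evaluated in rule-number order, first match wins, stateless.
NACL_OK = [
    (100, "all", (0, 65535), "216.246.16.228/32", "DENY"),  # abusive source from the slide
    (200, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (300, "udp", (123, 123), "0.0.0.0/0", "ALLOW"),        # NTP reaches the SG, which drops it
]
# Same rules with the deny renumbered to 250, i.e. evaluated after the port-80 allow.
NACL_BAD = [(250,) + NACL_OK[0][1:]] + NACL_OK[1:]

def _match(rule, proto, port, src):
    _, r_proto, (lo, hi), r_cidr, _ = rule
    return (r_proto in ("all", proto) and lo <= port <= hi
            and ipaddress.ip_address(src) in ipaddress.ip_network(r_cidr))

def nacl_decision(rules, proto, port, src):
    """Lowest-numbered matching rule wins; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if _match(rule, proto, port, src):
            return rule[4], rule[0]
    return "DENY", "*"

def sg_allows(rules, proto, port, src):
    """Security groups are an allow-list: any matching rule permits the packet."""
    return any(_match(r, proto, port, src) for r in rules)

def inbound_decision(nacl, sg, proto, port, src):
    """A packet hits the subnet NACL first, then the instance's security group."""
    action, rule_no = nacl_decision(nacl, proto, port, src)
    if action == "DENY":
        return f"blocked at NACL rule {rule_no}"
    return "allowed" if sg_allows(sg, proto, port, src) else "dropped by security group"

def _intersects(a, b):
    """True if some packet could match both rules (protocol, port and source)."""
    return ((a[1] == "all" or b[1] == "all" or a[1] == b[1])
            and a[2][0] <= b[2][1] and b[2][0] <= a[2][1]
            and ipaddress.ip_network(a[3]).overlaps(ipaddress.ip_network(b[3])))

def shadowed_denies(nacl):
    """(deny, allow) rule-number pairs where a lower-numbered allow admits traffic
    the deny was written to stop, so the deny never sees those packets."""
    ordered = sorted(nacl, key=lambda r: r[0])
    return [(d[0], a[0]) for i, d in enumerate(ordered) if d[4] == "DENY"
            for a in ordered[:i] if a[4] == "ALLOW" and _intersects(a, d)]
```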
Obfuscate - CloudFront
  (diagram: users resolve the site through Amazon Route 53 and reach CloudFront, which sits in front of VPC BuildABeer-VPC-1)
Hide n go seek
  ~>nslookup www.buildabeer.com
  Server:    10.43.23.72
  Address:   10.43.23.72#53
  Non-authoritative answer:
  www.buildabeer.us  canonical name = d3u9qbug2y23to.cloudfront.net.
  Name:    d3u9qbug2y23to.cloudfront.net
  Address: 52.84.20.173
  <snip>
  Name:    d3u9qbug2y23to.cloudfront.net
  Address: 52.84.20.85
Moving Beyond a Single VPC
Why have more than one?
  Application isolation
  Scope of audit containment (separate AWS Accounts)
  Risk level separation
  Separate production from non-production
  Multi-tenant isolation
  Business unit alignment
Growing your VPCs
  (diagram: VPC A (Web App), VPC A (Internal App), VPC B (Internal App), VPC C (Internal App), VPC D (Internal App) ... VPC (N) (Internal App), each connected through an HA pair of VPN endpoints)
Connecting your VPCs (VPC Peering)
  Now, with VPC Peering, you can connect VPCs together within a Region without having to maintain all the VPN overhead.
  Peering creates a private network connection between any two VPCs in a region, including cross-account VPC Peering.
Common Design: Shared Services VPC
  Move shared services such as Active Directory, logging and monitoring to a shared services VPC (VPC A, 10.1.0.0/16)
  VPC A peers with VPC B (10.2.0.0/16) via pcx-aaaabbbb, VPC C (10.3.0.0/16) via pcx-aaaacccc and VPC D (10.4.0.0/16) via pcx-aaaadddd
  None of the other VPCs can send traffic directly to each other through VPC A (= app isolation)
  Only VPC A has direct network access to your data center (10.0.0.0/16) via a VPN
  Security Groups and NACLs still apply
  Route tables:
    VPC A's route table
      Destination   Target
      10.1.0.0/16   Local
      10.2.0.0/16   pcx-aaaabbbb
      10.3.0.0/16   pcx-aaaacccc
      10.4.0.0/16   pcx-aaaadddd
      10.0.0.0/16   VPG1
    VPC B's route table
      Destination   Target
      10.2.0.0/16   Local
      10.1.0.0/16   pcx-aaaabbbb
    VPC C's route table
      Destination   Target
      10.3.0.0/16   Local
      10.1.0.0/16   pcx-aaaacccc
    VPC D's route table
      Destination   Target
      10.4.0.0/16   Local
      10.1.0.0/16   pcx-aaaadddd
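An added example, not from the deck: the shared services route tables above (and the private-subnet table from the data center slides) resolved with longest-prefix match the way the VPC router does, plus a trace showing why VPC B cannot reach VPC C or the data center through VPC A. The PEERINGS map and the function names are constructed; the CIDRs and pcx-* identifiers are the slide's.

```python
import ipaddress

VPCS = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16", "D": "10.4.0.0/16"}
PEERINGS = {"pcx-aaaabbbb": ("A", "B"), "pcx-aaaacccc": ("A", "C"), "pcx-aaaadddd": ("A", "D")}

# Route tables from the shared services slide: (destination, target)
ROUTES = {
    "A": [("10.1.0.0/16", "local"), ("10.2.0.0/16", "pcx-aaaabbbb"),
          ("10.3.0.0/16", "pcx-aaaacccc"), ("10.4.0.0/16", "pcx-aaaadddd"),
          ("10.0.0.0/16", "VPG1")],
    "B": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaabbbb")],
    "C": [("10.3.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaacccc")],
    "D": [("10.4.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaadddd")],
}
# Private-subnet table from the data center slides, to show longest-prefix match
PRIVATE_SUBNET = [("10.1.0.0/16", "local"), ("192.168.0.0/16", "VPG"), ("0.0.0.0/0", "NAT Gateway")]

def lookup(table, dst):
    """Longest-prefix match over one route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(src_vpc, dst, routes=ROUTES):
    """Follow a packet leaving src_vpc toward dst and report where it ends up."""
    target = lookup(routes[src_vpc], dst)
    if target is None:
        return f"dropped in VPC {src_vpc}: no route"
    if target == "local":
        return f"delivered inside VPC {src_vpc}"
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if a == src_vpc else a
        # A peering only carries traffic addressed to the peer's own CIDR; the peer
        # never forwards it on to a third VPC or over its VPN (peering is not transitive).
        if ipaddress.ip_address(dst) in ipaddress.ip_network(VPCS[peer]):
            return f"delivered to VPC {peer} via {target}"
        return f"dropped at {target}: {dst} is not in VPC {peer}'s CIDR"
    return f"sent to {target}"

if __name__ == "__main__":
    for vpc, dst in (("A", "10.2.0.9"), ("B", "10.3.0.1"), ("B", "10.0.0.5"), ("A", "10.0.0.5")):
        print(f"{vpc} -> {dst}: {trace(vpc, dst)}")
    for dst in ("10.1.3.4", "192.168.1.1", "8.8.8.8"):
        print(f"private subnet -> {dst}: {lookup(PRIVATE_SUBNET, dst)}")
```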
Simplify with AWS Direct Connect
  (diagram: three copies of the shared services design, each with its own hub VPC A (10.1.0.0/16, 10.5.0.0/16 and 10.9.0.0/16) peered via pcx-aaaabbbb, pcx-aaaacccc and pcx-aaaadddd to its VPCs B, C and D (10.2.0.0/16 to 10.4.0.0/16, 10.6.0.0/16 to 10.8.0.0/16 and 10.10.0.0/16 to 10.12.0.0/16); the hub VPCs reach the customer data center through a single AWS Direct Connect location)
Configuring logging and monitoring
Services: AWS CloudTrail, VPC Flow Logs
AWS CloudTrail
Introduction to AWS CloudTrail
  (diagram: you are making API calls on a growing set of AWS services around the world, such as Amazon Elastic Block Store (Amazon EBS); CloudTrail is continuously recording those API calls; the log files go to an Amazon S3 bucket to store/archive, and feed troubleshooting and monitoring/alarming)
Use cases enabled by CloudTrail
  IT and security administrators can perform security analysis
  IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
  DevOps engineers can troubleshoot operational issues
  IT auditors can use log files as a compliance aid
  See: Security at Scale: Logging in AWS White Paper
VPC Flow Logs
Dumping out the heavy hitter IP addresses

#!/usr/bin/python3
import boto3

# Get the CloudWatch Logs client
logs = boto3.client('logs')

# Get the log groups
groups = logs.describe_log_groups()
for loggroup in groups['logGroups']:
    # Get the log streams for each log group
    logstreamsdesc = logs.describe_log_streams(logGroupName=loggroup['logGroupName'])
    for logstream in logstreamsdesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=loggroup['logGroupName'],
                                          logStreamName=logstream['logStreamName'])
        # Count log entries by source IP address: srcaddr is the fourth field
        # (index 3) of the default flow log record
        # (version account-id interface-id srcaddr dstaddr srcport dstport ...)
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: only the first log stream is summarised
        exit()
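An added example, not from the deck: an offline parser for default-format flow log records that reports sources whose connections were rejected on several destination ports, next to the heavy-hitter count of the script above. The records in SAMPLE are constructed, as are the account and interface identifiers and the function names.

```python
from collections import Counter, defaultdict

# Default VPC flow log record layout (14 space-separated fields)
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one web hit, a three-port sweep that the security
# group rejected, one internal flow, and a NODATA record to be skipped.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 41522 80 6 12 3456 1466000000 1466000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.1.1.10 50000 22 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.1.1.10 50001 23 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.1.1.10 50002 3389 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.1.3.20 10.1.1.10 33000 443 6 5 900 1466000000 1466000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1466000000 1466000060 - NODATA
"""

def parse_record(line):
    """Return a dict for one record, or None for malformed / NODATA / SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["dstport"] = int(rec["dstport"])
    return rec

def rejected_by_source(text, min_ports=3):
    """Map srcaddr -> sorted distinct destination ports that were REJECTed,
    keeping only sources that touched at least min_ports ports (a port sweep)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def top_talkers(text, n=3):
    """Accepted-flow count per srcaddr: the deck's heavy-hitter view, run offline."""
    counts = Counter(r["srcaddr"] for r in map(parse_record, text.splitlines())
                     if r and r["action"] == "ACCEPT")
    return counts.most_common(n)

if __name__ == "__main__":
    print("rejected sweeps:", rejected_by_source(SAMPLE))
    print("top talkers:", top_talkers(SAMPLE))
```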
Partners
Justin Bradley