© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Camil Samaha, AWS Solutions Architecture
October 2015
NET301
NextGen Networking: New Capabilities for Amazon Virtual Private Cloud
What to expect from the session
New capabilities for Amazon VPC
VPC Endpoints
• Generic capability
• First VPCE type available is for Amazon S3
VPC Flow Logs
• Netflow-like data from elastic network interfaces
VPC Endpoints
Problem statement
• AWS “abstracted services”[1] generally have service
endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your
VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
AZ: Availability Zone
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
+-----------------------+--------------+--------+
| Routes                                        |
+-----------------------+--------------+--------+
| DestinationCidrBlock  | GatewayId    | State  |
+-----------------------+--------------+--------+
| 10.10.0.0/16          | local        | active |
+-----------------------+--------------+--------+
Routes: local connectivity
Traffic to the VPC’s range stays
in the VPC
Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
The default VPC is already
configured this way
Routes: Internet connectivity
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
+-----------------------+--------------+--------+
| Routes                                        |
+-----------------------+--------------+--------+
| DestinationCidrBlock  | GatewayId    | State  |
+-----------------------+--------------+--------+
| 10.10.0.0/16          | local        | active |
| 0.0.0.0/0             | igw-5a1ae13f | active |
+-----------------------+--------------+--------+
Everything not destined for the
VPC goes to the Internet
Reaching public endpoints
Public IPs and IGW
Pros
• Highly available
• Horizontally scalable
• Can restrict destination ports/CIDRs
Cons
• Public IPs; security controls are limited
• Can reach entire service (e.g. all S3 buckets)
NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling hard, limited
• Lots of work to manage
• Security limitations similar to use of IGW
Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security options
Cons
• Availability risks
• Lots of work to manage and scale
• Works only with HTTP/S
VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls
Amazon S3 without an Internet gateway
Routes: Amazon S3 connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
+-----------------------+-------------------------+----------------+
| Routes                                                           |
+-----------------------+-------------------------+----------------+
| DestinationCidrBlock  | DestinationPrefixListId | GatewayId      |
+-----------------------+-------------------------+----------------+
| 10.10.0.0/16          |                         | local          |
|                       | pl-68a54001             | vpce-a610f4cf  |
+-----------------------+-------------------------+----------------+
The Amazon S3 Prefix list
aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001
+------------------------------------------------+
| DescribePrefixLists                            |
+------------------------------------------------+
| PrefixLists                                    |
+----------------+-------------------------------+
| PrefixListId   | PrefixListName                |
+----------------+-------------------------------+
| pl-68a54001    | com.amazonaws.us-west-2.s3    |
+----------------+-------------------------------+
| Cidrs                                          |
+------------------------------------------------+
| 54.231.160.0/19                                |
+------------------------------------------------+
IP range for Amazon S3
Changes over time and is managed by
AWS
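An added example, not part of the deck, showing how the route tables above decide where a packet goes. It is a Python longest-prefix-match resolver run over the three route tables printed above plus one constructed table that carries both an Internet gateway route and the S3 endpoint route. The route-table ids, gateway ids and prefix-list CIDR are copied from the deck's output; the table names are constructed labels, and the S3 CIDR is a snapshot that AWS changes over time.

```python
import ipaddress

# Added example: a longest-prefix-match resolver over the deck's route tables.
# Table names are constructed labels; ids and CIDRs are from the deck's output.

# Prefix list contents as printed in the deck (a snapshot; the S3 range is
# managed by AWS and changes over time).
PREFIX_LISTS = {
    "pl-68a54001": ["54.231.160.0/19"],  # com.amazonaws.us-west-2.s3
}

# Each route is (destination, target); destination is a CIDR or a prefix-list id.
ROUTE_TABLES = {
    "local-only":   [("10.10.0.0/16", "local")],
    "with-igw":     [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-5a1ae13f")],
    "with-vpce":    [("10.10.0.0/16", "local"), ("pl-68a54001", "vpce-a610f4cf")],
    # constructed: a subnet that has both an Internet gateway and an S3 endpoint
    "igw-and-vpce": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-5a1ae13f"),
                     ("pl-68a54001", "vpce-a610f4cf")],
}


def expand_routes(routes):
    """Replace prefix-list destinations with their concrete CIDRs."""
    expanded = []
    for dest, target in routes:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def resolve(table_name, dst_ip):
    """Return the route target for dst_ip using longest-prefix match, or None
    when no route covers it (the VPC has nowhere to send such traffic)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(ROUTE_TABLES[table_name]):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    # 54.231.170.1 lies inside the S3 prefix list; 203.0.113.9 is a constructed
    # non-S3 public address.
    for table in ROUTE_TABLES:
        for ip in ("10.10.3.4", "54.231.170.1", "203.0.113.9"):
            print(f"{table:13s} {ip:14s} -> {resolve(table, ip)}")
```

The last table is the case worth studying: because the prefix-list route is a /19 and the Internet gateway route is a /0, S3 traffic leaves through the endpoint even when an IGW route exists, while everything else still goes out through the IGW. Remove the IGW route and non-S3 public destinations have no route at all, which is the "Amazon S3 without an Internet gateway" configuration.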
Rich security controls
• New route entry
• As many endpoints per VPC as you like, but maximum one
assigned route per subnet
• New logical destination address for security group
outbound traffic rules
• Thus, instance-level control through security groups
Rich security controls (cont.)
• Policies on VPC endpoints
• Logically, resource policies (i.e., associated with resource rather
than principal)
• Constrain principals, actions, destination buckets, paths within
buckets
• S3 bucket policies
• Constrain source VPCs and/or VPC endpoints
• All policies ANDed together (IAM, VPC endpoints, S3)
VPC endpoint policy example
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
In English: Calls via this VPC endpoint are allowed to Get/Put to my_secure_bucket
S3 bucket policy example #1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" }
      }
    }
  ]
}
In English: Deny access to this bucket to all calls except those coming via this VPC endpoint
S3 bucket policy example #2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" }
      }
    }
  ]
}
In English: Deny access to this bucket to all calls except those coming from this VPC
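To make the "all policies ANDed together" rule concrete, here is an added Python simulator; it is not AWS's policy engine and is not code from the deck. It models only the subset of semantics the examples above rely on: Action/Resource wildcard matching, StringEquals/StringNotEquals conditions, explicit deny overriding everything, and the endpoint policy acting as a gate on traffic that traverses the endpoint. The endpoint policy and bucket policy are the deck's own examples; the identity (IAM) policy, the request contexts and the same-account simplification (an Allow from either the identity or the bucket policy suffices) are assumptions.

```python
import fnmatch

# Added example: a small simulator for the policy layers discussed in the deck.
# Not AWS's evaluation engine; only the operators used above are modelled.

# The deck's VPC endpoint policy.
ENDPOINT_POLICY = {
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    }]
}

# The deck's S3 bucket policy example #1.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}},
    }]
}

# Constructed identity policy: the caller's IAM principal may do anything in S3.
IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only StringEquals / StringNotEquals are modelled. As in IAM, a negated
    operator is satisfied when the key is absent from the request context,
    which is exactly why a request that did not use the endpoint is denied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    verdict = None
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def authorize(action, resource, ctx, iam=IAM_POLICY, bucket=BUCKET_POLICY,
              endpoint=ENDPOINT_POLICY):
    """Combine the layers: an explicit Deny anywhere wins; a request arriving
    through a VPC endpoint (ctx carries aws:sourceVpce) must also be allowed by
    the endpoint policy; otherwise an Allow from the identity or bucket policy
    suffices (same-account simplification, an assumption of this example)."""
    layers = [evaluate(iam, action, resource, ctx), evaluate(bucket, action, resource, ctx)]
    if "aws:sourceVpce" in ctx:
        ep = evaluate(endpoint, action, resource, ctx)
        if ep != "Allow":
            return False
        layers.append(ep)
    if "Deny" in layers:
        return False
    return "Allow" in layers


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_secure_bucket/report.csv"
    print("via endpoint, GetObject:", authorize("s3:GetObject", obj, {"aws:sourceVpce": "vpce-a610f4cf"}))
    print("via IGW, GetObject:     ", authorize("s3:GetObject", obj, {}))
    print("via endpoint, Delete:   ", authorize("s3:DeleteObject", obj, {"aws:sourceVpce": "vpce-a610f4cf"}))
```

The three printed cases trace the slide's point: the identity policy allows everything, yet a request that bypasses the endpoint is denied by the bucket policy, and a request through the endpoint is limited to the actions the endpoint policy names. Tightening any one layer narrows the result without touching the others.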
Demo 1
# node runTest.js testData1
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
Test running...
{"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
{"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
{"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
#
Cluster size of 1
1 x 10 GB file upload; 1 x 10 GB file download
[Chart: tx and rx throughput, VPCE - 1 node vs. NAT - 1 node]
# node runTest.js testData10
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.225/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.226/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.215/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.216/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.142/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.143/api/full?b=tstbktvpc&g=igw&p=igw
...
Cluster size of 10
10 x 10 GB file upload; 10 x 10 GB file download
[Charts: tx and rx throughput for VPCE - 1 node, VPCE - 10 nodes, NAT - 1 node, NAT - 10 nodes]
VPC Flow Logs
VPC Flow Logs
• Long-standing ask: greater visibility into VPC network
behavior
• Specifically, what about those security group and network ACL
DENY cases?
• VPC Flow Logs provide the answer
See all of the traffic at your instances
• Visibility into effects of
security group rules
• Troubleshooting
network connectivity
• Ability to analyze traffic
VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch log groups and streams
• Data accumulated and published to CloudWatch Logs at
~10 minute intervals
• Normal CloudWatch Logs groups/streams with all
related features
• For example, new CloudWatch Logs -> Amazon Kinesis stream
integration
Flow Log record (text, space-delimited)
Field Description
version The VPC Flow Logs version.
account-id The AWS account ID for the Flow Log.
interface-id The ID of the network interface for which the log stream applies.
srcaddr The source IP address. The IP address of the network interface is always its private IP address.
dstaddr The destination IP address. The IP address of the network interface is always its private IP address.
srcport The source port of the traffic.
dstport The destination port of the traffic.
protocol The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
packets The number of packets transferred during the capture window.
bytes The number of bytes transferred during the capture window.
start The time, in Unix seconds, of the start of the capture window.
end The time, in Unix seconds, of the end of the capture window.
action The action associated with the traffic:
  • ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
  • REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status The logging status of the flow log:
  • OK: Data is logging normally to CloudWatch Logs.
  • NODATA: There was no network traffic to or from the network interface during the capture window.
  • SKIPDATA: Some flow log records were skipped during the capture window.
Example records
Inbound SSH traffic allowed
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
Example records (cont.)
Inbound RDP traffic denied
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
Demo 2
[version, account, interface, srcaddr, dstaddr, srcport, dstport=22, protocol,
packets, bytes, start, end, action=REJECT, status=OK]
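An added Python example, not from the deck, that parses records in the space-delimited format described above and applies the Demo 2 filter (dstport=22, action=REJECT, status=OK). The first two sample lines are the deck's own example records; the remaining lines, including a NODATA window whose traffic fields are "-", are constructed.

```python
from collections import Counter

# Added example: parser and REJECT filter for VPC Flow Log records.
# Sample lines 1-2 are from the deck; lines 3-5 are constructed.

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1439530060 1439530120 - NODATA
2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 51000 22 6 3 180 1439530120 1439530180 REJECT OK
2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 51001 22 6 3 180 1439530120 1439530180 REJECT OK
"""


def parse_record(line):
    """Parse one record into a dict. '-' (used when a window has no traffic
    data) becomes None; numeric fields become int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_to_port(records, dstport, protocol=6):
    """Demo 2's filter: flows the security groups / network ACLs rejected
    toward one TCP port. Windows with NODATA/SKIPDATA carry no traffic fields
    and are excluded via log_status."""
    return [r for r in records
            if r["log_status"] == "OK" and r["action"] == "REJECT"
            and r["dstport"] == dstport and r["protocol"] == protocol]


def rejected_sources(records, dstport):
    """Rejected attempts per source address: the summary a defender triages,
    rather than one line per flow."""
    return Counter(r["srcaddr"] for r in rejected_to_port(records, dstport))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for src, n in rejected_sources(recs, 22).most_common():
        print(f"{src}: {n} rejected SSH flow(s)")
```

Two details matter in practice: the log-status check, because NODATA and SKIPDATA windows have no port or action to compare and a naive filter would raise on the "-" placeholders, and the protocol check, since dstport alone does not distinguish TCP 22 from UDP 22.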
VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management
tools
• Key element of AWS's increasingly powerful security suite
Thank you!
NET301
Remember to complete
your evaluations!