Even though every account has a default VPC in each Region, that VPC may not offer the security posture your organization needs. Some organizations have specialized networking teams whose only role is building the account's networking components: creating the VPCs, adding the security group and NACL rules, establishing the Direct Connect connections, setting up the virtual private networks (VPNs), and similar tasks.
As a security professional, you need a basic understanding of the foundational aspects of these items so that, when you communicate with a networking team, you can do so with confidence. Your organization may also have no networking team at all, in which case these responsibilities fall on your shoulders. In yet another scenario, development teams may be allowed to create their own VPCs; knowing the networking details then lets you inspect those VPCs (manually or via automation) for weak points such as private subnets that can reach the internet directly.
As these VPCs are all virtual, they are straightforward to create, and there are a few different ways to do this within AWS. You can use the AWS Management Console, the AWS Command Line Interface (CLI), or an infrastructure-as-code (IaC) language, such as CloudFormation or Terraform, to spin up and revise a VPC quickly.
Throughout this book, you have used the AWS Management Console and the CLI in exercises. For the following activity, you will use a CloudFormation template to allow you to spin up your new VPC quickly.
The template that follows creates a VPC with one public and one private subnet, an internet gateway (IGW), a NAT gateway with its Elastic IP, and two route tables that each hold a single default route: the public table sends 0.0.0.0/0 to the IGW and the private table sends 0.0.0.0/0 to the NAT gateway. As written, it declares no AWS::EC2::SubnetRouteTableAssociation resources, so both subnets would fall back to the VPC's main route table and the two tables defined here would sit unused until those associations are added.
Open an editor such as Vim, Notepad++, or Visual Studio Code and create a new file named demo-vpc.yml. CloudFormation templates can be written in either JSON or YAML. Because this is a YAML file, indentation is significant: a block that is indented one space too few or too many changes the structure of the document and causes a template error.
Note
If you want to validate the YAML before uploading it to the CloudFormation service, you can use an online YAML validator or run a command-line checker such as yamllint. For a check that also understands CloudFormation itself, run aws cloudformation validate-template --template-body file://demo-vpc.yml, or install cfn-lint, which additionally checks resource types and property names.
After creating your new demo-vpc.yml file, add the following content and save:
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      Tags:
        - Key: Name
          Value: MyVPC
  # Public subnet: instances launched here receive a public IPv4 address
  MyPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: MyPublicSubnet
  # Private subnet: no public IPs; outbound traffic goes through the NAT gateway
  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.0.2.0/24"
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: MyPrivateSubnet
  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyInternetGateway
  MyGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyInternetGateway
  MyPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPublicRouteTable
  MyPrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPrivateRouteTable
  # Default route for the public table: straight to the IGW.
  # The route cannot be created until the IGW is attached to the VPC.
  MyPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: MyGatewayAttachment
    Properties:
      RouteTableId: !Ref MyPublicRouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref MyInternetGateway
  # Default route for the private table: via the NAT gateway, never the IGW
  MyPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref MyPrivateRouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref MyNatGateway
  # The NAT gateway must live in the public subnet so it can reach the IGW
  MyNatGateway:
    Type: AWS::EC2::NatGateway
    DependsOn: MyPublicSubnet
    Properties:
      AllocationId: !GetAtt MyEIP.AllocationId
      SubnetId: !Ref MyPublicSubnet
      Tags:
        - Key: Name
          Value: MyNatGateway
  # Elastic IP for the NAT gateway; an EIP in a VPC requires the IGW to be attached first
  MyEIP:
    Type: AWS::EC2::EIP
    DependsOn: MyGatewayAttachment
    Properties:
      Domain: vpc
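The earlier point about inspecting VPCs that other teams create, by automation, can be applied to this very template. The following checker is an added example, not code from the book or from AWS: it audits the subnet and route-table wiring of a template and reports the mistakes that matter for network exposure, namely a subnet with no route-table association (AWS then silently uses the VPC's main route table), a "private" subnet whose table carries a 0.0.0.0/0 route to an internet gateway, and a route table nothing is associated with. It reads the template in CloudFormation's JSON form; loading the YAML above with PyYAML and mapping !Ref and !GetAtt to {"Ref": ...} and {"Fn::GetAtt": [...]} yields the same structure. The embedded template is a constructed copy of the routing-relevant resources of demo-vpc.yml, and the function and finding names are the example's own. Run against the demo, it flags that neither subnet is associated with its route table; with_associations shows the two AWS::EC2::SubnetRouteTableAssociation resources that make the audit pass.

```python
"""Audit the subnet / route-table wiring of a CloudFormation VPC template.

Added example (not from the book). Works on the JSON form of a template;
a YAML template loaded with PyYAML and its !Ref / !GetAtt tags rendered
as {"Ref": ...} / {"Fn::GetAtt": [...]} produces the same structure.
"""
import json

# Constructed input: the routing-relevant resources of demo-vpc.yml in
# CloudFormation's JSON form. Like the YAML version it declares route
# tables but no AWS::EC2::SubnetRouteTableAssociation resources.
DEMO_VPC_JSON = """
{
  "Resources": {
    "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "MyPublicSubnet": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.1.0/24",
                     "MapPublicIpOnLaunch": true}},
    "MyPrivateSubnet": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.2.0/24",
                     "MapPublicIpOnLaunch": false}},
    "MyInternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "MyPublicRouteTable": {"Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "MyVPC"}}},
    "MyPrivateRouteTable": {"Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "MyVPC"}}},
    "MyPublicRoute": {"Type": "AWS::EC2::Route",
      "Properties": {"RouteTableId": {"Ref": "MyPublicRouteTable"},
                     "DestinationCidrBlock": "0.0.0.0/0",
                     "GatewayId": {"Ref": "MyInternetGateway"}}},
    "MyPrivateRoute": {"Type": "AWS::EC2::Route",
      "Properties": {"RouteTableId": {"Ref": "MyPrivateRouteTable"},
                     "DestinationCidrBlock": "0.0.0.0/0",
                     "NatGatewayId": {"Ref": "MyNatGateway"}}},
    "MyNatGateway": {"Type": "AWS::EC2::NatGateway",
      "Properties": {"SubnetId": {"Ref": "MyPublicSubnet"}}}
  }
}
"""


def load_demo_template():
    """Parse the constructed demo template into a dict."""
    return json.loads(DEMO_VPC_JSON)


def _ref(value):
    """Logical ID behind a {"Ref": ...} intrinsic, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def _by_type(resources, rtype):
    return {k: v for k, v in resources.items() if v.get("Type") == rtype}


def audit_vpc_routing(template):
    """Return a list of finding strings describing routing weaknesses."""
    res = template["Resources"]
    subnets = _by_type(res, "AWS::EC2::Subnet")
    tables = _by_type(res, "AWS::EC2::RouteTable")
    routes = _by_type(res, "AWS::EC2::Route")
    assocs = _by_type(res, "AWS::EC2::SubnetRouteTableAssociation")
    igws = set(_by_type(res, "AWS::EC2::InternetGateway"))

    # subnet logical ID -> route table it is explicitly associated with
    subnet_table = {}
    for a in assocs.values():
        p = a.get("Properties", {})
        subnet_table[_ref(p.get("SubnetId"))] = _ref(p.get("RouteTableId"))

    # route table logical ID -> True if it sends 0.0.0.0/0 straight to an IGW
    igw_default = {t: False for t in tables}
    for r in routes.values():
        p = r.get("Properties", {})
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and _ref(p.get("GatewayId")) in igws:
            igw_default[_ref(p.get("RouteTableId"))] = True

    findings = []
    for name, s in subnets.items():
        public = bool(s.get("Properties", {}).get("MapPublicIpOnLaunch", False))
        table = subnet_table.get(name)
        if table is None:
            # AWS uses the VPC's main route table for an unassociated subnet,
            # so whatever table the author meant for it is never consulted.
            findings.append(f"{name}: no SubnetRouteTableAssociation; uses the VPC main route table")
            continue
        if public and not igw_default.get(table, False):
            findings.append(f"{name}: MapPublicIpOnLaunch is true but {table} has no 0.0.0.0/0 route to an IGW")
        if not public and igw_default.get(table, False):
            findings.append(f"{name}: intended private but {table} routes 0.0.0.0/0 to an IGW")
    for table in tables:
        if table not in subnet_table.values():
            findings.append(f"{table}: route table is not associated with any subnet")
    return findings


def with_associations(template):
    """Copy of the template plus the two associations the demo lacks."""
    fixed = json.loads(json.dumps(template))
    for subnet, table in (("MyPublicSubnet", "MyPublicRouteTable"),
                          ("MyPrivateSubnet", "MyPrivateRouteTable")):
        fixed["Resources"][subnet + "Assoc"] = {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": {"Ref": subnet}, "RouteTableId": {"Ref": table}},
        }
    return fixed


if __name__ == "__main__":
    tpl = load_demo_template()
    for f in audit_vpc_routing(tpl):
        print("FINDING:", f)
    print("after adding associations:", audit_vpc_routing(with_associations(tpl)))
```

The same checks can be pointed at a live account by feeding them the output of aws ec2 describe-route-tables, where the Associations list plays the role of the SubnetRouteTableAssociation resources and an association with no SubnetId marks the main route table.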