Connecting On-Premises Networks – ANS-C01 Study Guide

THE AWS CERTIFIED ADVANCED NETWORKING – SPECIALTY EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

  • Domain 2: Network Implementation 

Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.

On-Premises Network Connectivity

In this chapter, you will continue to learn about hybrid networking. In Chapter 6, “Hybrid Networking,” we covered the underlying technologies used to interconnect networks, with a focus on connecting to AWS from remote colocation and enterprise data centers to form hybrid networks.

In this chapter, you will go deeper into the VPN services AWS offers, review layer 3 of the OSI model, network connectivity testing, and the AWS Resource Manager. You will also learn about some of the utilities used to test and troubleshoot these hybrid networks.

VPNs

In Chapter 6, you learned about site-to-site VPNs, virtual private gateways, customer gateways, IPSec, and CloudHub. In this chapter, you will expand your knowledge of VPNs as they are used to connect your on-premises networks to your AWS resources. VPNs are an integral component of hybrid networking, along with Direct Connect, which was also covered in Chapter 6. You should expect the exam to test your knowledge of VPNs, so I advise you to learn the material in this book and to read the AWS online documentation until you deeply understand VPN theory, implementation, and ongoing operations and support.

VPN Security

To understand VPN security, it is helpful to understand the big picture of AWS security, which is documented in the AWS shared responsibility model. It is important to know what your responsibility is and what security AWS takes care of for you. The AWS model divides this into security of the cloud and security in the cloud.

Security of the cloud outlines what AWS takes responsibility for securing, as distinct from what is the customer’s responsibility. The model addresses protecting the AWS infrastructure that the services run on inside the AWS network. Both AWS and the customer have responsibility for maintaining security and compliance in the AWS cloud. AWS operates, manages, and secures its data centers, the physical hardware, the virtualization layer, host operating systems, and, depending on the service, application support such as databases or big data services. This puts the large resources of AWS to work on your behalf and is a huge operational relief for customers, who no longer have to configure, monitor, and maintain those components of their operations.

The customer assumes responsibility for maintaining the guest operating system in an infrastructure as a service (IaaS) model. If you are using a platform as a service (PaaS) or software as a service (SaaS) model, AWS manages the guest OS and the selected applications, keeping them current with updates and patches. Security in the cloud is the AWS customer’s responsibility and depends on the services you are using. You must take responsibility for the data you upload to AWS and for compliance with any regulations or laws in your country or areas of business operations, as well as for access and security group configurations in your VPCs, access control, firewalls, and any other security controls you want to enable.

VPN security consists of protecting the data traversing the VPN, applying Identity and Access Management (IAM) restrictions, and enabling logging and monitoring. Also, the VPN physical infrastructure must be secure.

Data protection includes securing account credentials by configuring user and group accounts with only the necessary permissions in IAM, setting up CloudTrail to record and archive AWS operations, and not exposing sensitive information in tags.

IAM is used to restrict user access in the AWS console when working with site-to-site VPNs. IAM allows you to limit access without sharing security credentials. Because the IAM default is to restrict the ability to create, view, or modify VPN configurations, you must explicitly enable user access and permissions. Create the IAM policies by granting users permission to use the specific resources and API actions that they need; then attach the policy to the IAM group or user. Site-to-site VPN shares the Amazon EC2 API namespace for actions on site-to-site VPN connections, virtual private gateways, and customer gateways.

IAM policies for site-to-site VPN connections let you limit users' access to the VPN APIs at the resource level. Actions supported include ec2:CreateVpnConnection, ec2:ModifyVpnConnection, and ec2:ModifyVpnTunnelOptions. The ARN format is arn:aws:ec2:ap-east-1:123456789012:vpn-connection/vpn-0fac8372dab8ad6413.
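The following review aid is an added example, not code from this book or from AWS. It reads an IAM policy document and reports Allow statements that let the modify actions named above reach any VPN connection instead of specific connection ARNs. The function names, the probe ARN, and both sample policies are constructed for illustration; only the scoped ARN is the one shown in the text.

```python
import fnmatch

# Actions from the text that change an existing VPN connection.
# ec2:CreateVpnConnection is left out: the connection ID does not exist before
# creation, so a wildcard ID is expected there.
MODIFY_ACTIONS = ["ec2:ModifyVpnConnection", "ec2:ModifyVpnTunnelOptions"]
# Constructed probe ARN for an unrelated connection (not a real resource).
PROBE_ARN = "arn:aws:ec2:us-west-2:999999999999:vpn-connection/vpn-00000000000000000"

def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def is_broad(resource):
    """True if the resource pattern is not pinned to specific connection IDs."""
    if ":vpn-connection/" not in resource:
        return fnmatch.fnmatchcase(PROBE_ARN, resource)  # "*", "arn:aws:ec2:*", ...
    conn_id = resource.split(":vpn-connection/", 1)[1]
    return "*" in conn_id or "?" in conn_id

def unscoped_vpn_grants(policy):
    """Return sorted (sid, action) pairs where an Allow statement lets a modify
    action reach any VPN connection. Condition, NotAction and NotResource are
    not evaluated, so treat the result as a review aid only."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not any(is_broad(r) for r in as_list(stmt.get("Resource", []))):
            continue
        for pattern in as_list(stmt["Action"]):
            for action in MODIFY_ACTIONS:
                # IAM action names are case-insensitive and allow * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)

# Constructed sample policies; the ARN in SCOPED is the example from the text.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NetworkAdmins", "Effect": "Allow", "Action": "ec2:*Vpn*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ModifyOneVpn", "Effect": "Allow", "Action": MODIFY_ACTIONS,
     "Resource": "arn:aws:ec2:ap-east-1:123456789012:vpn-connection/vpn-0fac8372dab8ad6413"},
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": "ec2:DescribeVpnConnections", "Resource": "*"}]}

if __name__ == "__main__":
    print("BROAD :", unscoped_vpn_grants(BROAD))
    print("SCOPED:", unscoped_vpn_grants(SCOPED))
```

The scoped policy keeps the read-only Describe action on all resources while pinning both modify actions to the single connection ARN.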

AWS VPN resiliency includes using diverse data centers, with the availability zones in each region physically separated from one another. This architecture allows VPN connections to fail over should an availability zone go offline. This is because each site-to-site VPN uses two tunnels, with each tunnel terminating in a different availability zone, as shown in Figure 7.1.

The site-to-site VPN connects your VPC to your data center using Internet Protocol Security (IPSec) to encrypt all in-flight traffic through the VPN tunnels to maintain data confidentiality and integrity.