Subnets – Configuring Infrastructure Security – SCS-C02 Study Guide

Subnets

Selecting Subnets from the left-hand menu will bring up all the subnets associated with a particular VPC. If you do not have VPC filtering on, then all subnets created for the Region will be displayed.

Figure 10.9: List of subnets

There is an excellent analogy that can help you understand the relationship between VPCs and subnets. Think of your house as your VPC. Within your house, you have many different rooms: the kitchen, the lounge, bedrooms, the study, and bathrooms. These rooms could be thought of as your subnets. Each room in your house performs a different function. The same can apply to your subnets. Each subnet should be configured to perform a specific task. Perhaps one subnet contains all your application servers and another all your database servers.

Later in this chapter, in the Public and Private Subnets section, you will learn more about subnets, how they are divided, and their role in public and private subnets.

Select a subnet from the VPC dashboard in the AWS Management Console, and you will see that each subnet has several attributes and associations.

The Description Screen

The Details screen provides an overall summary description of how the subnet is configured.

Figure 10.10: The VPC description screen

The main points to highlight at this stage are VPC, Availability Zone, Network ACL, IPv4 CIDR, and Route table as shown in Figure 10.10 and discussed in the following points:

  • VPC: When a subnet is created, it exists within a single VPC. In this example, you can see the associated VPC ID and its name, MyVPC.
  • Availability Zone: A subnet can only reside in a single AZ. In this case, it is the us-east2-2c AZ. Note that the AZ name is not the same as the AZ ID, and AZ names do not map to AZ IDs one-to-one in alphabetical order; the mapping depends on the Region you are in. The AZ ID comes into play in more advanced networking tasks, where packets need to follow the same path on which they were initiated.
  • Network ACL: A NACL will always be associated with a subnet. If you don’t specify a particular NACL on creation, it will use the VPC default NACL. As shown, the NACL will also have a corresponding ID, acl-07104d0abbb81d306.
  • IPv4 CIDR: The IPv4 CIDR value shows the current CIDR block for this subnet.
  • Route table: Finally, Route table shows the associated route table that this subnet will use to route traffic. Again, a subnet will use the default VPC route table if no route table is defined. So, in essence, both the NACL and route table can be changed for each subnet.

To reiterate, network segmentation through subnets helps with security by maintaining network borders, whereby protective measures are put in place to filter network traffic, both inbound and outbound.
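The attributes above (VPC, AZ, CIDR, NACL, route table) are exactly what a reviewer checks when auditing segmentation: is the subnet still on the VPC default NACL, which allows all traffic; is it silently using the main route table; and does its route table make it public. The following is an added example, not code from the study guide. It works over plain dicts whose field names follow the boto3 `describe_subnets`, `describe_network_acls` and `describe_route_tables` response shapes (an assumption), and all sample data below is constructed; only the NACL ID is taken from the page.

```python
# Added example, not from the study guide: audit the NACL and route table each
# subnet in a VPC effectively uses. The input dicts follow the field names of
# boto3's describe_subnets / describe_network_acls / describe_route_tables
# responses (an assumption); the sample data below is constructed.

def _allows_all(entry):
    """True for an NACL entry allowing any protocol from/to 0.0.0.0/0."""
    return (entry.get("RuleAction") == "allow"
            and entry.get("Protocol") == "-1"
            and entry.get("CidrBlock") == "0.0.0.0/0")


def audit_subnets(subnets, nacls, route_tables):
    """Return {subnet_id: report} with the effective NACL and route table.

    Every subnet has exactly one NACL (the VPC default unless another was
    associated). A subnet with no explicit route table association falls
    back to the VPC's main route table.
    """
    nacl_of = {}   # subnet id -> NACL dict
    for acl in nacls:
        for assoc in acl.get("Associations", []):
            nacl_of[assoc["SubnetId"]] = acl

    rt_of, main_rt = {}, {}   # explicit subnet -> RT; vpc -> main RT
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rt[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                rt_of[assoc["SubnetId"]] = rt

    report = {}
    for sn in subnets:
        sid, vpc = sn["SubnetId"], sn["VpcId"]
        acl = nacl_of.get(sid)
        rt = rt_of.get(sid) or main_rt.get(vpc)
        # A 0.0.0.0/0 route through an internet gateway makes the subnet public.
        public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in (rt or {}).get("Routes", []))
        inbound = [e for e in (acl or {}).get("Entries", []) if not e.get("Egress")]
        report[sid] = {
            "vpc": vpc, "az": sn["AvailabilityZone"], "cidr": sn["CidrBlock"],
            "nacl": acl["NetworkAclId"] if acl else None,
            "nacl_is_default": bool(acl and acl.get("IsDefault")),
            "nacl_allows_all_inbound": any(_allows_all(e) for e in inbound),
            "route_table": rt["RouteTableId"] if rt else None,
            "route_table_is_main": sid not in rt_of,
            "public": public,
        }
    return report


def findings(report):
    """Points a reviewer would raise from an audit report."""
    out = []
    for sid, r in report.items():
        if r["nacl_is_default"] and r["nacl_allows_all_inbound"]:
            out.append(f"{sid}: default NACL {r['nacl']} allows all inbound traffic")
        if r["route_table_is_main"]:
            out.append(f"{sid}: no explicit association, uses main route table {r['route_table']}")
        if r["public"]:
            out.append(f"{sid}: public subnet (0.0.0.0/0 via internet gateway)")
    return out


# Constructed sample: one public subnet on the default NACL, and one private
# database subnet on a custom NACL with no explicit route table association.
VPC = "vpc-0example"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": VPC, "AvailabilityZone": "us-east-2c", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0bbb", "VpcId": VPC, "AvailabilityZone": "us-east-2a", "CidrBlock": "10.0.2.0/24"},
]
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-07104d0abbb81d306", "VpcId": VPC, "IsDefault": True,
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"}],
     "Associations": [{"SubnetId": "subnet-0aaa"}]},
    {"NetworkAclId": "acl-0db", "VpcId": VPC, "IsDefault": False,
     "Entries": [{"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
                  "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 5432, "To": 5432}},
                 {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "10.0.1.0/24"}],
     "Associations": [{"SubnetId": "subnet-0bbb"}]},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "VpcId": VPC, "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-0pub", "VpcId": VPC, "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]

if __name__ == "__main__":
    for line in findings(audit_subnets(SAMPLE_SUBNETS, SAMPLE_NACLS, SAMPLE_ROUTE_TABLES)):
        print(line)
```

Against live data you would feed the `Subnets`, `NetworkAcls` and `RouteTables` lists from the corresponding boto3 calls straight into `audit_subnets`. The "uses main route table" finding is informational rather than a defect: it flags subnets whose routing changes whenever someone edits the main table, which is usually not what a segmented design wants.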

The Flow Logs Tab

The Flow Logs tab allows you to set up and configure flow logs. These logs enable you to capture IP traffic sent between the network interfaces of your subnet. Flow logs can also be configured at the VPC level for each network interface on your instances.

However, this tab configures flow logs only for the selected subnet. The data captured in these logs can help you resolve network communication issues and traffic flow incidents. The logs are also helpful in identifying traffic that shouldn’t be traversing the network, so from a security stance they are handy for monitoring IP traffic.

Flow logs were covered in detail in Chapter 7, Logs Generated by AWS Services.
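To make the "traffic that shouldn't be traversing the network" point concrete, here is an added example (not from the study guide) that parses flow log records in the default format (version 2, fourteen space-separated fields) and answers the two questions a subnet owner asks first: who is being rejected at the subnet boundary, and which accepted flows hit ports the subnet is not meant to serve. The log lines and addresses are constructed sample data.

```python
# Added example, not from the study guide: parse VPC flow log records in the
# default (version 2) format and pull out what a security reviewer looks for
# in a subnet's traffic. The log lines below are constructed sample data.
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default flow log format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines keep their '-' fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank line or a custom format; ignore
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            for f in INT_FIELDS:
                rec[f] = int(rec[f])
        records.append(rec)
    return records


def inbound_to(records, subnet_cidr):
    """Records whose destination address lies inside the given subnet."""
    net = ip_network(subnet_cidr)
    return [r for r in records
            if r["log_status"] == "OK" and ip_address(r["dstaddr"]) in net]


def rejected_sources(records, subnet_cidr):
    """Count REJECTed inbound flows per (source address, destination port)."""
    counts = Counter()
    for r in inbound_to(records, subnet_cidr):
        if r["action"] == "REJECT":
            counts[(r["srcaddr"], r["dstport"])] += 1
    return counts


def unexpected_accepts(records, subnet_cidr, allowed_ports):
    """ACCEPTed inbound flows to ports the subnet is not meant to serve."""
    return [r for r in inbound_to(records, subnet_cidr)
            if r["action"] == "ACCEPT" and r["dstport"] not in allowed_ports]


# Constructed sample: a database subnet 10.0.2.0/24 that should only serve
# PostgreSQL (5432) to the application subnet 10.0.1.0/24. The last line is
# a NODATA record, which carries '-' in the traffic fields.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 51522 5432 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.3.9 10.0.2.40 44331 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.3.9 10.0.2.40 44332 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 51523 8080 6 5 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejected:", dict(rejected_sources(recs, "10.0.2.0/24")))
    for r in unexpected_accepts(recs, "10.0.2.0/24", {5432}):
        print("unexpected accept:", r["srcaddr"], "->", r["dstaddr"], r["dstport"])
```

One caveat when running this over real data: flow logs record each direction as a separate record, so the database's replies back to the application subnet appear as "inbound" to that subnet with high ephemeral destination ports. For a production check, either exclude the ephemeral port range or switch the flow log to a custom format that includes the `tcp-flags` field (format version 3) and keep only flow-initiating records.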