Technical Requirements – Configuring Infrastructure Security – SCS-C02 Study Guide

Technical Requirements

Access to AWS CLI and the AWS Management Console with an active account are both required for this chapter. A basic understanding of network terms will also help as you work through this chapter.

If you need help understanding networking fundamentals and basic terms such as CIDR, route, and access control list, refresh your knowledge of these topics before going through this chapter and attempting the AWS Certified Security – Specialty exam. If you need a resource on CIDRs, the following link should help you understand the topic better: https://packt.link/9JMFl.

Understanding VPC Security

You can think of a VPC as your own private section of the AWS network. It allows you to create a virtual network infrastructure that you can segment into different networks. VPCs can be segmented for public-facing access, in which services have IP addresses that are reachable by the entire internet, and private access, in which the IP addresses are accessible only once you have entered the VPC network and a route has been provided.

Before you start reviewing the different aspects of VPC security, first look at some of the terms that will be used throughout this chapter in discussions on AWS networking:

  • Subnets: A subnet defines a range of IP addresses in a VPC; there are both public and private subnets. Each subnet can only inhabit one Availability Zone (AZ) and cannot traverse multiple AZs or Regions.
  • Security groups: Security groups act as virtual firewalls in Amazon VPC. You can have up to five security groups per EC2 instance, and security groups are enforced at the instance level (not at the subnet level).
  • NACLs: Network access control lists (NACLs) work at the subnet level (unlike security groups, which work at the instance level). NACLs are stateless, whereas security groups are stateful, so any traffic that needs to return through an NACL must have its port and IP range opened in both the ingress and egress rules. NACL rules are evaluated in order, with the lowest-numbered rule being processed first.
  • NAT: A NAT device forwards traffic from the instances in a private subnet to the internet or other AWS services. Since the advent of VPC endpoints, using NAT to talk to other AWS services in your account is considered a non-secure practice and should never be followed in production environments.
  • VPC endpoints: An AWS VPC endpoint is a highly available and scalable resource that allows you to privately connect your Amazon VPC to AWS services without needing to traverse the public internet. It enables secure and efficient communication between your VPC and AWS services, such as Amazon S3 and DynamoDB, while keeping the traffic within the AWS network.
  • AWS Direct Connect: Direct Connect provides the shortest path between your network and AWS resources. Using a Direct Connect connection means your data never travels over the public internet. Instead, you get a dedicated connection to an AWS Region. Direct Connect can help reduce data transfer costs, improve latency, and provide a more consistent network connection.
  • Elastic network interface (ENI): An ENI is a virtual network card, a logical networking component in a VPC. You can create and configure ENIs and attach them to EC2 instances in the same AZ.
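The two NACL properties called out above, first-match evaluation in ascending rule-number order and statelessness, are easy to get wrong when writing rules. The following is an added example, not code from the study guide, that models a NACL in a few lines of Python; every rule number, CIDR and port is a constructed sample value:

```python
import ipaddress

# Each rule: (rule_number, action, protocol, remote_cidr, (port_from, port_to)).
# Inbound rules match the packet's source address and destination port;
# outbound rules match the destination address and destination port.
# Constructed sample inbound rules: allow HTTPS from anywhere, then deny
# one sample /24 on every port.
INBOUND = [
    (100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
    (200, "deny", "tcp", "198.51.100.0/24", (0, 65535)),
]
# Same intent, but the deny is numbered below the allow so it is seen first.
INBOUND_DENY_FIRST = [
    (50, "deny", "tcp", "198.51.100.0/24", (0, 65535)),
    (100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
]
# Outbound rules for the reply: only the first set opens the ephemeral
# port range a client uses for its side of the TCP connection.
OUTBOUND_OK = [(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]
OUTBOUND_MISSING = [(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]


def evaluate(rules, proto, remote_addr, port):
    """Return 'allow' or 'deny' for one packet in one direction.

    Rules are checked in ascending rule-number order and the first match
    decides; a packet matching no numbered rule hits the implicit deny.
    """
    ip = ipaddress.ip_address(remote_addr)
    for _number, action, rproto, cidr, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if rproto == proto and ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"  # the implicit "*" rule at the end of every NACL


def session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check for a TCP exchange with a host in the subnet: the
    request must pass the inbound rules AND the reply must pass the
    outbound rules, because the NACL remembers nothing about the request."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"
```

With the deny numbered 200 it never fires for HTTPS from the denied range, because rule 100 matches first; and without an outbound rule covering the client's ephemeral port the reply is dropped even though the request was allowed.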

Figure 10.1: VPC with private and public subnets with CIDR notation (which is actually a range of IP addresses)

The VPC shown in Figure 10.1 depicts one built with a full CIDR range of /16 that allows for a total of 65,536 IP addresses. The VPC has been spread out across three AZs in the Region, with one public and two private subnets placed in each AZ.

AWS reserves five IP addresses in every subnet CIDR block for its own use (the following example uses the 192.0.0.0/24 CIDR range):

  • 192.0.0.0: Network address.
  • 192.0.0.1: Reserved by AWS for the VPC router.
  • 192.0.0.2: Reserved by AWS.
  • 192.0.0.3: Reserved by AWS for future use.
  • 192.0.0.255: Network broadcast address. Since AWS does not support broadcast in a VPC, AWS reserves this address.

Think of these reserved IP addresses as specific roles or addresses that are automatically set up for your VPC to function correctly within the AWS environment. They help manage and direct traffic, keep track of devices, and ensure that data is routed to the right destinations efficiently.

So, if you have a VPC with a CIDR range of 192.0.0.0/24, there are 251 IP addresses available for your resources within that VPC. The five reserved addresses sit outside this pool of 251, so you do not need to subtract them again. You can use any of the 251 addresses for your instances, databases, and other services as needed.

Those five reserved IP addresses in an AWS VPC are essential for the VPC’s internal functioning, and they are the only addresses held back; otherwise, the size of your VPC’s IP range, as defined by the CIDR notation, determines the total number of addresses available to use.
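The arithmetic above (65,536 addresses in a /16, five reserved per subnet, 251 usable in a /24) and the layout in Figure 10.1 can be checked with Python's standard ipaddress module. This is an added example, not code from the study guide; the VPC and subnet CIDRs are constructed sample values arranged as in the figure:

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC, the /16 the text describes
# Constructed sample subnets laid out like Figure 10.1: in each of three
# AZs (a, b, c) one public and two private /24 subnets.
SUBNETS = {
    "public-a": "10.0.0.0/24", "private-a-1": "10.0.1.0/24", "private-a-2": "10.0.2.0/24",
    "public-b": "10.0.10.0/24", "private-b-1": "10.0.11.0/24", "private-b-2": "10.0.12.0/24",
    "public-c": "10.0.20.0/24", "private-c-1": "10.0.21.0/24", "private-c-2": "10.0.22.0/24",
}


def total_addresses(cidr):
    """Number of addresses the CIDR block covers (65,536 for a /16)."""
    return ipaddress.ip_network(cidr).num_addresses


def reserved_addresses(cidr):
    """The five addresses AWS holds back in a subnet: the network address,
    the next three (VPC router, AWS-reserved, future use) and the broadcast
    address."""
    net = ipaddress.ip_network(cidr)
    base = int(net.network_address)
    first_four = [str(ipaddress.ip_address(base + i)) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_addresses(cidr):
    """Addresses left for your resources once the five reserved are removed."""
    return total_addresses(cidr) - len(reserved_addresses(cidr))


def validate_layout(vpc_cidr, subnets):
    """Return a list of problems with a subnet plan: subnets that fall
    outside the VPC block and pairs of subnets that overlap.
    An empty list means the layout is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems
```

Running validate_layout against a plan before creating it in the console or with the AWS CLI catches the two mistakes that are hard to undo later: a subnet outside the VPC block and two subnets that overlap.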

With an understanding of the basic terms you will be using in this chapter and how VPCs are constructed, you are now ready to try creating a basic VPC in your AWS account, which you will do in the following exercise.