10 Class 17: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction


[Date: 2023/05/24]

In this Class 17: Learning Journal, I am going to talk about the main ideas/concepts covered in the cloud network security lecture.

After that, I am going to make a reflection based on the question referred to at the end of this page.

Today I Learned


Cloud Network Security

Regions and Zones

The AWS cloud is hosted across three categories:

  • Regions
  • Availability Zones
  • Local Zones

The AWS Region is a geographic area that contains Availability Zones:

  • Example: us-west-2
  • Lookup with aws ec2 describe-regions

An Availability Zone is an individual data center or set of data centers within a region represented by adding a letter identifier to the region code.

  • Example: us-west-2a
  • Lookup with aws ec2 describe-availability-zones --region region-name
  • Launching instances in separate Availability Zones can protect hosted applications against single-point-of-failure scenarios

A Local Zone is an extension of an AWS Region that is geographically close to your users.

  • Extend any VPC from the parent AWS Region into Local Zones by creating a new subnet and assigning it to the AWS Local Zone.
  • A Local Zone is represented by an AWS Region code followed by an identifier that indicates the location, for example us-west-2-lax-1a
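The three identifier shapes above (region, region plus letter, region plus location suffix) follow a fixed pattern, so the parent region can be recovered from any zone name. The following is an added example, not code from the wiki or from AWS: it parses the three shapes with regular expressions I wrote for this note (Wavelength Zones and other shapes are deliberately not covered) and uses the parsed result to check the single-point-of-failure point from the Availability Zone bullet, flagging any region in which every instance of a workload sits in one zone. The placements are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed matchers for the three identifier shapes described in the notes.
# Region: "us-west-2"; Availability Zone: region + letter, "us-west-2a";
# Local Zone: region + "-<location>-<number><letter>", "us-west-2-lax-1a".
# Wavelength Zones and other shapes are intentionally not handled here.
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d+"
_PATTERNS = {
    "region": re.compile(rf"^({_REGION})$"),
    "availability-zone": re.compile(rf"^({_REGION})([a-z])$"),
    "local-zone": re.compile(rf"^({_REGION})-([a-z]+-\d+[a-z])$"),
}


def parse_location(name):
    """Classify an AWS location identifier and recover its parent region."""
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(name)
        if m:
            return {"kind": kind, "region": m.group(1), "name": name}
    raise ValueError(f"unrecognised AWS location identifier: {name!r}")


def az_spread(placements):
    """Map each region to the set of zones a workload actually uses.

    `placements` is a list of AZ or Local Zone names, one per instance.
    """
    spread = defaultdict(set)
    for zone in placements:
        loc = parse_location(zone)
        if loc["kind"] == "region":
            raise ValueError(f"{zone} is a region, not a zone")
        spread[loc["region"]].add(zone)
    return dict(spread)


def single_zone_risk(placements):
    """Regions where every instance sits in a single zone: a single point of failure."""
    return sorted(region for region, zones in az_spread(placements).items()
                  if len(zones) == 1)


if __name__ == "__main__":
    # Constructed placements: the web tier is spread across zones, the DB tier is not.
    web = ["us-west-2a", "us-west-2b", "us-west-2a"]
    db = ["us-west-2c", "us-west-2c"]
    print(parse_location("us-west-2-lax-1a"))
    print("web single-zone regions:", single_zone_risk(web))
    print("db single-zone regions:", single_zone_risk(db))
```

The same check can be run on the output of aws ec2 describe-instances by feeding in each instance's Placement.AvailabilityZone value.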

VPC Basics

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.

  • Logically isolated from other virtual networks in the AWS cloud
  • Uses familiar networking concepts such as subnets and IP addresses

Next, let's take a look at some example use cases of a VPC:

  • Public subnet
  • Public and private subnet
  • Public and private subnet connected to corporate LAN

VPC Concepts

A subnet is a range of IP addresses in your VPC, much like a traditional LAN subnet.

  • Must fit within the scope of your VPC

A public subnet hosts public-facing services like a web site or file server.

A private subnet does not allow access to resources from outside the VPC, and is instead meant for internal resources.

Reminder: an instance, in AWS jargon, is a virtual machine ("a virtual server in the cloud").

VPC - Public Subnet

A company hosting only public services, such as a web app, might only need a single public subnet in its VPC.

Example:

  • Code 401 student project
  • Web application server
  • Public file transfer

VPC - Public, Private Subnet

A network address translation (NAT) gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.

NAT gateways charge for use; be sure to delete yours at the end of lab time.

Traffic can be monitored with CloudWatch.

Hybrid Cloud via VPN

On-prem corporate networks can extend into the cloud using an IPsec VPN tunnel.

The VPC can still have a private and public subnet:

  • Put web servers in the public subnet front end
  • Put private systems in the private subnet backend

Private AWS resources may include:

  • ERP software
  • Databases
  • Internal web servers
  • File server

VPC Security Controls

Security groups act as a virtual firewall for your instance to control inbound and outbound traffic.

  • Act at the instance level, not the subnet level
  • A VPC will have a default security group that is assigned to newly launched instances

A Network Access Control List (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
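The practical difference between the two controls is that a security group is stateful and allow-only, while a network ACL is stateless and evaluated in rule-number order with an implicit final deny. The following is an added example, not code from the wiki or an AWS API: it models both evaluations over constructed rule sets (the dict shapes are simplified from the console and are my own) and shows the classic mistake of a network ACL whose outbound rules forget the ephemeral port range, so the web request is accepted but the server's reply is dropped. Addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed rule sets. A security group only has allow rules and is stateful:
# the reply to an allowed connection is permitted automatically.
WEB_SG_INBOUND = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/16"},
]

# A network ACL is stateless and evaluated in rule-number order: the lowest
# matching rule wins and anything unmatched falls through to the "*" deny.
PUBLIC_NACL_INBOUND = [
    {"rule": 90, "proto": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "198.51.100.0/24", "action": "deny"},
    {"rule": 100, "proto": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule": 110, "proto": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "10.0.0.0/16", "action": "allow"},
]
# Outbound ACL that forgot the ephemeral port range (1024-65535) for replies.
PUBLIC_NACL_OUTBOUND_BROKEN = [
    {"rule": 100, "proto": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "0.0.0.0/0", "action": "allow"},
]
PUBLIC_NACL_OUTBOUND_FIXED = PUBLIC_NACL_OUTBOUND_BROKEN + [
    {"rule": 110, "proto": "tcp", "from_port": 1024, "to_port": 65535,
     "cidr": "0.0.0.0/0", "action": "allow"},
]


def _matches(rule, proto, port, addr):
    """True when the rule covers this protocol, port and remote address ("-1" = all protocols)."""
    return (rule["proto"] in (proto, "-1")
            and rule["from_port"] <= port <= rule["to_port"]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule["cidr"]))


def sg_allows(inbound, proto, port, src):
    """Security group: any matching allow rule permits the packet."""
    return any(_matches(r, proto, port, src) for r in inbound)


def nacl_allows(entries, proto, port, addr):
    """Network ACL: the lowest-numbered matching rule decides; no match means deny."""
    for r in sorted(entries, key=lambda e: e["rule"]):
        if _matches(r, proto, port, addr):
            return r["action"] == "allow"
    return False


def connection_allowed(sg_in, nacl_in, nacl_out, proto, port, client, client_port):
    """Evaluate a client -> server request and the server -> client reply.

    The security group is stateful, so only the inbound request is checked.
    The ACL is stateless, so the reply (to the client's ephemeral port) must
    also pass the outbound ACL.
    """
    request_ok = (nacl_allows(nacl_in, proto, port, client)
                  and sg_allows(sg_in, proto, port, client))
    reply_ok = nacl_allows(nacl_out, proto, client_port, client)
    return request_ok and reply_ok


if __name__ == "__main__":
    args = ("tcp", 443, "203.0.113.5", 51234)
    print("broken outbound ACL:",
          connection_allowed(WEB_SG_INBOUND, PUBLIC_NACL_INBOUND, PUBLIC_NACL_OUTBOUND_BROKEN, *args))
    print("fixed outbound ACL:",
          connection_allowed(WEB_SG_INBOUND, PUBLIC_NACL_INBOUND, PUBLIC_NACL_OUTBOUND_FIXED, *args))
```

Because the security group is stateful, the reply check only matters for the ACL; that asymmetry is why a subnet that "looks open" at the security group level can still time out when the ACL has no ephemeral-port rule.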

VPC Security Best Practices

Restrict access to your subnets using security groups for your VPC.

Leverage security groups as the primary mechanism for controlling network access to VPCs.

Use private subnets for your instances that don't host public-facing services.

Configure Amazon VPC subnet route tables with the minimal required network routes.

Remote networks should connect to VPCs using either:

  • AWS Virtual Private Network (VPN)
  • AWS Direct Connect

Use VPC Flow Logs to monitor the traffic that reaches your instances.

Use AWS Security Hub to check for unintended network accessibility from your instances.
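VPC Flow Logs and the Security Hub check above are two sides of the same question: what actually reached the instances, and was it intended? The following is an added example, not code from the wiki or from AWS: it parses constructed records in the default flow log format (the 14 version-2 fields are the documented ones; the account ID, interface ID, addresses and timestamps are sample values I made up) and then answers two defender questions over them, which accepted flows came from outside the VPC to a port that was not meant to be public, and which ports the controls rejected most.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Protocol 6 is TCP.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 443 6 12 3456 1684900000 1684900060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 22 6 1 60 1684900000 1684900060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 3389 6 1 60 1684900000 1684900060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.2.15 10.0.1.20 50010 5432 6 30 9000 1684900000 1684900060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.44 10.0.1.20 40003 8080 6 5 800 1684900000 1684900060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1684900000 1684900060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA records carry no flow fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def unexpected_public_access(records, vpc_cidr, expected_ports):
    """ACCEPTed flows from outside the VPC to an internal port that is not meant to be public."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        src_external = ipaddress.ip_address(r["srcaddr"]) not in vpc
        dst_internal = ipaddress.ip_address(r["dstaddr"]) in vpc
        if (r["action"] == "ACCEPT" and src_external and dst_internal
                and r["dstport"] not in expected_ports):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


def rejected_ports(records):
    """Count REJECTed flows by destination port: what the controls turned away."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_FLOW_LOG))
    # Only HTTPS is supposed to be reachable from the internet in this constructed VPC.
    print("unexpected:", unexpected_public_access(recs, "10.0.0.0/16", {443}))
    print("rejected by port:", rejected_ports(recs).most_common())
```

An accepted flow to a port outside the expected set is the finding to chase first, since it means a security group or ACL rule allows more than the design says; the reject counts are the noise the controls are already handling.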

Reflection