Sichere Netzwerke in der Cloud (Secure Networks in the Cloud): Best Practices. Justin Bradley, Solutions Architect, 30 June 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


Page 1

Sichere Netzwerke in der Cloud (Secure Networks in the Cloud): Best Practices

Justin Bradley, Solutions Architect

30 June 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 2

What to expect from the session

• What is Amazon VPC
• VPC Toolkit
• Building your VPC
• Public vs Private
• Connectivity to your Data center
• Protecting your VPC Resources
• Moving Beyond a Single VPC
• Configuring logging and monitoring

Page 3

AWS Global Infrastructure

[Map legend: Region, Edge Location]

12 Regions, 33 Availability Zones, 54 Edge Locations

Page 4

What is Amazon VPC

Page 5

What is Amazon VPC?

• A private, isolated section of the AWS cloud
• A virtual network topology you can deploy and customize
• You have complete control of your networking
• Proven and well-understood networking concepts

Page 6

Most simply put, it is a virtual data center you can build out and control on AWS!

Page 7

VPC Toolbox

Page 8

VPC components

• Route table
• Elastic network interface
• Amazon VPC
• Subnet
• Elastic IP
• router
• Internet gateway
• customer gateway
• VPN gateway
• VPN connection
• VPC peering
• endpoints
• flow logs
• VPC NAT gateway
• AWS Direct Connect

Page 9

Building your VPC

Page 10

VPCs span an entire region

[Diagram: one VPC with CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B]

Page 11

Subnets sit in a single Availability Zone

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24); Availability Zone B: Subnet (10.1.2.0/24)]

Page 12

Plan your VPC IP space before creating it

• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache
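A check for the planning rules on this slide, added here as an example (it is not code from the deck): it validates a VPC CIDR against the /16 to /28 limit, confirms the subnets fit inside the VPC and do not overlap each other, and flags overlaps with networks the VPC may later be connected to. DECK_PLAN uses the deck's own CIDRs; the 10.0.0.0/16 and 10.2.0.0/16 entries are the data center and peer VPC from the later shared-services slides.

```python
import ipaddress

# Limits stated on the slide: a VPC CIDR is between /16 and /28 and cannot be
# changed after creation, so overlaps must be caught before the VPC exists.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28


def check_vpc_plan(vpc_cidr, subnet_cidrs, other_cidrs):
    """Return a list of problems with a planned VPC layout (empty = clean).

    vpc_cidr     - the VPC CIDR, e.g. "10.1.0.0/16"
    subnet_cidrs - subnets planned inside the VPC
    other_cidrs  - networks the VPC may later connect to (data center, peers)
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"VPC {vpc}: prefix must be between /16 and /28")

    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    for net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is not inside VPC {vpc}")
    # Subnets of one VPC must not overlap each other
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    # An overlap with a future VPN / Direct Connect / peering partner cannot be
    # routed around later: the VPC's own CIDR is always delivered locally, so
    # the overlapping remote addresses would simply be unreachable.
    for cidr in other_cidrs:
        other = ipaddress.ip_network(cidr, strict=True)
        if vpc.overlaps(other):
            problems.append(f"VPC {vpc} overlaps future network {other}")
    return problems


# The deck's own plan: VPC 10.1.0.0/16 with four /24 subnets, a data center on
# 192.168.0.0/16, and the 10.0.0.0/16 and 10.2.0.0/16 networks it peers with later
DECK_PLAN = ("10.1.0.0/16",
             ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"],
             ["192.168.0.0/16", "10.0.0.0/16", "10.2.0.0/16"])

if __name__ == "__main__":
    for problem in check_vpc_plan(*DECK_PLAN) or ["plan is clean"]:
        print(problem)
```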

Page 13

Add an Internet Gateway

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24); Availability Zone B: Subnet (10.1.2.0/24); Web (public) tier; Internet Gateway attached to the VPC]

Page 14

Add an Internet Gateway

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24); Availability Zone B: Subnet (10.1.2.0/24); Web (public) tier; Internet Gateway attached to the VPC]

Route Table
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Page 15

Add private subnets

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24) PUBLIC and Subnet (10.1.3.0/24) PRIVATE; Availability Zone B: Subnet (10.1.2.0/24) PUBLIC and Subnet (10.1.4.0/24) PRIVATE]

Page 16

Add private subnets

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24) with Web (public), Subnet (10.1.3.0/24) with Database (private); Availability Zone B: Subnet (10.1.2.0/24) with Web (public), Subnet (10.1.4.0/24) with Database (private)]

Page 17

Add private subnets

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24) with Web (public), Subnet (10.1.3.0/24) with Database (private); Availability Zone B: Subnet (10.1.2.0/24) with Web (public), Subnet (10.1.4.0/24) with Database (private)]

Route Table (private subnets)
  Destination    Target
  10.1.0.0/16    Local

Route Table (public subnets)
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Page 18

NAT Gateway

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24) with Web (public), Subnet (10.1.3.0/24) with Database (private); Availability Zone B: Subnet (10.1.2.0/24) with Web (public), Subnet (10.1.4.0/24) with Database (private); a VPC NAT gateway is added]

Page 19

[Diagram: VPC CIDR 10.1.0.0/16; Availability Zone A: Subnet (10.1.1.0/24) with Web (public), Subnet (10.1.3.0/24) with Database (private); Availability Zone B: Subnet (10.1.2.0/24) with Web (public), Subnet (10.1.4.0/24) with Database (private); NAT Gateway]

Route Table (private subnets)
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      NAT Gateway (ENI)

Route Table (public subnets)
  Destination    Target
  10.1.0.0/16    Local
  0.0.0.0/0      Internet Gateway

Page 20

Connect to your data center

[Diagram: VPC 10.1.0.0/16 with Availability Zone A (Subnet 10.1.1.0/24, Subnet 10.1.3.0/24) and Availability Zone B (Subnet 10.1.2.0/24, Subnet 10.1.4.0/24); customer data center 192.168.0.0/16]

Page 21

Connect to your data center

[Diagram: as on page 20, with two alternative connection paths between the VPC and the data center ("or")]

Page 22

Connect to your data center

[Diagram: as on page 21, with an Internal Server in the data center 192.168.0.0/16]

Page 23

Connect to your data center

[Diagram: as on page 22]

Page 24

Connect to your data center

[Diagram: VPC 10.1.0.0/16 with Availability Zone A (Subnet 10.1.1.0/24, Subnet 10.1.3.0/24) and Availability Zone B (Subnet 10.1.2.0/24, Subnet 10.1.4.0/24); two alternative connection paths ("or") to the data center 192.168.0.0/16 with its Internal Server]

Route Table (private subnets)
  Destination       Target
  10.1.0.0/16       Local
  192.168.0.0/16    VPG
  0.0.0.0/0         NAT Gateway

Route Table (public subnets)
  Destination       Target
  10.1.0.0/16       Local
  0.0.0.0/16        IGW

Page 25

Protecting your VPC resources

Page 26

Protecting your VPC resources

[Diagram labels: Public / Elastic IP, Internet gateway, VPN connection, VPC peering, route table, AWS Direct Connect, endpoints, flow logs, CloudTrail; grouped under Network Linking, Endpoint Routing and Auditing]

Page 27

Protecting your VPC resources

[Diagram labels: Public / Elastic IP, Internet gateway, VPN connection, VPC peering, route table, AWS Direct Connect; grouped under Network Linking and Endpoint Routing. Added to the picture: Security Group Ingress/Egress Rules (Fleet 1 SG, Fleet 2 SG, App 1 SG, App 2 SG) and Network Access Control Lists on Subnet (10.1.1.0/24) and Subnet (10.1.2.0/24)]

Page 28

Virtual Private Cloud Security Layers

[Diagram: Availability Zone A and Availability Zone B; a Router connected to the Internet Gateway and the Virtual Private Gateway; Subnet 10.0.0.0/24 and Subnet 10.0.1.0/24, each with its own Routing Table and Network ACL, and Security Groups on the instances]

• Security Group: lockdown at instance level
• Subnet: isolate network functions
• Network ACL: lockdown at network level
• Routing Table: route restrictively

Page 29

VPC Security Groups

[Diagram: VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1); inbound traffic shown: "HTTP GET Beer", TCP(6) Port(80), and "NTP Buffer Overrun", UDP(17) Port(123)]

Page 30

Network ACL

[Diagram: VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1); inbound traffic shown: "HTTP GET Beer", TCP(6) Port(80), and the same request with srcIP=216.246.16.228]
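Added example (not code from the deck) of how the two layers on pages 29 and 30 would evaluate the traffic shown: a stateful security group that admits only TCP/80, and a stateless, numbered network ACL that denies the one source address 216.246.16.228 ahead of its allow rules. The rule sets and the client address 198.51.100.4 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: int       # 6 = TCP, 17 = UDP, as written on the slide
    dst_port: int


def sg_allows(sg_rules, pkt):
    """Security group: an allow-only list. Anything not matched is dropped, and
    because the group is stateful the reply to an allowed request is let back
    out without needing an egress rule."""
    src = ipaddress.ip_address(pkt.src_ip)
    return any(r["proto"] == pkt.proto and r["port"] == pkt.dst_port
               and src in ipaddress.ip_network(r["cidr"])
               for r in sg_rules)


def nacl_allows(nacl_rules, pkt):
    """Network ACL: stateless, numbered rules checked in ascending order; the
    first match decides and the implicit final rule denies everything."""
    src = ipaddress.ip_address(pkt.src_ip)
    for rule in sorted(nacl_rules, key=lambda r: r["number"]):
        if (src in ipaddress.ip_network(rule["cidr"])
                and rule["proto"] in (-1, pkt.proto)        # -1 = all protocols
                and rule["port"] in (None, pkt.dst_port)):  # None = all ports
            return rule["action"] == "allow"
    return False


def inbound_decision(nacl_rules, sg_rules, pkt):
    """Inbound traffic meets the subnet NACL first, then the instance's SG."""
    if not nacl_allows(nacl_rules, pkt):
        return "denied by NACL"
    if not sg_allows(sg_rules, pkt):
        return "denied by security group"
    return "allowed"


# Constructed rules: BuildABeer-SG-1 admits only HTTP; the subnet NACL blocks
# the single source shown on the slide before its allow rules are reached.
BUILDABEER_SG = [{"proto": 6, "port": 80, "cidr": "0.0.0.0/0"}]
SUBNET_NACL = [
    {"number": 50, "action": "deny", "cidr": "216.246.16.228/32", "proto": -1, "port": None},
    {"number": 100, "action": "allow", "cidr": "0.0.0.0/0", "proto": 6, "port": 80},
    {"number": 110, "action": "allow", "cidr": "0.0.0.0/0", "proto": 17, "port": 123},
]

HTTP_GET_BEER = Packet("198.51.100.4", 6, 80)        # constructed client address
NTP_BUFFER_OVERRUN = Packet("198.51.100.4", 17, 123)
HTTP_FROM_BLOCKED = Packet("216.246.16.228", 6, 80)

if __name__ == "__main__":
    for pkt in (HTTP_GET_BEER, NTP_BUFFER_OVERRUN, HTTP_FROM_BLOCKED):
        print(pkt, "->", inbound_decision(SUBNET_NACL, BUILDABEER_SG, pkt))
```

The NTP packet passes the NACL (rule 110) and is still dropped, which is the point of layering: the security group never allowed UDP/123 in the first place.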

Page 31

Obfuscate - CloudFront

[Diagram: Users -> Amazon Route 53 -> CloudFront -> VPC (BuildABeer-VPC-1)]

Page 32

Hide 'n' go seek

~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53

Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85

Page 33

Moving Beyond a Single VPC

Page 34

Why have more than one?

• Application isolation
• Scope of audit containment (separate AWS Accounts)
• Risk level separation
• Separate production from non-production
• Multi-tenant isolation
• Business unit alignment

Page 35

Growing your VPCs

[Diagram: VPC A Web App, VPC A Internal App, VPC B Internal App, VPC C Internal App, VPC D Internal App ... VPC (N) Internal App, connected through an HA Pair of VPN Endpoints]

Page 36

Connecting your VPCs (VPC Peering)

Now, with VPC Peering, you can connect VPCs together within a Region without having to maintain all the VPN overhead.

Peering creates a private network connection between any two VPCs in a region, including cross-account VPC Peering.

Page 37

Common Design – Shared Services VPC

[Diagram: VPC A (10.1.0.0/16) peered with VPC B (10.2.0.0/16) via pcx-aaaabbbb, with VPC C (10.3.0.0/16) via pcx-aaaacccc and with VPC D (10.4.0.0/16) via pcx-aaaadddd; data center 10.0.0.0/16 attached to VPC A]

• Move shared services such as Active Directory, Logging and Monitoring to a shared services VPC
• None of the other VPCs can send traffic directly to each other through VPC A (= app isolation)
• Only VPC A has direct network access to your data center via a VPN
• Security Groups and NACLs still apply

Page 38

Common Design – Shared Services VPC: Route Tables

VPC A's route table
  Destination    Target
  10.1.0.0/16    Local
  10.2.0.0/16    pcx-aaaabbbb
  10.3.0.0/16    pcx-aaaacccc
  10.4.0.0/16    pcx-aaaadddd
  10.0.0.0/16    VPG1

VPC B's route table
  Destination    Target
  10.2.0.0/16    Local
  10.1.0.0/16    pcx-aaaabbbb

VPC C's route table
  Destination    Target
  10.3.0.0/16    Local
  10.1.0.0/16    pcx-aaaacccc

VPC D's route table
  Destination    Target
  10.4.0.0/16    Local
  10.1.0.0/16    pcx-aaaadddd

[Diagram: VPC A (10.1.0.0/16) peered with VPC B (10.2.0.0/16) via pcx-aaaabbbb, VPC C (10.3.0.0/16) via pcx-aaaacccc and VPC D (10.4.0.0/16) via pcx-aaaadddd; data center 10.0.0.0/16 attached to VPC A]
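Added example (not the deck's code) covering both the single-VPC route tables of pages 19 and 24 and the shared-services tables above: resolve_route performs the longest-prefix match a VPC router does, and trace_peering shows why VPC B cannot reach VPC C or the data center through VPC A even if someone adds a route for it, since a peering connection only delivers into the peer VPC and the peer never forwards the packet onward. The route tables are copied from the slides; the destination addresses are constructed.

```python
import ipaddress


def resolve_route(route_table, dst_ip):
    """Longest-prefix match over (cidr, target) pairs. None means no route,
    which inside a VPC means the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Route tables of the single-VPC build (pages 19 and 24)
PUBLIC_RT = [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "Internet Gateway")]
PRIVATE_RT = [("10.1.0.0/16", "Local"), ("192.168.0.0/16", "VPG"),
              ("0.0.0.0/0", "NAT Gateway")]

# Route tables of the shared-services design (page 38); VPC A is the hub
TABLES = {
    "A": [("10.1.0.0/16", "Local"), ("10.2.0.0/16", "pcx-aaaabbbb"),
          ("10.3.0.0/16", "pcx-aaaacccc"), ("10.4.0.0/16", "pcx-aaaadddd"),
          ("10.0.0.0/16", "VPG1")],
    "B": [("10.2.0.0/16", "Local"), ("10.1.0.0/16", "pcx-aaaabbbb")],
    "C": [("10.3.0.0/16", "Local"), ("10.1.0.0/16", "pcx-aaaacccc")],
    "D": [("10.4.0.0/16", "Local"), ("10.1.0.0/16", "pcx-aaaadddd")],
}
PEERS = {"pcx-aaaabbbb": ("A", "B"), "pcx-aaaacccc": ("A", "C"),
         "pcx-aaaadddd": ("A", "D")}


def trace_peering(tables, src_vpc, dst_ip):
    """Follow a packet leaving src_vpc. A pcx target hands the packet to the
    peer VPC only; the peer never forwards it through another pcx or a VPG,
    so only destinations that are Local in the peer are delivered."""
    target = resolve_route(tables[src_vpc], dst_ip)
    if target is None:
        return f"dropped: no route in VPC {src_vpc}"
    if not target.startswith("pcx-"):
        return target                      # Local, VPG1, NAT Gateway, ...
    a, b = PEERS[target]
    peer = b if src_vpc == a else a
    if resolve_route(tables[peer], dst_ip) == "Local":
        return f"delivered to VPC {peer} via {target}"
    return f"dropped in VPC {peer}: peering is not transitive"


if __name__ == "__main__":
    print(resolve_route(PRIVATE_RT, "192.168.10.5"))   # VPG
    print(trace_peering(TABLES, "B", "10.1.0.5"))       # delivered to VPC A
    print(trace_peering(TABLES, "B", "10.0.0.5"))       # B has no route to the data center
```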

Page 39

Simplify with AWS Direct Connect

[Diagram: the customer data center is connected through an AWS Direct Connect location to three copies of the shared-services layout, each a hub VPC A peered (pcx-aaaabbbb, pcx-aaaacccc, pcx-aaaadddd) with VPCs B, C and D: VPC A 10.1.0.0/16, B 10.2.0.0/16, C 10.3.0.0/16, D 10.4.0.0/16; VPC A 10.5.0.0/16, B 10.6.0.0/16, C 10.7.0.0/16, D 10.8.0.0/16; VPC A 10.9.0.0/16, B 10.10.0.0/16, C 10.11.0.0/16, D 10.12.0.0/16]

Page 40

Configuring logging and monitoring

Page 41

Services

• AWS CloudTrail
• VPC Flow Logs

Page 42

AWS CloudTrail

Page 43

Introduction to AWS CloudTrail

[Diagram: You are making API calls... on a growing set of AWS services around the world (Amazon Elastic Block Store (Amazon EBS) shown as an example)... CloudTrail is continuously recording API calls and delivers the log files to an Amazon S3 bucket, from where you can Store / archive, Troubleshoot, and Monitor and alarm]

Page 44

Use cases enabled by CloudTrail

• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper

Page 45

VPC Flow Logs

Page 46

Dumping out the heavy hitter IP addresses

#!/usr/bin/python3
import boto3

# Get the CloudWatch Logs client; VPC Flow Logs are delivered to CloudWatch Logs
logs = boto3.client('logs')

# Get the log groups
groups = logs.describe_log_groups()

for logGroup in groups['logGroups']:
    # Get the log streams for each log group (one stream per network interface)
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Count the log entries by source IP address. In the default flow log
        # record format (version account-id interface-id srcaddr dstaddr ...)
        # srcaddr is the fourth field, i.e. index 3 after split().
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1
        # Print the sources with the most flow records first
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: this demo only looks at the first log stream
        exit()
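An offline companion to the script above, added here as an example rather than taken from the deck: it parses the default flow log record format from constructed sample lines, counts flows per source address as the script does, and separately ranks REJECTed flows per source, which is the list a defender checks first for port probing or blocked access. The account id, interface id and addresses in SAMPLE_FLOW_LOG are made up.

```python
from collections import Counter

# Field order of the default VPC Flow Log record; srcaddr is index 3
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]


def parse_flow_record(line):
    """Return the record as a dict, or None for malformed lines and for
    NODATA/SKIPDATA records, whose traffic fields are just '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def heavy_hitters(lines, top=5):
    """Two rankings per source address: all flows (what the deck's script
    counts) and REJECTed flows only, where a scan or a blocked access attempt
    shows up first. Each is a list of (srcaddr, count), highest first."""
    all_flows, rejected = Counter(), Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        all_flows[rec["srcaddr"]] += 1
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]] += 1
    return all_flows.most_common(top), rejected.most_common(top)


# Constructed sample records: one source probes SSH and MySQL on the web host
# (rejected, as a TCP/80-only security group would do) and then fetches a
# page; another source just browses; the last two lines are noise.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 40122 22 6 1 60 1467295200 1467295260 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 40123 3306 6 1 60 1467295200 1467295260 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 40124 80 6 12 5400 1467295200 1467295260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.1.1.10 51000 80 6 30 14000 1467295200 1467295260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.1.1.10 51001 80 6 25 12000 1467295200 1467295260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1467295200 1467295260 - NODATA
this line is not a flow log record
"""

if __name__ == "__main__":
    rankings = heavy_hitters(SAMPLE_FLOW_LOG.splitlines())
    for name, ranking in zip(("all flows", "rejected flows"), rankings):
        print(name)
        for ip, n in ranking:
            print('  {0:15} {1:8d}'.format(ip, n))
```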

Page 47

Partners

Page 48

Justin Bradley