
Page 1: (NET301) New Capabilities for Amazon Virtual Private Cloud

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Camil Samaha, AWS Solutions Architecture

October 2015

NET301

NextGen Networking: New Capabilities for Amazon Virtual Private Cloud

Page 2: (NET301) New Capabilities for Amazon Virtual Private Cloud

What to expect from the session

New capabilities for Amazon VPC

VPC Endpoints

• Generic capability

• First VPCE type available is for Amazon S3

VPC Flow Logs

• NetFlow-like data from elastic network interfaces

Page 3: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC Endpoints

Page 4: (NET301) New Capabilities for Amazon Virtual Private Cloud

Problem statement

• AWS “abstracted services”[1] generally have service endpoints on the public address side of an AWS region

• How best to reach those endpoints from inside your VPC?

[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7

Page 5: (NET301) New Capabilities for Amazon Virtual Private Cloud

AZ: Availability Zone

Page 6: (NET301) New Capabilities for Amazon Virtual Private Cloud

Routes: local connectivity

aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad

+----------------------+--------------+--------+
| DestinationCidrBlock | GatewayId    | State  |
+----------------------+--------------+--------+
| 10.10.0.0/16         | local        | active |
+----------------------+--------------+--------+

Traffic to the VPC’s range stays in the VPC

Page 7: (NET301) New Capabilities for Amazon Virtual Private Cloud

Establish public connectivity

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f

The default VPC is already configured this way

Page 8: (NET301) New Capabilities for Amazon Virtual Private Cloud

Routes: Internet connectivity

aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad

+----------------------+--------------+--------+
| DestinationCidrBlock | GatewayId    | State  |
+----------------------+--------------+--------+
| 10.10.0.0/16         | local        | active |
| 0.0.0.0/0            | igw-5a1ae13f | active |
+----------------------+--------------+--------+

Everything not destined for the VPC goes to the Internet

Page 9: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 10: (NET301) New Capabilities for Amazon Virtual Private Cloud

Reaching public endpoints

Public IPs and IGW

Pros

• Highly available

• Horizontally scalable

• Can restrict destination ports/CIDRs

Cons

• Public IPs; security controls are limited

• Can reach entire service (e.g. all S3 buckets)

NAT/PAT server(s)

Pros

• Central control

• All protocols

Cons

• Availability risks

• Scaling hard, limited

• Lots of work to manage

• Security limitations similar to use of IGW

Proxy server(s)

Pros

• Central control

• Can scale fairly well

• Many security options

Cons

• Availability risks

• Lots of work to manage and scale

• Works only with HTTP/S

Page 11: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC endpoints to the rescue

• No need for public IP addresses, NAT/PAT, or proxies

• Highly available; no SPOF

• Practically infinite horizontal scalability

• Rich security controls

Page 12: (NET301) New Capabilities for Amazon Virtual Private Cloud

Amazon S3 without an Internet gateway

Page 13: (NET301) New Capabilities for Amazon Virtual Private Cloud

Routes: Amazon S3 connectivity

aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a

+----------------------+-------------------------+---------------+
| DestinationCidrBlock | DestinationPrefixListId | GatewayId     |
+----------------------+-------------------------+---------------+
| 10.10.0.0/16         |                         | local         |
|                      | pl-68a54001             | vpce-a610f4cf |
+----------------------+-------------------------+---------------+

Page 14: (NET301) New Capabilities for Amazon Virtual Private Cloud

The Amazon S3 prefix list

aws ec2 describe-prefix-lists --prefix-list-ids pl-68a54001

+----------------+----------------------------+
| PrefixListId   | PrefixListName             |
+----------------+----------------------------+
| pl-68a54001    | com.amazonaws.us-west-2.s3 |
+----------------+----------------------------+
| Cidrs                                       |
+---------------------------------------------+
| 54.231.160.0/19                             |
+---------------------------------------------+

IP range for Amazon S3: changes over time and is managed by AWS

Page 15: (NET301) New Capabilities for Amazon Virtual Private Cloud

Rich security controls

• New route entry

  • As many endpoints per VPC as you like, but maximum one assigned route per subnet

• New logical destination address for security group outbound traffic rules

  • Thus, instance-level control through security groups

Page 16: (NET301) New Capabilities for Amazon Virtual Private Cloud

Rich security controls (cont.)

• Policies on VPC endpoints

  • Logically, resource policies (i.e., associated with resource rather than principal)

  • Constrain principals, actions, destination buckets, paths within buckets

• S3 bucket policies

  • Constrain source VPCs and/or VPC endpoints

• All policies ANDed together (IAM, VPC endpoints, S3)

Page 17: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC endpoint policy example

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}

In English: calls via this VPC endpoint are allowed Get/Put to my_secure_bucket

Page 18: (NET301) New Capabilities for Amazon Virtual Private Cloud

S3 bucket policy example #1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" }
      }
    }
  ]
}

In English: deny access to this bucket to all calls except those coming via this VPC endpoint

Page 19: (NET301) New Capabilities for Amazon Virtual Private Cloud

S3 bucket policy example #2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpc": "vpc-c15180a4" }
      }
    }
  ]
}

In English: deny access to this bucket to all calls except those coming from this VPC
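As an added example (not code from the deck or from AWS), the following Python models how the policy layers on slides 16 to 19 combine under the "all policies ANDed together" rule: the endpoint policy from slide 17 and bucket policy #1 from slide 18 are embedded as shown, while the identity policy, the request contexts and the evaluator itself are constructed simplifications of IAM that handle only the constructs those two policies use.

```python
import fnmatch

# Simplified model of IAM evaluation for the layers the deck describes; this is
# an added illustration, not AWS's evaluator. It supports only Allow/Deny,
# "*" wildcards in Action/Resource, and StringEquals/StringNotEquals conditions.

# Identity policy: constructed for the example (the deck shows none).
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# VPC endpoint policy from slide 17.
ENDPOINT_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}

# Bucket policy #1 from slide 18: deny unless the call arrives via vpce-a610f4cf.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    # A missing context key compares as "", so StringNotEquals also denies
    # traffic that did not arrive via any endpoint (e.g. over an Internet gateway).
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            present = ctx.get(key, "") in _as_list(expected)
            if (op == "StringEquals" and not present) or (op == "StringNotEquals" and present):
                return False
    return True

def evaluate(policy, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    verdict = None
    for st in policy["Statement"]:
        if (_matches(st["Action"], ctx["action"]) and _matches(st["Resource"], ctx["resource"])
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_allowed(ctx, identity=IDENTITY_POLICY, endpoint=ENDPOINT_POLICY, bucket=BUCKET_POLICY):
    """An explicit Deny in any layer wins; otherwise the identity or bucket policy
    must grant the call AND the endpoint policy must grant it."""
    ident, ep, bkt = (evaluate(p, ctx) for p in (identity, endpoint, bucket))
    if "Deny" in (ident, ep, bkt):
        return False
    return (ident == "Allow" or bkt == "Allow") and ep == "Allow"
```

A request context is a dict with "action", "resource" and any condition keys such as "aws:sourceVpce"; omitting the key models a call that never traversed the endpoint.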

Page 20: (NET301) New Capabilities for Amazon Virtual Private Cloud

Demo 1

Page 21: (NET301) New Capabilities for Amazon Virtual Private Cloud

Demo 1

NAT

Page 22: (NET301) New Capabilities for Amazon Virtual Private Cloud

# node runTest.js testData1
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.1.238/api/full?b=tstbktvpc&g=nat&p=nat
Initiating test to http://10.20.2.38/api/full?b=tstbktvpc&g=vpce&p=vpce
Test running...
{"group":"igw","bucket":"tstbktvpc","object":"YMxa6QEKwNYp8OW2","type":"full"}
{"group":"nat","bucket":"tstbktvpc","object":"JVWXO38lIlIKOP9V","type":"full"}
{"group":"vpce","bucket":"tstbktvpc","object":"ezRl2CPObn4rCTq6","type":"full"}
#

Cluster size of 1

1 x 10 GB file upload; 1 x 10 GB file download

Page 23: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: tx and rx throughput for the three 1-node runs]

Page 24: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: VPCE - 1 node vs. NAT - 1 node]

Page 25: (NET301) New Capabilities for Amazon Virtual Private Cloud

# node runTest.js testData10
Starting...
Initiating test to http://10.20.0.12/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.225/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.226/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.215/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.216/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.142/api/full?b=tstbktvpc&g=igw&p=igw
Initiating test to http://10.20.0.143/api/full?b=tstbktvpc&g=igw&p=igw
...

Cluster size of 10

10 x 10 GB file upload; 10 x 10 GB file download

Page 26: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: tx and rx throughput for the three 1-node runs and the three 10-node runs]

Page 27: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes]

Page 28: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: 1-node and 10-node runs]

Page 29: (NET301) New Capabilities for Amazon Virtual Private Cloud

[Chart: VPCE - 1 node, NAT - 1 node, NAT - 10 nodes, VPCE - 10 nodes]

Page 30: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC Flow Logs

Page 31: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC Flow Logs

• Long-standing ask: greater visibility into VPC network behavior

  • Specifically, what about those security group and network ACL DENY cases?

• VPC Flow Logs provide the answer

Page 32: (NET301) New Capabilities for Amazon Virtual Private Cloud

See all of the traffic at your instances

• Visibility into effects of security group rules

• Troubleshooting network connectivity

• Ability to analyze traffic

Page 33: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC Flow Logs (cont.)

• Enabled at the ENI, subnet, or VPC level

• Traffic data surfaced as “flow log records” per ENI

• Exposed as CloudWatch Logs log groups and streams

• Data accumulated and published to CloudWatch Logs at ~10 minute intervals

• Normal CloudWatch Logs groups/streams with all related features

  • For example, new CloudWatch Logs -> Amazon Kinesis stream integration

Page 34: (NET301) New Capabilities for Amazon Virtual Private Cloud

Flow Log record (text, space-delimited)

Field         Description
version       The VPC Flow Logs version.
account-id    The AWS account ID for the flow log.
interface-id  The ID of the network interface for which the log stream applies.
srcaddr       The source IP address. The IP address of the network interface is always its private IP address.
dstaddr       The destination IP address. The IP address of the network interface is always its private IP address.
srcport       The source port of the traffic.
dstport       The destination port of the traffic.
protocol      The IANA protocol number of the traffic. For more information, see Assigned Internet Protocol Numbers.
packets       The number of packets transferred during the capture window.
bytes         The number of bytes transferred during the capture window.
start         The time, in Unix seconds, of the start of the capture window.
end           The time, in Unix seconds, of the end of the capture window.
action        The action associated with the traffic:
              ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
              REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status    The logging status of the flow log:
              OK: Data is logging normally to CloudWatch Logs.
              NODATA: There was no network traffic to or from the network interface during the capture window.
              SKIPDATA: Some flow log records were skipped during the capture window.

Page 35: (NET301) New Capabilities for Amazon Virtual Private Cloud

Example records

Inbound SSH traffic allowed

2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK

Page 36: (NET301) New Capabilities for Amazon Virtual Private Cloud

Example records (cont.)

Inbound RDP traffic denied

2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK

Page 37: (NET301) New Capabilities for Amazon Virtual Private Cloud

Demo 2

Page 38: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 39: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 40: (NET301) New Capabilities for Amazon Virtual Private Cloud

[version, account, interface, srcaddr, dstaddr, srcport, dstport=22, protocol, packets, bytes, start, end, action=REJECT, status=OK]
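As an added example (not part of the deck), the CloudWatch Logs metric filter above is expressed in Python over the version-2 record format from slide 34, so the matching logic can be checked offline; the sample records are the two from slides 35 and 36 plus two constructed lines (a rejected SSH attempt from a made-up source and a NODATA window).

```python
from collections import Counter
from typing import Dict, List, Optional

# Field order of a space-delimited VPC Flow Log record (version 2), as on slide 34.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the two deck records, one constructed rejected SSH attempt
# (source 198.51.100.7 is a documentation address) and one NODATA window, in
# which the traffic fields are published as "-".
SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de 198.51.100.7 172.168.1.11 51022 22 6 3 180 1439530060 1439530120 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1439530120 1439530180 - NODATA
"""

def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Return one record as a dict, or None if the line does not have 14 fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec: Dict[str, object] = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":          # NODATA/SKIPDATA windows carry no traffic fields
            rec[name] = None
        elif name in INT_FIELDS:
            try:
                rec[name] = int(value)
            except ValueError:
                return None
        else:
            rec[name] = value
    return rec

def rejected_ssh(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Equivalent of the slide-40 filter pattern: dstport=22, action=REJECT, status=OK."""
    return [r for r in records
            if r["dstport"] == 22 and r["action"] == "REJECT" and r["log-status"] == "OK"]

def rejected_ssh_by_source(text: str) -> Counter:
    """Count filter hits per source address, the figure a metric filter would feed to an alarm."""
    records = [r for r in (parse_record(line) for line in text.splitlines()) if r]
    return Counter(r["srcaddr"] for r in rejected_ssh(records))
```

The accepted SSH flow and the rejected RDP flow from the deck both fall through the filter; only the constructed port-22 REJECT is counted, and the NODATA window parses without tripping the integer conversion.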

Page 41: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 42: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 43: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 44: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 45: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 46: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 47: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 48: (NET301) New Capabilities for Amazon Virtual Private Cloud
Page 49: (NET301) New Capabilities for Amazon Virtual Private Cloud

VPC networking

• Continually advancing the state of the art

• Focused on improving control and visibility

• Integration with third-party monitoring and management tools

• Key element of AWS's increasingly powerful security suite

Page 50: (NET301) New Capabilities for Amazon Virtual Private Cloud

Thank you!

NET301

Page 51: (NET301) New Capabilities for Amazon Virtual Private Cloud

Remember to complete your evaluations!