Secure Networks in the Cloud: Best Practices. Justin Bradley, Solutions Architect, 30 June 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from the session
• What is Amazon VPC
• VPC toolkit
• Building your VPC
• Public vs. private connectivity to your data center
• Protecting your VPC resources
• Moving beyond a single VPC
• Configuring logging and monitoring
AWS Global Infrastructure (as of June 2016): 12 Regions, 33 Availability Zones, 54 Edge Locations.
What is Amazon VPC?
• A private, isolated section of the AWS cloud
• A virtual network topology you can deploy and customize
• You have complete control of your networking
• Proven and well-understood networking concepts
Most simply put, it is a virtual data center you can build out and control on AWS.
VPC Toolbox
VPC components: Amazon VPC, subnet, route table, router, Internet gateway, NAT gateway, Elastic IP, elastic network interface, endpoints, flow logs, VPN connection, customer gateway, VPN gateway, AWS Direct Connect, VPC peering.
Building your VPC
VPCs span an entire region: VPC CIDR 10.1.0.0/16 covers Availability Zones A and B.
Subnets sit in a single Availability Zone: subnet 10.1.1.0/24 in Availability Zone A, subnet 10.1.2.0/24 in Availability Zone B (both carved from the 10.1.0.0/16 VPC CIDR).
Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache
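The planning checklist above is easy to automate before you click "Create VPC". The following is an added example, not code from the deck: it uses Python's standard ipaddress module to reject a block outside the /16 to /28 range, to find overlaps with every network you expect to connect later (the data center range, sibling VPCs you may peer with), and to carve per-AZ subnets the way the deck does. The sample inputs (10.1.0.0/16, 192.168.0.0/16 and the sibling VPC ranges) are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# AWS accepts VPC CIDR blocks from /16 (65,536 addresses) down to /28 (16 addresses).
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject blocks AWS would reject: outside /16../28 or not on a network boundary."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: a VPC CIDR must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def find_overlaps(vpc_cidr: str, other_cidrs: Iterable[str]) -> List[str]:
    """Return every network in other_cidrs that overlaps the planned VPC block.
    Feed it the data-center ranges and every other VPC you may peer with or
    connect by VPN later: an overlap here cannot be routed around afterwards."""
    vpc = validate_vpc_cidr(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


def plan_subnets(vpc_cidr: str, azs: List[str], tiers: List[str],
                 subnet_prefix: int = 24) -> Dict[str, str]:
    """Carve one subnet per (tier, AZ) pair out of the VPC block, tier-major,
    e.g. tiers ['web', 'db'] and AZs ['a', 'b'] -> web-a, web-b, db-a, db-b."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if subnet_prefix <= vpc.prefixlen or subnet_prefix > VPC_MAX_PREFIX:
        raise ValueError("subnet prefix must be longer than the VPC prefix and at most /28")
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    return {f"{tier}-{az}": str(next(blocks)) for tier in tiers for az in azs}


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses actually assignable to instances after AWS's five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed planning inputs: the deck's VPC, its data center and sibling VPCs.
    vpc = "10.1.0.0/16"
    neighbours = ["192.168.0.0/16", "10.0.0.0/16", "10.2.0.0/16", "10.1.128.0/17"]
    print("overlaps:", find_overlaps(vpc, neighbours))     # only 10.1.128.0/17 collides
    for name, cidr in plan_subnets(vpc, ["a", "b"], ["web", "db"]).items():
        print(f"{name:6} {cidr:16} usable hosts: {usable_hosts(cidr)}")
```

Run the overlap check against every range you might ever connect, not just the ones you connect today; the deck's point is that the VPC CIDR is the one decision you cannot undo.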
Add an Internet Gateway (VPC CIDR: 10.1.0.0/16)
Attach an Internet gateway to the VPC and make the web subnets public (10.1.1.0/24 in Availability Zone A, 10.1.2.0/24 in Availability Zone B) by giving their route table a default route to it:

Route table (web, public)
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       Internet Gateway
Add private subnets (VPC CIDR: 10.1.0.0/16)
Public web subnets: 10.1.1.0/24 (Availability Zone A) and 10.1.2.0/24 (Availability Zone B).
Private database subnets: 10.1.3.0/24 (Availability Zone A) and 10.1.4.0/24 (Availability Zone B).
A subnet is private simply because its route table has no route to the Internet gateway:

Route table (web, public)
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       Internet Gateway

Route table (database, private)
Destination     Target
10.1.0.0/16     Local
NAT Gateway (VPC CIDR: 10.1.0.0/16)
Place a VPC NAT gateway in a public subnet (it appears there as an ENI) so that instances in the private database subnets (10.1.3.0/24 in Availability Zone A, 10.1.4.0/24 in Availability Zone B) can initiate outbound connections to the Internet, while nothing on the Internet can initiate a connection to them. The web subnets keep their route to the Internet gateway; the private route table gets its default route pointed at the NAT gateway instead:

Route table (web, public)
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       Internet Gateway

Route table (database, private)
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       NAT Gateway (ENI)
Connect to your data center
The data center (192.168.0.0/16, containing an internal server) is linked to the VPC (10.1.0.0/16) over a VPN connection or AWS Direct Connect, terminated on a virtual private gateway (VPG). The route tables then decide which subnets may talk to the data center:

Route table (web, public)
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       IGW

Route table (database, private)
Destination     Target
10.1.0.0/16     Local
192.168.0.0/16  VPG
0.0.0.0/0       NAT Gateway

Only the private subnets (10.1.3.0/24 in Availability Zone A, 10.1.4.0/24 in Availability Zone B) carry the 192.168.0.0/16 route to the VPG, so only they can reach the internal server; the public subnets are left without a path to the data center.
Protecting your VPC resources
The controls, grouped by what they govern:
• Network linking: VPN connection, AWS Direct Connect, VPC peering
• Endpoint routing: route table, public / Elastic IP, Internet gateway, endpoints
• Auditing: flow logs, CloudTrail
• Security group ingress/egress rules, attached to instances (e.g. Fleet 1 SG and Fleet 2 SG in subnet 10.1.1.0/24, App 1 SG and App 2 SG in subnets 10.1.1.0/24 and 10.1.2.0/24)
• Network Access Control Lists, attached to subnets

Virtual Private Cloud security layers (subnets 10.0.0.0/24 and 10.0.1.0/24 across Availability Zones A and B):
• Lock down at the instance level: security groups
• Isolate network functions: separate subnets per function
• Lock down at the network level: network ACLs on each subnet
• Route restrictively: routing tables decide whether a subnet can reach the virtual private gateway or the Internet gateway at all
VPC security groups (VPC BuildABeer-VPC-1, security group BuildABeer-SG-1): an "HTTP GET Beer" request on TCP(6) port 80 is admitted by the security group, while an "NTP buffer overrun" attempt on UDP(17) port 123 is dropped, because the group has no rule that allows it.
Network ACL (VPC BuildABeer-VPC-1): the same "HTTP GET Beer" on TCP(6) port 80 from srcIP=216.246.16.228 is dropped at the subnet boundary by a network ACL rule that denies that source address, before it ever reaches BuildABeer-SG-1; the same request from other sources passes the network ACL and is admitted by the security group.
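To make the two BuildABeer slides concrete, here is an added example (not code from the deck) that models how a packet is judged on its way to an instance: first by the subnet's network ACL, which is stateless, numbered and evaluated first-match-wins with an implicit final deny; then by the instance's security group, which carries allow rules only and is stateful, so replies to admitted flows need no rule of their own. The rule sets, addresses and the 10.1.1.10 web instance are constructed to mirror the slides; the ephemeral-port handling on the reply path is the caveat that usually bites people who write their first network ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # 'tcp', 'udp' or 'icmp'
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order for network ACLs; unused for security groups
    action: str     # 'allow' or 'deny' (security groups only ever carry 'allow')
    proto: str      # 'tcp', 'udp', 'icmp' or '-1' for all protocols
    port_from: int
    port_to: int
    cidr: str       # remote side: source for inbound rules, destination for outbound

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.proto != "-1" and self.proto != pkt.proto:
            return False
        if self.proto in ("tcp", "udp") and not self.port_from <= pkt.dport <= self.port_to:
            return False
        remote = pkt.src if direction == "in" else pkt.dst
        return ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)


def nacl_decision(rules: Iterable[Rule], pkt: Packet, direction: str) -> Tuple[str, Optional[int]]:
    """Network ACL: stateless; rules are tried in ascending rule number and the
    first match wins; the implicit final '*' rule denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action, rule.number
    return "deny", None


Flow = Tuple[str, str, str, int]   # (proto, client, server, server port)


def evaluate_inbound(nacl_in: Iterable[Rule], sg: Iterable[Rule], pkt: Packet,
                     established: Set[Flow]) -> str:
    """Subnet boundary first (network ACL), then the instance's security group."""
    action, number = nacl_decision(nacl_in, pkt, "in")
    if action == "deny":
        return f"dropped by network ACL rule {number if number is not None else '*'}"
    if any(r.action == "allow" and r.matches(pkt, "in") for r in sg):
        established.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))   # the SG tracks the flow
        return "allowed"
    return "dropped by security group (no matching allow rule)"


def evaluate_reply(nacl_out: Iterable[Rule], pkt: Packet, established: Set[Flow]) -> str:
    """Reply leaving the instance. The security group is stateful, so the reply to an
    established flow needs no outbound rule; the network ACL is stateless, so the
    outbound ACL must still explicitly allow the client's ephemeral port."""
    if (pkt.proto, pkt.dst, pkt.src, pkt.sport) not in established:
        return "dropped by security group (no established flow)"
    action, number = nacl_decision(nacl_out, pkt, "out")
    if action == "deny":
        return f"dropped by outbound network ACL rule {number if number is not None else '*'}"
    return "allowed"


# Constructed rule sets mirroring the BuildABeer slides.
NACL_IN = [
    Rule(100, "deny", "tcp", 80, 80, "216.246.16.228/32"),    # the one abusive source
    Rule(200, "allow", "-1", 0, 65535, "0.0.0.0/0"),           # everything else, like the default NACL
]
NACL_OUT = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # replies to ephemeral ports only
SG = [Rule(0, "allow", "tcp", 80, 80, "0.0.0.0/0")]               # HTTP in; nothing for UDP/123
WEB = "10.1.1.10"                                                 # constructed web instance

if __name__ == "__main__":
    flows: Set[Flow] = set()
    for pkt in (Packet("198.51.100.7", WEB, "tcp", 51515, 80),
                Packet("216.246.16.228", WEB, "tcp", 51515, 80),
                Packet("198.51.100.7", WEB, "udp", 123, 123)):
        print(f"{pkt.src:>16} {pkt.proto}/{pkt.dport:<5} -> {evaluate_inbound(NACL_IN, SG, pkt, flows)}")
    reply = Packet(WEB, "198.51.100.7", "tcp", 80, 51515)
    print(f"reply to 198.51.100.7 -> {evaluate_reply(NACL_OUT, reply, flows)}")
```

The ordering matters for the deck's two cases: the bad source never reaches the security group because the network ACL rejected it at the subnet, and the NTP probe sails through the permissive ACL only to die at the security group, which is the only one of the two that can say "nothing but TCP/80". Note also that an outbound ACL without the 1024-65535 range silently breaks every reply from the web tier.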
Obfuscate with CloudFront (VPC BuildABeer-VPC-1): users resolve the site through Amazon Route 53 and are sent to CloudFront, so the VPC's own addresses never appear in DNS.
Hide 'n' go seek:
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
Moving Beyond a Single VPC
Why have more than one?
• Application isolation
• Scope of audit containment (separate AWS accounts)
• Risk level separation
• Separate production from non-production
• Multi-tenant isolation
• Business unit alignment

Growing your VPCs: VPC A (Web App), VPC A (Internal App), VPC B (Internal App), VPC C (Internal App), VPC D (Internal App), up to VPC (N) (Internal App), each linked to the others through an HA pair of VPN endpoints.

Connecting your VPCs (VPC peering): now, with VPC peering, you can connect VPCs together within a Region without having to maintain all the VPN overhead. Peering creates a private network connection between any two VPCs in a region, including cross-account VPC peering.
Common Design: Shared Services VPC
VPC A (10.1.0.0/16) is the hub. It is peered with VPC B (10.2.0.0/16) over pcx-aaaabbbb, with VPC C (10.3.0.0/16) over pcx-aaaacccc and with VPC D (10.4.0.0/16) over pcx-aaaadddd, and it alone has a VPN to the data center (10.0.0.0/16).
• Move shared services such as Active Directory, logging and monitoring to a shared services VPC
• None of the other VPCs can send traffic directly to each other through VPC A (= app isolation)
• Only VPC A has direct network access to your data center via a VPN
• Security Groups and NACLs still apply
Common Design: Shared Services VPC route tables

VPC A's route table
Destination     Target
10.1.0.0/16     Local
10.2.0.0/16     pcx-aaaabbbb
10.3.0.0/16     pcx-aaaacccc
10.4.0.0/16     pcx-aaaadddd
10.0.0.0/16     VPG1

VPC B's route table
Destination     Target
10.2.0.0/16     Local
10.1.0.0/16     pcx-aaaabbbb

VPC C's route table
Destination     Target
10.3.0.0/16     Local
10.1.0.0/16     pcx-aaaacccc

VPC D's route table
Destination     Target
10.4.0.0/16     Local
10.1.0.0/16     pcx-aaaadddd

Topology: VPC A 10.1.0.0/16 is peered with VPC B 10.2.0.0/16 (pcx-aaaabbbb), VPC C 10.3.0.0/16 (pcx-aaaacccc) and VPC D 10.4.0.0/16 (pcx-aaaadddd), and reaches the data center 10.0.0.0/16 through VPG1. B, C and D hold a route to VPC A only, and VPC peering is not transitive, so B cannot reach C through A even if someone adds a route for it.
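The route tables in this design, and the single-VPC ones earlier (public web subnets to the Internet gateway, private database subnets to the NAT gateway and the VPG), are small enough to model and check before you deploy them. The following is an added example, not code from the deck: it does longest-prefix route lookup the way the VPC router does, follows a peering hop into the peer VPC, and enforces the rule that peered traffic can only be delivered inside the peer, never forwarded on to a gateway or a second peering. Route table names ("web-public", "vpc-a") and the topology dictionaries are constructed from the slides; with_route() lets you test a tempting "fix" (adding 10.3.0.0/16 to VPC B's table) and see it fail.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]                 # (destination CIDR, target)
RouteTables = Dict[str, List[Route]]    # route table name -> routes
Peerings = Dict[str, Tuple[str, str]]   # pcx id -> the two route tables it joins


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, which is how the VPC router chooses between
    the local route, a peering route and a default route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def trace(tables: RouteTables, peerings: Peerings, origin: str, dst: str) -> str:
    """Where does a packet from a subnet using route table `origin` end up?"""
    target = next_hop(tables[origin], dst)
    if target is None:
        return "unreachable: no route"
    if target == "local":
        return "delivered within the VPC"
    if target.startswith("pcx-"):
        ends = peerings[target]
        peer = ends[1] if ends[0] == origin else ends[0]
        # Peering is not transitive: a packet arriving over a peering connection can only
        # be delivered inside the peer VPC, never forwarded to its VGW, IGW or another pcx.
        if next_hop(tables[peer], dst) == "local":
            return f"delivered to {peer} via {target}"
        return f"unreachable: {peer} cannot forward peered traffic beyond its own CIDR"
    return f"forwarded to {target}"


def with_route(tables: RouteTables, name: str, route: Route) -> RouteTables:
    """Copy of the tables with one extra route, to test a proposed change safely."""
    return {k: (v + [route] if k == name else list(v)) for k, v in tables.items()}


# Constructed from the deck's single-VPC design: public web and private DB subnets.
SINGLE_VPC: RouteTables = {
    "web-public": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "db-private": [("10.1.0.0/16", "local"), ("192.168.0.0/16", "vgw"), ("0.0.0.0/0", "nat-gateway")],
}

# Constructed from the deck's shared-services design: VPC A is the hub.
SHARED: RouteTables = {
    "vpc-a": [("10.1.0.0/16", "local"), ("10.2.0.0/16", "pcx-aaaabbbb"),
              ("10.3.0.0/16", "pcx-aaaacccc"), ("10.4.0.0/16", "pcx-aaaadddd"),
              ("10.0.0.0/16", "vgw")],
    "vpc-b": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaabbbb")],
    "vpc-c": [("10.3.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaacccc")],
    "vpc-d": [("10.4.0.0/16", "local"), ("10.1.0.0/16", "pcx-aaaadddd")],
}
PEERINGS: Peerings = {
    "pcx-aaaabbbb": ("vpc-a", "vpc-b"),
    "pcx-aaaacccc": ("vpc-a", "vpc-c"),
    "pcx-aaaadddd": ("vpc-a", "vpc-d"),
}

if __name__ == "__main__":
    print("db-private -> 192.168.10.5 :", trace(SINGLE_VPC, {}, "db-private", "192.168.10.5"))
    print("db-private -> 93.184.216.34:", trace(SINGLE_VPC, {}, "db-private", "93.184.216.34"))
    print("vpc-b      -> 10.1.0.10    :", trace(SHARED, PEERINGS, "vpc-b", "10.1.0.10"))
    print("vpc-b      -> 10.3.0.10    :", trace(SHARED, PEERINGS, "vpc-b", "10.3.0.10"))
    leaky = with_route(SHARED, "vpc-b", ("10.3.0.0/16", "pcx-aaaabbbb"))   # the tempting "fix"
    print("vpc-b(+rt) -> 10.3.0.10    :", trace(leaky, PEERINGS, "vpc-b", "10.3.0.10"))
    print("vpc-b(+rt) -> 10.0.0.5     :", trace(with_route(SHARED, "vpc-b", ("10.0.0.0/16", "pcx-aaaabbbb")),
                                                PEERINGS, "vpc-b", "10.0.0.5"))
```

The last two lookups are the security property the shared-services design relies on: even with a route added on the spoke, VPC B cannot reach VPC C or the data center through VPC A, because the peering connection will not forward traffic beyond VPC A's own CIDR. The only way to give B that access is an explicit peering or VPN of its own, which is exactly the decision the design wants you to make deliberately.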
Simplify with AWS Direct Connect
The same hub-and-spoke pattern repeated: three groups of peered VPCs (VPC A 10.1.0.0/16 with VPC B 10.2.0.0/16, VPC C 10.3.0.0/16 and VPC D 10.4.0.0/16; VPC A 10.5.0.0/16 with VPC B 10.6.0.0/16, VPC C 10.7.0.0/16 and VPC D 10.8.0.0/16; VPC A 10.9.0.0/16 with VPC B 10.10.0.0/16, VPC C 10.11.0.0/16 and VPC D 10.12.0.0/16), each hub VPC A reaching the customer data center through a single AWS Direct Connect location instead of a VPN per hub.
Configuring logging and monitoring
Services: AWS CloudTrail, VPC Flow Logs

AWS CloudTrail
Introduction to AWS CloudTrail: you are continuously making API calls on a growing set of AWS services around the world; CloudTrail is continuously recording those API calls, storing and archiving them in an Amazon S3 bucket, from which you can troubleshoot, and monitor and alarm.

Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper
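The first two use cases, security analysis and attributing a change to who made it, come down to reading the records CloudTrail writes. The following is an added example, not code from the deck or from AWS: it walks a CloudTrail file for the EC2 API calls that change where VPC traffic can go (security group and network ACL rules, routes, gateway attachments, peering) or reduce visibility (deleting flow logs, stopping a trail), attributes each to the calling identity and source address, and rates world-open CIDRs as high severity. The trail below is constructed; the field layout (eventName, userIdentity.arn, requestParameters with EC2's "items" wrapping) follows CloudTrail's EC2 records, and the watched event list is an assumption you should extend for your own environment.

```python
import json
from typing import Dict, Iterable, List, Set

# EC2 and CloudTrail calls that change where packets can go, or whether you can see them.
WATCHED_EVENTS: Set[str] = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
    "CreateRoute", "ReplaceRoute", "AttachInternetGateway",
    "CreateVpcPeeringConnection", "AcceptVpcPeeringConnection",
    "DeleteFlowLogs", "StopLogging",
}
VISIBILITY_EVENTS = {"DeleteFlowLogs", "StopLogging"}
WORLD = {"0.0.0.0/0", "::/0"}
CIDR_KEYS = {"cidrIp", "cidrIpv6", "cidrBlock", "destinationCidrBlock"}


def cidrs_in(obj) -> List[str]:
    """Collect every CIDR value nested anywhere in requestParameters. EC2 records wrap
    lists in {'items': [...]}, so a recursive walk is simpler than fixed paths."""
    found: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in CIDR_KEYS and isinstance(value, str):
                found.append(value)
            else:
                found.extend(cidrs_in(value))
    elif isinstance(obj, list):
        for value in obj:
            found.extend(cidrs_in(value))
    return found


def load_records(text: str) -> List[Dict]:
    """CloudTrail delivers files as {"Records": [...]}; a bare list is accepted too."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def review(records: Iterable[Dict]) -> List[Dict]:
    """One finding per watched event, attributed to the caller; 'high' when the change
    opens something to the whole Internet or removes visibility."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        if name not in WATCHED_EVENTS:
            continue
        cidrs = cidrs_in(rec.get("requestParameters") or {})
        high = name in VISIBILITY_EVENTS or bool(WORLD.intersection(cidrs))
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "cidrs": cidrs,
            "severity": "high" if high else "medium",
        })
    return findings


# Constructed sample trail: one world-open SSH rule, one NACL deny, one read-only call,
# and a flow-log deletion by an assumed role.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-06-30T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-30T09:15:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"networkAclId": "acl-1a2b3c4d", "ruleNumber": 100, "protocol": "6",
                           "ruleAction": "deny", "egress": False, "cidrBlock": "216.246.16.228/32",
                           "portRange": {"from": 80, "to": 80}}},
    {"eventTime": "2016-06-30T09:20:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {}},
    {"eventTime": "2016-06-30T09:31:27Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
     "requestParameters": {"flowLogIds": {"items": [{"flowLogId": "fl-0123abcd"}]}}},
]})

if __name__ == "__main__":
    for f in review(load_records(SAMPLE_TRAIL)):
        print(f"{f['severity']:6} {f['time']} {f['event']:30} {f['actor']} from {f['source_ip']} {f['cidrs']}")
```

In production, point load_records() at the gzipped objects CloudTrail writes to the S3 bucket (or subscribe a Lambda function to the bucket) and route "high" findings to your alerting; a CreateRoute for 0.0.0.0/0 will also score high, which is intended, because a new default route deserves a human look whether it points at an Internet gateway or a NAT gateway.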
VPC Flow Logs
Dumping out the heavy hitter IP addresses

#!/usr/bin/python3
# Count VPC Flow Log records per source address and print the heaviest talkers.
# Assumes the flow logs are delivered to CloudWatch Logs and that boto3 has credentials
# allowing logs:DescribeLogGroups, logs:DescribeLogStreams and logs:GetLogEvents.
from collections import Counter

import boto3

logs = boto3.client('logs')

# Default flow log record layout (space separated):
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
SRCADDR = 3   # field index of the source address (index 4 would be the destination)

# Count across every log group and stream; one Counter, not one per stream.
ip_counts = Counter()
for group in logs.describe_log_groups()['logGroups']:
    streams = logs.describe_log_streams(logGroupName=group['logGroupName'])
    for stream in streams['logStreams']:
        # get_log_events returns one page; follow nextForwardToken for more history.
        events = logs.get_log_events(logGroupName=group['logGroupName'],
                                     logStreamName=stream['logStreamName'])
        for event in events['events']:
            fields = event['message'].split()
            # NODATA / SKIPDATA records carry '-' instead of an address; skip them.
            if len(fields) > SRCADDR and fields[SRCADDR] != '-':
                ip_counts[fields[SRCADDR]] += 1

# Most talkative source addresses first.
for ip, count in ip_counts.most_common():
    print('{0:15} {1:8d}'.format(ip, count))