Strengthening the security at the network level

When using AWS, you can imagine your infrastructure as being contained in your own virtual data center. This is called a VPC. Each VPC is then subdivided into multiple subnets. So far, we have used the default VPC and subnets. Take the example of us-east-1. As we can see in the following image, our default VPC is using the 173.31.0.0/16 network. Within this network, we have a subnet for each availability zone.

In addition, each AZ is directly connected to an internet gateway:

This gateway is what makes it possible for our EC2 instances to have both a public and a private IP. This is also what we want to change. One of the common best practices in security is to minimize the attack surface. As services and applications become more and more complex, the likelihood of opening a security group too widely also increases. What we want to create is an architecture where our EC2 instances are for the most part in a private subnet and only a handful of resources are on our public subnets.

We will also add an optional resource called a network address translation (NAT) gateway. A NAT gateway is a managed service that does not require administration effort and allows instances from a private subnet to connect to the internet from a unique IP. This way, our instances in the private subnets will still be able to connect to the internet but no one will be able to create a connection directly to those instances from outside of our network.

Right now, we are accessing our different instances and internal tools (if you are still using Jenkins, for example) using their public IP and an HTTP endpoint. The traffic is completely unencrypted. Even if we configured the security group to limit access to those services to our public IP, we would still be vulnerable to some attacks, such as sniffing, where an attacker captures the communication between your computer and AWS. To address this issue, we are going to create a VPN connection so that the entire communication between AWS and our computer is encrypted.

In the end, the new architecture should look as follows:

We are going to implement this new network architecture.
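As an added example (not code from the book), the following stand-alone Python script produces the architecture described above as a CloudFormation template: one public and one private subnet per availability zone, an internet gateway for the public tier, and a single NAT gateway as the private tier's only path to the internet. The VPC CIDR, availability zone names and resource names are assumed placeholders; the audit function at the end flags any private subnet whose route table still sends its default route to the internet gateway.

```python
import ipaddress

def ref(name):
    return {"Ref": name}

def build_vpc_template(vpc_cidr="10.0.0.0/16", azs=("us-east-1a", "us-east-1b")):
    """CloudFormation template (plain dict) for the architecture above: one public
    and one private /24 per AZ, an internet gateway for the public subnets and one
    NAT gateway (placed in PublicSubnet0) as the private subnets' only way out.
    The CIDR and AZ names are assumed values, not taken from the book."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24))
    r = {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": vpc_cidr}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "GatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": ref("VPC"), "InternetGatewayId": ref("InternetGateway")}},
        "NatEIP": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway", "Properties": {
            "AllocationId": {"Fn::GetAtt": ["NatEIP", "AllocationId"]},
            "SubnetId": ref("PublicSubnet0")}},
    }
    # One route table per tier; the default route target is the only difference.
    for tier, target in (("Public", {"GatewayId": ref("InternetGateway")}),
                         ("Private", {"NatGatewayId": ref("NatGateway")})):
        r[f"{tier}RouteTable"] = {"Type": "AWS::EC2::RouteTable",
                                  "Properties": {"VpcId": ref("VPC")}}
        r[f"{tier}DefaultRoute"] = {"Type": "AWS::EC2::Route", "DependsOn": "GatewayAttachment",
            "Properties": {"RouteTableId": ref(f"{tier}RouteTable"),
                           "DestinationCidrBlock": "0.0.0.0/0", **target}}
    for i, az in enumerate(azs):
        for j, tier in enumerate(("Public", "Private")):
            name = f"{tier}Subnet{i}"
            r[name] = {"Type": "AWS::EC2::Subnet", "Properties": {
                "VpcId": ref("VPC"), "AvailabilityZone": az, "CidrBlock": str(blocks[2 * i + j]),
                "MapPublicIpOnLaunch": tier == "Public"}}  # private hosts get no public IP
            r[f"{name}Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": ref(name), "RouteTableId": ref(f"{tier}RouteTable")}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": r}

def exposed_private_subnets(template):
    """Audit: names of subnets that do not auto-assign public IPs but whose route
    table still sends 0.0.0.0/0 to an internet gateway (public by accident)."""
    res = template["Resources"]
    igw_tables = {v["Properties"]["RouteTableId"]["Ref"] for v in res.values()
                  if v["Type"] == "AWS::EC2::Route" and "GatewayId" in v["Properties"]
                  and v["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"}
    table_of = {v["Properties"]["SubnetId"]["Ref"]: v["Properties"]["RouteTableId"]["Ref"]
                for v in res.values() if v["Type"] == "AWS::EC2::SubnetRouteTableAssociation"}
    return sorted(n for n, v in res.items() if v["Type"] == "AWS::EC2::Subnet"
                  and not v["Properties"]["MapPublicIpOnLaunch"] and table_of.get(n) in igw_tables)
```

Running the audit against the generated template returns an empty list; swapping the private default route's `NatGatewayId` for a `GatewayId` makes every private subnet show up in the result.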
