Amazon VPC best practices to kick security up a notch

Every new Elastic Compute Cloud instance resides in an Amazon VPC by default. IT teams must understand which configurations best protect their resources.

Many AWS customers use virtual networks without thinking about it, as Amazon puts every new EC2 instance into a default virtual private cloud network. And IT teams that avoid or ignore Amazon VPC best practices put their instances at risk.

An Amazon Virtual Private Cloud (VPC) is a logically isolated virtual network inside AWS: it is separated from other AWS customers' networks and, until a gateway is attached and routed to, from the public internet. Each VPC contains several key features:

  • One or more subnets, each with a user-defined CIDR (Classless Inter-Domain Routing) block (address range) confined to one availability zone (AZ). A VPC is limited to a single AWS region but can span that region's AZs; each subnet lives in exactly one AZ.
  • An Internet Gateway that, once attached to the VPC and referenced by a route table, connects the VPC to the public internet.
  • A Virtual Private Gateway (VGW), the AWS-side endpoint of a Site-to-Site VPN connection, and a Customer Gateway (CGW) that represents the router or firewall in a private data center. The link between the VGW and CGW is an IPsec VPN tunnel over the public internet; AWS Direct Connect can provide a private physical circuit instead. (Connecting VPCs to each other is a separate mechanism, VPC peering, covered below.)
  • Route tables, associated with subnets, that control where traffic leaves a subnet: to another subnet in the VPC via the always-present local route, to a corporate network via the VGW, or to the public internet via the Internet Gateway.
  • Security groups and network access control lists (ACLs) that act as virtual firewalls filtering traffic by protocol, network address and port number. Security groups attach to an instance's network interface, are stateful and contain only allow rules; network ACLs attach to subnets, are stateless and hold numbered allow and deny rules that are evaluated in order.
  • DHCP option sets and an Amazon-provided DNS resolver that assign IP addresses and hostnames to Elastic Compute Cloud (EC2) instances in each subnet.

Benefits of Amazon VPC

Enterprises on AWS should plan and manage multiple VPCs because they provide many significant benefits, including network configuration control and security. Multiple VPCs give complex environments complete control over the network configuration, including a private address space with customizable CIDR blocks that define the IP range and subnet mask, plus route tables, network gateways and security settings. VPC and subnet CIDR blocks can range from /16 (65,536 addresses, the size of an old Class B network) to /28 (16 addresses).

Isolation from the public internet by default, combined with policies expressed as network ACLs, routing rules and security groups, also improves security. Amazon VPC supports multiple elastic network interfaces per EC2 instance, each with static private IPs. Finally, VPC peering can connect a VPC to another VPC in the same or another region, or in a third party's AWS account, while a VPN connection or Direct Connect links it to a private data center network.

Amazon VPC best practices

While VPCs are a form of software-defined networks, they aren't especially complicated. But IT professionals need knowledge of IP network fundamentals to properly use VPCs. Before venturing into the AWS Management Console to change the defaults or create new VPCs, follow Amazon VPC best practices.

Draft a plan for subnets and address space: A VPC's primary CIDR block and a subnet's CIDR block can't be changed after creation (secondary blocks can be added to a VPC later, but only if they don't overlap anything already in use), so a block that's too small means running out of addresses. If an IT team has 10 instances and figures the smallest /28 subnet will suffice, there will be room for only one more VM, because AWS reserves five of the 16 addresses in every subnet: the network address, the VPC router, the DNS resolver, one address held for future use and the broadcast address.

Conversely, choosing a VPC block without regard to the private network it will connect to causes routing trouble. A /16 VPC that overlaps the address space of the on-premises LAN can't be routed over a VPN, Direct Connect or peering link at all, and even a non-overlapping /16 is far more space than a /24 corporate site needs. Pick a range that is unique across every network the VPC might one day be connected to.

Don't always use standard IP address ranges: Subnet sizes can be precisely tailored to specific needs. There's no reason to stick with /24 subnets if an IT team knows it will never have more than four database servers in a particular AZ. Use a smaller block instead and save addresses for other subnets.

Segment AWS environments: Avoid lumping disparate systems into one, big, flat network. Developers don't put production, staging and test/dev systems onto the same corporate network, so don't put them in the same VPC. Likewise, different application tiers probably don't have the same security policy -- web front ends and critical databases shouldn't live in the same subnet.
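The address-space planning, sizing and per-tier segmentation advice above can be turned into arithmetic. The following script is an added example written for this page, not code from the article or from AWS: it sizes each subnet from an expected instance count using the five-addresses-per-subnet rule, rejects VPC ranges that AWS won't accept or that overlap the on-premises networks it will peer with, and carves one subnet per tier per AZ. The VPC range, AZ names, tier sizes and on-premises ranges are hypothetical values chosen for the demonstration.

```python
"""Subnet planner for a VPC, using only the standard library.

Added example, not from the article or AWS: the VPC range, AZ names,
tier sizes and on-premises ranges used below are hypothetical. Two AWS
rules drive the arithmetic: VPC and subnet CIDRs must be between /16
and /28, and AWS reserves 5 addresses in every subnet (network address,
VPC router, DNS resolver, one reserved for future use, broadcast).
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_hosts(subnet):
    """Addresses AWS actually lets you assign in a subnet of this size."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable count covers `hosts`."""
    for prefix in range(MAX_PREFIX, MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts will not fit in a single /16 subnet")


def validate_vpc_cidr(vpc_cidr, onprem_cidrs=()):
    """Reject ranges AWS will not accept or that collide with connected networks."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{vpc}: VPC CIDR must be between /16 and /28")
    if not vpc.is_private:
        raise ValueError(f"{vpc}: use RFC 1918 space for a VPC")
    for cidr in onprem_cidrs:
        other = ipaddress.ip_network(cidr)
        if vpc.overlaps(other):
            # Overlapping ranges cannot be routed over a VPN, Direct Connect or peering link.
            raise ValueError(f"{vpc} overlaps connected network {other}")
    return vpc


def plan_subnets(vpc_cidr, azs, tiers, onprem_cidrs=()):
    """Carve one subnet per (tier, AZ) out of the VPC.

    `tiers` maps tier name -> expected instance count. Tiers are allocated
    largest first, so the cursor stays aligned for every later (smaller)
    block size and no address space is wasted on padding.
    Returns {(tier, az): IPv4Network}.
    """
    vpc = validate_vpc_cidr(vpc_cidr, onprem_cidrs)
    cursor = int(vpc.network_address)
    end = int(vpc.broadcast_address) + 1
    plan = {}
    for tier, hosts in sorted(tiers.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix_for(hosts)
        size = 2 ** (32 - prefix)
        for az in azs:
            if cursor + size > end:
                raise ValueError(f"{vpc} exhausted while allocating {tier} in {az}")
            plan[(tier, az)] = ipaddress.IPv4Network((cursor, prefix))
            cursor += size
    return plan


if __name__ == "__main__":
    # Hypothetical layout: two AZs, three tiers, sized by expected instance count.
    layout = plan_subnets(
        "10.20.0.0/16",
        azs=["us-east-1a", "us-east-1b"],
        tiers={"web": 50, "app": 200, "db": 4},
        onprem_cidrs=["10.0.0.0/16", "192.168.0.0/16"],
    )
    for (tier, az), net in sorted(layout.items(), key=lambda kv: kv[1]):
        print(f"{tier:4} {az:12} {str(net):18} usable={usable_hosts(net)}")
```

With these inputs the app tier gets a /24 per AZ, the web tier a /26 and the database tier a /28, and the whole plan consumes three /24s of the /16, leaving plenty of room for the staging and test/dev VPCs that should get their own, non-overlapping ranges.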

Implement a restrictive security policy: A well-run firewall blocks traffic by default and allows only what's necessary. Security groups already work that way, since they contain only allow rules and drop anything not explicitly permitted, but the default network ACL that ships with every VPC allows all traffic in both directions. Amazon VPC best practices call for custom network ACLs that follow the same default-deny model, remembering that they are stateless and so need explicit rules for return traffic on ephemeral ports. Route tables should give a subnet a path to the Internet Gateway, a NAT gateway or the Virtual Private Gateway only if that subnet needs it; traffic between subnets inside a VPC always matches the local route, so it is filtered by security groups and network ACLs rather than by routing.

Assign IP addresses to instances: It's easy to forget that EC2 instances launched into a non-default subnet aren't automatically assigned a public IP address (only default subnets auto-assign one). An instance that must accept connections from the internet needs a public or Elastic IP and a route to the Internet Gateway, or, better, should sit behind Elastic Load Balancing so that only the load balancer is exposed. Instances that only need outbound access, for patching or API calls, should have no public address at all and reach the internet through a NAT gateway in a public subnet.
