chapter five

5 Network Access Protection beyond the VPC


This chapter covers

  • Using VPC endpoints to connect privately to AWS services, which reduces your resources' exposure to the public internet.
  • Creating and connecting to your own VPC endpoint service so that calls to your own applications get the same protections that VPC endpoints provide for AWS services.
  • Enabling AWS Web Application Firewall managed rule groups to defend your applications against the most common web application attacks with little effort.
  • Writing your own custom AWS Web Application Firewall rules to cover additional security risks specific to your application.
  • Understanding the distributed denial-of-service (DDoS) protections automatically applied by AWS Shield Standard, and the additional safeguards provided by AWS Shield Advanced.
  • Integrating third-party firewall products offered through the AWS Marketplace to protect against sophisticated network-based attacks.

In the last chapter we examined the networking primitives available in AWS, such as VPCs, subnets, and security groups, and saw how to use them to limit the traffic allowed to reach our EC2 instances and other networked resources. In this chapter we take that further and look at more advanced ways of securing networks: keeping traffic to AWS services and to our own services off the public internet, filtering malicious web requests, absorbing denial-of-service attacks, and bringing in third-party firewalls where the native controls are not enough.

5.1   Securing Access to Services with VPC Endpoints and PrivateLink

5.1.1   What's Wrong With Public Traffic?

5.1.2   Using VPC Endpoints

5.1.3   Creating a PrivateLink Service

5.2   Blocking Malicious Traffic with AWS Web Application Firewall

5.2.1   Using WAF Managed Rules

5.2.2   Blocking Real-World Attacks with Custom AWS WAF Rules

5.2.3   When to Use AWS WAF

5.3   Protecting Against Distributed Denial-of-Service Attacks Using AWS Shield

5.3.1   Free Protection with Shield Standard

5.3.2   Stepping Up Protection with Shield Advanced

5.4   Integrating Third-Party Firewalls

5.4.1   Web Application and Next-Gen Firewalls

5.4.2   Setting Up a Firewall from AWS Marketplace

5.5   Summary