6 Network access protection beyond the VPC

This chapter covers

  • Connecting to AWS services via VPC endpoints
  • Creating custom VPC endpoint services
  • Writing custom firewall rules
  • Understanding AWS Shield protections
  • Integrating third-party firewalls

In the last chapter we examined the networking primitives available in AWS, including VPCs, subnets, and security groups. We saw how we can use these to limit the traffic we allow to our EC2 instances and other networked resources. In this chapter we’ll take that even further, looking at more advanced ways of securing networks.

One of the benefits of VPC peering, which we talked about in chapter 5, is that it allows you to route traffic between resources without going over the public internet. In this chapter we’ll talk more about the issues around routing traffic over the public internet and two additional ways of avoiding it.

The first way deals with privately connecting to an AWS service from one of your resources using VPC endpoints. An example would be if you had an EC2 instance that called another AWS service like SQS. Figure 6.1 shows how VPC endpoints fit into the network in that situation, allowing a private instance to connect to various AWS services.

Figure 6.1 Interface VPC endpoints allow you to access AWS services, such as API Gateway, Kinesis, or SQS, from a private subnet. No internet gateway is required.
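The situation in figure 6.1 as a worked configuration: an interface endpoint for SQS that a private-subnet EC2 instance can reach without any internet gateway. This is an added Terraform example, not code from the book; `var.vpc_id`, `var.private_subnet_ids`, `var.instance_sg_id`, `var.region` and `var.queue_arn` are assumed placeholders for your own resources.

```hcl
# Added example (not from the book): interface VPC endpoint for SQS reachable
# only from a private subnet. All var.* values are assumed placeholders.

# Security group for the endpoint's network interfaces: only the instance's
# own security group may reach it, and only on 443 (the SQS API is HTTPS).
resource "aws_security_group" "sqs_endpoint" {
  name   = "sqs-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.instance_sg_id]
  }
}

# Endpoint policy: even with network reachability, calls through this
# endpoint may only touch the one queue. The caller's IAM policy still applies.
data "aws_iam_policy_document" "sqs_endpoint" {
  statement {
    effect = "Allow"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    resources = [var.queue_arn]
  }
}

resource "aws_vpc_endpoint" "sqs" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.sqs_endpoint.id]
  # Private DNS makes the regional SQS hostname resolve to the endpoint's
  # interfaces, so unmodified SDK calls stay inside the VPC.
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.sqs_endpoint.json
}
```

With private DNS enabled you can confirm the path from the instance by resolving `sqs.<region>.amazonaws.com`: it should return addresses inside your private subnets rather than public AWS ranges.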

6.1 Securing access to services with VPC endpoints and PrivateLink

6.1.1 What’s wrong with public traffic?

6.1.2 Using VPC endpoints

6.1.3 Creating a PrivateLink service

6.2 Blocking malicious traffic with AWS Web Application Firewall

6.2.1 Using WAF managed rules

6.2.2 Blocking real-world attacks with custom AWS WAF rules

6.2.3 When to use AWS WAF

6.3 Protecting against distributed denial of service attacks using AWS Shield

6.3.1 Free protection with Shield Standard