AWS networking is probably the most important thing that people don’t want to think about. While networking in the cloud is similar to traditional on-premises networking, there are a few key differences, and most of them come down to route tables and two kinds of firewall. Here are a few terms that people may or may not be familiar with:
VPC – Stands for virtual private cloud. Essentially it’s a managed, isolated network: every network-attached resource you create (EC2 instances, RDS databases, load balancers, Lambda functions that need VPC access) must live in a VPC. You can have multiple VPCs per account and even have them talk with one another (so long as their CIDR ranges don’t overlap, since there is no NAT between peered VPCs).
Internet Gateway (IGW) – An IGW is the virtual appliance that carries traffic between your VPC and the public internet, performing 1:1 NAT between an instance’s private address and its public or Elastic IP. It’s more an abstract concept than an actual service you administer: you can’t configure anything on it beyond attaching it to a VPC and pointing a route table at it. Traffic only reaches the IGW if a subnet’s route table sends it there, and visibility comes from VPC Flow Logs on the interfaces and subnets, not from the gateway itself.
NAT Gateway – A NAT gateway is a managed NAT. It sits in a public subnet with an Elastic IP and forwards outbound traffic to the internet through the IGW; instances in private subnets point their default route at it so they can reach out to the internet without holding a public IP or accepting any inbound connection. It is zonal, so a highly available design needs one per AZ.
Availability Zone (AZ) – In AWS an availability zone is one or more discrete data centers with independent power, cooling and networking, located far enough from the other AZs in the region to avoid correlated failures but close enough for low-latency links. Splitting an application across AZs is the basic strategy for redundant, highly available applications.
Public/Private/Data subnet – These are conventions rather than AWS resource types; what distinguishes them is the subnet’s route table. A public subnet has a route to an IGW, so instances that have a public IP can accept and originate internet traffic. A private subnet’s default route points at a NAT gateway, so instances can reach out but nothing on the internet can reach in. A data (or isolated) subnet has no route to either, so it cannot talk to the internet at all; databases and other stores belong here.
Service Endpoints – VPC endpoints allow traffic to reach AWS services such as S3, DynamoDB, STS or KMS without leaving the AWS network. Gateway endpoints (S3 and DynamoDB) are route-table entries; interface endpoints (PrivateLink) are network interfaces placed in your subnets. They keep service traffic off the public internet, let isolated subnets reach the services they need, reduce NAT gateway data-processing costs, and can carry an endpoint policy that restricts which buckets or accounts are reachable through them.
NACLs – Network Access Control Lists are an ordered set of allow and deny rules evaluated at the subnet boundary. They are stateless: a reply packet is evaluated on its own, so permitting an inbound connection also requires an outbound rule for the client’s ephemeral port range (and vice versa). The default NACL allows everything, so it only constrains traffic once you write rules.
Security Groups – Security groups are stateful firewall rules attached to a resource’s network interface that define what traffic can reach it and what it can send. They are more flexible than NACLs: they contain only allow rules, return traffic for an allowed connection is permitted automatically, and a rule’s source can be another security group rather than an IP range, so “the database accepts port 5432 from anything in the app group” can be expressed directly.
VPC Peering – Peering is a one-to-one connection that allows two VPCs (in the same or different accounts or regions) to route to each other over private addresses. Peering is not transitive: if A peers with B and B peers with C, A still cannot reach C.
Transit Gateway – Transit Gateway is an AWS service that lets many VPCs (and VPN or Direct Connect attachments) communicate by routing through a central hub with its own route tables. This is easier than having to peer every VPC with every other VPC, and the hub’s route tables let you control which VPCs may reach which.
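As an added example that is not from the original post, here is a Terraform layout that wires these terms together: public, private and data subnets whose only difference is their route table, an IGW, a NAT gateway, an S3 gateway endpoint, a stateless NACL on the data tier and a pair of security groups that reference each other. The region, CIDR ranges, ports and resource names are assumptions chosen for illustration, and the layout uses a single AZ for brevity; a production layout repeats the subnets, NAT gateway and private route table in each AZ.

```hcl
provider "aws" { region = "us-east-1" }                    # region and all CIDRs/ports are assumptions
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }   # nothing else on an IGW is configurable
# One subnet per tier in one AZ; for HA, repeat subnets, NAT and private route table per AZ.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.0.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false   # "public" by route only; nothing gets a public IP unless asked
}
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_subnet" "data" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.20.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_route_table" "public" {   # default route -> IGW is what makes the tier "public"
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "nat" {      # lives in the public subnet, egresses through the IGW
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}
resource "aws_route_table" "private" {  # default route -> NAT: outbound works, nothing can connect in
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
resource "aws_route_table" "data" { vpc_id = aws_vpc.main.id }   # no default route: no internet path at all
resource "aws_route_table_association" "data" {
  subnet_id      = aws_subnet.data.id
  route_table_id = aws_route_table.data.id
}
resource "aws_vpc_endpoint" "s3" {      # private and data tiers reach S3 without the NAT or IGW
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id, aws_route_table.data.id]
}
# NACLs are stateless: allowing 5432 in is not enough, replies to the app tier's ephemeral ports need their own egress rule.
resource "aws_network_acl" "data" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.data.id]
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.private.cidr_block
    from_port  = 5432
    to_port    = 5432
  }
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.private.cidr_block
    from_port  = 1024
    to_port    = 65535
  }
}
# Security groups are stateful (replies are implicit) and can reference each other.
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.main.id
  egress {   # Terraform drops AWS's default allow-all egress, so re-add it; inbound stays closed
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "db" {    # admits 5432 from whatever carries the app group; no egress needed
  vpc_id = aws_vpc.main.id
  ingress {
    protocol        = "tcp"
    from_port       = 5432
    to_port         = 5432
    security_groups = [aws_security_group.app.id]
  }
}
```

The instructive parts are that the three subnets are created identically and only their route tables differ, that the data route table has no 0.0.0.0/0 entry at all, and that the NACL needs an explicit egress rule for ports 1024-65535 while the db security group needs no egress rule for the same conversation. Replace the NAT gateway's role with an endpoint policy on the S3 endpoint if you also want to restrict which buckets the private tiers can reach.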
There’s been a ton of coverage of the recently discovered Capital One breach. I’m generally very skeptical when AWS security makes the news; so far, most “breaches” have been a result of the customer implementing AWS services in an insecure manner, usually by allowing unrestricted internet access and often overriding defaults to remove safeguards (I’m looking at you, NICE and Accenture and Dow Jones!). Occasionally, a discovered “AWS vulnerability” impacts a large number of applications in AWS – and it also impacts any similarly-configured applications that are *not* in AWS (see, for example, this PR piece…um,…