In cloud terms, a VPN, or Virtual Private Network, is a network connection between your Amazon resources within an AWS VPC and data or services in your own local data center. Such architectures are often called hybrid cloud deployments because part of the infrastructure lives in the Amazon cloud [or in a third-party data center not controlled by your company] and part resides at your physical location. To configure and establish the connectivity needed for such a network, you’ll first need to identify your customer gateway.
The customer gateway is usually a physical firewall device, such as a Juniper appliance, sitting at the edge of your local network. You’ll also need to create the VPN connection itself and a Virtual Private Gateway (VPG) with its routing rules, and then associate the VPG with your VPC. Even if you don’t want to split your data and applications between the AWS cloud and your local data center, you might still benefit from a faster connection to Amazon, which allows greater security and much faster transfer speeds between your office and your AWS resources.
A VPC gives you complete control over your virtual network, from defining your subnets and IP addressing scheme to configuring route tables and network gateways. Another way to think of a VPC is that it’s similar to a traditional private data center or corporate network; by extending your corporate or home network into it, you are actually creating a hybrid cloud in which you can reach resources both in the VPC and on your corporate or home network. A VPC offers:
- A multitude of connectivity options to address the needs of your business and applications: public and private subnets, connections to your data center, VPC peering, VPN connections, or simply access to the internet.
- The ability to define your own subnets and IP addressing scheme, control routing through custom route tables, and assign multiple IP addresses to your instances if required.
- Advanced security. Through a layered security model, with network ACLs controlling ingress and egress filtering of traffic at the subnet level and security groups at the instance level, you have total control from the subnet all the way down to the individual instance.
- The choice of single-tenant hardware: instances that run on dedicated hardware assigned to a single customer, for additional isolation.
Architecting and Designing a VPC
VPCs can be quite complicated to set up in AWS, or in any other IaaS/PaaS cloud. A few key areas to consider when building your VPC architecture are the following:
- Security and audit requirements
- Risk and separation
- Application isolation
- Differing environments [production, development, testing]
- Specific tenancy requirements
- Business requirements [throughput, number of users, types of data, etc.]
A single VPC is by far the easiest to deploy. You can use subnets, security groups and network ACLs to secure it. The benefits of a single VPC are simplicity of deployment and cost control. The drawbacks of a single VPC are:
- no role separation
- a single problem could potentially affect a large number of resources
- low isolation, and weak security and audit boundaries
The other extreme from a single VPC is to have hundreds of VPCs; you can think of this as having a dedicated data center per application or role. The benefits of having hundreds of VPCs are very strong isolation and role separation.
The disadvantages of multiple VPCs are:
- management complexity
- networking complexity
- data center or AWS limits
The best option for most organizations is to find a balance between a single VPC and hundreds of VPCs, focusing on the key requirements: role separation, cost control, AWS resource limits, isolation, and management complexity.
You can leverage the multiple constructs AWS gives you, namely accounts, VPCs and security groups, whilst adhering to existing service limits and IAM access control. One of the most important and time-consuming parts of designing your VPC is deciding on the network addressing scheme and the IP address space for the VPC, because the CIDR can’t be modified after the VPC has been created.
Items to worry about:
You need to work closely with your network team in defining the IP address space, and consider the following during the process:
- Allow for expansion of the AWS region.
- Subnets can’t span availability zones.
- Consider future connectivity requirements to internal networks, for example moving from VPN to AWS Direct Connect, and VPC peering.
- Avoid overlapping IP address spaces: plan for expansion to internal networks or other business partners, even if it is not a requirement today.
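The checks above can be automated before the VPC is created, which is the only point at which the CIDR is still cheap to change. The following is an added example, not code from the original page: it validates a constructed addressing plan (the VPC block, one subnet per tier per availability zone, and the on-premises and partner ranges it will later be connected to) for subnets outside the VPC, overlapping subnets, overlap with remote networks, and headroom for growth. The CIDRs and names are made up for illustration.

```python
import ipaddress

# Constructed sample plan, not from the page: one VPC, one subnet per tier per AZ
# (a subnet cannot span AZs), and the remote ranges the VPC will be connected to later.
VPC_CIDR = "10.20.0.0/16"
SUBNETS = {
    "app-us-east-1a": "10.20.0.0/20",
    "app-us-east-1b": "10.20.16.0/20",
    "db-us-east-1a":  "10.20.32.0/22",
    "db-us-east-1b":  "10.20.36.0/22",
}
REMOTE_RANGES = {  # reachable today or later over VPN, Direct Connect or peering
    "corp-hq": "10.16.0.0/12",    # contains 10.20.0.0/16, so this plan must be flagged
    "partner": "172.16.0.0/16",
}

def check_plan(vpc_cidr, subnets, remote_ranges):
    """Return a list of findings for an addressing plan; an empty list means it passes."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    # every subnet must be carved out of the VPC block
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name} {net} lies outside VPC {vpc}")
    # subnets must not overlap each other
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # the VPC must not overlap any network it will ever be routed to
    for rname, rcidr in remote_ranges.items():
        rnet = ipaddress.ip_network(rcidr)
        if vpc.overlaps(rnet):
            findings.append(f"VPC {vpc} overlaps {rname} {rnet}; routes would be ambiguous")
    # the CIDR cannot be changed later, so leave headroom for new subnets and AZs
    used = sum(net.num_addresses for net in nets.values())
    if used * 2 > vpc.num_addresses:
        findings.append(f"{used} of {vpc.num_addresses} addresses already allocated; little room to grow")
    return findings

if __name__ == "__main__":
    for finding in check_plan(VPC_CIDR, SUBNETS, REMOTE_RANGES):
        print("FINDING:", finding)
```

Run against the sample plan it reports only the corp-hq overlap; fixing that means choosing a different VPC block, not a different subnet, which is why this is worth doing before the VPC exists.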
When you’re building your VPC, you need to consider how to secure the resources that you will be hosting in it. A best practice is to secure your infrastructure, utilizing multiple layers of defense and segmentation. By taking this approach, you’re able to further secure your environment through the use of security groups and network ACLs at the infrastructure and subnet levels.
Segmentation covers two different concepts, namely network segmentation and security zoning. Network segmentation is simply the isolation of one network from another, so that any routed traffic between those networks must traverse a security system such as a firewall. In AWS this is accomplished with a VPC to create an isolated network, security groups to control access to instances (they are stateful firewalls, so once a session is allowed its return traffic is allowed in the other direction), and network ACLs, which provide stateless filtering of IP traffic on a per source/destination address basis.
Security zoning means grouping system components that have similar security levels and share a set of common controls: authorization and access control; audit logging that meets the requirements for event analysis, correlation and incident tracking; data classification of the content (for example restricted, confidential, or PII, personally identifiable information); and a common management infrastructure.
Security best practices:
- For large-scale deployments, use a layered security model and apply network security at each of the layers.
- Always use security groups.
- Supplement security groups with network ACLs.
- Use IAM and ensure separation of duties between those who manage security groups and those who manage network ACLs.
- Use AWS Direct Connect or IPsec for connections to internal networks or other sites.
- Protect data in transit.
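The stateful/stateless distinction described under segmentation is the reason "supplement security groups with network ACLs" has a catch: a NACL must explicitly allow the return traffic that a security group admits automatically. The following is an added example, not code from the original page, that models both filters over one constructed HTTPS exchange (a client at 203.0.113.5 reaching an instance at 10.20.1.10); the rule numbers, addresses and class names are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# direction is "in" (towards the instance) or "out" (leaving it); sport/dport are TCP ports
Packet = namedtuple("Packet", "src dst sport dport direction")

@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str         # remote peer range
    low: int          # destination port range
    high: int
    allow: bool = True
    number: int = 0   # NACL evaluation order; ignored by security groups
    def matches(self, p: Packet) -> bool:
        peer = p.src if p.direction == "in" else p.dst
        return (self.direction == p.direction
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)
                and self.low <= p.dport <= self.high)

class SecurityGroup:
    """Stateful: an allowed packet registers its flow, so the reply is admitted without a rule."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def permits(self, p: Packet) -> bool:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:  # reply to a tracked flow
            return True
        allowed = any(r.allow and r.matches(p) for r in self.rules)
        if allowed:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return allowed

class NetworkAcl:
    """Stateless: every packet, replies included, hits the lowest-numbered matching rule."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
    def permits(self, p: Packet) -> bool:
        hit = next((r for r in self.rules if r.matches(p)), None)
        return hit.allow if hit is not None else False  # no match: implicit deny ("*" rule)

def https_exchange(sg, acl):  # -> (request admitted, reply admitted) for a constructed HTTPS hit
    req = Packet("203.0.113.5", "10.20.1.10", 50000, 443, "in")
    rep = Packet("10.20.1.10", "203.0.113.5", 443, 50000, "out")
    return (acl.permits(req) and sg.permits(req), acl.permits(rep) and sg.permits(rep))

SG_RULES = [Rule("in", "0.0.0.0/0", 443, 443)]             # replies need no outbound rule
ACL_WEAK = [Rule("in", "0.0.0.0/0", 443, 443, number=100)]  # outbound ephemeral-port rule missing
ACL_FIXED = ACL_WEAK + [Rule("out", "0.0.0.0/0", 1024, 65535, number=100)]
```

With ACL_WEAK the request reaches the instance but the reply is dropped at the subnet boundary; ACL_FIXED adds the outbound rule for the client's ephemeral port range, which is the rule most often forgotten when a NACL is layered on top of working security groups.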