
AWS Network Architecture: Security and Compliance Master Study Guide

AWS network architecture that meets security and compliance requirements


This guide covers the architectural patterns and service configurations required to build AWS networks that satisfy rigorous security standards and regulatory compliance frameworks (e.g., HIPAA, PCI-DSS, GDPR).

Learning Objectives

After studying this material, you should be able to:

  • Design isolated network segments using VPCs and subnets.
  • Implement multi-layered defense strategies for inbound, outbound, and inter-VPC traffic.
  • Automate network auditing and logging using AWS-native services.
  • Architect for high availability and disaster recovery within compliance constraints.
  • Differentiate between stateful and stateless filtering mechanisms.

Key Terms & Glossary

  • VPC PrivateLink: A technology that provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
  • Security Group: A virtual firewall for EC2 instances to control incoming and outgoing traffic (stateful).
  • Network ACL (NACL): An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (stateless).
  • Transit Gateway: A network transit hub that simplifies inter-VPC connectivity and scales across thousands of VPCs and on-premises connections.
  • AWS Artifact: A self-service portal for on-demand access to AWS’s compliance reports and online agreements.

The "Big Idea"

The core philosophy of AWS secure networking is Defense in Depth. Rather than relying on a single perimeter, security is baked into every layer: the network interface (Security Groups), the subnet boundary (NACLs), the VPC edge (Internet Gateways/WAF), and the inter-service communication (PrivateLink).

Formula / Concept Box

Feature    | Security Group (SG)                                 | Network ACL (NACL)
Layer      | Instance/ENI level                                  | Subnet level
State      | Stateful: return traffic is automatically allowed   | Stateless: return traffic must be explicitly allowed
Rules      | Supports "Allow" rules only                         | Supports "Allow" and "Deny" rules
Processing | All rules evaluated before deciding                 | Rules processed in numbered order

Hierarchical Outline

  • I. Network Isolation & Segmentation
    • VPC & Subnets: Using CIDR blocks to isolate environments (Prod vs. Dev).
    • Multi-Account Strategy: Utilizing AWS Control Tower for centralized governance.
  • II. Traffic Protection Patterns
    • Inbound Security: AWS WAF for Layer 7, Shield for DDoS, and Network Firewall for deep packet inspection.
    • Outbound Security: Using NAT Gateways and Forward Proxies to filter egress traffic.
    • Inter-VPC Security: Comparing VPC Peering (point-to-point) vs. Transit Gateway (hub-and-spoke).
  • III. Monitoring and Logging
    • VPC Flow Logs: Capturing IP traffic information for auditing and troubleshooting.
    • Traffic Mirroring: Copying ENI traffic for inspection by security appliances.
    • AWS Config: Tracking resource configuration changes over time for compliance.

Visual Anchors

Inbound Traffic Security Flow (diagram not reproduced)

Three-Tier Architecture Isolation

\begin{tikzpicture}[node distance=1.5cm, every node/.style={draw, rectangle, align=center, minimum width=2.5cm}]
  \node (pub) [fill=green!10] {Public Subnet\\(Web Tier)};
  \node (priv) [below of=pub, fill=blue!10] {Private Subnet\\(App Tier)};
  \node (db) [below of=priv, fill=red!10] {Database Subnet\\(Data Tier)};
  \draw [<->, thick] (pub) -- (priv) node[midway, right, draw=none] {SG Allowed};
  \draw [<->, thick] (priv) -- (db) node[midway, right, draw=none] {SG Allowed};
  \draw [dashed, red, thick] (pub) to [bend right=45] (db);
  \node at (-2.5, -1.5) [draw=none, red] {Direct Access Blocked};
\end{tikzpicture}

Definition-Example Pairs

  • Stateful Filtering: A firewall that remembers the state of active connections.
    • Example: If you allow an inbound request on port 80 to an EC2 instance, the Security Group automatically allows the response to leave the instance regardless of outbound rules.
  • Untrusted Network (DMZ): A perimeter VPC or subnet that hosts internet-facing resources.
    • Example: Placing a fleet of NGINX reverse proxies in a public subnet to inspect traffic before forwarding it to the internal application VPC via a Transit Gateway.

Worked Examples

Scenario 1: Securing a Legacy Application

Problem: A legacy app requires access to an S3 bucket, but compliance forbids the use of an Internet Gateway.

Solution:

  1. Create an Interface VPC Endpoint (powered by PrivateLink) or a Gateway VPC Endpoint for S3.
  2. Update the VPC Route Table to point S3 traffic to the Endpoint.
  3. Modify the S3 Bucket Policy to only allow access from that specific VPC Endpoint ID.
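Step 3 in code, as an added example that is not part of the study guide: the bucket policy that denies any S3 action not arriving through the endpoint, plus a small evaluator that models how IAM decides this one Deny/StringNotEquals pattern. The bucket name and endpoint ID are placeholders.

```python
# Added example (not from the study guide): build the bucket policy for step 3 of
# Scenario 1 and check how it decides. The endpoint ID and bucket name are
# placeholders; the evaluator only models this one Deny/StringNotEquals pattern.

VPCE_ID = "vpce-0123456789abcdef0"   # placeholder, not a real endpoint

def endpoint_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every S3 action on the bucket unless the request arrived through
    vpce_id. aws:sourceVpce is the condition key S3 populates for endpoint traffic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def request_denied(policy: dict, request_ctx: dict) -> bool:
    """Does an explicit Deny in the policy apply to this request context?
    Mirrors IAM's rule that a negated condition such as StringNotEquals is TRUE
    when the key is absent, so a console or CLI call that never traversed the
    endpoint (no aws:sourceVpce in its context) is denied as well."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        # Every key in one condition block must hold for the block to match.
        if all(request_ctx.get(k) != v for k, v in cond.items()):
            return True
    return False

def demo():
    policy = endpoint_only_bucket_policy("example-compliance-bucket", VPCE_ID)
    return {
        "via_endpoint": request_denied(policy, {"aws:sourceVpce": VPCE_ID}),
        "other_endpoint": request_denied(policy, {"aws:sourceVpce": "vpce-0fedcba9876543210"}),
        "no_endpoint_console": request_denied(policy, {}),
    }

if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name}: {'DENIED' if denied else 'allowed'}")
```

The third case is the one to plan for: the Deny also applies to administrators working from outside the VPC, so arrange a management path before attaching the policy.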

Scenario 2: Centralized Egress Inspection

Problem: An organization needs to ensure all outbound traffic from 50 VPCs is inspected for malware.

Solution:

  1. Deploy a Transit Gateway (TGW).
  2. Create a "Security VPC" containing AWS Network Firewall or a 3rd party appliance.
  3. Route all 0.0.0.0/0 traffic from spoke VPCs to the TGW, which then routes it to the Security VPC for inspection before hitting the NAT Gateway.

Checkpoint Questions

  1. Which service provides a dashboard to monitor compliance across a multi-account AWS environment?
  2. True or False: A Network ACL is applied at the EC2 instance level.
  3. How does VPC PrivateLink differ from VPC Peering regarding IP address space?
  4. What is the benefit of using AWS Artifact during a regulatory audit?

Answers

  1. AWS Control Tower (or AWS Config aggregators).
  2. False (NACLs are at the Subnet level; Security Groups are at the Instance/ENI level).
  3. PrivateLink does not require non-overlapping CIDRs and only exposes specific services, whereas Peering connects entire networks and requires unique IP ranges.
  4. It provides the actual SOC, PCI, and ISO reports that auditors require to prove AWS infrastructure compliance.

Muddy Points & Cross-Refs

  • Security Groups vs. NACLs: Most students struggle with the stateless nature of NACLs. Remember: if you open port 80 inbound in an NACL, you must also open the ephemeral port range (1024-65535) outbound for the response.
  • Transit Gateway vs. Peering: Use Peering for simple, low-latency connections between two VPCs. Use Transit Gateway for complex "mesh" architectures or when connecting more than 10 VPCs.
  • Further Study: See Chapter 8 of the Advanced Networking Study Guide for deep dives into Routing and TGW Route Tables.
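The Concept Box and the first muddy point above in code, as an added example that is not part of the study guide: a toy model of a stateless NACL (numbered rules, first match wins, request and reply judged separately) beside a stateful Security Group, run over constructed rule sets that include the classic missing-ephemeral-range mistake.

```python
from dataclasses import dataclass

# Added example (not from the study guide): a toy model of how a stateless NACL
# and a stateful Security Group treat the same HTTP flow. Rule sets below are
# constructed for illustration and only model TCP ports, not CIDRs or protocols.

@dataclass
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def nacl_decide(rules, port):
    """Stateless NACL semantics: walk rules in numbered order, first match wins,
    and the implicit '*' rule at the end denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False

def nacl_flow_allowed(inbound, outbound, dst_port, client_port):
    """A NACL keeps no connection state, so the request (inbound, to dst_port)
    and the reply (outbound, to the client's ephemeral port) are judged separately."""
    return nacl_decide(inbound, dst_port) and nacl_decide(outbound, client_port)

def sg_flow_allowed(inbound_ports, dst_port):
    """Stateful Security Group: once the inbound request matches, the reply is
    allowed automatically, whatever the outbound rules say."""
    return dst_port in inbound_ports

INBOUND = [Rule(100, 80, 80, "allow")]
OUTBOUND_NO_EPHEMERAL = [Rule(100, 443, 443, "allow")]            # the classic mistake
OUTBOUND_FIXED = OUTBOUND_NO_EPHEMERAL + [Rule(110, 1024, 65535, "allow")]
ORDERED = [Rule(100, 80, 80, "allow"), Rule(90, 80, 80, "deny")]  # 90 is evaluated first

def demo(client_port=51234):
    return {
        "nacl_without_ephemeral": nacl_flow_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL, 80, client_port),
        "nacl_with_ephemeral": nacl_flow_allowed(INBOUND, OUTBOUND_FIXED, 80, client_port),
        "sg": sg_flow_allowed({80}, 80),
        "deny_wins_by_order": nacl_decide(ORDERED, 80),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```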

Comparison Tables

Compliance Toolset

Tool              | Primary Function               | Audit Evidence
AWS Config        | Resource configuration history | Change logs for resources
AWS CloudTrail    | API call logging               | "Who, What, When" of actions
AWS Control Tower | Multi-account governance       | Guardrail compliance status
VPC Flow Logs     | Network traffic metadata       | IP traffic source/destination logs
