Hands-On Lab

Lab: Implementing Secure Network Architectures and Compliance Verification

Implement and maintain network features to meet security and compliance needs and requirements

This hands-on lab focuses on Domain 4.1 of the AWS Certified Advanced Networking Specialty (ANS-C01) exam. You will build a secure multi-tier network, implement traffic filtering, enable auditing through VPC Flow Logs, and verify security intent using the Reachability Analyzer.

[!WARNING] This lab involves creating resources that may incur costs if left running. Always perform the Teardown section at the end.

Prerequisites

  • An active AWS Account.
  • AWS CLI installed and configured with appropriate credentials.
  • IAM permissions: AdministratorAccess or a policy allowing EC2, VPC, CloudWatch, and Network Insights actions.
  • Target Region: us-east-1 (recommended).

Learning Objectives

  • Deploy a multi-tier VPC architecture with distinct security boundaries.
  • Configure Security Groups and Network ACLs (NACLs) to enforce the principle of least privilege.
  • Implement VPC Flow Logs for network auditing and compliance.
  • Validate network connectivity intent using AWS Reachability Analyzer.

Architecture Overview

We will deploy a simplified two-tier architecture: a Public Subnet for an Elastic Load Balancer (ELB) and a Private Subnet for an Application Server. Traffic between the tiers will be strictly controlled and logged. Note that the commands below build the network and its controls only; the load balancer and the application server themselves are not launched, so where a step needs an actual endpoint (Step 4) you will have to supply one.

Step-by-Step Instructions

Step 1: Create the VPC and Subnets

First, define the foundational network space and its sub-segments.

```bash
# Create the VPC
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text)
aws ec2 create-tags --resources $VPC_ID --tags Key=Name,Value=Secure-Lab-VPC

# Create Public Subnet
PUB_SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --query 'Subnet.SubnetId' --output text)

# Create Private Subnet
PRIV_SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.2.0/24 --query 'Subnet.SubnetId' --output text)
```

Console alternative

Navigate to VPC > Your VPCs > Create VPC. Select "VPC only". Provide Name and CIDR. Then go to Subnets > Create subnet, selecting your new VPC and defining the two CIDR blocks manually.

Step 2: Implement Least-Privilege Security Groups

We will create a Security Group for the Application Server that only allows traffic from a (hypothetical) Load Balancer Security Group.

```bash
# Create App Security Group
APP_SG_ID=$(aws ec2 create-security-group --group-name AppServerSG --description "SG for App Server" --vpc-id $VPC_ID --query 'GroupId' --output text)

# Allow ingress on TCP 8080 (limited to the VPC CIDR for this lab exercise;
# the default egress rule, allow all, is left in place)
aws ec2 authorize-security-group-ingress --group-id $APP_SG_ID --protocol tcp --port 8080 --cidr 10.0.0.0/16
```

[!TIP] In a production environment, reference the Load Balancer's Security Group ID as the source (the --source-group option of authorize-security-group-ingress) rather than a CIDR range. A CIDR rule admits any host that lands in the range, including a compromised one; a source-group rule follows the load balancer's interfaces and nothing else.

Step 3: Enable VPC Flow Logs for Compliance

For audit purposes, we must capture metadata about the traffic flowing through our network. Flow Logs record connection metadata for each network interface in the VPC (source and destination addresses and ports, protocol, byte and packet counts, and whether the Security Groups and NACLs accepted or rejected the flow); they do not capture packet payloads.

```bash
# Create a CloudWatch Log Group
aws logs create-log-group --log-group-name /aws/vpc/secure-lab-flowlogs

# Create the Flow Log. Delivery to CloudWatch Logs requires an IAM role that
# trusts vpc-flow-logs.amazonaws.com and allows logs:CreateLogGroup,
# logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and
# logs:DescribeLogStreams. Substitute that role's ARN below.
aws ec2 create-flow-logs --resource-ids $VPC_ID --resource-type VPC --traffic-type ALL --log-group-name /aws/vpc/secure-lab-flowlogs --deliver-logs-permission-arn <YOUR_FLOW_LOG_ROLE_ARN>
```
Console alternative

Select your VPC in the console, click the Flow logs tab, and click Create flow log. Set the destination to CloudWatch Logs and choose an appropriate IAM role.

Step 4: Verify Connectivity with Reachability Analyzer

Instead of "pinging" (ICMP is often blocked, and a blocked ping says nothing about whether TCP 8080 would get through), we use the Reachability Analyzer. It analyses the configuration itself (route tables, Security Groups, NACLs and gateways) and reports whether a path exists for the given protocol and port, without sending any packets.

```bash
# A path is defined between two resources such as network interfaces (ENIs),
# instances, gateways or endpoints; a subnet ID is not accepted as a source or
# destination. Use one ENI in the Public Subnet and one in the Private Subnet
# that has AppServerSG attached (launch small instances if you have none).
PATH_ID=$(aws ec2 create-network-insights-path \
  --source <PUBLIC_ENI_ID> --destination <PRIVATE_ENI_ID> \
  --protocol tcp --destination-port 8080 \
  --query 'NetworkInsightsPath.NetworkInsightsPathId' --output text)
```
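Creating the path only defines the question; the answer comes from an analysis, which runs asynchronously and must be polled. Checking it by hand in the console is fine once, but for repeatable compliance verification you want the analysis started, awaited and interpreted in code. The script below is an added example, not part of the original lab. It uses the boto3 EC2 client methods start_network_insights_analysis and describe_network_insights_analyses; FakeEC2 is a constructed stand-in that lets the script run offline, and the IDs and the ExplanationCode value it returns are illustrative, not real API output. Pass a real path ID (the nip-... value from the step above) on the command line to run it against your account.

```python
"""Start one Reachability Analyzer analysis, wait for it to finish, and
reduce the result to what a compliance check needs."""
import sys
import time


def start_and_wait(ec2, path_id, timeout=120, poll=5):
    """Analyse `path_id` with a boto3-style EC2 client; return the finished
    analysis record (a dict in the DescribeNetworkInsightsAnalyses shape)."""
    resp = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = resp["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.time() + timeout
    while True:
        page = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])
        analysis = page["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            return analysis
        if time.time() > deadline:
            raise TimeoutError(f"analysis {analysis_id} still {analysis['Status']}")
        time.sleep(poll)


def summarize(analysis):
    """Return whether the path is reachable and, if not, which security group
    or network ACL rule the analyzer blamed."""
    if analysis["Status"] != "succeeded":
        return {"reachable": None, "blockers": [],
                "error": analysis.get("StatusMessage")}
    blockers = []
    for exp in analysis.get("Explanations", []):
        entry = {"code": exp.get("ExplanationCode"), "direction": exp.get("Direction")}
        if "Acl" in exp:
            rule = exp.get("AclRule", {})
            entry["component"] = exp["Acl"]["Id"]
            entry["rule"] = (f"NACL rule {rule.get('RuleNumber')} "
                             f"{rule.get('RuleAction')} egress={rule.get('Egress')}")
        elif "SecurityGroup" in exp:
            entry["component"] = exp["SecurityGroup"]["Id"]
            entry["rule"] = "no security group rule permits this flow"
        blockers.append(entry)
    return {"reachable": analysis["NetworkPathFound"], "blockers": blockers}


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the script runs offline.
    It answers 'running' once, then returns an unreachable result blamed on a
    NACL deny rule, as in the stretch challenge. The IDs and the explanation
    code are illustrative values, not real API output."""

    def __init__(self):
        self.polls = 0

    def start_network_insights_analysis(self, NetworkInsightsPathId):
        return {"NetworkInsightsAnalysis":
                {"NetworkInsightsAnalysisId": "nia-0123456789abcdef0"}}

    def describe_network_insights_analyses(self, NetworkInsightsAnalysisIds):
        self.polls += 1
        status = "running" if self.polls < 2 else "succeeded"
        body = {"NetworkInsightsAnalysisId": NetworkInsightsAnalysisIds[0],
                "Status": status}
        if status == "succeeded":
            body["NetworkPathFound"] = False
            body["Explanations"] = [{
                "ExplanationCode": "ACL_RESTRICTION",   # illustrative value
                "Direction": "ingress",
                "Acl": {"Id": "acl-0fedcba9876543210"},
                "AclRule": {"RuleNumber": 100, "RuleAction": "deny", "Egress": False,
                            "Protocol": "6", "Cidr": "0.0.0.0/0",
                            "PortRange": {"From": 8080, "To": 8080}},
            }]
        return {"NetworkInsightsAnalyses": [body]}


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python script.py nip-xxxx
        import boto3                            # real run against your account
        client, path_id, poll = boto3.client("ec2"), sys.argv[1], 5
    else:                                       # offline demo
        client, path_id, poll = FakeEC2(), "nip-0000000000000000", 0
    print(summarize(start_and_wait(client, path_id, poll=poll)))
```

The summary deliberately keeps only the component ID and the rule: that is the evidence you attach to a compliance finding, and it is what the stretch challenge asks you to observe. Each analysis is billed individually, so poll the status rather than starting a new analysis on every check.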

Checkpoints

  1. VPC Check: Run aws ec2 describe-vpcs --vpc-ids $VPC_ID. Ensure the State is available.
  2. Log Check: Navigate to CloudWatch Logs. Do you see the /aws/vpc/secure-lab-flowlogs group, and log streams named after the ENIs in the VPC? Records only appear once there is traffic on an interface, and can lag by several minutes.
  3. Reachability Check: In the VPC Console, under Network Analysis > Reachability Analyzer, select your path and click Analyze path. It should return "Reachable": the destination ENI's Security Group allows TCP 8080 from 10.0.0.0/16, the default NACL allows all traffic, and the VPC's local route covers both subnets.
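The records that Step 3 delivers to the log group are only useful for compliance if something reads them. The Python below is an added example, not part of the original lab: it parses default-format (version 2) Flow Log records, skips NODATA/SKIPDATA records, counts rejected flows by source and destination port, and flags ACCEPTed ingress into the Private Subnet on any port other than 8080, which is what Security Group drift away from Step 2's least-privilege rule would look like. SAMPLE_LOG is constructed for the example; the account, ENI and addresses are placeholders, not captured data.

```python
"""Parse VPC Flow Log records and check them against the lab's intended policy."""
import ipaddress
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real captures) for the app ENI in 10.0.2.0/24:
# an allowed request on 8080 and its reply, SSH rejected by the SG, a public
# source rejected, an unexpected ACCEPT on 3306, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 50432 8080 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.20 10.0.1.10 8080 50432 6 8 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 50433 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.2.20 41000 8080 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 50434 3306 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Return a dict for one record, or None for malformed lines and for
    NODATA/SKIPDATA records, whose address and port fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def audit(log_text, app_subnet="10.0.2.0/24", allowed_ports=(8080,)):
    """Summarise rejected flows and flag accepted ingress into the app subnet
    on ports outside the intended allow-list (a sign of SG drift)."""
    subnet = ipaddress.ip_network(app_subnet)
    rejects = Counter()
    violations = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        inbound = ipaddress.ip_address(rec["dstaddr"]) in subnet
        if rec["action"] == "REJECT":
            rejects[(rec["srcaddr"], rec["dstport"])] += 1
        elif inbound and rec["dstport"] not in allowed_ports:
            violations.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return {"rejects": dict(rejects), "violations": violations}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for (src, port), n in sorted(result["rejects"].items()):
        print(f"REJECT  {src:>15} -> port {port:<5} x{n}")
    for src, dst, port in result["violations"]:
        print(f"POLICY  {src} -> {dst}:{port} accepted but not in allow-list")
```

Two things the sample shows that a quick glance at the console does not: a REJECT from inside the VPC (10.0.1.10 to port 22) is the Security Group doing its job and is the normal background of a least-privilege design, whereas an ACCEPT on a port you never intended to open (3306) is the finding to chase, because no rule in Step 2 explains it. If you use a custom log format in production, adjust FIELDS to match.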

Teardown

To avoid ongoing charges, delete the resources in this order:

```bash
# Delete Flow Logs (get the ID first via: aws ec2 describe-flow-logs)
aws ec2 delete-flow-logs --flow-log-ids <FLOW_LOG_ID>

# Delete the Reachability Analyzer path, and any instances/ENIs you launched
# for Step 4. If deletion is refused because analyses still exist, remove them
# first with: aws ec2 delete-network-insights-analysis
aws ec2 delete-network-insights-path --network-insights-path-id <PATH_ID>

# Delete the App Security Group (a non-default SG blocks VPC deletion)
aws ec2 delete-security-group --group-id $APP_SG_ID

# Delete Subnets
aws ec2 delete-subnet --subnet-id $PUB_SUBNET_ID
aws ec2 delete-subnet --subnet-id $PRIV_SUBNET_ID

# Delete VPC
aws ec2 delete-vpc --vpc-id $VPC_ID

# Delete Log Group
aws logs delete-log-group --log-group-name /aws/vpc/secure-lab-flowlogs
```

Troubleshooting

| Issue | Possible Cause | Fix |
|---|---|---|
| Reachability Analyzer says "Unreachable" | NACL deny rule, or no matching SG rule on the destination ENI | Read the analysis Explanations: the analyzer names the component (Security Group or NACL) and the rule. Check whether the default NACL has been modified to deny traffic, and that the destination ENI has AppServerSG attached. |
| Flow Logs not appearing | IAM role permissions or trust policy; no traffic yet | Ensure the role trusts vpc-flow-logs.amazonaws.com and allows logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams. Records are only written for interfaces that carry traffic, and delivery can lag by several minutes. |
| VPC deletion fails | Dependency error | Ensure all instances, ENIs, SGs (except default), and Subnets are deleted first. |

Stretch Challenge

Task: Replace the default NACL on the Private Subnet with a custom NACL that denies everything except the application flow: allow inbound TCP 8080 from 10.0.1.0/24 and, because NACLs are stateless, allow outbound TCP 1024-65535 to 10.0.1.0/24 so the replies can leave; leave everything else to the implicit deny rule. Re-run the Reachability Analyzer twice, first without the outbound rule and then with it, and observe how the tool identifies which specific rule (SG vs. NACL, and the rule number) causes a failure.

Cost Estimate

  • VPC/Subnets/SGs: Free.
  • VPC Flow Logs: no separate flow-log charge; delivery to CloudWatch Logs is billed as CloudWatch Logs ingestion, about $0.50 per GB in us-east-1 (minimal for this lab).
  • Reachability Analyzer: $0.10 per analysis.
  • Total: Likely <$1.00 for the duration of this lab, provided you run the Teardown.

Concept Review

Security Controls Comparison

\begin{tikzpicture}[node distance=2cm]
  \draw[thick, fill=blue!10] (0,0) rectangle (4,4)
    node[pos=.5, align=center] {\textbf{Security Group}\\Stateful\\Instance Level};
  \draw[thick, fill=green!10] (5,0) rectangle (9,4)
    node[pos=.5, align=center] {\textbf{Network ACL}\\Stateless\\Subnet Level};
  \draw[->, thick] (4,2) -- (5,2) node[midway, above] {Layered};
\end{tikzpicture}

| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful (return traffic allowed automatically) | Stateless (explicit return rules needed) |
| Rules | Allow only | Allow and Deny |
| Order | All rules evaluated | Rules evaluated in number order, first match wins |
