Study Guide: Implementing Security Between Network Boundaries
This guide explores the architectural patterns and security controls required to protect data as it moves across various network boundaries in AWS, specifically focusing on the requirements for the AWS Certified Advanced Networking Specialty (ANS-C01).
Learning Objectives
After studying this material, you should be able to:
- Design untrusted network (DMZ) and perimeter VPC architectures.
- Differentiate between stateful and stateless filtering mechanisms (Security Groups vs. NACLs).
- Implement secure inter-VPC traffic patterns using Transit Gateway and VPC Peering.
- Configure VPC Endpoint policies and PrivateLink for secure, private service access.
- Identify appropriate mitigation strategies for identified network threats.
Key Terms & Glossary
- North-South Traffic: Traffic moving into or out of a data center or VPC (e.g., Internet to Web Server).
- East-West Traffic: Traffic moving laterally between internal resources (e.g., App Server to Database).
- Stateless Filtering: A firewall that evaluates each packet individually without memory of previous packets (e.g., NACL).
- Stateful Filtering: A firewall that tracks the state of connections and automatically allows return traffic for established sessions (e.g., Security Group).
- DMZ (Demilitarized Zone): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network.
The "Big Idea"
In cloud networking, security is no longer just a "perimeter" issue. Modern AWS security relies on Micro-segmentation and Defense-in-Depth. Instead of one giant wall, we build a series of small, interlocking boundaries at the instance level (Security Groups), the subnet level (NACLs), and the VPC level (Transit Gateway/Peering), ensuring that a breach in one area does not compromise the entire architecture.
Formula / Concept Box
Comparison of Filtering Controls
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance / ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only (implicit deny) | Allow and Deny |
| Order | All rules evaluated; any matching allow rule permits the traffic | Evaluated in ascending rule-number order; the first matching rule decides |
Hierarchical Outline
- Architectural Patterns
- Untrusted Network (DMZ): Hosts public resources; isolates the internal protected network.
- Perimeter VPC: A centralized VPC acting as a security gateway for all other VPCs.
- Hub-and-Spoke: Central hub (Transit Gateway) manages routing/security between spoke VPCs.
- Three-Tier Architecture: Separation of Web, App, and Database tiers into distinct subnets.
- Securing Inbound & Outbound Flows
- Inbound: AWS WAF (L7), AWS Shield (DDoS), AWS Network Firewall.
- Outbound: Proxies, NAT Gateways, Gateway Load Balancers (GWLB).
- Inter-VPC Security
- VPC Peering: Direct private connection; uses SGs for security.
- Transit Gateway: Centrally managed route tables and security policies.
- PrivateLink: Connects services privately without traversing the public internet.
Visual Anchors
Hub-and-Spoke Architecture
This diagram illustrates how a central hub (Transit Gateway) mediates traffic between boundaries.
Layered Security (Defense in Depth)
This TikZ diagram represents the concentric layers of security surrounding a resource.
Definition-Example Pairs
- Perimeter VPC: A dedicated VPC that provides a centralized entry and exit point for all traffic.
- Example: An organization uses a Perimeter VPC containing Palo Alto firewalls to inspect all traffic coming from the Internet before routing it via Transit Gateway to the actual application VPCs.
- VPC Endpoint Policy: An IAM resource policy attached to a VPC endpoint to control which principals can access the service.
- Example: Creating a policy for an S3 Gateway Endpoint that allows access only to a specific bucket, preventing data exfiltration to personal S3 accounts.
- Threat Modeling: The process of identifying assets, potential threats, and mitigation strategies.
- Example: Identifying that an unpatched web server is a risk and mitigating it by placing it behind an AWS WAF and an Auto Scaling group for easy patching/replacement.
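The S3 Gateway Endpoint policy from the VPC Endpoint Policy pair above, written out and evaluated with a minimal policy checker. This is an added example, not code from the guide or from AWS; the bucket name is a constructed placeholder, and the evaluator implements only the explicit-deny / allow / implicit-deny order without conditions.

```python
import json
from fnmatch import fnmatchcase

# Constructed bucket name for this example; substitute the bucket the application actually uses.
APPROVED_BUCKET = "example-app-data"

# Endpoint policy for an S3 Gateway Endpoint: only the approved bucket is reachable through the
# endpoint, so an instance in the VPC cannot push data to any other bucket via this path.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyApprovedBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{APPROVED_BUCKET}", f"arn:aws:s3:::{APPROVED_BUCKET}/*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow permits,
    otherwise the request is implicitly denied. Condition keys are not modelled."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

def endpoint_policy_json() -> str:
    """The document to attach to the endpoint (e.g. with the console or the CLI)."""
    return json.dumps(ENDPOINT_POLICY, indent=2)
```

The endpoint policy only narrows what is reachable through the endpoint; the caller's IAM permissions and the bucket policy are still evaluated separately.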
Worked Examples
Scenario: Securing a Multi-Tier Application
Problem: You have a Web tier that needs public access and a Database tier that must never be accessed from the Internet.
Step-by-Step Solution:
- VPC Setup: Create a VPC with public and private subnets.
- Public Subnet: Place the Web Server here. Attach an IGW.
- Private Subnet: Place the DB Server here. Remove any routes to the IGW.
- Web Security Group:
 - Inbound: Allow Port 443 (HTTPS) from 0.0.0.0/0.
 - Outbound: Allow Port 3306 (MySQL) to the DB Security Group ID.
- DB Security Group:
- Inbound: Allow Port 3306 from the Web Security Group ID.
 - Outbound: No allow rules, so everything is implicitly denied (or limit to specific update traffic via a NAT Gateway).
- NACLs: Add a rule to the private subnet NACL to explicitly deny any traffic from the IGW's CIDR range as an extra layer of defense.
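The Web/DB security-group design above and the stateful-versus-stateless distinction from the concept box, modelled in a small packet-filter simulator. This is an added example, not code from the guide or from AWS; the SG ids, addresses and ports are constructed, and the model deliberately simplifies real evaluation (no outbound rules, no conditions, one connection table per SG).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed IDs and addresses for this example; none are real AWS resources.
WEB_SG, DB_SG, INTERNET, WEB, DB = "sg-web", "sg-db", "203.0.113.7", "10.0.1.10", "10.0.2.10"
@dataclass
class Packet:
    src_ip: str; src_port: int; dst_ip: str; dst_port: int; src_sg: str = ""
def source_matches(source: str, pkt: Packet) -> bool:
    if source.startswith("sg-"):               # an SG rule may name another SG as its source
        return source == pkt.src_sg            # src_sg is the SG of the sending instance
    return ip_address(pkt.src_ip) in ip_network(source)

@dataclass
class SecurityGroup:
    """Stateful and allow-only: every rule is checked, any match allows, otherwise implicit deny."""
    inbound: list                              # (port, source) with source a CIDR or an SG id
    flows: set = field(default_factory=set)    # connections the protected instance initiated
    def track_outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
    def allows_inbound(self, pkt: Packet) -> bool:
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True                        # reply to a tracked connection: no rule needed
        return any(port == pkt.dst_port and source_matches(src, pkt) for port, src in self.inbound)

@dataclass
class NetworkAcl:
    """Stateless: numbered rules, lowest number first, first match wins, no connection memory."""
    rules: list                                # (number, "allow" | "deny", (lo, hi), cidr)
    def allows(self, pkt: Packet) -> bool:
        verdict = next((act for _, act, (lo, hi), cidr in sorted(self.rules)
                        if lo <= pkt.dst_port <= hi and ip_address(pkt.src_ip) in ip_network(cidr)),
                       "deny")                 # the final "*" rule denies anything unmatched
        return verdict == "allow"

def run_scenario() -> dict:
    web_sg = SecurityGroup(inbound=[(443, "0.0.0.0/0")])
    db_sg = SecurityGroup(inbound=[(3306, WEB_SG)])      # source is the Web SG id, not a CIDR
    query = Packet(WEB, 51000, DB, 3306, src_sg=WEB_SG)  # web tier opens a MySQL connection
    reply = Packet(DB, 3306, WEB, 51000, src_sg=DB_SG)   # database answers on the ephemeral port
    web_sg.track_outbound(query)
    public_nacl = NetworkAcl([(100, "allow", (443, 443), "0.0.0.0/0")])
    fixed_nacl = NetworkAcl(public_nacl.rules + [(110, "allow", (1024, 65535), "10.0.0.0/16")])
    return {
        "internet->web:443": web_sg.allows_inbound(Packet(INTERNET, 40000, WEB, 443)),
        "internet->db:3306": db_sg.allows_inbound(Packet(INTERNET, 40000, DB, 3306)),
        "web->db:3306": db_sg.allows_inbound(query),
        "sg passes db reply": web_sg.allows_inbound(reply),
        "nacl without ephemeral rule passes db reply": public_nacl.allows(reply),
        "nacl with ephemeral rule passes db reply": fixed_nacl.allows(reply),
    }
```

The last three results are the answer to Checkpoint Question 1: the SG passes the reply because it remembers the connection, while the NACL needs an explicit ephemeral-port rule in the return direction.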
Checkpoint Questions
- Why is an SG considered stateful and an NACL stateless?
- If you have a Transit Gateway, where should you place your Network Firewall for centralized inspection?
- How does PrivateLink provide more security than a standard Internet Gateway for accessing AWS services?
- What is the main difference between a DMZ and a Perimeter VPC?
> [!TIP]
> Answer Hint: For Question 1, remember that SGs automatically allow return traffic, whereas NACLs require you to explicitly write rules for both the request and the response.
Muddy Points & Cross-Refs
- SG vs. NACL Overlap: Students often struggle with why both are needed. Think of the SG as the "personal bodyguard" for the instance and the NACL as the "security gate" for the whole neighborhood (subnet).
- VPC Peering Limits: VPC Peering is non-transitive. If VPC A is peered to B, and B to C, A cannot talk to C. For transitive routing, you must use Transit Gateway.
- Deep Dive: See Chapter 8 for more on Transit Gateway and Chapter 4 for Load Balancing details.
Comparison Tables
Securing Different Traffic Flows
| Flow Type | Primary Tool | Secondary Control |
|---|---|---|
| Inbound (Public to AWS) | AWS WAF / Shield | Gateway Load Balancer |
| Outbound (AWS to Public) | NAT Gateway / Proxy | AWS Network Firewall |
| Inter-VPC (Internal) | Security Groups | Transit Gateway Route Tables |
| VPC to AWS Service | VPC Endpoints | Endpoint Policies |