AWS VPC Security Components & Architecture Study Guide

Designing VPC architectures with security components (for example, security groups, route tables, network ACLs, NAT gateways)

Designing a secure Amazon Virtual Private Cloud (VPC) requires a layered approach, often called Defense in Depth. This guide covers the critical components used to isolate resources, control traffic flow, and secure communication both within and outside the AWS cloud.

Learning Objectives

After studying this guide, you should be able to:

  • Determine the correct CIDR prefix lengths (/16 to /28) for VPCs and subnets based on IP requirements.
  • Differentiate between the stateful nature of Security Groups and the stateless nature of Network Access Control Lists (NACLs).
  • Design routing logic using Route Tables to create public and private subnets.
  • Configure NAT Gateways to provide secure, outbound-only internet access for private resources.
  • Evaluate the impact of Availability Zone (AZ) failures on VPC architecture.

Key Terms & Glossary

  • VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
  • Subnet: A range of IP addresses in your VPC. A subnet resides in a single Availability Zone.
  • CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing. (Example: 10.0.0.0/16).
  • Security Group (SG): A virtual firewall for your EC2 instances to control inbound and outbound traffic at the ENI (Elastic Network Interface) level.
  • Network ACL (NACL): An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • Internet Gateway (IGW): A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
  • NAT Gateway: A Network Address Translation service that allows instances in a private subnet to connect to services outside your VPC but prevents external services from initiating a connection with those instances.

The "Big Idea"

[!IMPORTANT] The "Big Idea" of VPC security is Layered Isolation. Security in a VPC isn't just one firewall; it is a combination of routing (Route Tables), subnet-level filtering (NACLs), and instance-level filtering (Security Groups). By placing resources in private subnets with no direct route to the Internet Gateway, you drastically reduce the attack surface of your architecture.

Formula / Concept Box

  • VPC CIDR Range: Minimum /28 (16 IPs).
  • AWS Reserved IPs: AWS reserves the first 4 and last 1 IP addresses in every subnet.
  • Security Group: Stateful. If you send a request, the response is allowed regardless of rules.
  • Network ACL: Stateless. You must explicitly allow both inbound and outbound traffic.
  • Public Subnet: Requires a route to an Internet Gateway (IGW) in its route table.
  • Private Subnet: Typically uses a NAT Gateway for outbound internet access.
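As an added example (not part of the original guide), the Python helper below applies the CIDR and reserved-address rules above: it lists the five addresses AWS reserves in a subnet, computes usable hosts as 2^(32 - prefix) - 5, validates a subnet's prefix length and containment against its VPC, and carves non-overlapping subnets out of a VPC block. The address roles in RESERVED_ROLES follow the assignment AWS documents for the first four addresses; the sample CIDRs are constructed.

```python
import ipaddress

# Rules from the concept box: prefix lengths /16 to /28, five addresses reserved per subnet.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5
# Roles AWS assigns to the first four addresses (offsets from the network address);
# the last address of the subnet is the fifth reserved one.
RESERVED_ROLES = {0: "network address", 1: "VPC router", 2: "Amazon DNS", 3: "reserved for future use"}

def reserved_addresses(subnet_cidr):
    """Return {ip: role} for the five addresses AWS reserves in a subnet."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    roles = {str(net.network_address + off): role for off, role in RESERVED_ROLES.items()}
    roles[str(net.broadcast_address)] = "network broadcast (not usable in a VPC)"
    return roles

def usable_hosts(subnet_cidr):
    """Usable addresses = 2^(32 - prefix) - 5, e.g. 256 - 5 = 251 for a /24."""
    return ipaddress.IPv4Network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET

def validate_subnet(vpc_cidr, subnet_cidr):
    """Check prefix lengths and containment; an empty list means the subnet is valid."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    try:
        sub = ipaddress.IPv4Network(subnet_cidr, strict=True)
    except ValueError as exc:  # host bits set, e.g. 10.0.1.5/24
        return [f"{subnet_cidr}: not a network address ({exc})"]
    problems = []
    for name, net in (("VPC", vpc), ("subnet", sub)):
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{name} {net}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not sub.subnet_of(vpc):
        problems.append(f"subnet {sub} is not inside VPC {vpc}")
    return problems

def plan_subnets(vpc_cidr, prefix, count):
    """Carve `count` non-overlapping subnets of the given prefix out of the VPC block."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    candidates = list(vpc.subnets(new_prefix=prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc} only holds {len(candidates)} /{prefix} subnets")
    return [str(s) for s in candidates[:count]]

if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"))                        # 251
    print(reserved_addresses("10.0.1.0/24"))
    print(validate_subnet("10.0.0.0/16", "10.1.0.0/24"))      # not inside the VPC
    print(plan_subnets("10.0.0.0/16", 24, 2))                 # ['10.0.0.0/24', '10.0.1.0/24']
```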

Visual Anchors

Traffic Flow Architecture

This diagram illustrates how traffic moves from a private instance through a NAT Gateway to the Internet.


Security Component Hierarchy

This TikZ diagram represents the nested layers of security within an AWS Region.


Hierarchical Outline

  • I. VPC Foundational Components
    • CIDR Blocks: Allowed prefix lengths range from /16 (large) to /28 (small).
    • Subnets: Subnets are tied to specific Availability Zones (AZs). If an AZ fails, the subnet fails.
    • IP Allocation: AWS reserves 5 IPs per subnet for internal networking tasks (DHCP, DNS, etc.).
  • II. Connectivity and Routing
    • Internet Gateway (IGW): Required for public subnets; performs NAT for instances with public IPs.
    • Route Tables: Every subnet must be associated with a route table. The Main Route Table is the default.
    • NAT Gateway: Resides in a Public Subnet and requires an Elastic IP (EIP). It allows private instances to reach the internet (e.g., for software patches).
  • III. Security Filtering
    • Security Groups: Default is to deny all inbound and allow all outbound. Rules are only "Allow."
    • Network ACLs: Applied at the subnet level. Evaluates rules in numerical order (lowest first). Can have "Deny" rules.

Definition-Example Pairs

  • Stateful Firewall: A firewall that tracks the state of active connections and allows return traffic automatically.
    • Example: You allow inbound SSH (Port 22) in a Security Group. The response from the server back to your computer is automatically allowed even if no outbound rule exists.
  • Stateless Firewall: A firewall that treats every packet in isolation; it does not remember previous packets.
    • Example: In a NACL, if you allow inbound traffic on Port 80, you must also create an outbound rule for the Ephemeral Port Range (usually 1024-65535) to allow the response to leave the subnet.
  • VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
    • Example: A "Shared Services" VPC containing central logging tools connected to multiple "App" VPCs. Note: It does not support transitive routing.
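The stateful/stateless distinction from the concept box and the two firewall examples above, as an added Python simulation that is not part of the original guide: a NetworkAcl evaluates each packet on its own, in ascending rule number with an implicit deny, while a SecurityGroup remembers allowed flows so the reply passes without an outbound rule. The addresses, ports and rule numbers are constructed; the model ignores protocol and ICMP for brevity.

```python
import ipaddress
from collections import namedtuple
# A packet as seen from the subnet/instance: direction is "inbound" or "outbound".
Packet = namedtuple("Packet", "direction src dst src_port dst_port")
EPHEMERAL = (1024, 65535)  # return-traffic range the guide says a NACL must allow

def _match(cidr, ip, ports, port):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and ports[0] <= port <= ports[1]

class NetworkAcl:
    """Stateless: each packet is judged alone, rules checked in ascending number,
    first match wins, implicit deny when nothing matches."""
    def __init__(self, rules):  # rule: (number, direction, action, cidr, (low, high))
        self.rules = sorted(rules, key=lambda r: r[0])
    def evaluate(self, pkt):
        peer = pkt.src if pkt.direction == "inbound" else pkt.dst
        for _, direction, action, cidr, ports in self.rules:
            if direction == pkt.direction and _match(cidr, peer, ports, pkt.dst_port):
                return action
        return "deny"

class SecurityGroup:
    """Stateful: allow rules only; an allowed request is remembered as a flow so its
    reply (addresses and ports swapped) passes with no rule in the other direction."""
    def __init__(self, inbound=(), outbound=()):  # rule: (cidr, (low, high))
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}
        self.flows = set()
    def evaluate(self, pkt):
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.flows:
            return "allow"  # reply to a tracked connection
        peer = pkt.src if pkt.direction == "inbound" else pkt.dst
        for cidr, ports in self.rules[pkt.direction]:
            if _match(cidr, peer, ports, pkt.dst_port):
                self.flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
                return "allow"
        return "deny"

def demo():
    client, web = "203.0.113.10", "10.0.1.25"  # constructed sample addresses
    request = Packet("inbound", client, web, 40000, 80)
    reply = Packet("outbound", web, client, 80, 40000)
    sg = SecurityGroup(inbound=[("0.0.0.0/0", (80, 80))])  # deliberately no outbound rule
    http_in = (100, "inbound", "allow", "0.0.0.0/0", (80, 80))
    nacl_half = NetworkAcl([http_in])  # forgot the outbound ephemeral rule
    nacl_full = NetworkAcl([http_in, (100, "outbound", "allow", "0.0.0.0/0", EPHEMERAL)])
    # Lowest number wins: the deny at 50 is evaluated before the allow at 100.
    nacl_deny = NetworkAcl([http_in, (50, "inbound", "deny", "203.0.113.0/24", (0, 65535))])
    return {"sg": (sg.evaluate(request), sg.evaluate(reply)),
            "nacl_without_ephemeral": (nacl_half.evaluate(request), nacl_half.evaluate(reply)),
            "nacl_with_ephemeral": (nacl_full.evaluate(request), nacl_full.evaluate(reply)),
            "nacl_deny_first": nacl_deny.evaluate(request)}
```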

Worked Examples

Scenario: Creating a "Web-to-Database" Architecture

Goal: Secure a two-tier application where the Web Server is public-facing and the Database is private.

  1. VPC Creation: Create a VPC with CIDR 10.0.0.0/16.
  2. Public Subnet:
    • CIDR 10.0.1.0/24.
    • Attach an Internet Gateway.
    • Route Table: Add a route 0.0.0.0/0 -> igw-xxxxxx.
  3. Private Subnet:
    • CIDR 10.0.2.0/24.
    • Route Table: Add a route 0.0.0.0/0 -> nat-xxxxxx (NAT Gateway located in the Public Subnet).
  4. Security Group Logic:
    • Web SG: Allow Inbound Port 80/443 from 0.0.0.0/0.
    • DB SG: Allow Inbound Port 3306 (MySQL) only from the Security Group ID of the Web SG.

[!TIP] Referencing a Security Group ID as a source in another Security Group is the best practice for limiting access between tiers without managing changing IP addresses.
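An added example, not part of the original guide: the Web-to-Database scenario above as a Python data model plus a checker that applies the guide's rules to it. The subnet tier is derived from the 0.0.0.0/0 route target (igw- is public, nat- is private, and, going one step beyond the text, no default route is isolated), the NAT Gateway must sit in a public subnet with an Elastic IP, and a private-tier security group must reference a security group id rather than a CIDR. The igw-/nat- ids and security group names are constructed placeholders.

```python
import copy
import ipaddress
# Constructed model of the guide's Web-to-Database scenario; igw-/nat- ids are placeholders.
DESIGN = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {
        "public":  {"cidr": "10.0.1.0/24", "default_route": "igw-PLACEHOLDER"},
        "private": {"cidr": "10.0.2.0/24", "default_route": "nat-PLACEHOLDER"},
    },
    "nat_gateways": {"nat-PLACEHOLDER": {"subnet": "public", "eip": True}},
    "security_groups": {
        "sg-web": {"subnet": "public", "inbound": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]},
        "sg-db": {"subnet": "private", "inbound": [("sg-web", 3306)]},
    },
}
def subnet_kind(default_route):
    """The 0.0.0.0/0 target decides the tier: igw- is public, nat- is private, none is isolated."""
    if default_route is None:
        return "isolated"
    if default_route.startswith("igw-"):
        return "public"
    return "private" if default_route.startswith("nat-") else "unknown"

def check_design(design):
    """Return findings that violate the guide's layered-isolation rules (empty list = clean)."""
    findings = []
    vpc = ipaddress.ip_network(design["vpc_cidr"])
    kinds = {name: subnet_kind(s["default_route"]) for name, s in design["subnets"].items()}
    for name, s in design["subnets"].items():
        if not ipaddress.ip_network(s["cidr"]).subnet_of(vpc):
            findings.append(f"subnet {name} {s['cidr']} lies outside VPC {vpc}")
    for nat_id, nat in design["nat_gateways"].items():
        if kinds.get(nat["subnet"]) != "public":
            findings.append(f"{nat_id} must sit in a public subnet, not '{nat['subnet']}'")
        if not nat["eip"]:
            findings.append(f"{nat_id} has no Elastic IP")
    for sg_id, sg in design["security_groups"].items():
        for source, port in sg["inbound"]:
            if source.startswith("sg-") and source not in design["security_groups"]:
                findings.append(f"{sg_id}: source {source} is not a known security group")
            elif kinds.get(sg["subnet"]) == "private" and not source.startswith("sg-"):
                findings.append(f"{sg_id}: port {port} open to {source}; reference a security group id instead")
    return findings

def open_db_variant():
    """Same design with the anti-pattern: the DB port exposed to the whole internet."""
    bad = copy.deepcopy(DESIGN)
    bad["security_groups"]["sg-db"]["inbound"] = [("0.0.0.0/0", 3306)]
    return bad
```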

Checkpoint Questions

  1. Question: How many usable IP addresses are available in a /24 subnet?
    • Answer: 251 (2^(32-24) = 256 addresses, minus the 5 reserved by AWS).
  2. Question: If an instance in a private subnet needs to download a Linux update, which component must be configured in the Public Subnet?
    • Answer: A NAT Gateway (or NAT Instance).
  3. Question: True or False: A single Network ACL can be associated with multiple subnets.
    • Answer: True. However, a single subnet can only be associated with one NACL at a time.
  4. Question: Why does a NAT Gateway not have a Security Group attached to it?
    • Answer: Because it is a managed service that does not use a standard Elastic Network Interface (ENI) in the way EC2 does; it is secured via NACLs on its subnet.
  5. Question: Does VPC Peering support transitive routing (VPC A -> VPC B -> VPC C)?
    • Answer: No. You must create a direct peering connection between VPC A and VPC C.
