How to create a Security Minded VPC in AWS

This article is a brief overview of what you need to do in order to create a security-minded VPC.

End Goal:

Network Diagram (drawn up by Robert J.):

+-----------------------------------------------------------------------------------------------------------+
|      +------------------------+    +-----------+    +------+    +-----------+     +-----------+           |
|      | 10.0.2.0/24            |    | Security  |    | NAT  |    | NACL      |     |           |           |
| +--> |                        | <- | Group     | <- |      | <- |           | <-- |           |           |
| |    | Web Hosting Network    |    |           |    | GW   |    | 0         |     |           |           |
| |    +------------------------+    +-----------+    +------+    +-----------+     |           |           |
| |                                                      |                          |           |           |
| |                                                      |                          |           | <-------+ |
| |    +------------------------+    +-----------+       |        +-----------+     | Public    |         | |
| |    | 10.0.1.0/24            |    | Security  |       |        | NACL      |     | Routing   |         | |
| +--> |                        | <- | Group     | <---| | |----  |           | <-- | Table     |         | |
| |    | Bastion Network        |    |           |       |        | 1         |     |           |       Internet
| |    +------------------------+    +-----------+       |        +-----------+     +-----------+       Gateway
| |             |       |                                +----------------------------- >+                | |
| |            \ /     \ /                                                               |                | |
| |    +------------------------+    +-----------+                +-----------+     +-----------+         | |
| |    | 10.0.0.0/24            |    | Security  |                | NACL      |     | Internal  |         | |
| +<-- |                        | <- | Group     |  <-----------  |           | <-- | Routing   | |X|-----+ |
|      | Internal Network       |    |           |                | 2         |     | Table     |           |
|      +------------------------+    +-----------+                +-----------+     +-----------+           |
+-----------------------------------------------------------------------------------------------------------+

Note

Subnet prefix lengths can be anywhere between /16 and /28. A /24 subnet has 251 usable host addresses (256 - 5* addresses), whereas a /16 network has 65531 (65536 - 5* addresses).  

* AWS reserves 5 IP addresses in every subnet: the first four and the last one.

Example

If 10.0.0.0/24 were implemented the reserved IPs would be as follows:

  • 10.0.0.0: Network address
  • 10.0.0.1: VPC router
  • 10.0.0.2: DNS server (the Amazon-provided resolver)
  • 10.0.0.3: Reserved by AWS for future use
  • 10.0.0.255: Network broadcast address (a VPC does not support broadcast, but the address is still reserved)
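The note above gives the numbers for a /24 and a /16 only. The following is an added example (not part of the original article) that applies the same two AWS rules, a prefix length between /16 and /28 and five reserved addresses per subnet, to any VPC CIDR and subnet list, and also checks that each subnet fits inside the VPC block without overlapping its neighbours, which is the check you want to run before clicking through the console. The function names and the sample layouts are this example's own.

```python
"""Subnet sizing and layout check for a VPC (added example, not from the article)."""
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

# Offsets from the network address that AWS reserves in every subnet; -1 is the last address.
AWS_RESERVED = {
    0: "network address",
    1: "VPC router",
    2: "DNS server",
    3: "reserved for future use",
    -1: "network broadcast address",
}


def reserved_addresses(cidr):
    """Map each reserved address of a subnet to the reason AWS reserves it."""
    net = IPv4Network(cidr)
    first, last = int(net.network_address), int(net.broadcast_address)
    return {
        str(IPv4Address(last if off < 0 else first + off)): why
        for off, why in AWS_RESERVED.items()
    }


def usable_addresses(cidr):
    """Host addresses left for instances after AWS's five reserved ones."""
    return IPv4Network(cidr).num_addresses - len(AWS_RESERVED)


def validate_layout(vpc_cidr, subnet_cidrs):
    """Return a list of problems; an empty list means the layout is valid."""
    problems = []
    vpc = IPv4Network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    subnets = []
    for cidr in subnet_cidrs:
        try:
            subnets.append(IPv4Network(cidr))  # strict: rejects host bits set, e.g. 10.0.1.5/24
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
    for s in subnets:
        if not 16 <= s.prefixlen <= 28:
            problems.append(f"{s} must be between /16 and /28")
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC {vpc}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # The three subnets used in this article inside the recommended 10.0.0.0/16.
    layout = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
    for cidr in layout:
        print(cidr, usable_addresses(cidr), "usable;", "reserved:", ", ".join(reserved_addresses(cidr)))
    print("problems:", validate_layout("10.0.0.0/16", layout) or "none")
    # A constructed bad layout: overlap, outside the VPC, too small, host bits set.
    print(validate_layout("10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25", "10.1.0.0/24", "10.0.5.0/30", "10.0.1.5/24"]))
```

Run it before creating subnets; the console reports overlaps one subnet at a time, while this reports the whole plan at once.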

Access Controls:

Recommended Network Access Control Lists (NACLs)

NACL 0  
------

  Inbound
  =======
    100         SSH (22)        <HOME_IP>/32        ALLOW
    101         SSH (22)        10.0.0.0/24         ALLOW
    200         HTTP (80)       0.0.0.0/0           ALLOW
    300         HTTPS (443)     0.0.0.0/0           ALLOW
    9999        4000-61000      0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

  Outbound
  ========
    100         ALL Traffic     0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

NACL 1  
------

  Inbound
  =======
    100         SSH (22)        <HOME_IP>/32        ALLOW
    101         SSH (22)        10.0.0.0/24         ALLOW
    9999        4000-61000      0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

  Outbound
  ========
    100         ALL Traffic     0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

NACL 2  
------

  Inbound
  =======
    100         SSH (22)        10.0.1.0/24         ALLOW
    9999        4000-65535      0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

  Outbound
  ========
    100         ALL Traffic     0.0.0.0/0           ALLOW
    *           ALL Traffic     0.0.0.0/0           DENY

NOTE 1: <HOME_IP>/32 is a trusted IP or network (e.g. 123.45.67.89/32 or 123.32.0.0/12).  
NOTE 2: Rule 9999 admits replies to connections the instances open themselves (ephemeral ports). NACLs are stateless, so the reply half of every connection is evaluated on its own against the inbound rules; the range must cover the ephemeral range of the operating systems in the subnet (current Linux kernels default to 32768-60999, Windows Server to 49152-65535). The NAT Gateway itself uses source ports 1024-65535 and is subject to the NACL of the public subnet it is created in, so widen rule 9999 to 1024-65535 on whichever of NACL 0 or NACL 1 protects that subnet, or return traffic to NAT Gateway ports outside 4000-61000 will be dropped.  
NOTE 3: This assumes a Linux-only environment with no traffic from the Web Hosting Network into the Internal Network (no N-tier architecture). If you wish to run a database on the private subnet you will have to edit the appropriate NACLs: at minimum, add an inbound rule on NACL 2 allowing the database port from 10.0.2.0/24 (replies back to the web servers' ephemeral ports are already covered by rule 9999 on NACL 0).  
NOTE 4: NACLs are a stateless, subnet-level filter and do not replace the Security Groups shown in the diagram, which are stateful and instance-level. This article does not cover Security Group rules; configure them separately.  
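The stateless behaviour described in NOTE 2 is easy to get wrong, so here is an added example (not code from the original article) that models the three rule sets above the way AWS evaluates them: rules are tried in ascending rule-number order, the first rule whose port range and CIDR match decides, and the trailing `*` rule denies whatever is left. `connection_allowed()` then checks every leg of a TCP connection, including the reply legs that a stateful firewall would never ask you about. The `HOME_IP` value is a constructed placeholder for `<HOME_IP>/32`, the sample addresses are constructed, and rule 101 is given 10.0.0.0/24 as its source, since the Internal Network is the one the subnet descriptions below say reaches the other networks for orchestration.

```python
"""Stateless evaluation of the three NACLs in this article (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_IP = "203.0.113.10/32"  # constructed stand-in for <HOME_IP>/32 (TEST-NET-3)
ALL_PORTS = (0, 65535)
STAR = 32767  # the rule number the EC2 API reports for the trailing '*' deny rule


@dataclass(frozen=True)
class Rule:
    number: int    # lower numbers are evaluated first
    ports: tuple   # inclusive (low, high) TCP destination port range
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound
    action: str    # "ALLOW" or "DENY"


def allow_all_out():
    return [Rule(100, ALL_PORTS, "0.0.0.0/0", "ALLOW"), Rule(STAR, ALL_PORTS, "0.0.0.0/0", "DENY")]


NACLS = {
    "web": {  # NACL 0, Web Hosting Network 10.0.2.0/24
        "inbound": [
            Rule(100, (22, 22), HOME_IP, "ALLOW"),
            Rule(101, (22, 22), "10.0.0.0/24", "ALLOW"),
            Rule(200, (80, 80), "0.0.0.0/0", "ALLOW"),
            Rule(300, (443, 443), "0.0.0.0/0", "ALLOW"),
            Rule(9999, (4000, 61000), "0.0.0.0/0", "ALLOW"),
            Rule(STAR, ALL_PORTS, "0.0.0.0/0", "DENY"),
        ],
        "outbound": allow_all_out(),
    },
    "bastion": {  # NACL 1, Bastion Network 10.0.1.0/24
        "inbound": [
            Rule(100, (22, 22), HOME_IP, "ALLOW"),
            Rule(101, (22, 22), "10.0.0.0/24", "ALLOW"),
            Rule(9999, (4000, 61000), "0.0.0.0/0", "ALLOW"),
            Rule(STAR, ALL_PORTS, "0.0.0.0/0", "DENY"),
        ],
        "outbound": allow_all_out(),
    },
    "internal": {  # NACL 2, Internal Network 10.0.0.0/24
        "inbound": [
            Rule(100, (22, 22), "10.0.1.0/24", "ALLOW"),
            Rule(9999, (4000, 65535), "0.0.0.0/0", "ALLOW"),
            Rule(STAR, ALL_PORTS, "0.0.0.0/0", "DENY"),
        ],
        "outbound": allow_all_out(),
    },
}


def evaluate(rules, peer_ip, dst_port):
    """First-match evaluation in rule-number order; returns (action, rule_number)."""
    peer = ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if low <= dst_port <= high and peer in ip_network(rule.cidr):
            return rule.action, rule.number
    raise ValueError("rule set has no catch-all rule")


def connection_allowed(client_ip, client_nacl, server_ip, server_nacl, server_port, client_port):
    """Check every stateless leg of one TCP connection.

    client_nacl / server_nacl are keys of NACLS, or None for a host outside the VPC
    (the internet has no NACL). A reply forwarded back by the NAT Gateway is still
    addressed to the instance's original source port, so that leg uses client_port.
    """
    legs = []
    if client_nacl:
        legs.append(("client outbound", NACLS[client_nacl]["outbound"], server_ip, server_port))
    if server_nacl:
        legs.append(("server inbound", NACLS[server_nacl]["inbound"], client_ip, server_port))
        legs.append(("server outbound (reply)", NACLS[server_nacl]["outbound"], client_ip, client_port))
    if client_nacl:
        legs.append(("client inbound (reply)", NACLS[client_nacl]["inbound"], server_ip, client_port))
    for leg, rules, peer, port in legs:
        action, number = evaluate(rules, peer, port)
        if action == "DENY":
            return False, f"{leg} denied by rule {number}"
    return True, "allowed on every leg"


if __name__ == "__main__":
    cases = [  # constructed flows: (client, client NACL, server, server NACL, server port, client port)
        ("198.51.100.7", None, "10.0.2.10", "web", 443, 51000),      # anyone -> web over HTTPS
        ("198.51.100.7", None, "10.0.2.10", "web", 22, 51000),       # anyone -> web over SSH
        ("203.0.113.10", None, "10.0.1.5", "bastion", 22, 52000),    # home -> bastion
        ("10.0.1.5", "bastion", "10.0.0.8", "internal", 22, 40000),  # bastion -> internal
        ("10.0.2.10", "web", "10.0.0.8", "internal", 22, 40000),     # web -> internal (must fail)
        ("10.0.0.8", "internal", "198.51.100.7", None, 443, 45000),  # patch download via NAT
        ("10.0.0.8", "internal", "198.51.100.7", None, 443, 2000),   # source port below rule 9999
    ]
    for case in cases:
        print(case, connection_allowed(*case))
```

The last case is the one to remember: the outbound request is allowed, the remote server answers, and the reply is dropped at the subnet boundary because the instance happened to use a source port the ephemeral rule does not cover. That failure shows up as a hang rather than a refused connection, which is why a stateless evaluator like this one is worth keeping next to the rule tables.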

Procedure:

This is broken up into 6 parts:

  • Creating a new VPC
  • Creating Subnets
  • Configuring an Internet Gateway
  • Configuring Routing Tables
  • Setting up NACLs
  • Configuring a NAT Gateway (so that servers on the internal network can fetch security patches).

Creating a new VPC

  1. Navigate to an unused Region for testing by selecting the region name next to your account name. In this case US West (N. California) (AKA us-west-1) was selected:

  2. Navigate to Services > VPC:

    • The resulting page is known as the VPC Dashboard
  3. Select Your VPCs in your VPC Dashboard:

    • In this example the default VPC for this Region has been removed. It is highly recommended that you do not do this unless you know exactly what you are doing.
  4. Select Create VPC as seen in the previous screenshot and a window resembling the following will be displayed:

    • The Name tag can be anything you deem fit, as can the IPv4 CIDR block, as long as the VPC CIDR block is large enough to hold the subnets you are going to create later. For this tutorial it is recommended that you use 10.0.0.0/16, although other IPv4 ranges can be used as long as the prefix length is between /16 (the largest AWS allows) and /28.
      • For example: 100.64.0.0/16 or even 100.127.0.0/16 would be acceptable, as they are part of 100.64.0.0/10, the shared address space reserved for carrier-grade NAT (RFC 6598). Note that this is not one of the RFC 1918 private ranges, so make sure it does not collide with an ISP or corporate network you will later peer or VPN with.
    • Leave IPv6 CIDR block and Tenancy at their default respective values, as shown above.
    • Select Yes, Create
  5. The result should be a newly created VPC as seen below:

    • You will now need to allocate subnets, from your selected IPv4 block, as described earlier.

Creating Subnets

  1. Navigate to Subnets under the VPC Dashboard:

  2. Select Create Subnet and you should see the following:

    • At this point, we are going to create 3 new subnets:
      • Web Hosting Network - 10.0.2.0/24
        • This will be accessible to the world over HTTP and HTTPS
        • Control Ports are only accessible from select known good locations like an office or home network.
        • This cannot access other Networks
        • Example:
          • Wordpress Servers
      • Bastion Network - 10.0.1.0/24
        • This will be accessible from certain select locations.
        • Control Ports are only accessible from select known good locations like an office or home network.
        • This can access Internal Network
        • Examples:
          • Bastion Hosts (AKA Jump Hosts)
      • Internal Network - 10.0.0.0/24
        • This will host AWS assets deemed too risky to leave public facing
        • Control Ports are only accessible from the Bastion Network
        • This can access all other networks in this example for orchestration purposes.
        • Examples:
          • Orchestration Control Servers (Ansible, Puppet, or Chef)
          • Databases Servers (Recommend new Subnet with different NACLs)
          • Private Repositories (Recommend new Subnet with different NACLs)
          • Servers hosting other sensitive data
  3. Create the three networks described above by selecting the following options:

    • Set Name tag to a name that makes sense for the network that you are creating.
    • Select the VPC that was just created in the last procedure to ensure that this subnet is associated with the correct VPC
    • Set the Availability Zone to the zone you prefer. AZ placement is extremely important for High Availability configurations, but that is not covered in this basic homebrew VPC tutorial.
    • Set IPv4 CIDR block to the previously specified values.
  4. After the subnets are created you should be left with the following:

Configuring an Internet Gateway

  1. Select Internet Gateways in your VPC Dashboard:

  2. Select Create Internet Gateway:

  3. Name your Internet Gateway what you would like then select Yes, Create.

  4. Ensure that your Internet Gateway shows up with the name you gave it and a state of detached.

  5. Select Attach to VPC by right clicking on the Internet Gateway and Select the VPC that we created earlier then select Yes, Attach:

    • Please note that at this point you will still need to properly configure routing tables before your instances will be able to access the internet.

Configuring Routing Tables

For all intents and purposes this VPC has two types of Route Table: those that allow inbound internet traffic (they carry a route to the Internet Gateway) and those that do not. This portion of the tutorial covers creating a second Route Table, associating the internal subnet with it, and then adding the Internet Gateway route to the default Route Table.

  1. To create a new Routing Table select Route Tables under VPC Dashboard:

    • By default one Route Table is created along with the VPC, so you should note that there is already an existing Route Table.
  2. Select Create Route Table to create a second Routing Table. In this tutorial, this new Route Table is labeled Internal Route Table but this could be anything that makes sense to the user.

  3. Now you will need to associate subnets with each Route Table. Select the desired Route Table, navigate to the Subnet Associations tab at the bottom of the screen, then select Edit:

  4. Select the appropriate subnet for the selected Route Table, first for the Internal Route Table and then for the Default Route Table:
    • Note: The Internal Route Table should be associated with the Internal Network subnet, whereas the default Route Table created by Amazon should be associated with the Bastion Network and Web Hosting Network subnets. Any subnet without an explicit association uses the main Route Table, so once the Internet Gateway route is added to it, every subnet you create later is public until you associate it with the Internal Route Table.
    • Click Save to save your Route configurations.
    • After associating networks correctly you should see something similar to the following:
      • Note that the explicit subnet associations are 1 and 2 respectively.
  5. Associate the Internet Gateway with the public Route Table by:

    • Selecting the default Route Table that was created with your VPC, then the Routes tab, then Edit, then Add another route. Set Destination to 0.0.0.0/0 and Target to the Internet Gateway attached earlier.
    • Click Save to save changes

Setting up NACLs

Please note from the earlier VPC diagram that we are going to configure 3 specific NACLs, one for each of the following: Internal Network, Bastion Network, and Web Hosting Network.

  1. Navigate to Network ACLs under VPC Dashboard in the Security section:

    • Note that one network ACL was already created by default. This default NACL allows all traffic in both directions until you edit it.
  2. Name the existing NACL as NACL 0 or something more meaningful like Web Hosting NACL.

  3. Create Two more NACLs by clicking Create Network ACL. The resulting Dialog should look as follows:

    • Set the Name tags to NACL 1 or Bastion NACL, and NACL 2 or Internal NACL
    • After creation you should see something similar to the following:
  4. You will need to associate subnets accordingly. NACL 0 or Web Hosting NACL should be associated with the Web Hosting Network subnet that was created earlier, and so on for NACL 1 and NACL 2. This can be done by selecting the NACL, navigating to Subnet Associations at the bottom, selecting Edit, then the correct subnet, and clicking Save. Keep in mind that any subnet not explicitly associated with a NACL uses the VPC's default NACL, which is the one renamed NACL 0 here, so a subnet added later inherits the Web Hosting rules until you associate it elsewhere:

  5. After this is done Inbound Rules and Outbound Rules will need to be edited to reflect those previously defined in the Access Controls section of this document (See above):

Configuring a NAT Gateway

This step is necessary to allow servers on the internal network to fetch security patches, since the Internal Route Table has no route to the Internet Gateway.

  1. Create a NAT Gateway by navigating to NAT Gateways under your VPC Dashboard, then select Create a NAT Gateway:

  2. Select a publicly routable subnet. Either your Web Hosting Network or your Bastion Network will work here, since both use the Route Table that reaches the internet via the Internet Gateway; remember that the NAT Gateway is then subject to that subnet's NACL. Select Create New EIP to assign a new Elastic IP to this NAT Gateway, then select Create a NAT Gateway.

  3. You will then be prompted to add a route to a Route Table. Select Edit Route Tables.

  4. Select the Route Table created earlier (Internal Route Table), then select the Routes tab, select Edit, and add a route with Destination 0.0.0.0/0 and Target the newly created NAT Gateway. Do not add this route to the public Route Table: the subnet the NAT Gateway lives in must keep its 0.0.0.0/0 route pointing at the Internet Gateway, or the NAT Gateway has no way out.
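The routing steps above (Configuring Routing Tables and Configuring a NAT Gateway) come down to two tables and the subnets attached to them. The following is an added example, not code from the original article, that models the finished layout: `next_hop()` selects a route the way a VPC does (longest prefix wins), `is_public()` applies AWS's definition of a public subnet (its route table carries a route to an internet gateway), and `audit()` flags the two mistakes that silently break this design, an "internal" subnet left on the main table after the Internet Gateway route was added, and a NAT Gateway created in a subnet without an Internet Gateway route. The resource IDs follow AWS's format but are constructed, not real resources, and the function names are this example's own.

```python
"""Route-table model for the public/internal split in this article (added example)."""
from ipaddress import ip_address, ip_network

IGW = "igw-0abc0123456789def"  # constructed ID for the Internet Gateway
NAT = "nat-0abc0123456789def"  # constructed ID for the NAT Gateway

# (destination CIDR, target) entries, as they appear in the Routes tab.
ROUTE_TABLES = {
    "public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", IGW)],
    "internal": [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT)],
}
# Explicit subnet associations from the procedure above.
SUBNET_TABLE = {
    "10.0.2.0/24": "public",    # Web Hosting Network
    "10.0.1.0/24": "public",    # Bastion Network
    "10.0.0.0/24": "internal",  # Internal Network
}
NAT_SUBNET = {NAT: "10.0.1.0/24"}   # the NAT Gateway was created in the Bastion subnet
PRIVATE_SUBNETS = {"10.0.0.0/24"}   # subnets the design says must not be internet-reachable


def next_hop(routes, dst_ip):
    """Longest-prefix match over one route table; returns the target or None."""
    dst = ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(routes):
    """AWS's definition: a subnet is public when its route table routes to an internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


def audit(route_tables, subnet_table, nat_subnet, private_subnets):
    """Return findings; an empty list means the tables match the design."""
    findings = []
    for subnet in private_subnets:
        table = subnet_table[subnet]
        if is_public(route_tables[table]):
            findings.append(f"{subnet} uses table '{table}', which routes to an internet gateway")
    for nat, subnet in nat_subnet.items():
        table = subnet_table[subnet]
        if not is_public(route_tables[table]):
            findings.append(f"{nat} sits in {subnet}, whose table '{table}' has no internet gateway route")
        if any(target == nat for _, target in route_tables[table]):
            findings.append(f"{nat} is the default route of its own subnet's table '{table}'")
    return findings


if __name__ == "__main__":
    print("internal -> 10.0.2.15 :", next_hop(ROUTE_TABLES["internal"], "10.0.2.15"))
    print("internal -> 93.184.216.34 :", next_hop(ROUTE_TABLES["internal"], "93.184.216.34"))
    print("public   -> 93.184.216.34 :", next_hop(ROUTE_TABLES["public"], "93.184.216.34"))
    print("as designed:", audit(ROUTE_TABLES, SUBNET_TABLE, NAT_SUBNET, PRIVATE_SUBNETS) or "no findings")
    # Constructed mistakes: forgetting the Internal subnet association, and a NAT in the Internal subnet.
    print(audit(ROUTE_TABLES, dict(SUBNET_TABLE, **{"10.0.0.0/24": "public"}), NAT_SUBNET, PRIVATE_SUBNETS))
    print(audit(ROUTE_TABLES, SUBNET_TABLE, {NAT: "10.0.0.0/24"}, PRIVATE_SUBNETS))
```

The first constructed mistake is the one the association step guards against: with the Internet Gateway route on the main table, a subnet you forgot to move to the Internal Route Table is public, and the `|X|` in the diagram is only true for subnets that are explicitly associated.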

Congratulations!

You have created a VPC with the following configuration:

+-----------------------------------------------------------------------------------------------------------+
|      +------------------------+    +-----------+    +------+    +-----------+     +-----------+           |
|      | 10.0.2.0/24            |    | Security  |    | NAT  |    | NACL      |     |           |           |
| +--> |                        | <- | Group     | <- |      | <- |           | <-- |           |           |
| |    | Web Hosting Network    |    |           |    | GW   |    | 0         |     |           |           |
| |    +------------------------+    +-----------+    +------+    +-----------+     |           |           |
| |                                                      |                          |           |           |
| |                                                      |                          |           | <-------+ |
| |    +------------------------+    +-----------+       |        +-----------+     | Public    |         | |
| |    | 10.0.1.0/24            |    | Security  |       |        | NACL      |     | Routing   |         | |
| +--> |                        | <- | Group     | <---| | |----  |           | <-- | Table     |         | |
| |    | Bastion Network        |    |           |       |        | 1         |     |           |       Internet
| |    +------------------------+    +-----------+       |        +-----------+     +-----------+       Gateway
| |             |       |                                +----------------------------- >+                | |
| |            \ /     \ /                                                               |                | |
| |    +------------------------+    +-----------+                +-----------+     +-----------+         | |
| |    | 10.0.0.0/24            |    | Security  |                | NACL      |     | Internal  |         | |
| +<-- |                        | <- | Group     |  <-----------  |           | <-- | Routing   | |X|-----+ |
|      | Internal Network       |    |           |                | 2         |     | Table     |           |
|      +------------------------+    +-----------+                +-----------+     +-----------+           |
+-----------------------------------------------------------------------------------------------------------+

Please look into editing this further to suit your specific needs. This is really just a very rough outline on how to take your first steps with manual VPC configurations with a security mindset.