• Network firewalls built into Amazon VPC.
  • TLS encryption in transit across all services.
  • Private or dedicated connections into your data centre.

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC)

  • Enables you to launch AWS resources into a virtual network that you have defined.
  • It resembles a traditional network in a data center.
  • It gives you the benefits of the scalable infrastructure of AWS.
  • It is logically isolated from other virtual networks in the AWS Cloud.
  • You launch AWS resources, like EC2 instances, into the VPC.
  • Use a public subnet for resources that must be connected to the internet.
  • Use a private subnet for resources that won't be connected to the internet.
  • You can
    • specify an IP address range
    • add subnets
    • associate security groups
    • configure route tables.

Accessing the Internet

  • Default VPC includes an internet gateway, and each default subnet is a public subnet.
  • Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address.
  • These instances can communicate with the internet through the internet gateway.
  • An internet gateway connects to the internet through the Amazon EC2 network edge.
  • By default, each instance launched into a nondefault subnet has a private IPv4 address but no public IPv4 address, unless you assign one at launch or modify the subnet's public IP address attribute.
  • These instances can communicate with each other, but can't access the internet.
  • You can enable internet access for a nondefault subnet by attaching an internet gateway to its VPC and associating an Elastic IP address with the instance.
  • Amazon VPC provides a web-based user interface, the Amazon VPC console.
  • Access the Amazon VPC console by signing in to the AWS Management Console and choosing VPC.
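The public/private distinction above is decided by routing, not by the word "public" in a subnet's name: a subnet is public when its route table sends 0.0.0.0/0 to an internet gateway, and its instances only get a public IPv4 address automatically when the subnet's public IP attribute is on. The following check, added here as an example and not part of the original notes, classifies subnets from data shaped like the EC2 DescribeRouteTables and DescribeSubnets responses; the route tables and subnets are constructed sample data, not real AWS resources.

```python
"""Classify VPC subnets as public or private from route-table data.

Rule used (an assumption stated in the lead-in): a subnet is public when its
associated route table, or the VPC's main route table if it has no explicit
association, has a default route (0.0.0.0/0) to an internet gateway ("igw-").
"""


def _route_table_for(subnet_id, route_tables):
    """Return the subnet's explicitly associated route table, else the main one."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def _has_igw_default_route(route_table):
    """True if an active 0.0.0.0/0 route targets an internet gateway."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def classify_subnets(subnets, route_tables):
    """Return {subnet_id: (is_public, auto_assigns_public_ip)}."""
    result = {}
    for subnet in subnets:
        rt = _route_table_for(subnet["SubnetId"], route_tables)
        is_public = rt is not None and _has_igw_default_route(rt)
        auto_ip = bool(subnet.get("MapPublicIpOnLaunch", False))
        result[subnet["SubnetId"]] = (is_public, auto_ip)
    return result


# Constructed sample: the main table routes to an internet gateway (like a default
# VPC); subnet-priv has its own table with only the local route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
                 "State": "active"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub", "MapPublicIpOnLaunch": True},      # public, auto public IP
    {"SubnetId": "subnet-nopub", "MapPublicIpOnLaunch": False},   # public route, no auto IP
    {"SubnetId": "subnet-priv", "MapPublicIpOnLaunch": False},    # no internet route
]

if __name__ == "__main__":
    for sid, (pub, auto_ip) in classify_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{sid}: {'public' if pub else 'private'}, auto public IP: {auto_ip}")
```

subnet-nopub is the nondefault-subnet case from the notes: it has a route to the internet gateway, but an instance in it reaches the internet only once it is given a public or Elastic IP address.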

Infrastructure Resilience

  • Technologies built from the ground up for resilience in the face of DDoS attacks.
  • Services can be used in combination to automatically scale for traffic load.
  • Auto Scaling, CloudFront, and Route 53 can be used to prevent DDoS attacks.

AWS Shield

  • It is a managed DDoS protection service.
  • Available in two tiers: Standard and Advanced.
  • AWS Shield Standard applies always-on detection and inline mitigation techniques like deterministic packet filtering and priority-based traffic shaping. It is included automatically and transparently to Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Amazon Route 53 resources at no additional cost.
  • AWS Shield Advanced includes access to near real-time metrics and reports, for extensive visibility into infrastructure layer and application layer DDoS attacks.

AWS WAF

  • It is a web application firewall to protect web applications from common web exploits.
  • It lets you define customizable web security rules to control which traffic accesses your web applications.
  • Rules use conditions to target specific requests and trigger an action.
  • It helps you to identify and block common DDoS request patterns and effectively mitigate a DDoS attack.

Amazon Route 53

  • It is a highly available and scalable DNS service.
  • Designed to route end users to infrastructure running inside or outside of AWS.
  • It can manage traffic globally through a variety of routing types, and provides out-of-the-box shuffle sharding and Anycast routing capabilities to protect domain names from DNS-based DDoS attacks.

Amazon CloudFront

  • Distributes traffic across multiple edge locations.
  • Filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts.
  • Supports geoblocking, to prevent requests from particular geographic locations.

Elastic Load Balancing

  • Distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and across multiple Availability Zones, to minimize overloading of a single resource.
  • Elastic Load Balancing, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances.
  • It is a single point of management
  • It can serve as a line of defense between the internet and private EC2 instances.
  • It includes the Application Load Balancer, for load balancing of HTTP and HTTPS traffic and also directly supports AWS WAF.

VPCs and Security Groups

Security groups or an origin access identity (OAI) require attackers to make requests through AWS WAF and CloudFront instead of directly to the website origin, which minimizes the attack surface of

  • backend load balancers
  • EC2 instances
  • Amazon Simple Storage Service (Amazon S3) buckets

Amazon Virtual Private Cloud (Amazon VPC) allows you to configure

  • subnet routes
  • public IP addresses
  • security groups
  • network access control lists

The architecture described above uses Route 53, AWS WAF, CloudFront, and Elastic Load Balancing to control and distribute traffic.
