Notes on: Linux Academy: AWS CSAA: 8) Advanced Networking: Advanced VPC Networking for Increased Security
Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com
AWS Console Screenshots
A Bastion Host is an EC2 instance that lives in a public subnet, and is used as a “gateway” for traffic that is destined for instances that live in private subnets.
NAT Gateway: AWS Services > Networking & Content Delivery > VPC > NAT Gateways > Create a NAT Gateway
Image: Create a NAT Gateway
Things to Know
Bastion Host:
- A Bastion Host is an EC2 instance that lives in a public subnet, and is used as a “gateway” for traffic that is destined for instances that live in private subnets
- This means that we can use a bastion host as a “portal” to access EC2 instances that are located in a private subnet
- A bastion host is considered the “critical strong point” of the network, as all traffic must pass through it first
- A bastion host should have increased and extremely tight security (usually with extra 3rd-party security and monitoring software installed)
- A bastion host can be used as an access point to “ssh” into an internal network (to access private resources) without a VPN (virtual private network)
“A system identified by the firewall administrator as a critical strong point in the network’s security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software” - Marcus J. Ranum
NAT Gateway:
- A NAT Gateway is designed to provide EC2 instances that live in a private subnet with a route to the internet (so they can download software packages and updates)
- A NAT Gateway will prevent any hosts located outside of the VPC from initiating a connection with instances that are associated with it
- A NAT Gateway will only allow incoming traffic through if a request for it originated from an instance in a private subnet
- A NAT Gateway is needed because instances launched into private subnets can’t communicate with the open internet
- Placing instances in a private subnet creates a higher level of security, but also creates the limitation of the instances not being able to download software and software updates
A NAT Gateway MUST:
- Be created in a public subnet
- Be part of the private subnet's route table
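The two NAT Gateway requirements above can be checked mechanically. The following is an added example (not from the course) that runs a small lint over a constructed VPC description; the dict shape, the IDs (subnet-public, rtb-private, nat-main, igw-main) and the "public subnet means a 0.0.0.0/0 route to an Internet Gateway" rule are assumptions made for the example.

```python
"""Check the two NAT Gateway requirements against a VPC model (added example)."""

# Constructed sample VPC: one public subnet (default route to an Internet Gateway),
# one private subnet, and a NAT gateway placed in the public subnet.
VPC = {
    "subnets": {
        "subnet-public": {"route_table": "rtb-public"},
        "subnet-private": {"route_table": "rtb-private"},
    },
    "route_tables": {
        "rtb-public": [{"dest": "0.0.0.0/0", "target": "igw-main"}],
        "rtb-private": [{"dest": "0.0.0.0/0", "target": "nat-main"}],
    },
    "nat_gateways": {"nat-main": {"subnet": "subnet-public"}},
}


def is_public_subnet(vpc, subnet_id):
    """A subnet counts as public when its route table sends 0.0.0.0/0 to an IGW."""
    rtb = vpc["subnets"][subnet_id]["route_table"]
    return any(r["dest"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in vpc["route_tables"][rtb])


def check_nat_gateway(vpc, nat_id):
    """Return a list of findings; an empty list means both requirements hold."""
    findings = []
    nat_subnet = vpc["nat_gateways"][nat_id]["subnet"]
    # Requirement 1: the NAT gateway must be created in a public subnet.
    if not is_public_subnet(vpc, nat_subnet):
        findings.append(f"{nat_id} is in {nat_subnet}, which has no IGW default route")
    # Requirement 2: every private subnet's route table must send 0.0.0.0/0 to it.
    for subnet_id, subnet in vpc["subnets"].items():
        if is_public_subnet(vpc, subnet_id):
            continue
        routes = vpc["route_tables"][subnet["route_table"]]
        if not any(r["dest"] == "0.0.0.0/0" and r["target"] == nat_id for r in routes):
            findings.append(f"private {subnet_id} has no default route to {nat_id}")
    return findings


if __name__ == "__main__":
    print(check_nat_gateway(VPC, "nat-main") or "NAT gateway requirements satisfied")
```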
NAT Instance:
- A NAT Instance is identical to a NAT gateway in its purpose
- However, it is executed differently, by configuring an actual EC2 instance to do the same job
- A NAT Instance is starting to become more of a legacy feature in AWS
Quiz
Q: You work for a company that has been experiencing attacks on its network. Management has asked that you design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
A: Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.
E: Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional "hardened" layer of security.
Q: You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which of the following provides the best solution?
A: Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.
E: A NAT gateway provides the most secure solution for granting EC2 instances in a private subnet the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.
Q: What are two primary requirements of a NAT Gateway (or NAT instance)?
A: A NAT gateway must be provisioned into a public subnet, and it must be part of the private subnet's route table.
E: A NAT gateway must be provisioned into a public subnet (so that it has a route to the internet), and it must be part of the private subnet's route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).
T: A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
E: A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.
Q: What best describes the difference between a bastion host and a NAT gateway?
A: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.
E: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).
AWS Physical & Networking Layer: Bastion Host & NAT Networking
Image: AWS Physical & Networking Layer: Bastion Host & NAT Networking