Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.1.2. Network Security Best Practices (VPC Design, Security Controls)

💡 First Principle: A defense-in-depth approach to network security, starting with strong isolation and layering multiple controls from the edge to the instance, is essential for protecting resources from unauthorized network access.

Scenario: An architect is designing the network security for a new public-facing web application with backend application servers and a database. The web servers must be publicly accessible, but only on standard web ports. The application servers must communicate only with the web servers (on specific ports) and with the database. The database must be accessible only from the application servers. All critical traffic should be protected from web exploits and "DDoS attacks".

Robust network security is a fundamental layer of defense.

  • VPC Isolation:
    • Practical Relevance: Design separate "VPCs" for different environments (Dev, Test, Prod) or application tiers for strong isolation. Use non-overlapping "CIDR blocks".
  • Subnet Segmentation:
    • Practical Relevance: Place public-facing resources in public subnets and internal, sensitive resources (databases, application servers) in private subnets. Use "NACLs" for coarse-grained subnet-level filtering.
  • "Security Groups (SGs)":
    • Practical Relevance: Act as stateful firewalls at the instance/"ENI" level. Implement least privilege by only allowing necessary inbound/outbound traffic. Use SG-to-SG references for dynamic rule sets.
  • "Network Access Control Lists (NACLs)":
    • Practical Relevance: Stateless packet filters at the subnet level. Useful for broad deny rules (e.g., blocking known malicious IPs) or when explicit inbound and outbound rules are needed. Rules are evaluated in ascending rule-number order and the first match wins, so a deny rule must carry a lower number than any allow rule it is meant to override; because NACLs are stateless, return traffic (including ephemeral ports) needs its own rule.
  • "AWS Network Firewall": A managed service that makes it easier to deploy network protections for all your "Amazon VPCs".
    • Practical Relevance: Provides deep packet inspection, intrusion prevention and detection, web filtering, and granular traffic control at the "VPC" border. Integrates with "AWS Firewall Manager".
  • "AWS WAF (Web Application Firewall)": Protects web applications or APIs from common web exploits and bots.
    • Practical Relevance: Filters HTTP/S requests based on rules (e.g., "SQL injection", "XSS", IP reputation, geo-blocking). Integrates with "CloudFront", "ALB", "API Gateway".
  • "AWS Shield": Managed Distributed Denial of Service ("DDoS") protection service.
    • Practical Relevance: "Shield Standard" (free) provides automatic protection against common network and transport layer DDoS attacks. "Shield Advanced" (paid) provides enhanced protection, cost protection for scaling, and access to the "DDoS Response Team".
Visual: Multi-Tier Network Security Design

āš ļø Common Pitfall: Relying solely on "Security Groups" for all network security. While "SGs" are the primary instance-level firewall, "Network ACLs" provide a crucial additional layer of defense at the subnet level, useful for blocking known malicious IP addresses before traffic even reaches the instances.

Key Trade-Offs:
  • Granularity ("Security Groups") vs. Broad Control ("Network ACLs"): "Security Groups" provide fine-grained, stateful control for specific instances. "Network ACLs" provide broad, stateless allow/deny rules for entire subnets.
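The stateful-versus-stateless distinction behind the "Security Groups" and "Network ACLs" bullets, the Common Pitfall and the trade-off above is where three-tier designs most often go wrong. The following Python model is an added example (not MindMesh Academy or AWS code): it encodes the scenario's SG-to-SG references and a DB-subnet NACL, and shows that the NACL admits the app tier's query yet drops the database's reply until an explicit outbound ephemeral-port rule is added. All tier names, CIDRs, ports and the quarantined host address are assumptions.

```python
from ipaddress import ip_address, ip_network

# Added model, not AWS code. A stateful security group (SG) admits a flow when
# any rule matches and implicitly admits the reply. A stateless NACL walks its
# numbered rules in ascending order, first match wins, default deny, and the
# reply needs its own rule. Tier names, CIDRs and ports are assumptions.
SECURITY_GROUPS = {  # sg name -> [(source, port)]; source is a CIDR or an sg name
    "web-sg": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)],
    "app-sg": [("web-sg", 8080)],   # SG-to-SG reference: only the web tier
    "db-sg": [("app-sg", 5432)],    # SG-to-SG reference: only the app tier
}

def sg_allows(target_sg, src_ip, src_sg, dst_port):
    """Stateful check: True if any inbound rule of target_sg matches."""
    for source, port in SECURITY_GROUPS[target_sg]:
        if port != dst_port:
            continue
        if source in SECURITY_GROUPS:       # SG reference matches by membership
            if src_sg == source:
                return True
        elif ip_address(src_ip) in ip_network(source):
            return True
    return False

def nacl_decides(rules, direction, ip, port):
    """Stateless check: lowest rule number that matches wins; '*' is deny."""
    for number, rule_dir, action, cidr, low, high in sorted(rules):
        if rule_dir == direction and low <= port <= high \
                and ip_address(ip) in ip_network(cidr):
            return action
    return "deny"

# NACL on the private DB subnet (10.0.3.0/24). Rule 50 quarantines a
# (constructed) compromised app host before rule 100 admits the app subnet.
DB_NACL = [
    (50, "in", "deny", "10.0.2.99/32", 0, 65535),
    (100, "in", "allow", "10.0.2.0/24", 5432, 5432),
]
# Same NACL plus the outbound ephemeral-port rule stateless filtering needs
# for the DB's replies; without it the query is admitted but the answer dropped.
DB_NACL_FIXED = DB_NACL + [(100, "out", "allow", "10.0.2.0/24", 1024, 65535)]

def db_query_roundtrip(nacl, app_ip="10.0.2.10"):
    """(query admitted?, reply admitted?) for app_ip -> DB:5432, reply to 49152."""
    query = sg_allows("db-sg", app_ip, "app-sg", 5432) and \
        nacl_decides(nacl, "in", app_ip, 5432) == "allow"
    reply = nacl_decides(nacl, "out", app_ip, 49152) == "allow"  # SG reply implicit
    return query, reply
```

Swapping the numbers of the two inbound rules (deny at 200, allow at 100) lets the quarantined host through, which is the ordering point the NACL bullet makes.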

Reflection Question: How would you combine "VPC subnets", "Security Groups", "Network ACLs", "AWS WAF", and "AWS Shield" to create a robust, multi-layered network security design for a public-facing web application, ensuring proper segmentation and access control between tiers while protecting against web exploits and "DDoS attacks"?