Logical Isolation Through Subnets
VPC can be partitioned into different subnets with a range of IP addresses defined for each subnet, providing logical isolation for resources. Communication within and across subnets can be controlled differentially. Geographical organization of subnets into zones enables further isolation and helps meet differential scalability requirements. Separating subnets into private and public reduces the attack surface. Subnets can be further layered with restricted access so as to provide defense in depth.
Access Control Between Subnets
While subnets, both private and public, enable logical separation between computing infrastructures, they do not provide security by themselves. The defense mechanism is established through security groups and network access control lists (ACL). These are like firewalls—they allow you to define the various forms of communication between machines and the directions in which the communication must flow. The rules of communications are implemented based on the principle of least privilege.
When a computing resource is created, it is assigned to a security group along with a subnet. Security groups define firewall rules controlling inbound (ingress) and outbound (egress) traffic of an instance of a computing resource in that group. Multiple security groups can be defined based on your needs. A default security group can also be created with minimal access.
Network ACLs provide firewall-like protection at the subnet-level, acting as an additional security mechanism. Combining logical isolation at subnets, access control between subnets, and restrictions at the instance-level, you can achieve a higher level of resilience.
Active Defense Through Real-Time Monitoring
Flow logs enable near real-time capture of communications on VPC. This data can be generated at VPC, subnet, or individual interface-level. Capturing this data into other cloud resources like Amazon CloudWatch Logs or Google BigQuery permits continuous monitoring and post-event investigation. The flow log can be processed in real time or in batches. The resulting insights can be used to fine-tune the security group and network ACL rules.
Amazon’s generic log monitoring service, CloudWatch, enables users to establish Security Operation Centers with necessary dashboards. The recently introduced CloudWatch Anomaly Detection monitors and alerts when unusual activities are observed in the log. Specialized tools for monitoring network security, such as intrusion detection systems, also make use of flow logs and provide an active defense.
Distributed Denial of Service (DDoS) attacks is another area that requires an active defense. Google Cloud Armor’s web application firewall functionality checks against other common attacks like Cross-site Scripting (XSS) and SQL Injection (SQLi). Amazon WAF supports web application firewall creation and AWS Shield protects against DDoS. The challenge is to deploy the right services for your specific needs.