How is AWS VPC implemented

Amazon Virtual Private Cloud Features

Amazon Virtual Private Cloud offers features that help you increase and monitor the security of your Virtual Private Cloud (VPC):

  • Reachability Analyzer: Reachability Analyzer is a static configuration analysis tool that you can use to analyze and debug network reachability between two resources in your VPC. After you specify the source and destination resources in your VPC, Reachability Analyzer produces hop-by-hop details of the virtual path between them if they are reachable, and identifies the blocking component if they are not.
  • VPC flow logs: You can publish VPC flow logs to Amazon S3 or Amazon CloudWatch and monitor them for operational insight into your network dependencies and traffic patterns, to detect anomalies and prevent data leaks, or to troubleshoot network connectivity and configuration issues. The enriched metadata in the flow logs helps you understand who initiated your TCP connections, as well as the actual packet-level source and destination of traffic flowing through intermediate layers such as a NAT gateway. You can also archive your flow logs to help meet certain compliance requirements.
  • VPC traffic mirroring: VPC traffic mirroring lets you copy network traffic from an elastic network interface of an Amazon EC2 instance and send it to out-of-band security and monitoring appliances for deep packet inspection. With VPC traffic mirroring, you can identify network and security anomalies, gain operational insights, implement compliance and security controls, and troubleshoot issues. VPC traffic mirroring is a feature that gives you direct access to the network packets flowing through your VPC.
  • Ingress routing: Ingress routing allows you to forward all incoming and outgoing traffic that flows to or from an Internet Gateway (IGW) or Virtual Private Gateway (VGW) to the elastic network interface of a specific EC2 instance. This feature lets you configure your VPC so that all traffic passes through an IGW, VGW, or EC2 instance before it reaches your business workloads.
  • Security groups: Security groups act as a firewall for associated Amazon EC2 instances and control both inbound and outbound traffic at the instance level. When you launch an instance, you can associate it with one or more security groups that you have created. Each instance in your VPC can belong to a different set of security groups. If you do not specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC. For more information, see Security Groups for Your VPC.
  • Network access control lists: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall to control traffic to and from one or more subnets. You can set up network ACLs with rules similar to those of your security groups to give your VPC an extra layer of security. The specific differences between security groups and network ACLs are described in the AWS documentation.
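As an added example of the anomaly detection the VPC flow logs item describes (this is not code from the AWS page), the following script parses records in the default version 2 flow log field order, skips intervals with no data, and summarises which destination ports each source address was rejected on. The log records, the account ID and the interface ID are constructed sample values.

```python
# Added example: parse default-format (version 2) VPC flow log records and flag
# sources that were REJECTed on many distinct destination ports. All records
# below are constructed sample data, not real traffic.
from collections import defaultdict

# Field order of the default version 2 VPC flow log format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44321 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44322 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44323 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44324 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 50000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 50001 80 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Yield one dict per record; skip malformed lines and NODATA/SKIPDATA intervals."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # no flow data was captured for this interval
        yield rec

def rejected_ports_by_source(text):
    """Map each source address to the set of destination ports it was REJECTed on."""
    ports = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(int(rec["dstport"]))
    return ports

def scan_like_sources(text, min_ports=3):
    """Sources rejected on at least min_ports distinct ports (a port-scan indicator)."""
    return sorted(src for src, p in rejected_ports_by_source(text).items()
                  if len(p) >= min_ports)

if __name__ == "__main__":
    for src, p in rejected_ports_by_source(SAMPLE_LOG).items():
        print(f"{src}: rejected on ports {sorted(p)}")
    print("scan-like sources:", scan_like_sources(SAMPLE_LOG))
```

The same parser applies to flow logs delivered to CloudWatch Logs or S3, as long as they use the default field order; custom formats need the FIELDS list adjusted to match.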