AWS Security

AWS Network Security: Building a Defense-in-Depth Architecture

Master AWS network security with VPCs, security groups, NACLs, and advanced controls to build a robust defense-in-depth architecture for your cloud infrastructure.

CloudPoint

CloudPoint Team

Network security forms a critical layer of defense in your AWS environment. A well-architected network provides isolation, controls traffic flow, and prevents unauthorized access. This guide covers essential network security practices for building a defense-in-depth architecture in AWS.

Defense-in-Depth Strategy

Network security should not rely on a single control but multiple layers:

  1. Perimeter Security: Edge protection (CloudFront, WAF)
  2. Network Segmentation: VPC and subnet isolation
  3. Traffic Control: Security Groups and NACLs
  4. Inspection: Network Firewall and traffic analysis
  5. Monitoring: VPC Flow Logs and threat detection
  6. Response: Automated remediation and incident response

VPC Architecture for Security

Security Zones

Organise your VPC into security zones based on trust and sensitivity:

Public Zone (Public Subnets):

  • Internet-facing load balancers
  • NAT Gateways
  • Bastion hosts (if required)
  • CloudFront distributions

Private Zone (Private Subnets):

  • Application servers
  • Container workloads
  • Lambda functions (VPC-attached)
  • Internal load balancers

Protected Zone (Protected Subnets):

  • Databases
  • Internal APIs
  • Sensitive data stores
  • Compliance-scoped resources

Management Zone:

  • Directory services
  • Monitoring tools
  • Backup infrastructure
  • Privileged access workstations

Multi-VPC Strategy

For larger environments, consider multiple VPCs:

Shared Services VPC:

  • Directory services
  • Logging and monitoring
  • Shared tools
  • Central egress

Production VPC(s):

  • Customer-facing applications
  • Production databases
  • Critical workloads

Non-Production VPC(s):

  • Development environments
  • Testing environments
  • Staging environments

Benefits:

  • Blast radius reduction
  • Clear security boundaries
  • Compliance isolation
  • Cost allocation

Connectivity: Transit Gateway or VPC Peering

Security Groups: Your Primary Firewall

Security Groups are stateful firewalls at the instance level.

Best Practices

1. Deny by Default: Security Groups deny all inbound traffic by default; only add what's needed.

2. Use Descriptive Names

prod-web-alb-sg
prod-app-server-sg
prod-database-sg

3. Reference Other Security Groups: use a security group, rather than IP addresses, as the source of a rule:

{
  "IpProtocol": "tcp",
  "FromPort": 3306,
  "ToPort": 3306,
  "SourceSecurityGroupId": "sg-app-server"
}

This automatically adapts as instances are added/removed.

4. Implement Least Privilege: only allow the required ports and protocols:

Web Server (Public):
Inbound:
  - 443 from 0.0.0.0/0 (HTTPS)
  - 80 from 0.0.0.0/0 (HTTP redirect)
Outbound:
  - All (stateful response)

App Server (Private):
Inbound:
  - 8080 from web-server-sg
Outbound:
  - 3306 to database-sg
  - 443 to 0.0.0.0/0 (API calls, updates)

Database (Protected):
Inbound:
  - 3306 from app-server-sg
Outbound:
  - None (or very specific)

5. Avoid 0.0.0.0/0 for Inbound

Exceptions:

  • Public web servers (80, 443)
  • Public APIs
  • Properly protected endpoints

Never for:

  • SSH (22)
  • RDP (3389)
  • Databases
  • Internal services

6. Regular Audits

  • Remove unused security groups
  • Eliminate overly permissive rules
  • Validate active rules still needed
  • Check for orphaned rules
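The audit items above can be scripted. The following is an added example, not code from the original post: it walks data shaped like the EC2 API's describe-security-groups and describe-network-interfaces responses (the sample groups, interface IDs and the contents of NEVER_PUBLIC_PORTS are constructed placeholders) and reports never-public ports open to the world, all-protocol rules, and groups attached to no network interface.

```python
"""Audit security groups for the issues listed above. Added example: the data is
constructed to look like boto3's describe_security_groups() and
describe_network_interfaces() output and is not from the original post."""

# Ports the text says must never be reachable from 0.0.0.0/0
# (3306 / 5432 stand in for "databases"; extend as needed).
NEVER_PUBLIC_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def _perm(proto, lo=None, hi=None, cidrs=(), groups=()):
    """Build one IpPermissions entry in the shape the EC2 API returns."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if lo is not None:                      # "-1" (all protocols) carries no ports
        perm["FromPort"], perm["ToPort"] = lo, hi
    return perm


# Constructed sample account state; group and interface IDs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "prod-web-alb-sg", "IpPermissions": [
        _perm("tcp", 443, 443, cidrs=["0.0.0.0/0"]),
        _perm("tcp", 80, 80, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-0bbb", "GroupName": "prod-app-server-sg", "IpPermissions": [
        _perm("tcp", 8080, 8080, groups=["sg-0aaa"]),
        _perm("tcp", 22, 22, cidrs=["0.0.0.0/0"])]},        # the mistake to catch
    {"GroupId": "sg-0ccc", "GroupName": "legacy-db-sg", "IpPermissions": [
        _perm("-1", cidrs=["10.0.0.0/16"])]},               # all protocols, all ports
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0111", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-0222", "Groups": [{"GroupId": "sg-0bbb"}]},
]


def rule_ports(perm):
    """Inclusive destination port range; IpProtocol "-1" covers every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def rule_cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def find_public_admin_ports(groups):
    """(group_id, port, service, cidr) for each never-public TCP port open to the world."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):
                continue
            lo, hi = rule_ports(perm)
            for cidr in rule_cidrs(perm):
                if cidr in ANY_CIDRS:
                    for port, name in NEVER_PUBLIC_PORTS.items():
                        if lo <= port <= hi:
                            findings.append((g["GroupId"], port, name, cidr))
    return findings


def find_all_protocol_rules(groups):
    """(group_id, source) for inbound rules that allow every protocol and port."""
    return [(g["GroupId"], src)
            for g in groups for perm in g["IpPermissions"]
            if perm["IpProtocol"] == "-1"
            for src in rule_cidrs(perm) + [p["GroupId"] for p in perm["UserIdGroupPairs"]]]


def find_unused_groups(groups, enis):
    """Groups attached to no network interface: candidates for removal."""
    attached = {grp["GroupId"] for eni in enis for grp in eni["Groups"]}
    return sorted(g["GroupId"] for g in groups if g["GroupId"] not in attached)


if __name__ == "__main__":
    for finding in find_public_admin_ports(SAMPLE_GROUPS):
        print("NEVER-PUBLIC PORT OPEN:", finding)
    for finding in find_all_protocol_rules(SAMPLE_GROUPS):
        print("ALL-PROTOCOL RULE:", finding)
    print("UNUSED GROUPS:", find_unused_groups(SAMPLE_GROUPS, SAMPLE_ENIS))
```

Against the sample data this reports the SSH rule on sg-0bbb, the all-protocol rule on sg-0ccc, and sg-0ccc as unused. In a real account the same functions would be fed the paginated output of the two API calls; an unused group that is still referenced by another group's rule should be treated as an orphaned reference to clean up before deletion.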

Security Group Management

Terraform Example:

resource "aws_security_group" "app_server" {
  name        = "prod-app-server-sg"
  description = "Application server security group"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "HTTP from ALB"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    description     = "MySQL to RDS"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.database.id]
  }

  tags = {
    Name        = "prod-app-server-sg"
    Environment = "production"
  }
}

Network ACLs: Subnet-Level Control

NACLs are stateless firewalls at the subnet level.

When to Use NACLs

Use NACLs for:

  • Broad subnet-level restrictions
  • Blocking specific IP ranges
  • Compliance requirements (defense-in-depth)
  • Protecting against port scans

Don’t rely solely on NACLs:

  • Less flexible than Security Groups
  • Stateless (must allow both inbound and outbound)
  • Limited number of rules
  • More complex to manage

Best Practices

1. Default Allow

  • Unlike Security Groups, the default NACL allows all traffic. Create custom NACLs.

2. Rule Numbering

  • Use increments of 10 or 100
  • Lower numbers evaluated first
  • Explicit deny before implicit deny
  • Leave room for insertions

3. Stateless Rules

  • Must allow both directions:

Inbound:
  Rule 100: Allow TCP 443 from 0.0.0.0/0
  Rule 200: Allow TCP 1024-65535 from 0.0.0.0/0 (return traffic)

Outbound:
  Rule 100: Allow TCP 443 to 0.0.0.0/0
  Rule 200: Allow TCP 1024-65535 to 0.0.0.0/0 (return traffic)

4. Explicit Denies

  • Block known malicious IPs:

Inbound:
  Rule 10: Deny all from 192.0.2.0/24
  Rule 20: Deny all from 198.51.100.0/24
  Rule 100: Allow TCP 443 from 0.0.0.0/0

Example NACL Configuration

Public Subnet NACL:

Inbound:
  100 - Allow HTTP (80) from 0.0.0.0/0
  110 - Allow HTTPS (443) from 0.0.0.0/0
  120 - Allow ephemeral ports (1024-65535) from 0.0.0.0/0
  * - Deny all

Outbound:
  100 - Allow HTTP (80) to 0.0.0.0/0
  110 - Allow HTTPS (443) to 0.0.0.0/0
  120 - Allow ephemeral ports (1024-65535) to 0.0.0.0/0
  * - Deny all

Private Subnet NACL:

Inbound:
  100 - Allow all from 10.0.0.0/16 (VPC CIDR)
  110 - Allow ephemeral ports from 0.0.0.0/0 (return traffic)
  * - Deny all

Outbound:
  100 - Allow all to 10.0.0.0/16 (VPC CIDR)
  110 - Allow HTTPS (443) to 0.0.0.0/0 (outbound internet)
  120 - Allow ephemeral ports to 0.0.0.0/0
  * - Deny all
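Because NACLs are stateless, a connection only works when the request passes the inbound rules and the reply independently passes the outbound rules. The following is an added example, not code from the original post: a small evaluator that applies ordered NACL rules (lowest number first, implicit deny at the end) to the public subnet NACL and explicit denies listed above, and shows what happens when the ephemeral-port outbound rule is forgotten. The client addresses are constructed from RFC 5737 documentation ranges.

```python
"""Evaluate packets against ordered, stateless NACL rules and check a TCP connection
in both directions. Added example; rule sets mirror the text's public subnet NACL
and explicit denies, and client addresses are constructed (RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int          # evaluated lowest number first; first match wins
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp" or "all"
    cidr: str            # source CIDR on inbound rules, destination CIDR on outbound
    port_from: int = 0   # destination port range; ignored when protocol == "all"
    port_to: int = 65535


def evaluate(rules, protocol, remote_addr, dst_port):
    """Return "allow" or "deny" for one packet in one direction.

    remote_addr is the source for inbound traffic and the destination for outbound;
    dst_port is the packet's destination port. No match means the implicit '*' deny.
    """
    addr = ipaddress.ip_address(remote_addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A stateless firewall must pass the request and the reply separately."""
    request = evaluate(inbound, "tcp", client_ip, server_port)  # client -> server:port
    reply = evaluate(outbound, "tcp", client_ip, client_port)   # server -> client:ephemeral
    return request == "allow" and reply == "allow"


# The public subnet NACL from the text, plus its two explicit denies.
ALLOW_WEB = [
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),
    NaclRule(110, "allow", "tcp", "0.0.0.0/0", 443, 443),
    NaclRule(120, "allow", "tcp", "0.0.0.0/0", 1024, 65535),  # ephemeral / return traffic
]
DENY_KNOWN_BAD = [
    NaclRule(10, "deny", "all", "192.0.2.0/24"),
    NaclRule(20, "deny", "all", "198.51.100.0/24"),
]
PUBLIC_INBOUND = DENY_KNOWN_BAD + ALLOW_WEB
PUBLIC_OUTBOUND = list(ALLOW_WEB)
# The same NACL with the outbound ephemeral-port rule forgotten.
OUTBOUND_NO_EPHEMERAL = [r for r in ALLOW_WEB if r.number != 120]

if __name__ == "__main__":
    c = "203.0.113.7"   # constructed client address
    print(connection_allowed(PUBLIC_INBOUND, PUBLIC_OUTBOUND, c, 51000, 443))        # True
    print(connection_allowed(PUBLIC_INBOUND, OUTBOUND_NO_EPHEMERAL, c, 51000, 443))  # False
    print(connection_allowed(PUBLIC_INBOUND, PUBLIC_OUTBOUND, "192.0.2.5", 51000, 443))  # False
    print(connection_allowed(PUBLIC_INBOUND, PUBLIC_OUTBOUND, c, 51000, 22))         # False
```

The second case is the classic stateless mistake: the HTTPS request is accepted inbound, but the server's reply to the client's ephemeral port is dropped by the outbound default deny, so the connection hangs. The evaluator also makes the trade-off visible: the inbound ephemeral-range rule that lets replies to outbound connections through also admits new connections to any port above 1023, which is why the Security Group, not the NACL, remains the primary control.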

AWS Network Firewall

For advanced threat protection, AWS Network Firewall provides:

  • Stateful rule groups
  • Intrusion prevention (IPS)
  • Domain filtering
  • Protocol detection
  • Suricata-compatible rules

When to Use Network Firewall

Required for:

  • Regulated industries (finance, healthcare, government)
  • Advanced threat detection
  • Deep packet inspection
  • Domain-based filtering
  • Compliance requirements

Architecture:

Deploy in dedicated inspection VPC:

Workload VPCs → Transit Gateway → Inspection VPC (Network Firewall) → Internet Gateway

Rule Examples

Block Malicious Domains:

reject http any any -> any any (msg:"Blocked malicious domain"; http.host; content:".malicious.com"; sid:1000001; rev:1;)

This matches the Host header of plaintext HTTP only; for HTTPS the equivalent match is on the TLS SNI (tls.sni), since the Host header is encrypted.

Block Cryptocurrency Mining:

reject tcp any any -> any 3333 (msg:"Cryptocurrency mining blocked"; sid:1000002; rev:1;)

Require HTTPS:

reject tcp any any -> any 80 (msg:"HTTP not allowed - use HTTPS"; sid:1000003; rev:1;)

Bastion Hosts and Privileged Access

Bastion Host Best Practices

If you must use bastion hosts (prefer AWS Systems Manager Session Manager):

1. Hardened AMI:

  • Minimal installed software
  • Latest security patches
  • Locked-down OS
  • Regular updates

2. Restrictive Security Group:

Inbound:
  - SSH (22) from known IP ranges only
  - Require MFA for access

3. Logging:

  • CloudWatch Logs for all SSH sessions
  • CloudTrail for instance access
  • Session recording

4. Auto Scaling Group:

  • Single instance
  • Auto-replace if unhealthy
  • Use launch template for consistency

5. No Inbound SSH from Internet: Use VPN or Systems Manager instead.

AWS Systems Manager Session Manager

Preferred alternative to bastion hosts:

Benefits:

  • No inbound ports required
  • IAM-based access control
  • Session logging to S3
  • No SSH keys to manage
  • Works across accounts

Implementation: an IAM policy that permits starting a session only on instances tagged Environment=production, and only when the caller authenticated with MFA. The MFA condition uses Bool rather than BoolIfExists: in an Allow statement, BoolIfExists would also permit requests in which the aws:MultiFactorAuthPresent key is absent, so MFA would not actually be enforced.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ssm:StartSession"
    ],
    "Resource": [
      "arn:aws:ec2:ap-southeast-2:123456789012:instance/*"
    ],
    "Condition": {
      "StringLike": {
        "ssm:resourceTag/Environment": "production"
      },
      "Bool": {
        "aws:MultiFactorAuthPresent": "true"
      }
    }
  }]
}

VPC Flow Logs

Essential for security monitoring and troubleshooting.

Enable on All VPCs

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345678 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flowlogs \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flowlogs-role

What Flow Logs Capture

  • Source and destination IP addresses
  • Source and destination ports
  • Protocol
  • Number of packets
  • Number of bytes
  • Action (ACCEPT or REJECT)

Use Cases

Security Analysis:

  • Detect port scans
  • Identify unusual traffic patterns
  • Investigate security incidents
  • Validate security group rules

Troubleshooting:

  • Connection failures
  • Performance issues
  • Routing problems

Compliance:

  • Audit trail
  • Data retention
  • Forensic evidence

Analyzing Flow Logs

CloudWatch Insights:

fields @timestamp, srcAddr, dstAddr, dstPort, action
| filter action = "REJECT"
| stats count(*) as rejects by srcAddr, dstPort
| sort rejects desc

Athena Queries: more cost-effective for large volumes; store the logs in S3 and query them with Athena.
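The same analysis can be run offline over raw flow log records, which is useful for incident work on exported logs and for testing alert thresholds before wiring them to CloudWatch. The following is an added example, not code from the original post: it parses default-format (version 2) flow log lines, reproduces the Logs Insights reject count above, computes the overall reject rate, and flags sources whose rejected traffic touched many distinct ports. The log lines are constructed, with RFC 5737 addresses standing in for external hosts and placeholder account and interface IDs.

```python
"""Offline analysis of VPC Flow Log records. Added example, not from the original
post; SAMPLE_LOG is constructed in the default version-2 flow log format."""
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one external host probing five ports, normal HTTPS traffic,
# an internal host repeatedly rejected on 3306 (misconfigured app), one NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40003 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40004 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40005 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 51234 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 51235 443 6 18 7200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.15 33000 3306 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.15 33001 3306 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no flow fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def top_rejects(records, n=5):
    """Same result as: filter action = "REJECT" | stats count(*) by srcAddr, dstPort | sort desc."""
    counts = Counter((r["srcaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def reject_rate(records):
    """Fraction of records rejected; a sudden rise is the "High Reject Rates" alert."""
    if not records:
        return 0.0
    return sum(r["action"] == "REJECT" for r in records) / len(records)


def detect_port_scans(records, min_ports=5):
    """Sources whose rejected traffic hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records, reject rate {reject_rate(recs):.0%}")
    for (src, port), count in top_rejects(recs):
        print(f"{src:>16} -> {port:<5} rejected {count}x")
    print("possible port scans from:", detect_port_scans(recs))
```

The two detections separate the cases the text lists: the internal host hitting one port repeatedly is most likely a misconfiguration (a security group rule validation finding), while the external host touching many distinct ports is the port-scan pattern. Custom flow log formats change the field order, so FIELDS must match the format string chosen when the flow log was created.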

Additional Network Security Controls

AWS WAF (Web Application Firewall)

Protects web applications from common attacks:

Common Rule Sets:

  • SQL injection protection
  • Cross-site scripting (XSS)
  • Rate limiting
  • Geo-blocking
  • IP reputation lists

Deployment:

  • CloudFront distributions
  • Application Load Balancers
  • API Gateway
  • AppSync

Australia-Specific Rule (block requests that do not originate in Australia):

{
  "Name": "GeoBlockNonAustralia",
  "Priority": 10,
  "Statement": {
    "NotStatement": {
      "Statement": {
        "GeoMatchStatement": {
          "CountryCodes": ["AU"]
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "GeoBlockNonAustralia"
  }
}

The NotStatement inverts the country match so that only requests from outside Australia are blocked; a bare GeoMatchStatement on "AU" with a Block action would block Australian visitors instead.

AWS Shield

DDoS protection:

Shield Standard:

  • Automatic
  • No additional cost
  • Layer 3/4 protection

Shield Advanced:

  • Additional cost
  • Layer 7 protection
  • DDoS Response Team
  • Cost protection
  • Advanced metrics

VPC Endpoints

Keep traffic within AWS network:

Gateway Endpoints (S3, DynamoDB):

  • Free
  • Route table entries
  • Private connectivity

Interface Endpoints (Most services):

  • Powered by PrivateLink
  • ENI in your VPC
  • Private DNS
  • Cost per endpoint per hour

Security Benefits:

  • No internet gateway required
  • Traffic doesn’t traverse internet
  • Can restrict access from specific VPCs
  • Supports private DNS

Monitoring and Alerting

Essential Alerts

1. Unexpected Network Access: EventBridge (formerly CloudWatch Events) event pattern that fires on new security group rules:

{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "AuthorizeSecurityGroupEgress"
    ]
  }
}
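The pattern selects the events; the response stage from the defense-in-depth list then has to decide what to do with each one. The following is an added example, not code from the original post: it applies the event pattern above to a CloudTrail event (the event is constructed to follow CloudTrail's shape for AuthorizeSecurityGroupIngress, in which EC2 list parameters arrive wrapped in "items"; the account, group and user identifiers are placeholders) and pulls out any newly authorised rule that opens a never-public port to the world, which is the input an automated remediation function would act on.

```python
"""Match a CloudTrail event against the EventBridge pattern and extract the offending
rule. Added example, not from the original post; SAMPLE_EVENT is constructed."""

PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["AuthorizeSecurityGroupIngress",
                             "AuthorizeSecurityGroupEgress"]},
}

# Constructed event; identifiers are placeholders.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "ap-southeast-2",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0bbb",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080,
                 "groups": {"items": [{"groupId": "sg-0aaa"}]}},
            ]},
        },
    },
}

NEVER_PUBLIC_PORTS = {22, 3389, 3306}   # the text's "never from 0.0.0.0/0" list
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def matches(pattern, event):
    """Exact-match subset of EventBridge semantics: a list means "value is one of",
    a nested dict recurses, and every pattern key must be present in the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def public_admin_rules(event):
    """(group_id, from_port, to_port, cidr) for authorised rules opening a
    never-public TCP port to the world."""
    params = event["detail"].get("requestParameters", {})
    group_id = params.get("groupId")
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):
            continue
        lo = perm.get("fromPort", 0)
        hi = perm.get("toPort", 65535)
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in ANY_CIDRS and any(lo <= p <= hi for p in NEVER_PUBLIC_PORTS):
                findings.append((group_id, lo, hi, cidr))
    return findings


def triage(event):
    """Decision a responder function would make: ignore, log, or revoke-and-page."""
    if not matches(PATTERN, event):
        return "ignore"
    return "revoke-and-page" if public_admin_rules(event) else "log"


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT), public_admin_rules(SAMPLE_EVENT))
```

Every matched event still deserves a log entry (the pattern is the audit trail for rule changes), but only the rules that open SSH, RDP or a database port to 0.0.0.0/0 warrant automatic revocation and a page to the on-call engineer; the revocation itself would be a RevokeSecurityGroupIngress call with the same permission structure.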

2. VPC Changes: alert on VPC modifications:

  • New internet gateways
  • New VPC peering
  • Route table changes
  • NACL modifications

3. High Reject Rates: derived from VPC Flow Logs; indicates a potential attack or misconfiguration.

4. Traffic to Unusual Ports: monitor for unauthorized services.

GuardDuty

Intelligent threat detection:

  • Monitors CloudTrail, VPC Flow Logs, DNS logs
  • Machine learning-based detection
  • Cryptocurrency mining detection
  • Backdoor detection
  • Unusual API calls

Enable in all accounts and regions:

aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES

Network Security Checklist

VPC Configuration:

  • Multi-AZ deployment
  • Proper subnet segregation
  • No default VPC in use
  • VPC Flow Logs enabled
  • DNS resolution documented

Security Groups:

  • No 0.0.0.0/0 on SSH/RDP
  • Least privilege rules
  • Descriptive naming
  • Reference SGs not IPs
  • Regular audits

NACLs:

  • Custom NACLs created
  • Explicit denies for known bad actors
  • Stateless rules properly configured
  • Documentation maintained

Access Control:

  • No bastion hosts (use SSM)
  • VPN or Direct Connect configured
  • MFA for privileged access
  • Session logging enabled

Monitoring:

  • CloudWatch alarms configured
  • GuardDuty enabled
  • VPC Flow Logs analyzed
  • Security Hub integrated
  • SNS notifications set up

Advanced Controls:

  • WAF for public applications
  • Network Firewall (if required)
  • VPC endpoints where possible
  • Shield Advanced (if needed)

Conclusion

Network security is a critical component of your AWS defense strategy. By implementing proper VPC architecture, configuring security groups and NACLs correctly, enabling comprehensive logging, and using advanced controls like Network Firewall when needed, you create multiple layers of defense protecting your infrastructure.

For Australian businesses, particularly those in regulated industries, a robust network security architecture is essential for meeting compliance requirements and protecting sensitive data.

CloudPoint specialises in designing and implementing secure network architectures for AWS environments. We can review your current network security posture, identify vulnerabilities, and implement best practices tailored to your regulatory requirements.

Contact us for a network security assessment and let us help you build a defense-in-depth architecture.

