Amazon Virtual Private Cloud (Amazon VPC)
Since its release in 2009, Amazon’s Virtual Private Cloud (Amazon VPC) has given enterprise customers access to Amazon’s web services through a virtual private network.
What is Amazon VPC?
The Amazon VPC allows clients to provision a private, isolated section of the Amazon cloud (Amazon Web Services; AWS). This means that users can launch various resources in a self-defined virtual network.
Amazon’s CTO, Werner Vogels, offers his comments on the VPC:
“We continuously listen to our customers to make sure our roadmap matches their needs. One important piece of feedback that mainly came from our enterprise customers was that the transition to the cloud of more complex enterprise environments was challenging. We made it a priority to address this and have worked hard in the past year to find new ways to help our customers transition applications and services to the cloud, while protecting their investments in their existing IT infrastructure.”
Functionality
Amazon VPC allows enterprise customers to:
- Create a VPC on AWS-scalable infrastructure and specify a private IP address range of their choice.
- Divide the VPC’s private IP address range into one or more public or private subnets so that applications and services can run in the VPC.
- Control inbound/outbound access to/from individual subnets using network access control lists.
- Store data in Amazon S3.
- Set permissions so that data can only be accessed from within the Amazon VPC.
- Attach an Amazon Elastic IP address to any instance in the VPC so it can be directly reached from the Internet.
- Bridge the VPC and on-site IT infrastructure with an encrypted VPN connection. This extends existing security and management policies to VPC instances, so that they behave as if they were running within the customer’s own IT infrastructure.
Advantages
The offering brings with it a number of advantages, including:
- Multiple Connectivity Options – There are several ways to connect, depending on which AWS resources clients want to share publicly or keep private: 1) direct connection to the internet through public subnets; 2) connection to the internet from private subnets through Network Address Translation (NAT); 3) secure connection to the corporate data center through an encrypted IPsec hardware VPN connection; 4) a combination of these methods as the application requires.
- Security – Amazon VPC offers advanced security options, including security groups and network access control lists. Data stored in Amazon S3 can be restricted so that it is accessible only from instances in your VPC.
- Convenience – VPCs can be created simply and quickly through the AWS Management Console. Subnets, IP ranges, route tables and security groups are automatically created.
- Scalability and Reliability – All of the benefits offered in the rest of the AWS platform are offered in Amazon’s VPC. Resources can be scaled up or down and users only have to pay for resources used.
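The two mechanisms the lists above lean on most, dividing the VPC’s address range into subnets and filtering subnet traffic with network access control lists, are easier to reason about with a small model in hand. The following Python is an added illustration written for this post, not AWS code and not the AWS API: it carves a VPC CIDR into subnets (accounting for the five addresses AWS reserves in every subnet) and evaluates a stateless network ACL the way AWS does, lowest-numbered matching rule first, with an implicit deny for anything unmatched. All CIDRs, rule numbers and client addresses are constructed sample values.

```python
"""Added illustrative model (not the AWS API) of two VPC building blocks from
the article: carving a VPC's private address range into subnets, and the
ordered, first-match evaluation of a stateless network access control list.
All CIDRs, rule numbers and addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS server, one address held for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[dict]:
    """Split a VPC CIDR into equal subnets and report usable hosts per subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [
        {"cidr": str(net), "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET}
        for net in vpc.subnets(new_prefix=new_prefix)
    ]


@dataclass(frozen=True)
class NaclRule:
    number: int        # rules are evaluated in ascending order
    protocol: str      # "tcp", "udp" or "all"
    cidr: str          # remote address range the rule matches
    port_from: int     # destination port range (inclusive)
    port_to: int
    action: str        # "allow" or "deny"


def evaluate_nacl(rules: List[NaclRule], protocol: str, remote_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one packet: the lowest-numbered matching rule
    wins, and the implicit '*' rule denies anything that matched nothing."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"


# Constructed sample: a public subnet serving HTTPS; 203.0.113.0/24 is blocked.
INBOUND = [
    NaclRule(90, "tcp", "203.0.113.0/24", 443, 443, "deny"),
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Same intent, but the deny is numbered after the broad allow, so it never fires.
INBOUND_MISORDERED = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "tcp", "203.0.113.0/24", 443, 443, "deny"),
]
# Outbound list that only allows port 443: replies to clients are addressed to
# the client's ephemeral port, so a stateless NACL drops them.
OUTBOUND_STRICT = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Corrected outbound list with an ephemeral-port rule for return traffic.
OUTBOUND_FIXED = OUTBOUND_STRICT + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]


if __name__ == "__main__":
    subnets = carve_subnets("10.0.0.0/16", 24)
    print(len(subnets), "subnets, e.g.", subnets[0])
    print("client 198.51.100.7 -> :443 inbound:", evaluate_nacl(INBOUND, "tcp", "198.51.100.7", 443))
    print("blocked 203.0.113.9 -> :443 inbound:", evaluate_nacl(INBOUND, "tcp", "203.0.113.9", 443))
    print("same packet, misordered rules:", evaluate_nacl(INBOUND_MISORDERED, "tcp", "203.0.113.9", 443))
    print("reply to client ephemeral port, strict:", evaluate_nacl(OUTBOUND_STRICT, "tcp", "198.51.100.7", 50234))
    print("reply to client ephemeral port, fixed:", evaluate_nacl(OUTBOUND_FIXED, "tcp", "198.51.100.7", 50234))
```

The two failure modes the sample rule sets expose are the ones that bite in practice: a deny rule numbered after a broad allow never takes effect, and because a network ACL is stateless (unlike a security group, which tracks connections) an outbound list must explicitly allow the ephemeral port range or replies to legitimate inbound requests are silently dropped.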
Critics Said…
According to cloud experts, Amazon’s VPC offering is not a private cloud in the sense of complete isolation from other customers’ resources. EC2 instances in a VPC remain part of the multi-tenant AWS public cloud; the separation is provided at the virtual networking level through the virtual private network. Data stored in Amazon’s cloud therefore continues to reside on servers shared with other companies’ data.
The offering is still more secure than regular EC2 instances. Essentially, the VPC offering is the regular AWS public cloud with deeper-level isolation and an additional layer of encryption on top. This, however, is not enough for customers to satisfy regulatory compliance requirements.
Recent Enhancement
In March 2011, Amazon Web Services announced significant improvements to Amazon VPC. After three years, the company added improvements that give cloud providers more flexibility in setting up dedicated cloud resources.
Since its release, VPC had been limited to provisioning an isolated chunk of the AWS cloud and then deploying resources within it. The VPC was reachable only over a VPN between the service provider’s data center and the customer’s data center. The updates mean that users no longer need existing infrastructure to take advantage of the services.
Another update enables cloud administrators to define a network topology and access it over the internet. This increases the usability of the VPC offering and is drawing interest from various cloud service providers.
The third update announced added support for Windows Server 2008 R2 and SQL Server Standard 2008 R2. This gives cloud administrators access to IIS 7.5, Active Directory features, new management tools and other performance improvements.
Summary
This article takes a look at the Amazon Virtual Private Cloud (VPC), which enables clients to provision a private, isolated section of the Amazon cloud (Amazon Web Services; AWS). Since its release in 2009, the VPC has been improved and now allows for even more flexibility in setting up cloud resources.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Provider Selection (Domain 8)
- Recommended Provider Tools and Capabilities (Domain 9)
- Key Management Standards (Domain 11)
- Virtual Machine Security Features (Domain 13)