Amazon Cloud Inches Closer to the Enterprise with VPC
Amazon’s AWS VPC (Virtual Private Cloud) is like a canvas. It lets you define private networks, how they interact with each other, their routing, and their security. Now it even lets you terminate VPN connections from your main corporate network out of the box and, best of all, the VPC itself costs nothing to use (you still pay for the instances you run in it and for VPN connection hours).
If you are an AWS customer, you can create a VPC and launch EC2 instances inside it, or start with plain old EC2 instances on the standard Amazon-managed network. We have all launched a standard (non-VPC) EC2 instance at least once. It’s fast, simple, and it just works. If you look at your web-scale app now, you may realize that this historical (non-)decision created an architectural commitment that is hard to change once you want to tighten security.
Comparing EC2 and VPC Security Groups
There are many great articles comparing EC2 and VPC in general; here I’ll focus on comparing the security controls of each, because they use similar terminology but offer different things:
- EC2 is inbound only; VPC offers inbound, outbound and network ACLs.
- EC2 security group membership is fixed for the life of an instance; VPC groups are flexible.
- The EC2 private interface isn’t really private; VPC interfaces are private by definition.
A VPC describes and segregates private networks, and the way they connect to one another and to the outside world. IT organizations use VPC to deploy more secure and robust environments within the Amazon public cloud. Security groups are a good tool for separating instances from each other, but on their own they are not enough: achieving that separation with groups alone takes a great deal of custom work and results in a highly complex environment. With VPC, the public cloud user can carve out a private, secured portion of the cloud that still communicates easily with public resources.
Inbound, Outbound and ACLs vs. Just Inbound
EC2 security groups whitelist inbound connections only; VPC security groups control both inbound and outbound traffic, and VPC additionally offers network ACLs, which are stateless allow/deny rule lists applied at the subnet level rather than per instance. Outbound control matters when you need to predefine which destinations an instance may initiate connections to, whether other EC2 instances, other VPCs or the Internet. A web server whose egress rules only allow its database subnet cannot be used to call home to an attacker’s server or to exfiltrate data, whereas an EC2 instance outside a VPC can open any outbound connection it likes.
In EC2, an instance’s security group membership is fixed at launch: the rules inside a group can be edited, but groups cannot be added to or removed from a running instance. In a VPC, security groups can be edited, attached and detached on a running instance on the fly. This powerful capability, however, also creates risk: the effective policy of a live instance can change without a relaunch and without anyone touching the instance itself. With EC2 security groups, you only need to check which group an instance was launched with and read its rules. VPC, by contrast, demands more comprehensive management, including discovery, change control and auditing tools.
EC2 allows up to 100 port and CIDR rule combinations in a single group, and policies that large quickly become unmanageable. VPC takes a different approach: each group is limited to 50 inbound and 50 outbound rule combinations, but several groups can be attached to the same instance. Use this to overcome the management problem of big, monolithic security groups. For example, you can define your monitoring, Linux web and internal backup rules in three separate security groups within the VPC, each with its own rules, and attach all three to a single instance. With, say, 40 rules per group, that instance effectively carries 120 rules while each group stays small and readable, and you have passed the ceiling of any single EC2 group. In short, create functional security groups and compose them per instance (AWS caps the number of groups per network interface, so keep the set of functions small). Two caveats to keep in mind: rules are additive, so an instance’s effective policy is the union of every attached group, and a single permissive legacy group undoes the care taken in the others; and because groups are reusable, a rule change in one group silently changes every instance it is attached to. In a complex environment, treat each security group as a small, flat policy file for one function, and build your VPC deployment from those building blocks.
EC2 security groups do provide isolation; however, the instance is still part of the shared Amazon cloud network. VPC provides private (for example 10.x) subnets under your own addressing, so we can assume a higher level of isolation and trust. In our experience over the last year of using the Amazon cloud, as well as managing and tracking our customers’ “Amazon firewall” configurations, I can say without a doubt that AWS VPC supports a level of network privacy that aligns with strict compliance standards like PCI DSS. Amazon VPC is a commercial, enterprise-grade Software-Defined Network (SDN) with flexible and programmable interfaces. I truly believe that VPC and its next generations are the future of outsourced enterprise-grade data centers in the cloud.
About the Author
Zohar Alon is the Founder and CEO of Dome9 Security and a veteran of network security. He helped shape the early days of network security at Check Point Software (NASDAQ: CHKP), where he built Provider-1, Check Point’s management solution for service providers, which is still used today by the world’s largest MSPs and enterprises. Alon graduated from Tel Aviv University and holds several leadership and advisory roles in venture-backed companies.
@zoharalon on Twitter
Dome9 makes cloud security elastic with automated cloud firewall management. Available for the enterprise and hosting providers, Dome9 centralizes firewall management across Clouds, Virtual Private Servers (VPS), dedicated servers, and Amazon’s EC2 Security Groups, covering all major operating systems and service providers. Secure Your Cloud™ with Dome9.
Keywords: Amazon Web Services, Amazon Cloud Services, Cloud Security, AWS ELB, Elastic Load Balancer, IAM policy, Cloud Firewall, Amazon Security Groups, Security Audit, Firewall Ports, VPN, VPC, HTTP, Security Policy, Cloud Adoption, Migration, Software-Defined Network