{"id":1363,"date":"2022-11-19T07:08:07","date_gmt":"2022-11-19T06:08:07","guid":{"rendered":"http:\/\/www.klaushaller.net\/?p=1363"},"modified":"2022-11-19T07:08:07","modified_gmt":"2022-11-19T06:08:07","slug":"protecting-aws-paas-workloads-with-vpc-endpoints","status":"publish","type":"post","link":"https:\/\/www.klaushaller.net\/?p=1363","title":{"rendered":"Protecting AWS PaaS Workloads with VPC Endpoints"},"content":{"rendered":"\n<p>Routing network traffic between data centers over the internet? Web services within a data center interacting with traffic passing through the public internet \u2013 just to save a couple of hours or days of work? Both have been frowned upon for years, but such shortcuts are the new normal in the cloud world. So, are VPC Endpoints in AWS a solution?<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Understanding the Use Case<\/h1>\n\n\n\n<p>In the following, we look at a solution relying on AWS S3, Lambda, and Dynamo DB services. The architecture in Figure 1 consists of an application running on an EC2 instance (i.e., a VM) <em>alpha5<\/em> in subnet <em>SN714<\/em>. It accesses a lambda function <em>lf6c<\/em>, an S3 object storage <em>s3delta<\/em> and an AWS Dynamo database <em>dy_epsilon<\/em> (Figure 1). By default, <em>lf_gamma<\/em>, <em>s3delta<\/em>, and <em>dy_epsilon<\/em> are publicly reachable web services. As such, they are accessible from the internet. Traffic to and from them leaves the subnet and VPC and goes via the public internet to the AWS service endpoints \/ URLs for the S3 and Lambda services. To avoid this, VPC Endpoints in AWS are an option to keep this network traffic private. 
It is a scenario in which the EC2 instance acts as a service customer, whereas AWS acts as a service provider.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"532\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1-1024x532.png\" alt=\"\" class=\"wp-image-1367\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1-1024x532.png 1024w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1-300x156.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1-768x399.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1-624x324.png 624w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig1_vpc_endpoints_aws-1.png 1163w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 1: The network connectivity challenge for IaaS workload accessing AWS cloud services<\/figcaption><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">VPC Endpoints and Interfaces<\/h1>\n\n\n\n<p>VPC Endpoints come in different flavors. We look first at how they allow integration of AWS services, thereby avoiding traffic via the internet (Figure 2, A). For such scenarios, AWS offers two VPC Endpoint variants: gateway endpoints and interface endpoints (Figure 2, B). 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints.png\"><img loading=\"lazy\" decoding=\"async\" width=\"528\" height=\"1024\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints-528x1024.png\" alt=\"\" class=\"wp-image-1366\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints-528x1024.png 528w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints-155x300.png 155w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints-624x1211.png 624w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig2_aws_gateway_endpoints.png 680w\" sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 2: Creating a Gateway Endpoint in AWS for AWS Services<\/figcaption><\/figure>\n\n\n\n<p>Gateway endpoints and interface endpoints achieve their aims differently:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>interface endpoint<\/strong> means the AWS service gets a local IP address within the subnet. So, it looks like, and can be reached (e.g., by EC2 instances) like, any other EC2 instance in this subnet.<\/li>\n\n\n\n<li>A <strong>gateway endpoint<\/strong> allows routing traffic within the AWS network from the subnet to the AWS endpoint with the help of a routing table.<\/li>\n<\/ul>\n\n\n\n<p>Figure 2 illustrates the creation of a gateway endpoint (B), which requires selecting the VPC into which the gateway should be deployed (C) and the routing table (D), which ensures that the relevant traffic goes to the S3 endpoint just created. Usually, engineers do not have to worry about which option to choose because not many AWS services support gateway endpoints; most have (only) interface endpoints. 
The following Table 1 provides an overview.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Service<\/strong><\/td><td><strong>Interface Endpoint<\/strong><\/td><td><strong>Gateway Endpoint<\/strong><\/td><\/tr><tr><td><em>S3<\/em><\/td><td>Available<\/td><td>Available<\/td><\/tr><tr><td><em>Dynamo DB<\/em><\/td><td>Not available<\/td><td>Available<\/td><\/tr><tr><td><em>Lambda<\/em><\/td><td>Available<\/td><td>Not available<\/td><\/tr><tr><td><em>Cassandra<\/em><\/td><td>Available<\/td><td>Not available<\/td><\/tr><tr><td><em>Sage Maker Studio<\/em><\/td><td>Available<\/td><td>Not available<\/td><\/tr><tr><td><em>Redshift<\/em><\/td><td>Available<\/td><td>Not available<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\"><em>Table 1: Endpoint Options for Selected AWS Services<\/em><\/figcaption><\/figure>\n\n\n\n<p>By default, a VPC Endpoint allows traffic from everyone within the VPC to the resource. So, every user and application with access to the VPC can reach the VPC Endpoint (and the resource behind the VPC Endpoint) on the network layer. The access rights in the IAM solution can still prevent reading or writing the data. However, it is usually better to rely not only on one security mechanism \u2013 IAM \u2013 but on two, IAM and network security \u2013 and VPC Endpoints can be a solution for the latter.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">The other way around \u2026<\/h1>\n\n\n\n<p>We have now looked at how to access AWS services from your VPC securely. The scenario: an application on an EC2 instance that accesses AWS services such as Dynamo DB or Lambda Functions. But what about a scenario where an AWS Lambda function orchestrates a couple of legacy (micro-)services of applications running on EC2 instances? 
How can the AWS Lambda function invoke them without going through the internet and without making the EC2 instance accessible from the internet?<\/p>\n\n\n\n<p>Specifically for Lambda Functions, AWS provides a solution. Engineers can \u201cconnect\u201d AWS Lambda Functions with VPCs. Then, the Lambda Function accesses resources exactly like an EC2 instance in the VPC.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"814\" height=\"958\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1.png\" alt=\"\" class=\"wp-image-1369\" srcset=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1.png 814w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1-255x300.png 255w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1-768x904.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig3_aws_lambda_vpc-1-624x734.png 624w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 3: Creating an AWS Lambda Function accessing VPC resources privately<\/figcaption><\/figure>\n\n\n\n<p>Without going into details, this aspect illustrates the importance of understanding the different scenarios of how applications and AWS services interact when implementing a security posture &#8211; especially since not every AWS service might have such an elegant solution. 
The challenge grows further if you not only combine IaaS workloads on EC2 with PaaS features like Dynamo DB and Lambda Functions but also consider Web Services from external partners, customers, or suppliers.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">AWS\u2019s Ecosystem Spirit<\/h1>\n\n\n\n<p>The most frustrating experience when integrating software-as-a-service solutions into your company application landscape is how negligent software vendors are when it comes to securing the integration of their solution into company ecosystems. Thus, I was surprised when I looked at AWS\u2019s VPC Endpoint concept. I was fascinated by two aspects:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC Endpoints work not only for AWS-provided cloud-native services. You can also connect to VPC Endpoints of AWS Marketplace vendors \u2013 or any other AWS tenant. That helps integrate services hosted by vendors on the AWS cloud (Figure 4, left).<\/li>\n\n\n\n<li>Suppose you are a service provider. Your customers might expect from you the same level of security as AWS\u2019s service. The good news is that everybody on AWS can provide VPC Endpoints. 
You can provide your services with precisely the same security mechanisms as AWS (Figure 4, right).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services.png\"><img loading=\"lazy\" decoding=\"async\" width=\"895\" height=\"339\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services.png\" alt=\"\" class=\"wp-image-1370\" srcset=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services.png 895w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services-300x114.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services-768x291.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/10b_fig4_vcp_endpoints_and_vpc_endpoint_services-624x236.png 624w\" sizes=\"auto, (max-width: 895px) 100vw, 895px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 4: Endpoint- and Endpoint Service-related Creation<\/figcaption><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Do VPC Endpoints make a Difference?<\/h1>\n\n\n\n<p>VPC endpoints are like seat belts \u2013 if you use them, they reduce your risks. External attackers have a much smaller attack surface if you shield your interfaces, data, and service instances from the internet. No traffic via the internet makes interference with your traffic impossible. Suppose every (micro-)service and every S3 instance has internet connectivity because all invocations from your EC2 instances go via the internet. In such a case, every single IAM misconfiguration can cause a disaster. So, VPC Endpoints are a great innovation, like seat belts. However, they are not the complete solution, especially since PaaS services are shaking up corporate IT departments. 
Cloud-native PaaS services such as database-as-a-service (e.g., Dynamo DB) or middleware-as-a-service (e.g., AWS EventBridge) change how IT organizations develop and operate applications. Database and middleware teams shrink or even disappear. The reason: application teams can use Dynamo DB or EventBridge without company-internal support. You click a button and get an instance \u2013 one that is always patched. Suddenly, hundreds of engineers create database instances, not frequently but maybe every quarter or so. Ensuring all configurations are correct becomes a nightmare. In this sense, VPC Endpoints can prevent exposing databases to the internet. However, they do not make detective and preventive controls obsolete. The challenge is the consistent, 100% correct usage and configuration of AWS components and VPC Endpoints by potentially hundreds of engineers in an IT department. The rule for such scenarios is sim<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Routing network traffic between data centers over the internet? Web services within a data center interacting with traffic passing through the public internet \u2013 just to save a couple of hours or days of work? Both have been frowned upon for years, but such shortcuts are the new normal in the cloud world. 
So, are [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1371,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1363"}],"version-history":[{"count":2,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1363\/revisions"}],"predecessor-version":[{"id":1372,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1363\/revisions\/1372"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/media\/1371"}],"wp:attachment":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}