Networking & Content Delivery

Enhancing VPC Security with HAQM VPC Block Public Access

In the earliest days of HAQM Virtual Private Cloud (HAQM VPC), we thought customers would only ever need a single VPC. We’ve learned a lot since then. Today, the AWS Well-Architected Framework describes a single account with a single VPC as an anti-pattern. With a growing number of accounts and network paths in the AWS Cloud, customers and partners told us they wanted simple tools that help them understand and secure their cloud environments at scale.

AWS provides services and features that enable customers to implement detective, preventative, proactive, and responsive controls. Our investments in automated reasoning and provable security, for example, let you detect public HAQM Simple Storage Service (HAQM S3) buckets and identify unexpected internet access resulting from simple mistakes or misunderstandings. For preventative controls at scale, we’ve delivered features like HAQM S3 Block Public Access that make it simple to ensure your S3 objects are private.

Introducing Block Public Access for HAQM VPC

Today, we’re excited to introduce a powerful new feature that simplifies internet access control. HAQM VPC Block Public Access is a simple, declarative control that authoritatively blocks incoming (ingress) and outgoing (egress) VPC traffic through AWS-provided internet paths. It lets customers meet their organization’s security and compliance requirements by centrally blocking AWS-provided internet access to resources in their VPCs. When set to bidirectional block, all ingress and egress VPC traffic is denied. HAQM VPC Block Public Access supersedes any existing VPC settings and drops all traffic that would otherwise reach the internet through paths like an Internet Gateway (IGW) or Egress-Only Internet Gateway (EIGW).

But, what about the case where traffic from a VPC needs to access the internet?

NAT Gateways and EIGWs are commonly used to provide internet access to resources within a VPC without exposing them to inbound internet traffic. Customers told us they wanted a simple, reliable, and consistent approach to support this common architecture when using HAQM VPC Block Public Access. As an alternative to bidirectional block, HAQM VPC Block Public Access supports ingress-only block for these use cases. With ingress-only block, inbound internet traffic is authoritatively blocked, and egress traffic from a VPC is permitted only from NAT Gateways and EIGWs.

You can enable HAQM VPC Block Public Access per region on an AWS account, and we plan to support AWS Organizations soon.

Granular Control with Exclusions

We understand that some resources within a VPC may require bidirectional internet access. Or, you may have use cases, such as centralized traffic inspection, that require an egress-only internet path that HAQM VPC Block Public Access bidirectional or ingress-only block would otherwise reject. To address this need, HAQM VPC Block Public Access includes granular exclusion capabilities. Administrators can specify individual VPCs or subnets to exclude from HAQM VPC Block Public Access enforcement, allowing for targeted internet access where necessary. You can configure these exclusions to permit either all (bidirectional) or only outbound (egress-only) internet access. Like ingress-only block, when you allow an egress-only exclusion, egress traffic from a VPC or subnet is permitted only from NAT Gateways and EIGWs.

Let’s dive deeper into how HAQM VPC Block Public Access works and explore its key capabilities.

Understanding HAQM VPC Block Public Access

To demonstrate HAQM VPC Block Public Access, I’ve created the simple, dual-stack (IPv4 and IPv6) VPC architecture shown in Figure 1. There are two public subnets, two private subnets, NAT Gateways, an EIGW, and an IGW. The public subnets have a default route to the IGW. The private subnets have an IPv4 default route to the NAT Gateways in the same Availability Zone, and an IPv6 default route to the EIGW. I’ve deployed an internet-facing Application Load Balancer (ALB) in the public subnets that listens for HTTP. The ALB passes inbound internet traffic to the web servers in the private subnets.

Figure 1: Simple, dual-stack VPC architecture

Before I enable HAQM VPC Block Public Access, I’m able to access the web servers, through the ALB, from the internet. I’m also able to ping the AWS homepage while logged into a web server, accessing the internet through the NAT Gateways for IPv4 and the EIGW for IPv6.

Figure 2: Browser window showing "Hello, World!"

Figure 3: Successful outbound pings over IPv4 and IPv6

I want to configure HAQM VPC Block Public Access to allow all traffic (bidirectional) to and from only my public subnets. However, I don’t want my website to become unavailable when I enable HAQM VPC Block Public Access. So, I set up exclusions for these subnets before enabling HAQM VPC Block Public Access.

I navigate to the VPC console, and:

  • Select Settings.
  • Then select the Block public access tab.

Figure 4: HAQM VPC Block Public Access tab

Next, I click on:

  • Create exclusions and specify that my two public subnets should allow all internet traffic (bidirectional).
  • Then, click on Create exclusions.

Figure 5: Creating exclusions for public subnets

A few minutes later, the exclusions are Active.

Figure 6: Active exclusions for public subnets

Now, I’m ready to activate HAQM VPC Block Public Access. However, I want to make sure I understand what will happen when I enable the feature. So, I click on the link to Create Network Access Scope, and I use Network Access Analyzer to determine the currently allowed AWS-provided internet paths. Using two Exclusion conditions, I filter out the public subnets as either a source or destination for internet traffic, because we already know traffic to these subnets is allowed by the exclusions.

Figure 7: Network Access Analyzer results

The analysis shows that the WebServers can accept and respond to internet traffic through the ALBs, and they can initiate outbound (egress) internet traffic through the NAT Gateways. Recall that the private subnets also have an IPv6 default route to the EIGW, and I’ve made no HAQM VPC Block Public Access exclusion for the private subnets. As a result, I expect HAQM VPC Block Public Access to reject egress IPv6 traffic from the WebServers.

I go back to the Block Public Access tab, and click:

  • Edit public access settings.
  • Check the box to Turn on block public access, and set the behavior to block all internet traffic (bidirectional).
  • Click Save changes.

Figure 8: Turn on block public access with bidirectional block

A few minutes later, the Public access settings show a Status of On.

Figure 9: Block public access is on

To verify, I check whether I can get to the WebServers, through the ALB, from the internet. The “Hello, World!” page successfully returns. Going back to the WebServer, I’m able to ping the AWS homepage through the NAT Gateways and IGW over IPv4, as confirmed by the results from Network Access Analyzer. As expected, I am not able to ping the AWS homepage over IPv6.

Figure 10: Successful outbound pings over IPv4; Outbound IPv6 pings fail

Looking at VPC flow logs, which were previously enabled on the private subnets, I can see the IPv6 traffic is denied. The first line (ACCEPT) indicates that the packets were allowed by the security group on the network interface and the network ACL on the subnet. However, HAQM VPC Block Public Access then blocked the traffic (REJECT). If I had set up a custom format in VPC flow logs, I could have included the reject-reason field, which would show BPA as the reason for blocking the traffic.

Figure 11: VPC flow logs with ACCEPT followed by REJECT
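The ACCEPT-then-REJECT pattern above is easy to pick out once the reject-reason field is in the log. The following Python is an added example (not code from the post or from AWS): it parses constructed flow-log records in an assumed custom format that ends with reject-reason, lists the flows Block Public Access dropped, and flags flows that passed the security group and network ACL but were then rejected by BPA, which are the candidates to review for an exclusion.

```python
# Added example (not from the post): find flows that HAQM VPC Block Public Access
# dropped, using VPC flow logs in a custom format that includes reject-reason.
from collections import defaultdict

# Assumed custom log format for this example; the field order is a choice made
# here, not a fixed AWS default.
FIELDS = ["version", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "action", "reject-reason"]

# Constructed sample records modelled on Figure 11: the security group and NACL
# ACCEPT the IPv6 echo request (protocol 58), then BPA REJECTs the same flow.
# Addresses are documentation ranges, not real hosts. '-' means "no value".
SAMPLE_LOG = """\
5 eni-0123456789abcdef0 2001:db8:1::10 2001:db8:ffff::1 0 0 58 ACCEPT -
5 eni-0123456789abcdef0 2001:db8:1::10 2001:db8:ffff::1 0 0 58 REJECT BPA
5 eni-0123456789abcdef0 10.0.1.10 198.51.100.7 44321 443 6 ACCEPT -
5 eni-0123456789abcdef0 10.0.1.10 203.0.113.9 51000 22 6 REJECT -
"""


def parse_flow_log(text):
    """Yield one dict per record; the '-' placeholder becomes None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank, header or partial lines
        yield {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}


def bpa_rejects(text):
    """Return (src, dst, protocol) for every record rejected with reason BPA."""
    return [(r["srcaddr"], r["dstaddr"], r["protocol"])
            for r in parse_flow_log(text)
            if r["action"] == "REJECT" and r["reject-reason"] == "BPA"]


def accepted_then_bpa_rejected(text):
    """Flows that passed SG/NACL (ACCEPT) and were then dropped by BPA.

    A REJECT with no reason (e.g. a NACL or SG deny) is deliberately not
    matched: only BPA-blocked flows are exclusion candidates."""
    seen = defaultdict(set)
    for r in parse_flow_log(text):
        key = (r["srcaddr"], r["dstaddr"], r["protocol"])
        seen[key].add((r["action"], r["reject-reason"]))
    return sorted(k for k, acts in seen.items()
                  if ("ACCEPT", None) in acts and ("REJECT", "BPA") in acts)


if __name__ == "__main__":
    for flow in accepted_then_bpa_rejected(SAMPLE_LOG):
        print("BPA blocked after SG/NACL accept:", flow)
```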

To enable IPv6 outbound traffic from the private subnets through the EIGW, I add a new exclusion. This exclusion is egress-only, matching the traffic flow direction through the EIGW.

Figure 12: Creating exclusions for private subnets

After a few minutes, the exclusion is Active. Returning to the WebServer, I’m able to ping the AWS homepage, through the EIGW, over IPv6 again.

Figure 13: Successful outbound pings over IPv6

As a last action, I delete all of the exclusions. Without exclusions, all internet traffic is blocked for this VPC.

Figure 14: Deleting exclusions

As expected, the ALB is no longer accessible, and the WebServers cannot initiate outbound traffic.

Figure 15: Browser window showing "The connection has timed out"

I go back to the Block Public Access tab and click Edit public access settings. I uncheck block public access, and click Save changes. A few minutes later, the Public access settings show a Status of Off. I’m again able to access the ALB, and to ping the AWS homepage over IPv4 and IPv6.

Some things to know

  1. HAQM VPC Block Public Access is stateful when used in ingress-only mode, or when allowing an egress-only exclusion. Return traffic for an allowed connection is automatically permitted. This behavior is analogous to security groups.
  2. When enabled, HAQM VPC Block Public Access impacts new and existing network connections.
  3. There is a default limit of 50 exclusions for HAQM VPC Block Public Access. Limit increases are available.
  4. When ingress-only block is enabled or egress-only exclusions are permitted, only NAT Gateways and EIGWs allow egress from a VPC.
  5. HAQM VPC Block Public Access integrates with other services like Elastic Load Balancing and AWS Global Accelerator.
  6. AWS Client VPN and AWS Site-to-Site VPN are considered secure communication. They are excluded from HAQM VPC Block Public Access.

Conclusion

In this post, we discussed how customers told us they wanted a declarative control to manage internet access for their VPCs. With HAQM VPC Block Public Access, customers can manage which VPCs and subnets have access to AWS-provided internet paths, and can meet their organization’s security and compliance requirements by centrally blocking that access to resources in their VPCs. Get started today by using Network Access Analyzer and VPC flow logs to understand your traffic patterns before you enable HAQM VPC Block Public Access. For more information, review the HAQM VPC Block Public Access documentation.

About the authors

Alan Halachmi

Alan is a Director of Solutions Architecture supporting the public sector. He works with government, education, healthcare, and non-profit organizations around the globe to drive disruptive innovation using the AWS Cloud.