SEC05-BP01: Create network layers

Components that share reachability requirements can be segmented into layers. For example, a database in a VPC should be placed in subnets with no routes to or from the internet. This layered approach mitigates the impact of a single layer misconfiguration, which could allow unintended access. For AWS workloads, you can choose from multiple layering strategies.

Implementation guidance

Network layering is a fundamental security principle that involves organizing your network infrastructure into distinct segments or layers, each with specific security controls and access requirements. By implementing proper network layers, you can significantly reduce the attack surface and limit the potential impact of security incidents.

Key steps for implementing this best practice:

1. Design multi-tier network architecture:
   • Create separate layers for different application tiers (web, application, database)
   • Implement network segmentation based on security requirements
   • Design layers with appropriate isolation and access controls
   • Plan for scalability and future growth requirements
   • Document network architecture and layer purposes
2. Implement subnet-based segmentation:
   • Create public subnets for internet-facing resources
   • Design private subnets for internal application components
   • Establish isolated subnets for sensitive data and databases
   • Use dedicated subnets for management and administrative access
   • Implement subnet-level access controls and routing
3. Configure routing and connectivity:
   • Design routing tables for each network layer
   • Implement controlled connectivity between layers
   • Use NAT gateways for outbound internet access from private subnets
   • Configure VPC endpoints for secure AWS service access
   • Establish secure connectivity for hybrid environments
4. Apply security controls at each layer:
   • Implement Network ACLs for subnet-level filtering
   • Configure Security Groups for instance-level protection
   • Deploy network firewalls for advanced threat protection
   • Use load balancers for traffic distribution and security
   • Implement intrusion detection and prevention systems
5. Monitor and maintain network layers:
   • Enable VPC Flow Logs for network traffic analysis
   • Implement network monitoring and alerting
   • Regularly review and update network configurations
   • Conduct network security assessments
   • Maintain network documentation and diagrams
6. Implement defense in depth:
   • Layer multiple security controls for comprehensive protection
   • Use different security mechanisms at each network layer
   • Implement redundant security measures for critical paths
   • Design fail-safe mechanisms for security control failures
   • Regularly test and validate layered security effectiveness

Implementation examples

Example 1: Three-tier network architecture

Code snippet hidden for website display

Example 2: Network ACLs for layer-specific access control

Code snippet hidden for website display

Example 3: Security Groups for layered protection

Code snippet hidden for website display

Example 4: VPC Flow Logs for network monitoring

Code snippet hidden for website display

AWS services to consider

Amazon VPC (Virtual Private Cloud)

Provides the foundation for creating network layers with subnets, route tables, and security controls. Essential for implementing network segmentation and isolation.

AWS Security Groups

Acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. Provides stateful packet filtering at the instance level for each network layer.

AWS Network ACLs

Provides an additional layer of security for your VPC that acts as a firewall for controlling traffic in and out of subnets. Offers stateless packet filtering at the subnet level.

AWS NAT Gateway

Enables instances in private subnets to connect to the internet or other AWS services while preventing the internet from initiating connections with those instances.

VPC Endpoints

Enables you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

AWS Network Firewall

A managed service that makes it easy to deploy essential network protections for all of your Amazon VPCs. Provides fine-grained control over network traffic at the VPC level.

Benefits of creating network layers

• Reduced attack surface: Limits the exposure of sensitive resources by isolating them in appropriate network layers
• Improved security posture: Enables implementation of defense-in-depth strategies with multiple security controls
• Better compliance: Supports regulatory requirements for network segmentation and data protection
• Enhanced monitoring: Provides clear boundaries for network traffic analysis and security monitoring
• Simplified management: Organizes network resources logically, making configuration and maintenance easier
• Scalable architecture: Supports growth and changes in application requirements without compromising security
• Incident containment: Limits the spread of security incidents by containing them within specific network layers

Related resources

Related Resources

• AWS Well-Architected Framework - Create network layers
• Amazon VPC User Guide
• VPCs and subnets
• Security groups for your VPC
• Network ACLs
• How to create a more secure environment by using security groups as a firewall