
Securing your networks on AWS requires a cloud mindset, not data centre thinking

Aleksey Divarov, Cloud Infrastructure Engineer

Whether your organisation is just starting its journey to the cloud, or you’ve already migrated away from much of your on-premises infrastructure, it’s important to remember this: your cloud environment is not a data centre. Even if you began with a straight lift-and-shift, things will be different in the cloud. So it’s best to build your cloud foundation right from the start.

One area where this is especially important is networking. For example, Amazon Web Services (AWS) offers a number of networking capabilities that aren’t available – or are prohibitively expensive – in a data centre environment. If you’re used to operating on premises, it’s easy to miss some of these capabilities when configuring network connections and defences.

In this blog post, I’ll explore some AWS networking tools and services highlights. Let’s start by looking at how to optimise your initial networking setup in AWS.

Building your networking foundation

Start with AWS security groups (SGs) and network access control lists (NACLs). In an Amazon Virtual Private Cloud (VPC), security groups act as virtual firewalls, allowing you to control traffic to and from your environment at the resource level. You can create rules for traffic based on source IP addresses, port numbers, protocols and other factors. Security groups are stateful: return traffic for a connection you have allowed is permitted automatically.

NACLs provide another layer for controlling traffic at the subnet level and, unlike security groups, also allow you to create ‘deny’ rules. NACLs are stateless, so if you use them to allow inbound traffic to a subnet, you will also need an outbound rule that allows the response traffic (typically to the client’s ephemeral port range) to leave that same subnet.
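To make the stateless caveat concrete, here is an added example (not code from the original post or from AWS) that models how a NACL evaluates a packet: rules are checked in ascending rule-number order, the first match wins, and anything unmatched hits the implicit final deny. The rule sets, client address and ports are constructed for illustration.

```python
"""Added example: a minimal model of AWS network ACL evaluation, showing why a
stateless NACL needs an explicit outbound rule for return traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated in ascending order; first match wins
    egress: bool      # False = inbound rule, True = outbound rule
    protocol: str     # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str         # source CIDR for inbound, destination CIDR for outbound
    action: str       # "allow" or "deny"


def evaluate_nacl(rules, egress, protocol, remote_ip, port):
    """Return 'allow' or 'deny' for one packet. Unmatched traffic falls
    through to the implicit '*' rule, which denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress != egress or r.protocol not in ("-1", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"


def https_exchange_allowed(rules, client_ip="203.0.113.5", client_port=51515):
    """Check one HTTPS request/response pair against a stateless NACL.
    The request arrives on port 443; the response leaves towards the
    client's ephemeral port, so a separate outbound rule must match it."""
    request = evaluate_nacl(rules, False, "tcp", client_ip, 443)
    response = evaluate_nacl(rules, True, "tcp", client_ip, client_port)
    return request == "allow" and response == "allow"


# Constructed rule sets. INBOUND_ONLY mirrors a stateful-firewall habit of
# opening only the inbound side, which silently breaks replies under a NACL.
INBOUND_ONLY = [NaclRule(100, False, "tcp", 443, 443, "0.0.0.0/0", "allow")]
CORRECTED = INBOUND_ONLY + [
    # Outbound ephemeral range for replies; AWS documents 1024-65535 as the
    # range to open because client operating systems differ in what they use.
    NaclRule(100, True, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
```

Running `https_exchange_allowed` against both rule sets shows the inbound-only NACL dropping the reply, while SSH to port 22 stays denied under both because no rule matches it.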

Next, consider deploying AWS Network Firewall. This is an AWS managed service that’s quick to set up and offers a flexible rules engine. This lets you apply more granular, centralised control over network security across your VPCs. It scales automatically to your network traffic and provides visibility not just into the network and transport layers, but into your application layer as well.

To protect applications in particular, think about using AWS Web Application Firewall (AWS WAF). This sits in front of your web application and filters traffic in both directions, helping you to block malicious or insecure activities. There’s also AWS Shield, which uses dynamic detection and automatic mitigations to defend your applications against distributed denial of service (DDoS) attacks.

More ways to optimise connections

You’ll find Session Manager in your AWS Systems Manager console. Using this, you can connect securely to appliances, virtual machines, on-premises servers and other resources that aren’t publicly accessible – without having to use bastion hosts or jump stations. By eliminating the need to open SSH or RDP ports for ingress into your network, Session Manager reduces the attack surface available to malicious actors. It also lets you carry out access management that limits admission to different resources by username or IAM role.

Virtual private networks (VPNs) are another important tool when it comes to network security. These use encryption to let you connect securely to resources – whether publicly accessible or not – over unsecured networks.

When it comes to AWS cloud security, you also have the option of enabling secure network connections between on-premises locations and your cloud environment. AWS Direct Connect provides a low-latency private link between resources using the communication networks of AWS partners, rather than the public internet. For additional security, you can encrypt your traffic over Direct Connect using a VPN or MACsec.

A recent addition to AWS Direct Connect is a feature called SiteLink. This lets you transfer sensitive data using the AWS backbone and different AWS Direct Connect sites. So, for example, instead of having to provision your own link between two on-premises data centres, you can connect them easily using AWS Direct Connect and SiteLink. This enables fast, low-latency interconnections without the need to use the internet or a third-party network service, making it ideal for organisations that need to share data between locations while complying with strict data privacy and security regulations.

Another one of the newer AWS networking services is AWS Cloud WAN. It’s not available everywhere yet, but it provides a single centralised dashboard that lets you easily connect different network attachments, sites and regions around the globe using the AWS backbone. Using the dashboard, you’ll have complete visibility into the health, security and performance of all of your networks – on premises and in the cloud.

Where to find support on a path to cloud security

However far along you are on your cloud migration journey, AWS provides great guidance and documentation about best practices so you can keep your network activity secure and compliant.

As a highly experienced AWS partner, we can provide you with guidance on the security groups and network access lists for perimeter security, centralise the traffic control with AWS Transit Gateway and AWS Network Firewall, help you protect your application’s edge with AWS Web Application Firewall and support you on securely connecting your current environments with one another and with AWS. And if you are a global, multi-region company, we can help you set up a global network using AWS Cloud WAN.

Learn more or get started today with the next step in your cloud journey with AWS cloud services.


Want to learn more? Look for all future blog posts that will go deeper into how to build a strong foundation for cloud modernisation. We'll focus on several key areas:

Optimise your path to the cloud

Choose an experienced partner for your cloud transformation. Find out how SoftwareOne can help you start on a strong cloud foundation and accelerate your results.

Author

Aleksey Divarov
Cloud Infrastructure Engineer

Cloud infrastructure engineer with more than 19 years of experience, AWS Partner accreditation in business, technical and cloud economics, along with AWS certifications as a professional solutions architect and advanced networking specialist.