Networking & Content Delivery
Enhancing VPC Security with Amazon VPC Block Public Access
In the earliest days of Amazon Virtual Private Cloud (Amazon VPC), we thought customers would only ever need a single VPC. We’ve learned a lot since then. Today, the AWS Well-Architected Framework describes a single account with a single VPC as an anti-pattern. With a growing number of accounts and network paths in the AWS Cloud, customers and partners told us they wanted simple tools that help them understand and secure their cloud environments at scale.
AWS provides services and features that enable customers to implement detective, preventative, proactive, and responsive controls. Our investments in automated reasoning and provable security, for example, let you detect public Amazon Simple Storage Service (Amazon S3) buckets and identify unexpected internet access resulting from simple mistakes or misunderstandings. For preventative controls at scale, we’ve delivered features like Amazon S3 Block Public Access that make it simple to ensure your S3 objects are private.
Introducing Block Public Access for Amazon VPC
Today, we’re excited to introduce a powerful new feature that simplifies internet access control. Amazon VPC Block Public Access is a simple, declarative control that authoritatively blocks incoming (ingress) and outgoing (egress) VPC traffic through AWS provided internet paths. It helps customers meet their organization’s security and compliance requirements by centrally blocking AWS provided internet access to resources in their VPCs. When set to bidirectional block, all ingress and egress traffic through those internet paths is denied. Amazon VPC Block Public Access supersedes any existing VPC settings, such as route tables, security groups, and network ACLs, and drops all traffic that would otherwise reach the internet through paths like an Internet Gateway (IGW) or Egress-Only Internet Gateway (EIGW).
But, what about the case where traffic from a VPC needs to access the internet?
NAT Gateways and EIGWs are commonly used to provide internet access to resources within a VPC without exposing them to inbound internet traffic. Customers told us they wanted a simple, reliable, and consistent approach to support this common architecture when using Amazon VPC Block Public Access. As an alternative to bidirectional block, Amazon VPC Block Public Access supports ingress-only block for these use cases. With ingress-only block, inbound internet traffic is authoritatively blocked, and egress traffic from a VPC is permitted only from NAT Gateways and EIGWs.
You can enable Amazon VPC Block Public Access per region on an AWS account, and we plan to support AWS Organizations soon.
Granular Control with Exclusions
We understand that some resources within a VPC may require bidirectional internet access. Or, you may have use cases, such as centralized traffic inspection, that require an egress-only internet path that Amazon VPC Block Public Access bidirectional or ingress-only block would otherwise reject. To address this need, Amazon VPC Block Public Access includes granular exclusion capabilities. Administrators can specify individual VPCs or subnets to exclude from Amazon VPC Block Public Access enforcement, allowing for targeted internet access where necessary. You can configure these exclusions to permit either all (bidirectional) or only outbound (egress-only) internet access. Like ingress-only block, when you allow an egress-only exclusion, egress traffic from a VPC or subnet is permitted only from NAT Gateways and EIGWs.
Let’s dive deeper into how Amazon VPC Block Public Access works and explore its key capabilities.
Understanding Amazon VPC Block Public Access
To demonstrate Amazon VPC Block Public Access, I’ve created a simple, dual-stack (IPv4 and IPv6) VPC architecture. There are two public subnets, two private subnets, NAT Gateways, an EIGW, and an IGW. The public subnets have a default route to the IGW. The private subnets have an IPv4 default route to the NAT Gateway in the same Availability Zone, and an IPv6 default route to the EIGW. I’ve deployed an internet-facing Application Load Balancer (ALB) in the public subnets that listens for HTTP. The ALB passes inbound internet traffic to the web servers in the private subnets.
Before I enable Amazon VPC Block Public Access, I’m able to access the web servers, through the ALB, from the internet. I’m also able to ping the AWS homepage while logged into a web server, accessing the internet through the NAT Gateways for IPv4 and the EIGW for IPv6.
I want to configure Amazon VPC Block Public Access to allow all traffic (bidirectional) to and from only my public subnets. However, I don’t want my website to become unavailable when I enable Amazon VPC Block Public Access. So, I set up exclusions for these subnets before enabling Amazon VPC Block Public Access.
I navigate to the VPC console, and:
- Select Settings.
- Then select the Block public access tab.
Next, I click on:
- Create exclusions and specify that my two public subnets should allow all internet traffic (bidirectional).
- Then, click on Create exclusions.
A few minutes later, the exclusions are Active.
Now, I’m ready to activate Amazon VPC Block Public Access. However, I want to make sure I understand what will happen when I enable the feature. So, I click on the link to Create Network Access Scope, and I use Network Access Analyzer to determine the currently allowed AWS provided internet paths. Using two Exclusion conditions, I filter out the public subnets as either a source or a destination for internet traffic, since we already know that traffic to and from these subnets is allowed by the exclusions.
The analysis shows that the WebServers can accept and respond to internet traffic through the ALBs, and they can initiate outbound (egress) internet traffic through the NAT Gateways. Recall that the private subnets also have an IPv6 default route to the EIGW, and I’ve made no Amazon VPC Block Public Access exclusion for the private subnets. As a result, I expect Amazon VPC Block Public Access to reject egress IPv6 traffic from the WebServers.
I go back to the Block Public Access tab, and click:
- Edit public access settings.
- Check the box to Turn on block public access, and set the behavior to block all internet traffic (bidirectional).
- Click Save changes.
A few minutes later, the Public access settings show a Status of On.
To verify, I check whether I can get to the WebServers, through the ALB, from the internet. The “Hello, World!” page successfully returns. Going back to the WebServer, I’m able to ping the AWS homepage through the NAT Gateways and IGW over IPv4, as confirmed by the results from Network Access Analyzer. As expected, I am not able to ping the AWS homepage over IPv6.
Looking at VPC flow logs, which were previously enabled on the private subnets, I can see that the IPv6 traffic is denied. The first line (ACCEPT) indicates that the packets were allowed by the security group on the network interface and by the network ACL on the subnet. The second line (REJECT) shows that Amazon VPC Block Public Access then blocked the same flow. If I had set up a custom format for the VPC flow logs, I could have included the reject-reason field, which would show BPA as the reason the traffic was blocked.
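The ACCEPT/REJECT pairing described above is easy to miss when reading raw records, so the following added example (not code from the original post) groups custom-format flow log records by 5-tuple and reports which layer stopped each flow. It assumes a custom flow log format whose field order matches FIELDS below (the order is fixed when the flow log is created) and that the reject-reason field carries BPA for traffic dropped by VPC Block Public Access and "-" otherwise, as the post describes. The sample records, interface ID and addresses are constructed for the example.

```python
"""Find flows that Amazon VPC Block Public Access dropped, from VPC flow log records.

Added example; not code from the original post. It assumes a custom flow log
format whose field order matches FIELDS below (the order is fixed when the flow
log is created), and that the reject-reason field carries "BPA" for traffic
blocked by VPC Block Public Access and "-" otherwise, as the post describes.
The sample records are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the custom flow log format assumed for this example.
FIELDS = ["interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "action", "reject-reason"]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str          # ACCEPT or REJECT
    reject_reason: str   # "BPA" when VPC Block Public Access dropped it, else "-"

    @property
    def five_tuple(self):
        return (self.srcaddr, self.dstaddr, self.srcport, self.dstport, self.protocol)


def parse_record(line, fields=FIELDS):
    """Split one space-separated record into a FlowRecord; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(fields, parts))
    return FlowRecord(
        interface_id=rec["interface-id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        action=rec["action"],
        reject_reason=rec.get("reject-reason", "-"),
    )


def classify_flows(lines, fields=FIELDS):
    """Group records by 5-tuple and say which layer stopped each flow.

    A flow with an ACCEPT record (security group and network ACL let it
    through) and a REJECT record with reason BPA was stopped only by VPC Block
    Public Access; a REJECT without a reason was stopped by a security group or
    network ACL; anything else was allowed end to end.
    """
    by_flow = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line, fields)
            by_flow[rec.five_tuple].append(rec)

    result = {"bpa_blocked": [], "sg_or_nacl_blocked": [], "allowed": []}
    for flow, recs in by_flow.items():
        outcomes = {(r.action, r.reject_reason) for r in recs}
        if ("REJECT", "BPA") in outcomes:
            result["bpa_blocked"].append(flow)
        elif any(action == "REJECT" for action, _ in outcomes):
            result["sg_or_nacl_blocked"].append(flow)
        else:
            result["allowed"].append(flow)
    return result


# Constructed sample: an IPv6 HTTPS connection from a web server that the security
# group and network ACL accept but VPC Block Public Access rejects (no EIGW
# exclusion yet), an IPv4 flow out through the NAT Gateway that is allowed, and
# an inbound SSH attempt that the security group rejects.
SAMPLE_LINES = """\
eni-0a1b2c3d4e5f67890 2001:db8:1::10 2001:db8:ffff::1 49152 443 6 ACCEPT -
eni-0a1b2c3d4e5f67890 2001:db8:1::10 2001:db8:ffff::1 49152 443 6 REJECT BPA
eni-0a1b2c3d4e5f67890 10.0.2.10 203.0.113.10 49153 443 6 ACCEPT -
eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.2.10 55555 22 6 REJECT -
""".splitlines()


if __name__ == "__main__":
    for bucket, flows in classify_flows(SAMPLE_LINES).items():
        for src, dst, sport, dport, proto in flows:
            print(f"{bucket:20} {src}:{sport} -> {dst}:{dport} proto {proto}")
```

Point it at the records you actually collect (for example, lines read from an S3 or CloudWatch Logs export) after adjusting FIELDS to match your flow log's configured format; a flow that lands in bpa_blocked is one where an exclusion, not a security group or network ACL change, is the fix.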
To enable IPv6 outbound traffic from the private subnets through the EIGW, I add a new exclusion. This exclusion is egress-only, matching the traffic flow direction through the EIGW.
After a few minutes, the exclusion is Active. Returning to the WebServer, I’m able to ping the AWS homepage, through the EIGW, over IPv6 again.
As a last action, I delete all of the exclusions. Without exclusions, all internet traffic is blocked for this VPC.
As expected, the ALB is no longer accessible, and the WebServers cannot initiate outbound traffic.
I go back to the Block Public Access tab and click Edit public access settings. I uncheck block public access, and click Save changes. A few minutes later, the Public access settings show a Status of Off. I’m again able to access the ALB, and to ping the AWS homepage over IPv4 and IPv6.
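The walkthrough above does everything in the console, and its one hard ordering rule is that the exclusions must be Active before the block is turned on, because enabling the feature also affects existing connections. The following added example (not code from the original post) performs that sequence programmatically: create the exclusions, poll until every one is active, abort if any fails, and only then set the region-wide block mode. The boto3 EC2 method and parameter names (create_vpc_block_public_access_exclusion, describe_vpc_block_public_access_exclusions, modify_vpc_block_public_access_options, InternetGatewayExclusionMode, InternetGatewayBlockMode) and the create-complete state name are used as I recall them from the EC2 API, so verify them against your boto3 version. FakeEc2 is a constructed stand-in so the file runs offline; for real use pass the client returned by boto3.client("ec2").

```python
"""Turn on Amazon VPC Block Public Access without dropping traffic that is meant
to stay reachable: create the exclusions first, wait until every one of them is
active, and only then flip the region-wide block mode.

Added example; not code from the original post. The EC2 API method, parameter
and state names below are used as recalled from the boto3 EC2 API (verify
against your version). FakeEc2 is a constructed stand-in so this runs offline;
for real use: import boto3; ec2 = boto3.client("ec2", region_name="us-east-1").
"""
import time

# State an exclusion reaches when it is usable; the console shows it as "Active"
# (assumed mapping).
ACTIVE_STATE = "create-complete"


def create_exclusions(ec2, subnet_ids, mode="allow-bidirectional"):
    """Create one exclusion per subnet. mode is allow-bidirectional or allow-egress."""
    ids = []
    for subnet_id in subnet_ids:
        resp = ec2.create_vpc_block_public_access_exclusion(
            SubnetId=subnet_id, InternetGatewayExclusionMode=mode)
        ids.append(resp["VpcBlockPublicAccessExclusion"]["ExclusionId"])
    return ids


def wait_for_exclusions(ec2, exclusion_ids, timeout=600, interval=10, sleep=time.sleep):
    """Poll until all exclusions are active; raise on a failed state or timeout."""
    deadline = time.monotonic() + timeout
    while True:
        resp = ec2.describe_vpc_block_public_access_exclusions(ExclusionIds=exclusion_ids)
        states = {e["ExclusionId"]: e["State"] for e in resp["VpcBlockPublicAccessExclusions"]}
        failed = sorted(i for i, s in states.items() if s.endswith("-failed"))
        if failed:
            raise RuntimeError(f"exclusions failed, block not enabled: {failed}")
        if all(states.get(i) == ACTIVE_STATE for i in exclusion_ids):
            return states
        if time.monotonic() >= deadline:
            raise TimeoutError(f"exclusions not active after {timeout}s: {states}")
        sleep(interval)


def enable_block_public_access(ec2, subnet_ids, block_mode="block-bidirectional", **wait_kw):
    """Exclusions first, then the block. Returns (exclusion ids, block mode set)."""
    if block_mode not in ("block-bidirectional", "block-ingress"):
        raise ValueError(f"unsupported block mode {block_mode!r}")
    exclusion_ids = create_exclusions(ec2, subnet_ids)
    wait_for_exclusions(ec2, exclusion_ids, **wait_kw)   # nothing is blocked until here
    resp = ec2.modify_vpc_block_public_access_options(InternetGatewayBlockMode=block_mode)
    return exclusion_ids, resp["VpcBlockPublicAccessOptions"]["InternetGatewayBlockMode"]


class FakeEc2:
    """Constructed stand-in: an exclusion becomes active after `polls_to_active`
    describe calls, and exclusions for subnets in `fail_subnets` fail instead."""

    def __init__(self, polls_to_active=2, fail_subnets=()):
        self.polls_to_active = polls_to_active
        self.fail_subnets = set(fail_subnets)
        self.exclusions = {}      # exclusion id -> [subnet id, describes seen]
        self.block_mode = "off"
        self.calls = []           # ordered record of API calls, to check sequencing

    def create_vpc_block_public_access_exclusion(self, SubnetId, InternetGatewayExclusionMode):
        self.calls.append("create")
        exc_id = f"vpcbpa-exclude-{len(self.exclusions):017x}"   # fake id format
        self.exclusions[exc_id] = [SubnetId, 0]
        return {"VpcBlockPublicAccessExclusion": {"ExclusionId": exc_id,
                                                  "State": "create-in-progress"}}

    def describe_vpc_block_public_access_exclusions(self, ExclusionIds):
        self.calls.append("describe")
        out = []
        for exc_id in ExclusionIds:
            subnet_id, seen = self.exclusions[exc_id]
            self.exclusions[exc_id][1] = seen + 1
            if subnet_id in self.fail_subnets:
                state = "create-failed"
            elif seen + 1 >= self.polls_to_active:
                state = ACTIVE_STATE
            else:
                state = "create-in-progress"
            out.append({"ExclusionId": exc_id, "State": state})
        return {"VpcBlockPublicAccessExclusions": out}

    def modify_vpc_block_public_access_options(self, InternetGatewayBlockMode):
        self.calls.append("modify")
        self.block_mode = InternetGatewayBlockMode
        return {"VpcBlockPublicAccessOptions": {"InternetGatewayBlockMode": InternetGatewayBlockMode,
                                                "State": "update-in-progress"}}


if __name__ == "__main__":
    ec2 = FakeEc2()
    ids, mode = enable_block_public_access(
        ec2, ["subnet-public-a", "subnet-public-b"], sleep=lambda _: None)
    print("exclusions:", ids, "block mode:", mode, "call order:", ec2.calls)
```

The same structure works for the egress-only exclusion added later in the walkthrough (pass mode="allow-egress" to create_exclusions) and for a rollback, which is the reverse order: set the block mode to off first, and only then delete exclusions.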
Some things to know
- Amazon VPC Block Public Access is stateful when used in ingress-only mode, or when allowing an egress-only exclusion. Return traffic for an allowed connection is automatically permitted. This behavior is analogous to security groups.
- When enabled, Amazon VPC Block Public Access impacts new and existing network connections.
- There is a default limit of 50 exclusions for Amazon VPC Block Public Access. Limit increases are available.
- When ingress-only block is enabled or egress-only exclusions are permitted, only NAT Gateways and EIGWs allow egress from a VPC.
- Amazon VPC Block Public Access integrates with other services like Elastic Load Balancing and AWS Global Accelerator.
- AWS Client VPN and AWS Site-to-Site VPN are considered secure communication. They are excluded from Amazon VPC Block Public Access.
Conclusion
In this post, we discussed how customers told us they wanted a declarative control to manage internet access for their VPCs. With Amazon VPC Block Public Access, customers can centrally block AWS provided internet access to resources in their VPCs, choose which VPCs and subnets are excluded from that block, and so meet their organization’s security and compliance requirements. Get started today by using Network Access Analyzer and VPC flow logs to understand your traffic patterns, then enable Amazon VPC Block Public Access. For more information, review the Amazon VPC Block Public Access documentation.