
Guidance for Network Security on AWS

Protect your workloads by using cloud security services for VPC isolation and firewall rules

Architecture Diagram

These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.

Additional Considerations

Building secure networks in the cloud is fundamentally different from building them in a private, on-premises environment. With secure networks in the cloud, the cloud provider handles certain tasks on your behalf, such as the management and governance of physical devices, their environment, or the security controls that surround them. You build and secure your network within a virtual environment and use identity and access controls that may span multiple workload boundaries to administer and secure access to your network. 

As such, it is important that organizational stakeholders who hold responsibility for your network security are familiar with the shared responsibility model between you and your cloud provider for securing your cloud environment. These stakeholders should know best practices for providing identity and access in addition to granting least privilege permissions across relevant workloads that your networks span. 

There are many cloud-native and third-party tools available to help you secure your network. Every organization's security requirements and level of compliance will differ. It is important to establish your security requirements and implement a baseline of controls across your networks as you consider which security tools to implement in your cloud environment. Requirements and compliance will also differ per application, so you must be able to add enhanced security controls on a case-by-case basis. 
You should account for the traffic flows between your applications and their clients, and for how your requirements change depending on where those clients are located. Consider how traffic should enter the network: over the internet, through a virtual private network (VPN), or over a dedicated connection. You must also determine how application layers will communicate with each other and with external dependencies, how traffic will egress from your network, and, most importantly, how each of these traffic flows needs to be inspected and secured. Understanding your security responsibilities and requirements is critical for establishing your network security best practices and workflows in the cloud.
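The considerations above (a baseline of controls applied across every network, with stricter rules added per application) can be turned into a repeatable check. The following is an added example, not part of this AWS guidance: it audits VPC security group rules against a simple least-privilege baseline, flagging ingress open to the whole internet on anything but explicitly approved ports and unrestricted egress that should be reviewed against the application's real external dependencies. The input data is constructed for the example and mirrors the shape of the EC2 `DescribeSecurityGroups` response, so the same function can later be fed real output from `boto3`; the group IDs and port policy are assumptions for illustration.

```python
"""Baseline audit of VPC security group rules over constructed sample data.

Baseline enforced here (an assumption for the example, adjust per organisation):
  * ingress from anywhere (0.0.0.0/0 or ::/0) is acceptable only on ports that
    have been explicitly approved for public exposure (default: 443);
  * "all traffic" ingress (IpProtocol "-1") open to the world is never acceptable;
  * unrestricted egress to the world is reported so it can be reviewed against
    the application's actual external dependencies.
"""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_is_public(rule):
    """True if the rule's source/destination includes the whole IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)


def _ports(rule):
    """Inclusive (from, to) port range a rule covers; None means all ports/protocols."""
    if rule.get("IpProtocol") == "-1":
        return None
    return rule.get("FromPort"), rule.get("ToPort")


def audit_security_groups(groups, allowed_public_ports=frozenset({443})):
    """Return (group_id, direction, message) findings that violate the baseline."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_public(rule):
                continue  # scoped to a CIDR or another security group: not in scope here
            proto = rule.get("IpProtocol")
            ports = _ports(rule)
            if ports is None:
                findings.append((gid, "ingress", "all traffic open to the world"))
                continue
            if proto in ("icmp", "icmpv6"):
                # ICMP rules carry type/code in the port fields, not TCP/UDP ports
                findings.append((gid, "ingress", f"{proto} open to the world"))
                continue
            lo, hi = ports
            unapproved = set(range(lo, hi + 1)) - set(allowed_public_ports)
            if unapproved:
                findings.append((gid, "ingress",
                                 f"ports {sorted(unapproved)} ({proto}) open to the world"))
        for rule in sg.get("IpPermissionsEgress", []):
            if _rule_is_public(rule) and _ports(rule) is None:
                findings.append((gid, "egress", "unrestricted egress to the world"))
    return findings


# Constructed sample data in the shape of DescribeSecurityGroups; IDs are not real resources.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web-example",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-db-example",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-legacy-example",
        "GroupName": "legacy-all-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [],
    },
]

if __name__ == "__main__":
    for gid, direction, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {direction}: {msg}")
```

Run as-is, the audit reports the SSH port and the unrestricted egress on the web tier and the all-open legacy group, while the database tier (reachable only from another security group, with egress limited to a private range) produces no findings. Passing a different `allowed_public_ports` set is how per-application exceptions are expressed without weakening the baseline for everything else.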

Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.