Task Statement 4.1: Implement and maintain network features to meet security and compliance needs and requirements.
📘AWS Certified Advanced Networking – Specialty
1. What is Inbound Traffic in AWS?
Inbound traffic means any request or data coming from outside into your AWS environment.
Examples:
- A user accessing a web application hosted on EC2
- API requests coming from the internet
- External systems connecting to AWS services
2. Why Securing Inbound Traffic is Critical
If inbound traffic is not secured:
- Attackers can exploit vulnerabilities
- Applications can be overwhelmed (DDoS attacks)
- Sensitive data can be exposed
- Unauthorized users can gain access
Goal:
Allow only valid, safe, and expected traffic, and block everything else.
3. AWS Layers of Inbound Traffic Security
Inbound traffic security in AWS is implemented in multiple layers:
Layer 1: Edge Protection
- AWS Shield
- AWS WAF
- Amazon CloudFront
Layer 2: Network-Level Protection
- AWS Network Firewall
- Security Groups
- Network ACLs
Layer 3: Application-Level Protection
- Authentication and validation inside applications
4. AWS Shield (DDoS Protection)
What is AWS Shield?
AWS Shield protects against Distributed Denial of Service (DDoS) attacks.
Types of AWS Shield
1. AWS Shield Standard (Free)
- Automatically enabled for all AWS customers
- Protects against:
  - SYN/UDP floods
  - Reflection attacks
- Works with:
  - Elastic Load Balancers
  - CloudFront
  - Route 53
2. AWS Shield Advanced (Paid)
- Provides enhanced protection
- Features:
  - Real-time attack detection
  - Detailed attack reports
  - Integration with AWS WAF
  - 24/7 access to the AWS DDoS Response Team (DRT)
  - Cost protection against scaling charges caused by attacks
Key Exam Points
- Shield works at Layer 3 and Layer 4 (network level)
- Automatically protects AWS infrastructure
- Best combined with WAF for full protection
5. AWS WAF (Web Application Firewall)
What is AWS WAF?
AWS WAF protects web applications from malicious HTTP/HTTPS traffic.
Where AWS WAF is Used
- CloudFront
- Application Load Balancer (ALB)
- API Gateway
How AWS WAF Works
It uses rules to inspect requests:
- Allow
- Block
- Count (monitor only)
Types of WAF Rules
1. Managed Rules
- Pre-built by AWS or partners
- Protect against:
  - SQL injection
  - Cross-site scripting (XSS)
  - Common vulnerabilities
2. Custom Rules
- Based on:
  - IP address
  - HTTP headers
  - URI paths
  - Query strings
3. Rate-Based Rules
- Limit requests from a single IP
- Useful for:
  - Preventing brute-force attacks
  - Controlling traffic spikes
Important Features
- Web ACL (Access Control List)
- Rule priority (order matters)
- Logging via CloudWatch or S3
Key Exam Points
- Works at Layer 7 (application layer)
- Filters HTTP/HTTPS traffic only
- Often used with CloudFront and ALB
- Can block specific attack patterns
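To make the rule-priority and action semantics concrete, here is an added example (not AWS's code) that models a Web ACL as an ordered rule list and evaluates constructed requests against it: ALLOW and BLOCK terminate evaluation, COUNT only records a match, and a rate-based rule counts requests per client IP over a rolling window. The rule names, request shape and the simplification that only requests reaching the rate rule are counted are all assumptions of this example.

```python
from collections import defaultdict, deque

# Simplified model of a WAF Web ACL (added example, not AWS's implementation).
# Rules run in priority order (lowest number first). ALLOW and BLOCK end
# evaluation; COUNT only records the match and continues. A rate-based rule
# counts requests per client IP over a rolling window (AWS uses 5 minutes).
RATE_WINDOW_SECONDS = 300


class RateTracker:
    """Sliding-window request counter per client IP (constructed, simplified:
    only requests that reach the rate rule are counted)."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window

    def over_limit(self, ip, now):
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        return len(window) > self.limit


def make_web_acl(rate_limit=100):
    """Build the rule list: (priority, name, action, predicate(request))."""
    tracker = RateTracker(rate_limit)
    rules = [
        (0, "AllowHealthCheckPath", "ALLOW", lambda r: r["uri"] == "/healthz"),
        (1, "BlockSQLiInQuery", "BLOCK", lambda r: "' or 1=1" in r["query"].lower()),
        (2, "CountLegacyUserAgent", "COUNT",
         lambda r: r["headers"].get("user-agent", "").startswith("curl/")),
        (3, "RateLimitPerIP", "BLOCK", lambda r: tracker.over_limit(r["ip"], r["time"])),
    ]
    return sorted(rules, key=lambda rule: rule[0])


def evaluate(web_acl, request, default_action="ALLOW"):
    """Return (final_action, matched_rule_names) for one request dict with the
    constructed keys ip, uri, query, headers, time."""
    matched = []
    for _priority, name, action, predicate in web_acl:
        if predicate(request):
            matched.append(name)
            if action != "COUNT":
                return action, matched
    return default_action, matched
```

Note that the COUNT rule matches but does not stop evaluation, so a counted request is still subject to the rate rule and the default action.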
6. AWS Network Firewall
What is AWS Network Firewall?
A managed firewall service that protects your VPC at the network level.
Where It Operates
- Inside a VPC
- Deployed in dedicated subnets
Key Capabilities
1. Stateful Inspection
- Tracks active connections
- Allows return traffic automatically
2. Stateless Rules
- Fast filtering based on:
  - IP
  - Port
  - Protocol
3. Deep Packet Inspection
- Inspects traffic content
- Detects malicious patterns
4. Domain Filtering
- Allow/block traffic based on domain names
Traffic Flow with Network Firewall
- Traffic enters VPC
- Routed to firewall endpoint
- Evaluated by rules
- Allowed or blocked
Integration
- Works with:
  - Route Tables
  - Transit Gateway
  - VPC routing
Key Exam Points
- Operates at Layer 3–7
- Centralized network security control
- Useful for east-west and north-south traffic
7. Security Groups vs Network ACLs (Inbound Focus)
Security Groups (SG)
- Instance-level firewall
- Stateful:
  - Return traffic is automatically allowed
- Only allow rules (no deny rules); anything not explicitly allowed is denied
Example Use:
- Allow HTTP (port 80) from the internet
- Allow SSH only from the admin IP
Network ACLs (NACLs)
- Subnet-level firewall
- Stateless:
  - Must define both inbound and outbound rules (including the ephemeral port range for return traffic)
- Supports:
  - Allow rules
  - Deny rules
Example Use:
- Block a malicious IP range
- Allow only specific ports
Key Differences
| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance | Subnet |
| Stateful | Yes | No |
| Allow/Deny | Allow only | Allow & Deny |
| Rule Evaluation | All rules evaluated before deciding | Rule-number order, first match wins |
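The differences in the table are easiest to see in code. The added example below (not AWS's implementation) models a security group and a NACL with constructed rule sets and runs inbound connections through both: the SG is allow-only and stateful, the NACL is numbered, first-match-wins, and stateless, so a reply to the client's ephemeral port fails unless an outbound NACL rule covers it.

```python
import ipaddress
# Simplified models of a Security Group and a Network ACL (added example,
# not AWS's implementation). Rule sets below are constructed sample values.
SG_RULES = [  # allow-only inbound rules
    {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.5/32"},  # admin IP
]
NACL_RULES = [  # numbered rules, evaluated lowest number first, first match wins
    {"num": 90, "dir": "in", "proto": "all", "from": 0, "to": 65535,
     "cidr": "198.51.100.0/24", "action": "deny"},   # blocked IP range
    {"num": 100, "dir": "in", "proto": "tcp", "from": 80, "to": 80,
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"num": 110, "dir": "in", "proto": "tcp", "from": 22, "to": 22,
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"num": 100, "dir": "out", "proto": "tcp", "from": 1024, "to": 65535,
     "cidr": "0.0.0.0/0", "action": "allow"},        # ephemeral ports for replies
]

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows(sg_rules, proto, port, src_ip):
    """Security group: every rule is considered; no match means implicit deny."""
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and in_cidr(src_ip, r["cidr"]) for r in sg_rules)

def nacl_decision(nacl_rules, direction, proto, port, peer_ip):
    """NACL: the first matching rule in ascending number order wins; the
    implicit '*' rule denies anything that matched nothing."""
    for r in sorted(nacl_rules, key=lambda rule: rule["num"]):
        if (r["dir"] == direction and r["proto"] in (proto, "all")
                and r["from"] <= port <= r["to"] and in_cidr(peer_ip, r["cidr"])):
            return r["action"]
    return "deny"

def inbound_connection(sg_rules, nacl_rules, proto, dst_port, client_ip, client_port):
    """Return (request_allowed, reply_allowed) for a client reaching an instance.
    The SG is stateful: an allowed request implies an allowed reply. The NACL is
    stateless: the reply to the client's ephemeral port needs its own outbound rule."""
    request_ok = (nacl_decision(nacl_rules, "in", proto, dst_port, client_ip) == "allow"
                  and sg_allows(sg_rules, proto, dst_port, client_ip))
    if not request_ok:
        return False, False
    reply_ok = nacl_decision(nacl_rules, "out", proto, client_port, client_ip) == "allow"
    return True, reply_ok
```

Renumbering the deny rule above the allow rule changes the NACL outcome for the blocked range, which is the "ordered rules" point from the table; the SG result never depends on rule order.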
8. Typical Secure Inbound Architecture
A well-secured AWS inbound flow typically looks like:
- Route 53
  - DNS resolution
- CloudFront
  - Content delivery + edge protection
- AWS Shield
  - DDoS protection
- AWS WAF
  - Filters malicious HTTP requests
- Application Load Balancer
  - Distributes traffic
- Security Groups
  - Control instance-level access
- AWS Network Firewall
  - Deep inspection at VPC level
9. Best Practices for Securing Inbound Traffic
1. Use Defense in Depth
- Combine:
  - Shield + WAF + Network Firewall + SG + NACL
2. Minimize Exposure
- Allow only required ports and IPs
- Avoid open access (0.0.0.0/0) unless necessary
3. Use Managed Rules in WAF
- Protect against common threats quickly
4. Enable Logging and Monitoring
- CloudWatch
- VPC Flow Logs
- WAF logs
5. Use Rate Limiting
- Prevent abuse and traffic spikes
6. Centralize Security Controls
- Use Network Firewall or a centralized inspection VPC
7. Protect Public Endpoints
- Always place WAF in front of:
  - ALB
  - API Gateway
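Logging is only useful if something reads it. As an added example (not AWS tooling) of putting VPC Flow Logs to work for the "minimize exposure" and "logging and monitoring" practices above, the script below parses default-format flow log records, flags sources whose connections are REJECTed across many distinct ports, and lists ACCEPTed flows to admin ports from sources outside an allow list. The sample records, account id, ENI id and thresholds are constructed.

```python
from collections import defaultdict
# Added example (not AWS tooling): parse default-format VPC Flow Log records and
# flag two things the notes call for: sources that keep getting REJECTed across
# many ports (worth an alert) and ACCEPTed flows to admin ports from sources that
# are not on the admin allow list. Sample records below are constructed.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
FLOW_LOG_SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 44321 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 44322 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 44323 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 44324 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50111 80 6 12 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.25 51000 22 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Return one dict per record; NODATA/SKIPDATA lines carry no flow and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_ports_by_source(records):
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)

def probing_sources(records, min_distinct_ports=3):
    """Sources rejected on at least min_distinct_ports different destination ports."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_distinct_ports)

def accepted_admin_access(records, admin_ports=(22, 3389), allowed_sources=()):
    """ACCEPTed TCP flows (protocol 6) to admin ports from sources outside the allow list."""
    return sorted({(rec["srcaddr"], rec["dstport"]) for rec in records
                   if rec["action"] == "ACCEPT" and rec["protocol"] == 6
                   and rec["dstport"] in admin_ports and rec["srcaddr"] not in allowed_sources})
```

A REJECT in a flow log means a security group or NACL already did its job; the value of the check is spotting the source that keeps trying, and the ACCEPT on port 22 that nobody on the admin list owns.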
10. Exam Tips (Very Important)
- AWS Shield
  - Protects against DDoS (L3/L4)
  - Standard = free, Advanced = extra features
- AWS WAF
  - Protects web apps (L7)
  - Blocks SQL injection, XSS
  - Works with CloudFront, ALB, API Gateway
- Network Firewall
  - VPC-level firewall
  - Stateful + stateless filtering
  - Deep packet inspection
- Security Groups
  - Stateful, instance-level
- NACLs
  - Stateless, subnet-level
11. Quick Summary
To secure inbound traffic in AWS:
- Use AWS Shield to stop DDoS attacks
- Use AWS WAF to filter malicious web requests
- Use AWS Network Firewall for deep network inspection
- Use Security Groups and NACLs for fine-grained access control
- Apply layered security (defense in depth)
