Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. What Does “Security Between Network Boundaries” Mean?
In AWS, a network boundary is any point where traffic moves between:
- Different VPCs
- Different AWS accounts
- Different Regions
- AWS and on-premises networks
- Public internet ↔ private AWS resources
👉 Goal:
Control and protect traffic as it crosses these boundaries.
2. Why This Is Important (Exam Perspective)
You must ensure:
- Only authorized traffic is allowed
- Traffic is inspected and logged
- Networks are isolated
- Sensitive workloads are protected
Exam questions often test:
- Which AWS service to use
- Where to place security controls
- How to design layered security (defense in depth)
3. Core AWS Security Layers (Defense in Depth)
AWS uses multiple layers of security:
| Layer | Purpose | Typical controls |
|---|---|---|
| Network Layer | Control which paths traffic can take | Route tables, NACLs, Transit Gateway route tables, AWS Network Firewall |
| Instance Layer | Protect individual resources (EC2, RDS, ENIs) | Security Groups |
| Application Layer | Protect web apps from Layer 7 attacks | AWS WAF |
| Edge Layer | Protect internet-facing entry points | AWS Shield, CloudFront |
4. Key AWS Services for Network Boundary Security
4.1 Security Groups (SG)
What They Are:
- Virtual firewalls attached to elastic network interfaces (EC2 instances, RDS, load balancers, Lambda in a VPC)
Key Features:
- Stateful: replies to allowed traffic are permitted automatically
- Allow rules only (no deny rules); anything not explicitly allowed is dropped
- All rules are evaluated together; the most permissive matching rule wins
- Sources/destinations can be CIDRs, prefix lists, or other security groups
Use Case:
- Allow the app tier to accept traffic only from the web tier's security group
Exam Tips:
- Return traffic is automatically allowed, so no outbound rule is needed for replies
- A new SG allows all outbound by default; tighten it for sensitive workloads
- Best for instance-level (resource-level) protection
4.2 Network ACLs (NACLs)
What They Are:
- Subnet-level firewalls; one NACL per subnet, applied to all traffic entering or leaving it
Key Features:
- Stateless: return traffic is not tracked
- Allow and deny rules
- Evaluated in order from the lowest rule number; the first match wins, and the final `*` rule denies everything else
Use Case:
- Block a specific IP range at the subnet boundary (an explicit deny, which a Security Group cannot express)
Exam Tips:
- Must allow both inbound and outbound: a web server allowing inbound 443 also needs an outbound allow on the ephemeral port range (1024-65535) or replies are dropped
- Used for coarse-grained control; the default NACL allows all traffic, a custom NACL denies all until rules are added
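The stateful-versus-stateless and allow-versus-deny differences above, as an added example that is not part of these notes or of any AWS tooling: a small Python model of how a Security Group and a NACL evaluate the same packets. The `Packet`/`Rule` shapes, addresses, and rule numbers are constructed for the illustration; the ephemeral port range is the one AWS documents for NACL return traffic.

```python
"""Added example for these notes (not AWS code): a small model of how a
Security Group and a Network ACL evaluate the same packets. Rule and
packet shapes are simplified stand-ins for the console fields."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # port range AWS documents for NACL return traffic


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the protected resource
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    sport: int
    is_reply: bool = False  # part of a flow the resource already accepted/initiated


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "tcp", "udp" or "all"
    ports: tuple            # inclusive (low, high)
    cidr: str
    action: str = "allow"   # NACLs may also say "deny"; SGs never do
    number: int = 0         # NACL rule number; ignored for Security Groups


def _matches(rule, pkt):
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.proto in ("all", pkt.proto)
            and rule.ports[0] <= pkt.dport <= rule.ports[1]
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, pkt):
    """Security Group: stateful and allow-only. Every rule is considered;
    a reply to an allowed flow passes without any matching rule."""
    if pkt.is_reply:
        return True
    return any(_matches(r, pkt) for r in rules)  # no match -> implicit drop


def nacl_allows(rules, pkt):
    """Network ACL: stateless, evaluated from the lowest rule number up,
    first match wins, implicit deny (*) at the end. Replies are not tracked,
    so the return leg needs its own rule on the ephemeral port range."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


def passes(sg_rules, nacl_rules, pkts):
    """Defence in depth: a packet reaches the instance only if both layers allow it."""
    return [sg_allows(sg_rules, p) and nacl_allows(nacl_rules, p) for p in pkts]


# Constructed scenario: a web server in a public subnet serving HTTPS.
CLIENT, SERVER, SCANNER = "203.0.113.7", "10.0.1.10", "198.51.100.9"
REQUEST = Packet("in", "tcp", CLIENT, SERVER, dport=443, sport=51000)
REPLY = Packet("out", "tcp", SERVER, CLIENT, dport=51000, sport=443, is_reply=True)
SCAN = Packet("in", "tcp", SCANNER, SERVER, dport=443, sport=40000)

SG_RULES = [Rule("in", "tcp", (443, 443), "0.0.0.0/0")]  # replies need no rule

NACL_BROKEN = [Rule("in", "tcp", (443, 443), "0.0.0.0/0", number=100)]
# Fix: explicit outbound allow for the client's ephemeral port.
NACL_FIXED = NACL_BROKEN + [Rule("out", "tcp", EPHEMERAL, "0.0.0.0/0", number=100)]
# Only a NACL can deny; the lower number makes the block win over the allow.
NACL_BLOCKING = [Rule("in", "all", (0, 65535), "198.51.100.0/24", "deny", number=50)] + NACL_FIXED

if __name__ == "__main__":
    print("broken NACL:", passes(SG_RULES, NACL_BROKEN, [REQUEST, REPLY]))  # [True, False]
    print("fixed NACL: ", passes(SG_RULES, NACL_FIXED, [REQUEST, REPLY]))   # [True, True]
    print("scanner: SG allows", sg_allows(SG_RULES, SCAN),
          "/ deny NACL allows", nacl_allows(NACL_BLOCKING, SCAN))
```

Run it and the broken NACL shows the classic exam trap: the request is accepted but the reply is dropped because nothing on the outbound side covers port 51000. The scanner case shows why the deny-list belongs on the NACL: the Security Group, with only allow rules, cannot refuse a source that falls inside `0.0.0.0/0`.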
4.3 AWS Transit Gateway (TGW)
What It Does:
- Regional hub connecting VPCs, VPNs, Direct Connect gateways and other TGWs (peering) through attachments
Security Role:
- Segmentation using TGW route tables: each attachment is associated with exactly one route table, which decides where its traffic may go
- Blackhole routes drop traffic to a destination even when a more general route exists
Example:
- Production VPC and development VPC are associated with different route tables that contain no route (or a blackhole route) to each other
Exam Tips:
- Use multiple route tables for isolation; a single route table with propagation from every attachment gives full-mesh connectivity
- Acts as a network boundary control point, but it is routing only: it does not inspect packets
4.4 AWS Network Firewall
What It Is:
- Managed Layer 3–7 firewall deployed as firewall endpoints in your VPC subnets
Features:
- Stateless rule groups (5-tuple filtering) and stateful rule groups
- Deep packet inspection with Suricata-compatible rules
- Domain (FQDN/SNI) filtering for allow-lists and deny-lists
- Intrusion prevention
Use Case:
- Inspect traffic between VPCs (east-west) or outbound internet traffic (north-south)
Deployment:
- Placed in a dedicated inspection VPC; route tables steer traffic to the firewall endpoint subnets
Exam Tips:
- Used for centralized security inspection
- Works well with Transit Gateway: spoke route tables default to the inspection VPC attachment; enable appliance mode on that attachment so both directions of a flow use the same AZ and firewall endpoint
4.5 AWS Firewall Manager
What It Does:
- Centralized security policy management across an AWS Organization (requires AWS Organizations and a delegated administrator account)
Use Case:
- Apply and continuously enforce rules across multiple accounts, including accounts created later
Exam Tips:
- Works with:
  - Security Groups (audit and common policies)
  - WAF (web ACLs) and Shield Advanced
  - Network Firewall
  - Route 53 Resolver DNS Firewall
4.6 AWS WAF (Web Application Firewall)
What It Protects:
- HTTP/HTTPS traffic (Layer 7)
Features:
- Block SQL injection, XSS and other request patterns with managed and custom rules
- Rate-based rules to limit requests per source IP
- IP reputation and geographic match conditions
Works With:
- Application Load Balancer (ALB)
- Amazon CloudFront
- API Gateway
Exam Tips:
- Protects the application layer (Layer 7); it never sees non-HTTP traffic, so it complements rather than replaces Network Firewall and Security Groups
4.7 AWS Shield
Purpose:
- Protect against DDoS attacks
Types:
- Shield Standard (default, no cost): protects every AWS customer against common Layer 3/4 floods
- Shield Advanced (enhanced protection, paid): access to the Shield Response Team, attack visibility, and DDoS cost protection for protected resources
Exam Tips:
- Used at the edge boundary (internet-facing resources such as CloudFront, Route 53, ELB, Global Accelerator and Elastic IPs)
- Pair with WAF for Layer 7 floods
4.8 AWS PrivateLink
What It Does:
- Private access to AWS services and to your own services through interface VPC endpoints, without an internet gateway, NAT or public IPs
Security Benefit:
- No exposure to the public internet
- Connections are initiated only from the consumer side; the provider VPC cannot reach into the consumer VPC
- No route-table or CIDR-overlap coupling between the two VPCs
Use Case:
- Secure communication between accounts when only one service needs to be exposed, instead of peering whole VPCs
Exam Tips:
- Traffic stays inside the AWS network
- Use VPC endpoint policies (where the service supports them) to restrict who can use the endpoint and for what
4.9 VPC Peering Security
Important Points:
- No transitive routing (A↔B plus B↔C does not give A↔C); no edge-to-edge routing through the peer's IGW, NAT, VPN or Direct Connect
- Must configure routes manually in both VPCs; CIDRs cannot overlap
Security Risk:
- Every subnet whose route table points at the peering connection gets full connectivity to the peer unless restricted by SG/NACL
Exam Tips:
- Use SGs to restrict traffic; a SG can reference a SG in the peered VPC (same Region)
- Add routes only for the subnets that actually need to talk
4.10 AWS Direct Connect & VPN Security
Used For:
- Hybrid connectivity (on-prem ↔ AWS)
Security Controls:
- IPsec encryption (Site-to-Site VPN; each connection provides two tunnels)
- Direct Connect is a private circuit but is not encrypted by default: use MACsec on supported dedicated connections, or run an IPsec VPN over the Direct Connect connection
- Routing control via BGP: filter the prefixes you advertise and accept so on-premises routes cannot hijack VPC traffic
- Use firewalls on both sides
5. Common Security Architectures
5.1 Centralized Inspection Architecture
Design:
- All traffic between VPCs and to the internet is routed through a security (inspection) VPC
Components:
- Transit Gateway (spoke route tables point at the inspection VPC attachment; the inspection route table points back to the spokes)
- AWS Network Firewall endpoints in the inspection VPC
Benefit:
- Central control and monitoring; one policy instead of per-VPC firewalls
5.2 Hub-and-Spoke Security Model
Design:
- Hub VPC = security services
- Spoke VPCs = workloads
Security:
- All traffic goes through the hub for inspection; spokes have no direct path to each other
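The TGW segmentation from 4.3 and the centralized inspection / hub-and-spoke routing from 5.1 and 5.2, as one added example that is not part of these notes and does not use the AWS API: a Python model of TGW route tables with association, longest-prefix lookup, blackhole routes and the second lookup that happens when the inspection VPC hands traffic back to the TGW. The VPC names, CIDRs and route tables are constructed; the `egress` attachment stands for a VPC holding NAT gateways.

```python
"""Added example for these notes (not AWS code or the AWS API): a model of
Transit Gateway route tables used for segmentation and centralized
inspection. Topology, CIDRs and names are constructed."""
import ipaddress

# Attachment name -> VPC CIDR. "egress" stands for an egress VPC with NAT gateways.
VPCS = {
    "prod": "10.10.0.0/16",
    "dev": "10.20.0.0/16",
    "shared": "10.30.0.0/16",      # shared services both environments may use
    "inspection": "10.99.0.0/16",  # hosts the Network Firewall endpoints
    "egress": "10.98.0.0/16",
}

# TGW route tables: (destination CIDR, target attachment | "blackhole").
# Spokes send everything to the inspection VPC, except explicit blackholes that
# stop prod and dev from ever reaching each other, even via the firewall.
ROUTE_TABLES = {
    "prod-rt": [("10.20.0.0/16", "blackhole"), ("0.0.0.0/0", "inspection")],
    "dev-rt": [("10.10.0.0/16", "blackhole"), ("0.0.0.0/0", "inspection")],
    "shared-rt": [("0.0.0.0/0", "inspection")],
    # After the firewall, traffic re-enters the TGW and is routed to its real target.
    "inspection-rt": [("10.10.0.0/16", "prod"), ("10.20.0.0/16", "dev"),
                      ("10.30.0.0/16", "shared"), ("0.0.0.0/0", "egress")],
}
# Each attachment is associated with exactly one TGW route table.
ASSOCIATIONS = {"prod": "prod-rt", "dev": "dev-rt", "shared": "shared-rt",
                "inspection": "inspection-rt"}


def lookup(rt_name, dst_ip):
    """Longest-prefix match, as the TGW does. Returns the target or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[rt_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def vpc_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidr in VPCS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None  # not one of our VPCs (e.g. an internet address)


def path(src_vpc, dst_ip, max_hops=4):
    """Attachments a flow traverses, or None if a blackhole/missing route drops it.
    Routing only: the firewall in the inspection VPC may still block the flow."""
    hops, current = [src_vpc], src_vpc
    for _ in range(max_hops):
        nxt = lookup(ASSOCIATIONS[current], dst_ip)
        if nxt is None or nxt == "blackhole":
            return None
        hops.append(nxt)
        # Stop at the destination VPC, or at an attachment that does not route
        # back into the TGW (the egress VPC hands traffic to its NAT gateway).
        if nxt == vpc_of(dst_ip) or nxt not in ASSOCIATIONS:
            return hops
        current = nxt
    return None  # routing loop


def reachability():
    """Which spoke can reach which, probing the 10th host address of each VPC."""
    spokes = ["prod", "dev", "shared"]
    return {(s, d): path(s, str(ipaddress.ip_network(VPCS[d])[10])) is not None
            for s in spokes for d in spokes if s != d}


if __name__ == "__main__":
    for pair, ok in sorted(reachability().items()):
        print(f"{pair[0]:>6} -> {pair[1]:<6} {'reachable' if ok else 'blocked'}")
    print("prod -> internet:", path("prod", "198.51.100.5"))
```

Two design points the output makes visible: the blackhole route in `prod-rt` is more specific than the default route, so prod-to-dev traffic is dropped at the TGW before it can ever reach the firewall (isolation does not depend on firewall policy being right); and every other flow, including spoke-to-shared, shows `inspection` as an intermediate hop, which is what "inspect east-west traffic" looks like in route-table terms.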
5.3 Zero Trust Model
Principle:
- Never trust any network automatically
Implementation:
- Strict SG rules
- Identity-based access
- Continuous verification
6. Traffic Control Techniques
6.1 Routing Control
- Use route tables (VPC subnet route tables and TGW route tables) to:
  - Allow or block paths (including blackhole routes)
  - Force traffic through a firewall by making it the next hop
6.2 Segmentation
Types:
- VPC-level isolation (separate VPCs per environment or account)
- Subnet-level segmentation (separate NACLs and route tables per tier)
Example:
- Separate:
  - Web tier
  - App tier
  - Database tier
6.3 Traffic Inspection
- Use:
  - AWS Network Firewall
  - Third-party appliances, inserted behind a Gateway Load Balancer so they scale and fail over without route changes
6.4 Logging and Monitoring
Tools:
- VPC Flow Logs (5-tuple, packets, bytes and ACCEPT/REJECT per ENI, subnet or VPC; metadata only, never payload)
- CloudWatch (metrics and alarms on flow logs and firewall logs)
- AWS CloudTrail (who changed a security group, route table or firewall policy)
- Network Firewall alert and flow logs; Traffic Mirroring when full packets are needed
Purpose:
- Detect suspicious activity, such as bursts of rejected connections or accepted traffic on unexpected ports
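What "detect suspicious activity" from flow logs looks like in practice, as an added example that is not part of these notes or of any AWS tooling: a Python detector over VPC Flow Log records in the default (version 2) field order. The log lines, account ID, ENI IDs, addresses and thresholds are constructed for the example; the field layout and the `NODATA` record shape are the documented defaults.

```python
"""Added example for these notes (not AWS code): a detector run over VPC Flow
Log records in the default (version 2) format. The log lines, account ID,
ENI IDs, addresses and thresholds are all constructed for the example."""
import ipaddress
from collections import defaultdict

# Default flow log format, space separated, in this exact field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {22, 3389}   # SSH / RDP
SCAN_THRESHOLD = 4        # distinct rejected ports from one source in the window

# Constructed sample: one accepted HTTPS flow, one external scanner, one external
# SSH login that *was* accepted, one prod->dev attempt stopped by a NACL/SG, and
# a NODATA record of the kind every flow log contains.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.10 51000 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 40003 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 40004 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.50 10.0.1.10 52222 22 6 20 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f6789012 10.10.5.20 10.20.0.5 33000 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_record(line):
    """One flow log line -> dict, or None for malformed/NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA/SKIPDATA records carry no addresses
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyse(lines):
    """Three boundary-crossing signals from flow metadata alone (flow logs never
    carry payload, so anything content-based belongs to Network Firewall/WAF logs)."""
    rejected_ports = defaultdict(set)
    findings = {"port_scan": {}, "external_mgmt_access": [], "cross_segment_reject": []}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport = rec["srcaddr"], rec["dstaddr"], rec["dstport"]
        if rec["action"] == "REJECT":
            if not is_internal(src):
                rejected_ports[src].add(dport)           # external probing, blocked
            elif is_internal(dst):
                findings["cross_segment_reject"].append((src, dst, dport))  # east-west policy hit
        elif rec["action"] == "ACCEPT" and not is_internal(src) and dport in MGMT_PORTS:
            findings["external_mgmt_access"].append((src, dst, dport))      # accepted; review it
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings["port_scan"][src] = sorted(ports)
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The three findings map onto the controls in this section: the port scan is noise the NACL/SG already absorbed (useful for a CloudWatch alarm threshold, not an incident), the accepted external SSH is the one line that needs a human, and the rejected prod-to-dev flow confirms the segmentation rule fired. Note that `NODATA` records are dropped at parse time; treating their `-` fields as addresses is a common bug in home-grown flow-log scripts.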
7. Cross-Account Security
Challenges:
- Multiple teams
- Different policies
Solutions:
1. AWS Organizations
   - Central governance (service control policies, delegated administrators)
2. Resource Access Manager (RAM)
   - Share resources securely: Transit Gateways, subnets, managed prefix lists, Network Firewall rule groups and policies
3. Firewall Manager
   - Enforce policies across accounts
8. Best Practices (Exam Critical)
1. Use Defense in Depth
   - Combine SG + NACL + Firewall
2. Centralize Security Controls
   - Use Transit Gateway + Network Firewall
3. Restrict Traffic Strictly
   - Least privilege principle
4. Avoid Public Exposure
   - Use PrivateLink instead of public endpoints
5. Enable Logging Everywhere
   - Flow logs, CloudTrail
6. Use Segmentation
   - Separate environments (prod/dev/test)
7. Inspect East-West Traffic
   - Traffic between VPCs must be controlled
9. Common Exam Scenarios
Scenario 1:
Question: Secure traffic between VPCs across accounts
✅ Answer:
- Transit Gateway (shared through RAM) + Network Firewall in an inspection VPC + SGs on the workloads
Scenario 2:
Question: Inspect all outbound internet traffic
✅ Answer:
- Spoke route tables send 0.0.0.0/0 to a centralized firewall VPC; traffic leaves through a NAT gateway after inspection
Scenario 3:
Question: Block malicious web requests
✅ Answer:
- AWS WAF on the ALB, CloudFront distribution or API Gateway
Scenario 4:
Question: Private communication between services
✅ Answer:
- PrivateLink (interface endpoint) rather than peering, when only one service needs to be exposed
Scenario 5:
Question: Protect from DDoS
✅ Answer:
- AWS Shield (Advanced when you need response-team support and cost protection for internet-facing resources)
10. Key Differences (Very Important for Exam)
| Feature | Security Group | NACL |
|---|---|---|
| Type | Stateful | Stateless |
| Rules | Allow only | Allow & Deny |
| Level | Instance (ENI) | Subnet |
| Evaluation | All rules, most permissive wins | Ordered by rule number, first match wins |
| Return traffic | Allowed automatically | Needs an explicit rule (ephemeral ports) |
| Source/destination | CIDRs, prefix lists, other SGs | CIDRs only |
11. Final Summary
To secure network boundaries in AWS:
- Use Security Groups for instance-level protection
- Use NACLs for subnet-level filtering
- Use Transit Gateway for centralized routing control
- Use AWS Network Firewall for deep inspection
- Use WAF & Shield for internet-facing protection
- Use PrivateLink for private connectivity
- Apply segmentation, routing control, and monitoring
