Elastic Security

Icon

Security for the Cloud

April 19, 2011 • 21:48 0

Amazon Security Groups: VPC vs EC2

Amazon has updated Security Groups for Amazon VPC

Earlier  in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes such as:

  • outbound filtering
  • fine grained IP protocol tuning
  • ability to apply changes in a one fell swoop

But I found very interesting the fact that we can now change (add/remove) the Security Groups for a running instance. As a customer of AWS, I really love to be able to modify my Security Groups without stopping any instance. I could now start an instance without a deep analysis of what my VPC network will be, and I can adapt it at any time with a minimal impact on the availability of the services my customers are consuming. In my point of view this is a major achievement, because I can adapt my security perimeter on the fly.

I still have some open questions:

In terms of security, I ‘m wondering if the opened/established connection are dropped if I modify my Security Group rule or if I remove it?

Moreover, AWS added NACL (Network Access Control List), which allow now to create DENY firewalling rule. But this seems requiring an internet gateway (VPC specific). This sounds like Amazon was not able to add ACCEPT/DENY options to the Security Group rules even if they added Inbound/Outbound options.

Here is AWS blog-post for more information:  A New Approach to Amazon EC2 Networking

Amazon EC2: public cloud

Unfortunately, I’m not a VPC user, but a EC2 user and it’s a bit frustrating that these brand new features are not available in outside VPC. I’m wondering, if there are any reason why not adding these features to Amazon EC2.

Concerning the Outbound filtering, I can’t see any reason why not adding it for EC2. I would love to hear more about this.

Last, but not least thing that can be discussed is the “one fell swoop” feature. I think this is a step back to true elasticity. Previously, I just had to create a rule and then the rule is automatically and dynamically applied, now I have to build the rule and then apply it just like with a traditional firewall.

/fred

Filed under: AWS, Cloud Computing, , , , , , ,

April 3, 2011 • 10:53 0

Presentation at CloudOps

Videos and slides from the CloudOps Summit in Frankfurt are available online.

Here is the video of our Elastic Detector pitch.

Don’t hesitate to contact us if you have questions or if you are interested in a free trial.

Filed under: Internals, Presentations, ,

Twitter Updates

Follow

Get every new post delivered to your Inbox.