Some weeks ago, Amazon Web services announced VPC (Virtual Private Cloud) in a move to address security requirements for enterprise customers and to provide the missing link for hybrid deployments (although some questions remain especially concerning the technology behind their offer). Since we were recently suggesting a list of requirements for a cloud VPN, we want to take Amazon’s announcement as a reason to compare and match VPC features with this list.
The overall usecase Amazon is addressing is Communication between the internal network and the cloud. Here is the list (*):
Clientless: VPC uses IPSec which is supported by the majority of security gateways, so no need for the installation of a client VPN.
Centralized management: VPC configuration is provided by the Amazon API (although not yet integrated in the Amazon Console). Existing VPN Monitoring tools already used in the internal infrastructure should also be operational in the private part of the cloud.
Authentication and authorization features : Even if integration with security groups is not yet provided, they can be expected soon. Concerning authentication the method provided is IKE Security Association using Pre-Shared Keys. Role based access control is not provided by Amazon.
Integration with endpoint security: VPC targets the security of communication, not providing endpoint security. However, enterprises may deploy existing endpoint security products within the AMIs in the VPC.
Advanced logging and reporting: In our opinion, this is the Achilles’ heel of AWS – and VPC is no better. No information is provided at the network and firewall level.
Support of different communication methods and devices: We do not know yet if multicast will one day be supported in EC2 and VPC. Concerning devices, Amazon announces that “We also plan to support Software VPNs in the near future.”
High availability: Only one VPC can be configured per AWS account for the moment. No elastic load balancing is available so it is up to the customers to construct their HA solution.
Static addressing: Today it is possible to specify a subnet, but the IP address is randomly picked within the subnet. You cannot use elastic IPs. These restrictions are expected to be dropped by amazon in the roadmap.
Conclusion: Even though there are a couple of requirements where VPC falls short, VPC is an important first step towards IaaS security and it will help customers to confidently move to the cloud. It lays the ground on which customers can built upon and extend their security architecture into the public cloud.