Amazon VPC Brief Analysis

Some weeks ago, Amazon Web Services announced VPC (Virtual Private Cloud) in a move to address the security requirements of enterprise customers and to provide the missing link for hybrid deployments (although some questions remain, especially concerning the technology behind the offering). Since we recently suggested a list of requirements for a cloud VPN, we want to take Amazon’s announcement as an occasion to compare VPC’s features against that list.

The overall use case Amazon is addressing is communication between the internal network and the cloud. Here is the list (*):

Clientless: VPC uses IPSec which is supported by the majority of security gateways, so no need for the installation of a client VPN.

Centralized management: VPC configuration is provided by the Amazon API (although not yet integrated in the Amazon Console). Existing VPN Monitoring tools already used in the internal infrastructure should also be operational in the private part of the cloud.

Authentication and authorization features: Even if integration with security groups is not yet provided, it can be expected soon. Concerning authentication, the method provided is an IKE Security Association using Pre-Shared Keys. Role-based access control is not provided by Amazon.
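To make the "IPsec with IKE and Pre-Shared Keys" point concrete for the customer-gateway side of the two items above (clientless IPsec, PSK authentication), here is an added example that is not from the original post and not Amazon's or strongSwan's own code. It generates a random pre-shared key per tunnel, applies a simple key-strength check, and renders a strongSwan-style `ipsec.conf` / `ipsec.secrets` fragment. The gateway addresses (RFC 5737 documentation ranges), subnets, tunnel names and the IKE/ESP proposals are assumptions chosen for illustration, not values taken from Amazon's documentation; the BGP session that the VPC VPN runs inside the tunnels is out of scope here.

```python
import re
import secrets
from dataclasses import dataclass
from typing import List


@dataclass
class Tunnel:
    """One IPsec tunnel between the customer gateway and the VPC VPN gateway."""
    name: str
    customer_gw_ip: str   # public IP of the on-premises customer gateway (placeholder)
    vpn_gw_ip: str        # public IP of the VPC side for this tunnel (placeholder)
    local_subnet: str     # on-premises network behind the customer gateway (assumed)
    remote_subnet: str    # VPC address range (assumed)
    psk: str


# Assumed proposals for the example; check the provider's published parameters.
IKE_PROPOSAL = "aes128-sha1-modp1024!"
ESP_PROPOSAL = "aes128-sha1!"


def generate_psk(nbytes: int = 32) -> str:
    """Return a URL-safe pre-shared key carrying `nbytes` of CSPRNG entropy."""
    return secrets.token_urlsafe(nbytes)


def psk_is_strong(psk: str, min_len: int = 32, min_distinct: int = 16) -> bool:
    """Assumed local policy: long enough and not built from a handful of repeated characters."""
    if len(psk) < min_len:
        return False
    if len(set(psk)) < min_distinct:
        return False
    # Reject whitespace and quotes, which would break the ipsec.secrets line.
    return re.search(r'[\s"]', psk) is None


def render_ipsec_conf(tunnels: List[Tunnel]) -> str:
    """Render one `conn` section per tunnel in strongSwan ipsec.conf syntax."""
    out = ["config setup", ""]
    for t in tunnels:
        out += [
            f"conn {t.name}",
            "    keyexchange=ikev1",          # IKE SA authenticated with a PSK
            "    authby=secret",
            f"    left={t.customer_gw_ip}",
            f"    leftid={t.customer_gw_ip}",
            f"    leftsubnet={t.local_subnet}",
            f"    right={t.vpn_gw_ip}",
            f"    rightid={t.vpn_gw_ip}",
            f"    rightsubnet={t.remote_subnet}",
            f"    ike={IKE_PROPOSAL}",
            f"    esp={ESP_PROPOSAL}",
            "    dpdaction=restart",          # re-establish the tunnel if the peer goes silent
            "    auto=start",
            "",
        ]
    return "\n".join(out)


def render_ipsec_secrets(tunnels: List[Tunnel]) -> str:
    """Render `ipsec.secrets` lines: one PSK per (local id, remote id) pair."""
    return "\n".join(f'{t.customer_gw_ip} {t.vpn_gw_ip} : PSK "{t.psk}"' for t in tunnels) + "\n"


def build_tunnels() -> List[Tunnel]:
    """Two tunnels to two VPC endpoints, each with its own freshly generated PSK (constructed data)."""
    tunnels = [
        Tunnel("vpc-tunnel-1", "203.0.113.10", "192.0.2.1", "10.1.0.0/16", "10.0.0.0/16", generate_psk()),
        Tunnel("vpc-tunnel-2", "203.0.113.10", "192.0.2.2", "10.1.0.0/16", "10.0.0.0/16", generate_psk()),
    ]
    for t in tunnels:
        if not psk_is_strong(t.psk):
            raise ValueError(f"weak PSK generated for {t.name}")
    return tunnels


if __name__ == "__main__":
    tunnels = build_tunnels()
    print("# ipsec.conf")
    print(render_ipsec_conf(tunnels))
    print("# ipsec.secrets (protect with mode 0600)")
    print(render_ipsec_secrets(tunnels))
```

Separate keys per tunnel keep a compromise of one endpoint from exposing the other, and the strength check is the kind of guard that is easy to drop into the provisioning step when the key is handed to the gateway rather than typed in by hand.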

Integration with endpoint security: VPC targets the security of communication, not providing endpoint security. However, enterprises may deploy existing endpoint security products within the AMIs in the VPC.

Advanced logging and reporting: In our opinion, this is the Achilles’ heel of AWS – and VPC is no better. No information is provided at the network and firewall level.

Support of different communication methods and devices: We do not know yet whether multicast will one day be supported in EC2 and VPC. Concerning devices, Amazon announces that “We also plan to support Software VPNs in the near future.”

High availability: Only one VPC can be configured per AWS account for the moment. No elastic load balancing is available so it is up to the customers to construct their HA solution.

Static addressing: Today it is possible to specify a subnet, but the IP address is picked randomly within that subnet. You cannot use Elastic IPs. These restrictions are expected to be dropped by Amazon according to the roadmap.

Conclusion: Even though there are a couple of requirements where VPC falls short, VPC is an important first step towards IaaS security and it will help customers move to the cloud with confidence. It lays the ground on which customers can build and extend their security architecture into the public cloud.

(*) Green: works out of the box. Yellow: works partly or can be achieved with additional reasonable efforts of the customer. Red: not fulfilled.

One thought on “Amazon VPC Brief Analysis”

  1. Pingback: Some Thoughts on Cloud Adoption « Elastic Security
