AWS Network Stack
AWS Network Stack Components
This document describes the key AWS networking components used in the Unibeam production environment, focusing on AWS Network Firewall, Route 53 Private Hosted Zones, and Security Groups. These elements work together to secure, segment, and control traffic within and between clusters, VPCs, and external services.
TOC
- AWS Network Stack Components
- TOC
- AWS Network Firewall
- Route 53 Private Hosted Zones
- Security Groups
- Summary Table
AWS Network Firewall
AWS Network Firewall is deployed to enforce stateful traffic filtering and segmentation for both the DMZ and workload VPCs. Its policies are built from several stateful rule groups defined in Terraform, including:
- Domain Allowlist: Permits outbound HTTP and HTTPS only to trusted domains (for example .amazonaws.com, .github.com, us.unibeam.com). AWS Network Firewall domain lists match on the HTTP Host header and the TLS SNI the client sends, not on the destination IP, so this rule group is paired with the default drop below rather than relied on alone.
- Suricata Stateful Rules: Custom Suricata rules for protocol-specific filtering, covering SIM service traffic, DNS, NTP, HTTPS, SMTP, and the SMSC ports.
- DMZ and Workload Segmentation: Separate policies for the DMZ and workload VPCs, so that only approved traffic flows between the two environments and to the internet.
Example Rule Highlights:
- Allow DNS, NTP, HTTPS, and SMTP outbound from workloads.
- Restrict egress to only approved ports and domains.
- Explicit allow rules for SMSC traffic to AT&T IPs and ports.
- Default drop/reject for all other traffic.
Reference
See firewall-rules-wl.tf, firewall-rules-dmz.tf, and firewall-policy.tf for full rule definitions.
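The following is an added example, not the contents of firewall-rules-wl.tf, firewall-rules-dmz.tf or firewall-policy.tf: a minimal workload-VPC policy in the shape described above, with a domain allowlist group, a Suricata group that passes DNS, NTP, SMTP and SMSC egress, and a strict-order policy whose default action drops whatever no pass rule matched. The CIDRs, the SMTP port, the rule group names and the `smsc_peer_cidrs` variable are placeholders, not values from the production environment.

```hcl
# Added example, not the project's own rule files. All CIDRs, names and the
# SMTP port are placeholders.

variable "workload_cidr" {
  type    = string
  default = "10.20.0.0/16" # placeholder workload VPC CIDR
}

variable "smsc_peer_cidrs" {
  type    = list(string)
  default = ["198.51.100.0/28"] # placeholder; the real carrier list lives in the project's .tf files
}

# Domain allowlist: AWS generates pass rules for the listed names and a drop for
# other HTTP/TLS traffic. HOME_NET defaults to the firewall's own VPC CIDR; it is
# set explicitly so the group also works if the firewall inspects another VPC.
resource "aws_networkfirewall_rule_group" "wl_domains" {
  name     = "wl-domain-allowlist"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set { definition = [var.workload_cidr] }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".amazonaws.com", ".github.com", "us.unibeam.com"]
      }
    }
  }
}

# Protocol pass rules. There is deliberately no broad "pass tcp ... 443": such a
# rule can match on the SYN, before any SNI is visible, and pass the flow without
# the allowlist ever seeing it. HTTPS egress is decided by the domain group above.
resource "aws_networkfirewall_rule_group" "wl_suricata" {
  name     = "wl-suricata-egress"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rule_variables {
      ip_sets {
        key = "WORKLOAD_NET"
        ip_set { definition = [var.workload_cidr] }
      }
      ip_sets {
        key = "SMSC_PEERS"
        ip_set { definition = var.smsc_peer_cidrs }
      }
    }
    rules_source {
      # Port 587 for SMTP is an assumption; use the relay's actual port.
      rules_string = <<-EOT
        pass udp $WORKLOAD_NET any -> any 53 (msg:"allow DNS"; sid:1000001; rev:1;)
        pass udp $WORKLOAD_NET any -> any 123 (msg:"allow NTP"; sid:1000002; rev:1;)
        pass tcp $WORKLOAD_NET any -> any 587 (flow:to_server; msg:"allow SMTP submission"; sid:1000003; rev:1;)
        pass tcp $WORKLOAD_NET any -> $SMSC_PEERS [2775,17600] (flow:to_server; msg:"allow SMSC to carrier peers"; sid:1000004; rev:1;)
      EOT
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "wl" {
  name = "wl-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    # Whatever no pass rule matched is dropped; alert_strict logs the drop so the
    # default deny is visible in the firewall logs.
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    # Lower priority number is evaluated first: the allowlist must run before any
    # protocol pass rule.
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.wl_domains.arn
    }
    stateful_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.wl_suricata.arn
    }
  }
}
```

With strict order, every stateful rule group referenced by the policy must itself be STRICT_ORDER, and the policy's `priority` values decide which group sees a packet first; putting the domain allowlist ahead of the protocol rules is what keeps a permissive port rule from short-circuiting the SNI check.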
Route 53 Private Hosted Zones
Route 53 manages DNS resolution within the AWS environment. The private hosted zone makes internal services (EKS clusters, databases, monitoring endpoints) resolvable only from the VPCs associated with it, so internal hostnames and the private addresses behind them are never published in public DNS.
- Purpose: Internal DNS for service discovery, load balancers, and private endpoints (e.g., Atlas MongoDB, Redis, Loki, etc.).
- Integration: Used by EKS clusters and other workloads for secure, private name resolution.
DNS Security
Private zones keep sensitive service endpoints out of public DNS: only resources inside an associated VPC (or resolving through it) can look up internal names. They control what can be discovered, not what can be reached; connectivity is still governed by the Network Firewall and security group rules.
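As an added example (not the project's Terraform), this is the pattern the section describes: one private hosted zone associated with both an east and a west VPC, an alias record for an internal load balancer, and a check for the VPC settings private zones depend on. The zone name, VPC IDs, regions and the load balancer name are placeholders.

```hcl
# Added example, not the project's Terraform. Zone name, VPC IDs, regions and the
# ALB name are placeholders.

variable "vpc_east_id" { default = "vpc-0east00000000000" } # placeholder
variable "vpc_west_id" { default = "vpc-0west00000000000" } # placeholder

# A private hosted zone only resolves from a VPC that has both DNS settings on.
# check blocks need Terraform 1.5+.
check "vpc_dns_settings" {
  data "aws_vpc" "east" {
    id = var.vpc_east_id
  }
  assert {
    condition     = data.aws_vpc.east.enable_dns_support && data.aws_vpc.east.enable_dns_hostnames
    error_message = "Private hosted zones require enableDnsSupport and enableDnsHostnames on the VPC."
  }
}

resource "aws_route53_zone" "internal" {
  name    = "internal.example.test" # placeholder, not the production zone
  comment = "Internal services; resolvable only from associated VPCs"

  # First association inline. The west VPC is attached with a separate
  # association resource, so the zone must ignore later changes to this block.
  vpc {
    vpc_id     = var.vpc_east_id
    vpc_region = "us-east-1"
  }
  lifecycle {
    ignore_changes = [vpc]
  }
}

resource "aws_route53_zone_association" "west" {
  zone_id    = aws_route53_zone.internal.zone_id
  vpc_id     = var.vpc_west_id
  vpc_region = "us-west-2"
}

# Internal ALB looked up by name (placeholder). An alias record follows the
# ALB's changing IPs without publishing them in any public zone.
data "aws_lb" "internal" {
  name = "internal-alb"
}

resource "aws_route53_record" "monitoring" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = "monitoring.internal.example.test"
  type    = "A"

  alias {
    name                   = data.aws_lb.internal.dns_name
    zone_id                = data.aws_lb.internal.zone_id
    evaluate_target_health = true
  }
}
```

The `ignore_changes = [vpc]` is the documented way to combine an inline first association with `aws_route53_zone_association` resources; without it, each plan tries to remove the associations the zone resource does not know about.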
Security Groups
Security Groups act as virtual firewalls for EC2 instances, load balancers, and other resources. They are tightly controlled via Terraform and are region-aware, covering both the east and west clusters.
Key Security Group Roles:
- EKS Peering SG: Allows HTTPS traffic between east-west worker subnets and VPN subnets for cluster peering.
- Internal ALB SGs: Restrict access to internal load balancers to only VPN subnets and authorized sources.
- External ALB SGs: Allow public HTTPS/HTTP access for APIs, dashboards, and MNO services.
- Atlas MongoDB SG: Restricts MongoDB connections to only EKS worker subnets via private link.
- Mikrotik IPsec SG: Manages IPsec, SMSC, and management access for the DMZ VPC, including dynamic rules for AT&T IPs and ports.
Rule Highlights:
- Ingress rules are scoped to specific source CIDRs (subnets, VPNs, or the public internet) and ports (e.g., 443 for HTTPS, 22 for SSH, 17600/2775 for SMSC).
- Egress rules restrict outbound traffic to only necessary destinations and ports.
- Dynamic rules ensure that only approved subnets and external IPs can communicate with sensitive resources.
Reference
See security_groups.tf, security_groups_mikrotik.tf, security_groups_atlas.tf, and security_group_wg.tf for full security group definitions.
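The following added example (not from security_groups.tf or its companion files) shows the shape of the internal ALB and worker rules described above, one rule per resource: HTTPS into the ALB only from VPN CIDRs, SSH only from the VPN, and ALB-to-worker traffic expressed as a security group reference instead of a CIDR. The VPC ID, CIDRs and the worker service port are placeholders.

```hcl
# Added example, not the project's security group files. VPC ID, CIDRs and the
# worker service port are placeholders.

variable "vpc_id" { default = "vpc-0placeholder000000" } # placeholder

variable "vpn_cidrs" {
  type    = list(string)
  default = ["10.250.0.0/24", "10.251.0.0/24"] # placeholder VPN subnets
}

# No inline ingress/egress blocks: rules are separate resources below, so each
# can be added or removed without rewriting the whole group. Terraform removes
# AWS's implicit allow-all egress on groups it creates, so egress starts empty.
resource "aws_security_group" "internal_alb" {
  name        = "internal-alb"
  description = "Internal ALB: HTTPS from VPN subnets only"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "eks_workers" {
  name        = "eks-workers"
  description = "EKS worker nodes"
  vpc_id      = var.vpc_id
}

# One rule per VPN CIDR, each with its own description and rule ID, so an audit
# can tell exactly which source a rule admits.
resource "aws_vpc_security_group_ingress_rule" "alb_https_from_vpn" {
  for_each          = toset(var.vpn_cidrs)
  security_group_id = aws_security_group.internal_alb.id
  description       = "HTTPS from VPN subnet ${each.value}"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# ALB -> workers on the service port, by security group reference rather than a
# subnet CIDR: only ENIs carrying the ALB's group can reach the workers, whatever
# IPs the ALB currently holds.
resource "aws_vpc_security_group_ingress_rule" "workers_from_alb" {
  security_group_id            = aws_security_group.eks_workers.id
  description                  = "Service port from internal ALB"
  referenced_security_group_id = aws_security_group.internal_alb.id
  ip_protocol                  = "tcp"
  from_port                    = 8443 # placeholder service port
  to_port                      = 8443
}

resource "aws_vpc_security_group_egress_rule" "alb_to_workers" {
  security_group_id            = aws_security_group.internal_alb.id
  description                  = "Only to the worker service port"
  referenced_security_group_id = aws_security_group.eks_workers.id
  ip_protocol                  = "tcp"
  from_port                    = 8443
  to_port                      = 8443
}

# SSH from the VPN subnets only. A rule with cidr_ipv4 = "0.0.0.0/0" on port 22
# is the version a least-privilege review should reject.
resource "aws_vpc_security_group_ingress_rule" "workers_ssh_from_vpn" {
  for_each          = toset(var.vpn_cidrs)
  security_group_id = aws_security_group.eks_workers.id
  description       = "SSH from VPN subnet ${each.value}"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}
```

Referencing a security group instead of a CIDR is what makes the ALB-to-worker path survive IP changes on either side, and the per-rule resources give each ingress a stable ID and description that show up unchanged in the console and in audit tooling.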
Summary Table
| Component | Purpose | Example Rules/Config |
|---|---|---|
| Network Firewall | Stateful traffic filtering, segmentation | Domain allowlist, Suricata rules, default drop |
| Route 53 Private Zone | Internal DNS resolution, service discovery | VPC-associated zone, records for internal endpoints |
| Security Groups | Resource-level traffic control (ingress/egress) | HTTPS, SSH, SMSC, IPsec, ALB access |
Security Best Practices
Review firewall and security group rules for least privilege whenever they change, and audit DNS zones regularly to confirm that no internal endpoint is published externally.