Profile Applicability:
- Level 1
Description:
Amazon VPC Interface Endpoints (powered by PrivateLink) enable private connectivity between your VPC and supported AWS services, VPC endpoint services, or AWS Marketplace services. These endpoints use Elastic Network Interfaces (ENIs) to provide network connectivity to the services, ensuring private communication without using the public internet. This SOP ensures that VPC Interface Endpoints are deployed with ENIs in more than one subnet for high availability and fault tolerance.
Rationale:
Deploying ENIs for VPC Interface Endpoints in multiple subnets across different Availability Zones (AZs) ensures high availability. If one subnet or AZ fails, traffic can be routed through the other subnets with active ENIs, reducing the risk of service disruption. This setup is essential for maintaining fault tolerance and ensuring that your services remain accessible even in the event of failures within a specific AZ or subnet.
Impact:
Pros:
High Availability: Distributes ENIs across multiple subnets and AZs, ensuring that if one subnet becomes unavailable, the endpoint remains accessible through other subnets.
Fault Tolerance: Reduces the risk of losing access to services due to failures in specific AZs or subnets.
Improved Resilience: Helps meet the availability requirements of critical services in production environments.
Cons:
Increased Complexity: Additional configuration may be required to manage ENIs across multiple subnets and AZs.
Costs: Additional ENIs in multiple subnets could increase the costs associated with VPC resources.
Default Value:
By default, VPC Interface Endpoints are created with ENIs in a single subnet. To enhance fault tolerance, it is best practice to place ENIs in more than one subnet, ideally across different AZs.
Prerequisites:
AWS IAM Permissions:
ec2:DescribeVpcEndpoints
ec2:DescribeSubnets
ec2:CreateVpcEndpoint
ec2:ModifyVpcEndpoint
AWS CLI installed and configured.
Basic knowledge of VPC, subnetting, Elastic Network Interfaces (ENIs), and PrivateLink.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the VPC Dashboard, select Endpoints under the PrivateLink section.
Select the desired Interface Endpoint and check the ENIs associated with it.
Ensure that the ENIs are present in more than one subnet across different Availability Zones (AZs).
Review the subnet and AZ associations for each ENI to confirm high availability.
Using AWS CLI:
To describe the VPC Interface Endpoint and check the ENI distribution across subnets, run the following command:
aws ec2 describe-vpc-endpoints --filters Name=vpc-endpoint-type,Values=Interface --query 'VpcEndpoints[*].{Id:VpcEndpointId,ENIs:NetworkInterfaceIds}'
To check the subnets for each ENI, run:
aws ec2 describe-network-interfaces --network-interface-ids <eni-id> --query 'NetworkInterfaces[*].{SubnetId:SubnetId,AvailabilityZone:AvailabilityZone}'
Review the output to ensure that the ENIs are associated with subnets in multiple Availability Zones.
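The two CLI steps above leave the final comparison (how many distinct subnets and AZs each endpoint's ENIs span) to the reviewer. The following script is an added example, not part of this SOP or of any AWS tooling: it parses the JSON shapes that describe-vpc-endpoints and describe-network-interfaces return, counts distinct subnets and Availability Zones per Interface endpoint, and flags any endpoint below two AZs. The endpoint, ENI, subnet and AZ identifiers in the sample data are constructed placeholders, the MIN_AZS threshold of two is an assumption derived from the Rationale section, and the --live option simply shells out to the same two AWS CLI commands (it needs configured credentials and the ec2:Describe* permissions listed under Prerequisites).

```python
"""Check that each VPC Interface Endpoint has ENIs in more than one subnet and AZ.

Added example (not part of the original SOP). Offline, it evaluates constructed
sample data shaped like the AWS CLI's JSON output; with --live it runs the SOP's
describe-vpc-endpoints / describe-network-interfaces commands instead.
"""
import json
import subprocess
import sys

MIN_AZS = 2  # assumption: at least two AZs satisfies the "more than one subnet" control

# Constructed sample output of `aws ec2 describe-vpc-endpoints` (placeholder ids).
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Interface",
     "NetworkInterfaceIds": ["eni-01", "eni-02"]},          # two subnets, two AZs
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
     "NetworkInterfaceIds": ["eni-03"]},                    # single subnet
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Gateway",
     "NetworkInterfaceIds": []},                            # gateway endpoints have no ENIs
    {"VpcEndpointId": "vpce-0ddd", "VpcEndpointType": "Interface",
     "NetworkInterfaceIds": ["eni-04", "eni-05"]},          # two subnets but the same AZ
]}

# Constructed sample output of `aws ec2 describe-network-interfaces` (placeholder ids).
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-01", "SubnetId": "subnet-a", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-02", "SubnetId": "subnet-b", "AvailabilityZone": "us-east-1b"},
    {"NetworkInterfaceId": "eni-03", "SubnetId": "subnet-c", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-04", "SubnetId": "subnet-d", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-05", "SubnetId": "subnet-e", "AvailabilityZone": "us-east-1a"},
]}


def index_enis(network_interfaces_json):
    """Map NetworkInterfaceId -> (SubnetId, AvailabilityZone)."""
    return {eni["NetworkInterfaceId"]: (eni["SubnetId"], eni["AvailabilityZone"])
            for eni in network_interfaces_json["NetworkInterfaces"]}


def evaluate_endpoints(vpc_endpoints_json, network_interfaces_json, min_azs=MIN_AZS):
    """Return {endpoint_id: {"subnets": set, "azs": set, "compliant": bool}}.

    Gateway endpoints are skipped (they use route tables, not ENIs). An ENI id that
    is missing from the ENI listing contributes nothing, so the endpoint is judged
    only on the ENIs that could actually be resolved to a subnet and AZ.
    """
    eni_index = index_enis(network_interfaces_json)
    results = {}
    for ep in vpc_endpoints_json["VpcEndpoints"]:
        if ep.get("VpcEndpointType") != "Interface":
            continue
        subnets, azs = set(), set()
        for eni_id in ep.get("NetworkInterfaceIds", []):
            if eni_id in eni_index:
                subnet_id, az = eni_index[eni_id]
                subnets.add(subnet_id)
                azs.add(az)
        results[ep["VpcEndpointId"]] = {
            "subnets": subnets, "azs": azs, "compliant": len(azs) >= min_azs}
    return results


def report_lines(results):
    """Human-readable summary, one line per Interface endpoint."""
    return [f"{ep_id}: {'OK' if r['compliant'] else 'NON-COMPLIANT'} "
            f"subnets={len(r['subnets'])} azs={sorted(r['azs'])}"
            for ep_id, r in sorted(results.items())]


def aws_cli_json(args):
    """Run `aws ec2 <args>` and parse its JSON output (requires configured credentials)."""
    proc = subprocess.run(["aws", "ec2", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def fetch_live():
    """The SOP's two describe commands, with the ENI ids gathered from the first call."""
    endpoints = aws_cli_json(["describe-vpc-endpoints",
                              "--filters", "Name=vpc-endpoint-type,Values=Interface"])
    eni_ids = [i for ep in endpoints["VpcEndpoints"] for i in ep.get("NetworkInterfaceIds", [])]
    enis = ({"NetworkInterfaces": []} if not eni_ids else
            aws_cli_json(["describe-network-interfaces", "--network-interface-ids", *eni_ids]))
    return endpoints, enis


if __name__ == "__main__":
    endpoints, enis = fetch_live() if "--live" in sys.argv else (SAMPLE_ENDPOINTS, SAMPLE_ENIS)
    results = evaluate_endpoints(endpoints, enis)
    print("\n".join(report_lines(results)))
    sys.exit(0 if all(r["compliant"] for r in results.values()) else 1)
```

Run it with no arguments to see the evaluation of the constructed sample, or with --live against an account. The vpce-0ddd case is the one worth noting: two subnets satisfy the letter of "more than one subnet", but because both sit in us-east-1a the endpoint gains no AZ fault tolerance, which is why the check counts distinct Availability Zones rather than distinct subnets.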
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to VPC.
Go to the Endpoints section and select the VPC Interface Endpoint you wish to modify or check.
Review the Network Interface section to check which subnets the ENIs are deployed in.
If the ENIs are not in multiple subnets, click Modify Endpoint and add additional subnets from different Availability Zones to the endpoint configuration.
Ensure that the route tables are properly configured to allow traffic to the VPC endpoint from multiple subnets.
Using AWS CLI:
To create a new VPC Interface Endpoint with ENIs in multiple subnets, run:
aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name <service-name> --vpc-endpoint-type Interface --subnet-ids <subnet-id-1> <subnet-id-2> --security-group-ids <security-group-id>
If modifying an existing VPC Endpoint to include ENIs in additional subnets, use the following command:
aws ec2 modify-vpc-endpoint --vpc-endpoint-id <vpc-endpoint-id> --add-subnet-ids <subnet-id-3> <subnet-id-4>
Verify the updated ENI configuration by running:
aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[*].{Id:VpcEndpointId,ENIs:NetworkInterfaceIds}'
Backout Plan:
If creating or modifying VPC Interface Endpoints results in issues:
Identify the affected VPC Endpoint and ENIs.
Remove the newly added subnets from the endpoint configuration:
aws ec2 modify-vpc-endpoint --vpc-endpoint-id <vpc-endpoint-id> --remove-subnet-ids <subnet-id-to-remove>
Delete the VPC Interface Endpoint if needed:
aws ec2 delete-vpc-endpoints --vpc-endpoint-ids <vpc-endpoint-id>
Verify that the endpoint configuration is restored to its previous state and that the remaining ENIs are functioning correctly.
Note:
Ensure that security groups and route tables are appropriately configured for each subnet to enable smooth communication with the VPC Endpoint.
Monitor the health and performance of the VPC Interface Endpoint after the changes to confirm high availability and fault tolerance.