Profile Applicability:
- Level 1
Description:
Network architecture planning ensures that the Amazon Aurora database instance is deployed within a well-designed, secure, and efficient network. This includes designing subnets, routing, internet gateways, and VPC peering to ensure proper isolation, optimal performance, and minimal exposure to external threats.
Rationale:
Proper network architecture planning ensures that the Aurora instance is securely isolated, performs optimally, and is resistant to external threats. By strategically placing the Aurora database in private subnets, restricting access, and using appropriate routing, businesses can meet security, compliance, and performance objectives while minimizing attack surfaces.
Impact:
Without a properly planned network architecture, the Aurora instance may be exposed to security vulnerabilities, performance bottlenecks, or inefficiencies in resource allocation. Poor network design can also lead to unnecessary exposure to the internet or unauthorized internal access.
Default Value:
By default, Aurora instances are created within a VPC with a basic networking setup. Advanced configurations like VPC subnets, routing, and private IP addressing must be manually planned and implemented to ensure the database is optimally secured and performs well.
Pre-requisites:
An AWS account with administrative access to configure VPC, subnets, routing tables, and other networking components.
A clear understanding of networking concepts, such as IP addressing, subnets, routing, and VPC peering.
A well-defined security and compliance policy for database access and network isolation.
Remediation:
Test Plan:
Using AWS Console:
Navigate to VPC > Subnets and ensure that the Aurora instance is deployed within a private subnet to limit direct internet exposure.
Verify that the Aurora instance is deployed in the correct availability zone and that the subnet has sufficient resources for the database workload.
Review the Route Tables and ensure that the routing is configured to direct traffic securely and efficiently between subnets.
Check the Internet Gateway configuration to ensure that only authorized traffic is routed through the public subnet.
Review VPC Peering connections to ensure that the database is only accessible from trusted VPCs and networks.
Using AWS CLI:
Run the following command to verify the VPC and Subnet configuration for the Aurora instance:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, VpcSecurityGroups:VpcSecurityGroups, DBSubnetGroup:DBSubnetGroup}"
Check the Route Tables to ensure correct routing:
aws ec2 describe-route-tables --query "RouteTables[].{RouteTableId:RouteTableId, Routes:Routes}"
Verify that each subnet in the DB subnet group is private, i.e. the route table associated with it has no default route (0.0.0.0/0) to an internet gateway (a subnet with no explicit association uses the VPC's main route table):
aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id> --query "RouteTables[].Routes[?DestinationCidrBlock=='0.0.0.0/0'].GatewayId"
Check for VPC Peering configurations:
aws ec2 describe-vpc-peering-connections --query "VpcPeeringConnections[].{Id:VpcPeeringConnectionId, RequesterVpc:RequesterVpcInfo.VpcId, AccepterVpc:AccepterVpcInfo.VpcId, Status:Status.Code}"
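The CLI queries above list subnet and route-table details but leave the "is it private?" decision to the reader. The following script, added here as an illustration and not part of this benchmark or of any AWS tooling, applies the check offline to JSON shaped like the output of `aws rds describe-db-instances` and `aws ec2 describe-route-tables`: for every subnet in the instance's DB subnet group it resolves the effective route table (explicit association, otherwise the VPC main table) and flags the subnet as public when that table sends 0.0.0.0/0 or ::/0 to an internet gateway. It also reports the instance's `PubliclyAccessible` flag, since a private subnet alone does not help if the instance was created with a public endpoint. All identifiers and the two route tables are constructed sample data; replace them with real `describe-*` output to audit an account.

```python
"""Classify the subnets behind an Aurora DB subnet group as public or private.

A subnet is "public" in the VPC sense when the route table it uses contains
a default route (0.0.0.0/0 or ::/0) whose target is an internet gateway
(igw-...). Subnets whose default route goes to a NAT gateway, or that have
no default route at all, are treated as private.
"""

# Constructed sample (not real account output): one Aurora instance whose
# subnet group spans one private and one public subnet.
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "aurora-example-1",
        "PubliclyAccessible": False,
        "DBSubnetGroup": {
            "DBSubnetGroupName": "aurora-subnets",
            "VpcId": "vpc-0example",
            "Subnets": [
                {"SubnetIdentifier": "subnet-0private"},
                {"SubnetIdentifier": "subnet-0public"},
            ],
        },
    }
]

# Constructed sample: the main table sends 0.0.0.0/0 to a NAT gateway; a
# second table, explicitly associated with subnet-0public, routes to an IGW.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0main",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
    },
    {
        "RouteTableId": "rtb-0public",
        "VpcId": "vpc-0example",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-0public", "RouteTableId": "rtb-0public"}
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
]

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """Return the table a subnet uses: an explicit association wins, else the VPC main table."""
    main = None
    for table in route_tables:
        if table.get("VpcId") != vpc_id:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def has_igw_default_route(route_table):
    """True if any default route in the table targets an internet gateway."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_ROUTES and str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def audit_instance(db_instance, route_tables):
    """Return the findings for one DB instance as a dict."""
    group = db_instance["DBSubnetGroup"]
    vpc_id = group["VpcId"]
    public_subnets = []
    for subnet in group["Subnets"]:
        sid = subnet["SubnetIdentifier"]
        table = route_table_for_subnet(sid, vpc_id, route_tables)
        if table is not None and has_igw_default_route(table):
            public_subnets.append(sid)
    publicly_accessible = bool(db_instance.get("PubliclyAccessible", False))
    return {
        "DBInstanceIdentifier": db_instance["DBInstanceIdentifier"],
        "PubliclyAccessible": publicly_accessible,
        "PublicSubnets": public_subnets,
        # Compliant only when no subnet is public and no public endpoint exists.
        "Compliant": not public_subnets and not publicly_accessible,
    }


def audit(db_instances, route_tables):
    """Audit every instance; a non-empty PublicSubnets list is a finding."""
    return [audit_instance(i, route_tables) for i in db_instances]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DB_INSTANCES, SAMPLE_ROUTE_TABLES):
        print(finding)
```

Run against the sample, the script reports `subnet-0public` as public (its explicit route table has an IGW default route) and marks the instance non-compliant even though `PubliclyAccessible` is false, which is exactly the case the `describe-subnets` query alone would miss.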
Implementation Plan:
Using AWS Console:
Go to VPC > Subnets, create private subnets for the Aurora instance, ensuring that they do not have direct access to the internet.
Create a VPC Peering connection between trusted VPCs if necessary for accessing the Aurora instance.
Update the Route Tables to ensure proper routing between subnets and VPCs. Configure private routes for internal communication and limit public access.
If required, configure NAT Gateways or Bastion Hosts to allow specific outbound internet traffic from private subnets.
Review Security Groups and NACLs to ensure that only authorized internal and external IP ranges can access the Aurora instance.
Apply the changes and verify that the Aurora instance is correctly isolated and performs optimally.
Using AWS CLI:
Create private subnets for the Aurora instance:
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <private-cidr-block> --availability-zone <az-name>
Set up VPC Peering:
aws ec2 create-vpc-peering-connection --vpc-id <vpc-id> --peer-vpc-id <peer-vpc-id> --peer-region <region>
Modify the Route Table for proper routing:
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block> --gateway-id <gateway-id>
Configure a NAT Gateway for private subnets (if required):
aws ec2 create-nat-gateway --subnet-id <subnet-id> --allocation-id <allocation-id>
Verify the Security Groups and NACLs to ensure proper access restrictions:
aws ec2 describe-security-groups --group-ids <security-group-id>
Apply the changes and verify the Aurora instance's network configuration.
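The security group review in the steps above is the point where unintended internet exposure of the database is most often found. The script below is an added illustration, not part of this benchmark or of any AWS tooling: it takes JSON shaped like the output of `aws ec2 describe-security-groups --group-ids <security-group-id>` and reports every ingress permission whose source is 0.0.0.0/0 or ::/0, regardless of port. Rules that reference trusted CIDRs or other security groups (an application tier or bastion group) are not reported. The group, its rules and the port 3306 in it are constructed sample data.

```python
"""Flag security group ingress rules that admit traffic from the whole internet.

A database security group should only reference trusted CIDR ranges or other
security groups; any ingress from 0.0.0.0/0 or ::/0 is reported here.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample (not real account output): one rule scoped to an
# internal CIDR plus an app-tier group, and one rule open to the world.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0example",
        "GroupName": "aurora-db",
        "IpPermissions": [
            {
                "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
                "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0apptier"}],
            },
            {
                "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": ANY_V4, "Description": "constructed: too broad"}],
                "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
                "UserIdGroupPairs": [],
            },
        ],
    }
]


def open_ingress_rules(group):
    """Return (protocol, from_port, to_port, source) tuples for world-open ingress."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # FromPort/ToPort are absent for "-1" (all traffic); keep None in that case.
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == ANY_V4:
                findings.append((proto, *ports, ANY_V4))
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == ANY_V6:
                findings.append((proto, *ports, ANY_V6))
    return findings


def audit_security_groups(groups):
    """Map each GroupId to its list of world-open ingress rules (empty list = clean)."""
    return {g["GroupId"]: open_ingress_rules(g) for g in groups}


if __name__ == "__main__":
    for group_id, rules in audit_security_groups(SAMPLE_SECURITY_GROUPS).items():
        status = "OPEN TO INTERNET" if rules else "ok"
        print(group_id, status, rules)
```

Feed it the saved output of the `describe-security-groups` command (the `SecurityGroups` array) to get the same report for a real group; an empty list for a group means none of its ingress rules use a world-open source.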
Backout Plan:
Using AWS Console:
In VPC > Subnets, modify or delete the private subnets and revert them to public subnets if necessary.
Delete the VPC Peering connections if they need to be removed.
Update the Route Tables to remove private routes or change the routing to the default state.
Remove NAT Gateways or Bastion Hosts if no longer required.
Revert Security Groups and NACLs to their previous configurations, allowing broader access if required.
Using AWS CLI:
Delete the private subnets and revert to public subnets:
aws ec2 delete-subnet --subnet-id <subnet-id>
Remove VPC Peering connections:
aws ec2 delete-vpc-peering-connection --vpc-peering-connection-id <peering-connection-id>
Modify the Route Table to revert to default routing:
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block>
Remove NAT Gateway if needed:
aws ec2 delete-nat-gateway --nat-gateway-id <nat-gateway-id>
Revert Security Groups and NACLs to the previous state.
References: