Elastic network interfaces (ENIs) – Infrastructure Security – Keeping Your VPC secure

Elastic network interfaces (ENIs)

Acting as the virtual equivalent of a physical network card, ENIs provide your AWS resources, such as EC2 instances, with network connectivity within your VPC. Each ENI is equipped with attributes such as a primary private IP address, optional secondary IP addresses, Elastic IP addresses (if assigned), and a MAC address. They are secured using security groups, allowing granular control over inbound and outbound traffic to the resources they are associated with.

Security groups, NACLs, and AWS Network Firewall

Security groups, NACLs, and AWS Network Firewall are distinct and complementary mechanisms that filter network traffic at different levels of your VPC. In the Implementing security groups, NACLs, and AWS Network Firewall section, we will dive into these three mechanisms and provide practical insights and guidance on how to leverage them for maximum security.

VPC endpoints

VPC endpoints allow private connectivity between VPC-attached resources and supported AWS services. This means that VPC resources can access these AWS services without exposing network traffic to the public internet. VPC endpoints come in two varieties:

• Interface endpoints: These act as ENIs with private IP addresses from your subnet’s IP range, serving as the access point for traffic to AWS services. Utilizing AWS PrivateLink as the underlying technology, interface endpoints ensure private connectivity, enhancing security by allowing traffic to stay within the AWS network and supporting endpoint policies for granular IAM access control.
• Gateway endpoints: Created for specific AWS services such as Amazon S3 and Amazon DynamoDB, gateway endpoints integrate directly with your VPC’s route tables, facilitating direct service access. They are region-specific, cost-free, and offer similar security features as interface endpoints.

In both cases, traffic between your VPC and the AWS service does not leave the AWS network, providing a secure and efficient method of accessing services. In addition, IAM-based endpoint policies can be used to control which resources can use a VPC endpoint to access the AWS service. This provides an additional and more granular level of access control beyond traditional network security rules.