Improve Your Network Security Posture With Amazon VPC Network Access Analyzer

1. Introduction to VPC Network Access Analyzer

VPC Network Access Analyzer is used to specify the desired connection between our AWS resources. We can use scopes created by Amazon, create a new scope from scratch, or copy or customize the existing scope.

Network Access Analyzer can help us to verify the following requirements:

1. Network Segmentation
2. Internet Accessibility
3. Trusted Network Path
4. Trusted Network Access

2. Overview of VPC Network Access Analyzer:

Source: amazon.docs

Network Access Analyzer uses automated inference algorithms to analyze the network paths that packets can follow between resources on our AWS network. It then produces the results for the path that corresponds to the customer-defined network access area. It performs a static analysis on our network configuration. That is, no packets are sent within the network as part of this analysis. Network Access Analyzer only considers the network conditions described in the network configuration, so packet loss due to temporary network interruptions or service outages is not included in this analysis.

3. Supported Source and Destination Resources in Findings:

Network Access Analyzer finding is a network path that a packet can take in a network. Network Access Analyzer can only produce findings for network paths that start or end at the following types of resources:

1. Network Interfaces
2. VPC Interface Endpoints
3. VPC Service Endpoints
4. Virtual Private Gateways
5. Internet Gateways
6. Transit Gateway Attachments
7. VPC gateway endpoints
8. VPC peering connections

4. Supported Path Resources in Findings:

A Network Access Analyzer network path can pass through multiple resources from the start to the end of the network path.

1. Internet gateways
2. Load balancers (except for Gateway Load Balancers)
3. NAT gateways
4. Network ACLs
5. Network firewalls
6. Network interfaces
7. VPC route tables
8. Security groups
9. Target groups
10. Transit gateway route tables
11. Transit gateway attachments
12. VPC interface endpoints
13. VPC gateway endpoints
14. VPC endpoints services
15. VPC peering connections
16. Virtual private gateways

5. Challenges of using Amazon VPC Network Access Analyzer:

1. Internet Gateway and Virtual Private Gateways
2. Application Load Balancer
3. Network Load Balancer
4. Network Firewall
5. Amazon VPC Transit Gateways
6. IPv4 Only

6. Pricing:

There is no additional charge for creating VPC. We only must pay for optional VPC capabilities as per our usage.

We need to pay $0.002 for network assessment analyzed by Network Access Analyzer.

7. Regions Supported:

Network Access Analyzer is available in the following regions only:

US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), South America (São Paulo), and Middle East (Bahrain)

8. Step-by-Step Guide for working with Network Access Analyzer:

a. To get started, log in to AWS Management Console and select VPC.

b. Select Network Access Analyzer from Network Analysis.

c. Click on Get Started; you will see pre-configured Network Access Scopes. Click on Create Network Access Scope to create a new scope.

d. Select a template to work with. We will select Empty Template and click Next.

e. Enter the name of the scope and its description.

f. Select Source and Destination by resource id or type.

We can add multiple match conditions by clicking on Add match condition.

g. Add Tags and click on Next.

h. Now review and click on Create Network Access Scope.

i. Select the scope and click on Analyze

j. You can see the analysis report in the Latest analysis, and we can also see the Past analysis.

9. Sample Reports:

In our Last Analysis tab, we can see the Last analysis result, it will show No findings detected if we don’t get any issues. If we encounter any issue, we will get the Findings detected in the Last analysis result.

Findings:

Findings details:

Filter the details by selecting the inner rings of the chart.

10. Conclusion:

Amazon VPC Network Access Analyzer examines a wide range of AWS resources like Security Groups, Prefix lists, EC2 Instances, AWS Load Balancer, VPC, NAT Gateways, Transit Gateways, and Internet Gateways, VPN Gateways, Peering Connections, Network Firewall, VPC Endpoints, VPC Endpoints Services VPC Subnets. We can use Network Access Analyzer to understand, verify and improve our network security or demonstrate compliance.

11. About CloudThat:

CloudThat is the official AWS Advanced Consulting Partner, Microsoft Gold Partner, and Training partner helping people develop knowledge on the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

If you have any queries about or anything related to AWS services, feel free to drop in a comment. We will get back to you quickly. Visit our Consulting Page for more updates on our customer offerings, expertise, and cloud services.

12. FAQs:

1. Why do need a Network Access Analyzer?
   Amazon VPC Network Access Analyzer helps us to identify unintended network access to our resources on AWS. With Network Access Analyzer, we can verify whether network access for our VPC resources meets our security and compliance guidelines. Network Access Analyzer can assess and identify improvements to our cloud security posture.
2. What is ‘Findings’ in Network Access Analyzer?
   A single Network Access Analyzer scope analysis will produce at most 100 findings. Network Access Analyzer makes a best-effort attempt to return a diverse, representative set of findings from among all possible findings. It does not ensure that the same findings will be produced if the same Network Access Scope is re-analyzed in the same network. Network Access Analyzer might produce new findings for existing Network Access Scope analyses if new configurations are supported in the future.

WRITTEN BY Rahul Kumar Sharma