Secure your VPC’s outbound network traffic in the AWS Cloud

Kirankumar Chandrashekar and Abdal Garuba, Amazon Web Services (AWS)

November 2022 (document history)

This guide covers best practices for securing and monitoring outbound network traffic when using Amazon Virtual Private Cloud (Amazon VPC). It also describes AWS tools that can help you monitor outbound network traffic from elastic network interfaces and virtual private clouds (VPCs) in the AWS Cloud.

Note

This guide doesn’t cover third-party tools that can integrate with AWS to provide additional layers of security. It also assumes a cloud-only architecture. This guide doesn’t apply to hybrid architectures.

The following best practices are outlined in this guide:

Determining your VPC’s security requirements by analyzing existing traffic patterns
Restricting a VPC’s outbound traffic by using security groups
Restricting a VPC’s outbound traffic by using AWS Network Firewall and DNS hostnames
Accessing AWS resources by using VPC endpoints
Establishing private connectivity between internal applications by using AWS PrivateLink
Communicating across VPCs and AWS Regions by using VPC peering or AWS Transit Gateway

Note

For the best possible security posture, you can also pass outbound traffic through a dedicated path to a filtering tool, such as a firewall appliance.

Targeted business outcomes

This guide helps you do the following:

Control and monitor your VPC’s outbound network traffic.
Make sure that traffic between your AWS resources passes through secure, private routes that are controlled by the AWS backbone network.
Implement AWS tools to continuously monitor outbound network traffic and stop requests to unapproved endpoints.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Determining your VPC’s security requirements