# Block public access to VPCs and subnets
VPC Block Public Access (BPA) is a centralized security feature that enables you to authoritatively prevent public internet access to VPC resources across an entire AWS account, ensuring compliance with security requirements while providing flexibility for specific exceptions and audit capabilities.
The VPC BPA feature has the following modes:
+ **Bidirectional**: All traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets) is blocked.
+ **Ingress-only**: All internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded) is blocked. Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
You can also create "exclusions" for this feature for traffic you don't want to block. An exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account's VPC BPA mode and will allow bidirectional or egress-only access.
Exclusions can have either of the following modes:
+ **Bidirectional**: All internet traffic to and from the excluded VPCs and subnets is allowed.
+ **Egress-only**: Outbound internet traffic from the excluded VPCs and subnets is allowed. Inbound internet traffic to the excluded VPCs and subnets is blocked. This only applies when VPC BPA is set to Bidirectional.
**Topics**
+ [VPC BPA basics](security-vpc-bpa-basics.md)
+ [Assess impact of VPC BPA and monitor VPC BPA](security-vpc-bpa-assess-impact-main.md)
+ [Advanced example](security-vpc-bpa-example.md)
# VPC BPA basics
This section covers important details about VPC BPA, including which services support it and how you can work with it.
**Topics**
+ [Regional availability](#security-vpc-bpa-reg-avail)
+ [AWS service impact and support](#security-vpc-bpa-service-support)
+ [VPC BPA limitations](#security-vpc-bpa-limits)
+ [Control access to VPC BPA with an IAM policy](#security-vpc-bpa-iam-example)
+ [Enable VPC BPA bidirectional mode for your account](#security-vpc-bpa-enable-bidir)
+ [Change VPC BPA mode to ingress-only](#security-vpc-bpa-ingress-only)
+ [Create and delete exclusions](#security-vpc-bpa-exclusions)
+ [Enable VPC BPA at the Organization level](#security-vpc-bpa-exclusions-orgs)
## Regional availability
VPC BPA is available in all commercial [AWS Regions](https://aws.amazon.com//about-aws/global-infrastructure/regions_az/) including GovCloud and China Regions.
In this guide, you'll also find information about using Network Access Analyzer and Reachability Analyzer with VPC BPA. Note that Network Access Analyzer and Reachability Analyzer are not available in all commercial Regions. For information about the regional availability of Network Access Analyzer and Reachability Analyzer, see [Limitations](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/how-network-access-analyzer-works.html#analyzer-limitations) in the *Network Access Analyzer Guide* and [Considerations](https://docs.aws.amazon.com/vpc/latest/reachability/how-reachability-analyzer-works.html#considerations) in the *Reachability Analyzer Guide*.
## AWS service impact and support
The following resources and services support VPC BPA and traffic to these services and resources is impacted by VPC BPA:
+ **Internet gateway**: All inbound and outbound traffic is blocked.
+ **Egress-only internet gateway**: All outbound traffic is blocked. Egress-only internet gateways do not allow inbound traffic.
+ **Gateway Load Balancer (GWLB)**: All inbound and outbound traffic is blocked unless the subnet containing GWLB endpoints is excluded.
+ **NAT gateway**: All inbound and outbound traffic is blocked. NAT gateways require an internet gateway for internet connectivity.
+ **Internet-facing Network Load Balancer**: All inbound and outbound traffic is blocked. Internet-facing Network Load Balancers require an internet gateway for internet connectivity.
+ **Internet-facing Application Load Balancer**: All inbound and outbound traffic is blocked. Internet-facing Application Load Balancers require an internet gateway for internet connectivity.
+ **Amazon CloudFront VPC Origins**: All inbound and outbound traffic is blocked.
+ **Direct Connect**: All inbound and outbound traffic that uses public virtual interfaces (public IPv4 or global unicast IPv6 addresses) is blocked. This traffic uses the internet gateway (or egress-only internet-gateway) for connectivity.
+ **AWS Global Accelerator**: Inbound traffic to VPCs is blocked, whether or not the target is otherwise accessible from the internet.
+ **AWS Network Firewall**: All inbound and outbound traffic is blocked even if the subnet containing firewall endpoints is excluded.
+ **AWS Wavelength carrier gateway**: All inbound and outbound traffic is blocked.
Traffic related to private connectivity, such as traffic for the following services and resources, is not blocked or impacted by VPC BPA:
+ AWS Client VPN
+ AWS CloudWAN
+ AWS Outposts local gateway
+ AWS Site-to-Site VPN
+ Transit gateway
+ AWS Verified Access
**Important**
If you are routing incoming and outgoing traffic through an appliance (such as a 3rd-party security or monitoring tool) running on an EC2 instance in a subnet, when using VPC BPA, that subnet needs to be an exclusion for traffic to flow in and out of it. Other subnets sending traffic to the appliance subnet and not to the internet gateway do not need to be added as exclusions.
Traffic sent privately from resources in your VPC to other services running in your VPC, such as the Route 53 Resolver, is allowed even when VPC BPA is turned on because it does not pass through an internet gateway in your VPC. It is possible that these services may make requests to resources outside of the VPC on your behalf, for example, in order to resolve a DNS query, and may expose information about the activity of resources within your VPC if not mitigated through other security controls.
If you have an internet-facing load balancer and you create a VPC BPA exclusion for only one of its subnets, the load balancer can still receive public traffic in the excluded subnet and route it privately to targets in subnets that are not excluded. To ensure VPC BPA fully blocks public access to your targets, make sure none of the load balancer subnets are excluded.
## VPC BPA limitations
VPC BPA ingress-only mode is not supported in Local Zones (LZs) where NAT gateways and egress-only internet gateways are not allowed.
## Control access to VPC BPA with an IAM policy
For examples of IAM policies that allow/deny access to the VPC BPA feature, see [Block public access to VPCs and subnets](vpc-policy-examples.md#vpc-bpa-example-iam).
## Enable VPC BPA bidirectional mode for your account
VPC BPA bidirectional mode blocks all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets). For more information about exclusions, see [Create and delete exclusions](#security-vpc-bpa-exclusions).
**Important**
We strongly recommend that you thoroughly review the workloads that require Internet access prior to enabling VPC BPA in your production accounts.
**Note**
To enable VPC BPA on the VPCs and subnets in your account, you must own the VPCs and subnets.
If you are currently sharing VPC subnets with other accounts, the VPC BPA mode enforced by the subnet owner applies to participant traffic as well, but participants can't control the VPC BPA settings that impact the shared subnet.
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. Choose **Edit public access settings**.
1. Choose **Turn on block public access** and **Bidirectional**, then choose **Save changes**.
1. Wait for the **Status** to change to **On**. It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
VPC BPA Bidirectional mode is now on.
------
#### [ AWS CLI ]
1. Turn on VPC BPA:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-bidirectional
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. View the status of VPC BPA:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-options
```
------
## Change VPC BPA mode to ingress-only
VPC BPA ingress-only mode blocks all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. Choose **Edit public access settings**.
1. Change the direction to **Ingress-only**.
1. Save the changes and wait for the status to be updated. It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
------
#### [ AWS CLI ]
1. Modify the VPC BPA block direction:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-ingress
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. View the status of VPC BPA:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-options
```
------
## Create and delete exclusions
A VPC BPA exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s VPC BPA mode and will allow bidirectional or egress-only access. You can create VPC BPA exclusions for VPCs and subnets even when VPC BPA is not enabled on the account to ensure that there is no traffic disruption to the exclusions when VPC BPA is turned on. An exclusion for a VPC automatically applies to all subnets in the VPC.
You can create a maximum of 50 exclusions. For information about requesting a limit increase, see *VPC BPA exclusions per account* in [Amazon VPC quotas](amazon-vpc-limits.md).
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. In the **Block public access** tab, under **Exclusions**, do one of the following:
+ To delete an exclusion, select the exclusion and then choose **Actions** > **Delete exclusions**.
+ To create an exclusion, choose **Create exclusions** and continue with the next steps.
1. Choose a block direction:
+ **Bidirectional**: Allows all internet traffic to and from the excluded VPCs and subnets.
+ **Egress-only**: Allows outbound internet traffic from the excluded VPCs and subnets. Blocks inbound internet traffic to the excluded VPCs and subnets. This setting applies when VPC BPA is set to **Bidirectional**.
1. Choose a VPC or subnet.
1. Choose **Create exclusions**.
1. Wait for the **Exclusion status** to change to **Active**. You may need to refresh the exclusion table to see the change.
The exclusion has been created.
------
#### [ AWS CLI ]
1. Modify the exclusion allow direction:
```
aws ec2 --region us-east-2 create-vpc-block-public-access-exclusion --subnet-id subnet-id --internet-gateway-exclusion-mode allow-bidirectional
```
1. It can take time for the exclusion status to update. To view the status of the exclusion:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-exclusions --exclusion-ids exclusion-id
```
------
## Enable VPC BPA at the Organization level
If you are using AWS Organizations to manage accounts in your organization, you can use an [AWS Organizations declarative policy](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_declarative.html) to enforce VPC BPA on the accounts in the organization. For more information about the VPC BPA declarative policy, see [Supported declarative policies ](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_declarative_syntax.html#declarative-policy-vpc-block-public-access) in the *AWS Organizations User Guide*.
**Note**
You can use the VPC BPA declarative policy to configure if exclusions are allowed, but you cannot create exclusions with the policy. To create exclusions, you still have to create them in the account that owns the VPC. For more information about creating VPC BPA exclusions, see [Create and delete exclusions](#security-vpc-bpa-exclusions).
If the VPC BPA declarative policy is enabled, in **Block public access** settings, you'll see **Managed by Declarative Policy** and you won't be able to modify VPC BPA settings at the account level.
# Assess impact of VPC BPA and monitor VPC BPA
This section contains information on you can assess the impact of VPC BPA before you turn it on and how you monitor if traffic is being blocked after you turn it on.
**Topics**
+ [Assess the impact of VPC BPA using Network Access Analyzer](#security-vpc-bpa-assess-impact)
+ [Monitor VPC BPA impact with flow logs](#security-vpc-bpa-fl)
+ [Track exclusion deletion with CloudTrail](#security-vpc-bpa-cloudtrail)
+ [Verify connectivity is blocked with Reachability Analyzer](#security-vpc-bpa-verify-RA)
## Assess the impact of VPC BPA using Network Access Analyzer
In this section, you'll use Network Access Analyzer to view the resources in your account that use an internet gateway *before* you enable VPC BPA and block access. Use this analysis to understand the impact of turning on VPC BPA in your account and blocking traffic.
**Note**
Network Access Analyzer does not support IPv6; so you will not be able to use it to view the potential impact of VPC BPA on egress-only internet gateway outbound IPv6 traffic.
You are charged for the analyses you perform with Network Access Analyzer. For more information, see [Pricing](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/what-is-network-access-analyzer.html#pricing) in the *Network Access Analyzer Guide*.
For information about the regional availability of Network Access Analyzer, see [Limitations](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/how-network-access-analyzer-works.html#analyzer-limitations) in the *Network Access Analyzer Guide*.
------
#### [ AWS Management Console ]
1. Open the AWS Network Insights console at [https://console.aws.amazon.com/networkinsights/](https://console.aws.amazon.com/networkinsights/).
1. Choose **Network Access Analyzer**.
1. Choose **Create Network Access Scope**.
1. Choose **Assess impact of VPC Block Public Access** and choose **Next**.
1. The template is already configured to analyze traffic to and from the internet gateways in your account. You can view this under **Source** and **Destination**.
1. Choose **Next**.
1. Choose **Create Network Access Scope**.
1. Choose the scope you just created and choose **Analyze**.
1. Wait for the analysis to complete.
1. View the findings of the analysis. Each row under **Findings** shows a network path that a packet can take in a network to or from an internet gateway in your account. In this case, if you turn on VPC BPA and none of the VPCs and or subnets that appear in these findings are configured as VPC BPA exclusions, traffic to those VPCs and subnets will be restricted.
1. Analyze each finding to understand the impact of VPC BPA on resources in your VPCs.
The impact analysis is complete.
------
#### [ AWS CLI ]
1. Create a network access scope:
```
aws ec2 create-network-insights-access-scope --region us-east-2 --match-paths "Source={ResourceStatement={ResourceTypes=["AWS::EC2::InternetGateway"]}}" "Destination={ResourceStatement={ResourceTypes=["AWS::EC2::InternetGateway"]}}"
```
1. Start the scope analysis:
```
aws ec2 start-network-insights-access-scope-analysis --region us-east-2 --network-insights-access-scope-id nis-id
```
1. Get the results of the analysis:
```
aws ec2 get-network-insights-access-scope-analysis-findings --region us-east-2 --network-insights-access-scope-analysis-id nisa-0aa383a1938f94cd1 --max-items 1
```
The results show the traffic to and from the internet gateways in all the VPCs in your account. The results are organized as "findings". "FindingId": "AnalysisFinding-1" indicates that this is the first finding in the analysis. Note that there are multiple findings and each indicates a traffic flow that will be impacted by turning on VPC BPA. The first finding will show that traffic started at an internet gateway ("SequenceNumber": 1), passed to an NACL ("SequenceNumber": 2) to a security group ("SequenceNumber": 3) and ended at an instance ("SequenceNumber": 4).
1. Analyze the findings to understand the impact of VPC BPA on resources in your VPCs.
The impact analysis is complete.
------
## Monitor VPC BPA impact with flow logs
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from Elastic network interfaces in your VPC. You can use this feature to monitor traffic that is blocked by VPC BPA from reaching your instance network interfaces.
Create a flow log for your VPC using the steps in [Work with flow logs](working-with-flow-logs.md).
When you create the flow log, make sure you use a custom format that includes the field `reject-reason`.
When you view the flow logs, if traffic to an ENI is rejected due to VPC BPA, you'll see a `reject-reason` of `BPA` in the flow log entry.
In addition to the standard [limitations](flow-logs-limitations.md) for VPC flow logs, note the following limitations specific to VPC BPA:
+ Flow logs for VPC BPA do not include [skipped records](flow-logs-records-examples.md#flow-log-example-no-data).
+ Flow logs for VPC BPA do not include [`bytes`](flow-log-records.md#flow-logs-fields) even if you include the `bytes` field in your flow log.
## Track exclusion deletion with CloudTrail
This section explains how you can use AWS CloudTrail to monitor and track the deletion of VPC BPA exclusions.
------
#### [ AWS Management Console ]
You can view any deleted exclusions in the **CloudTrail Event history** by looking up **Resource type** > `AWS::EC2::VPCBlockPublicAccessExclusion` in the AWS CloudTrail console at [https://console.aws.amazon.com/cloudtrailv2/](https://console.aws.amazon.com/cloudtrailv2/).
------
#### [ AWS CLI ]
You can use the `lookup-events` command to view the events related to deleting exclusions:
```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::VPCBlockPublicAccessExclusion
```
------
## Verify connectivity is blocked with Reachability Analyzer
[VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) can be used to evaluate whether or not certain network paths can be reached given your network configuration, including VPC BPA settings.
For information about the regional availability of Reachability Analyzer, see [Considerations](https://docs.aws.amazon.com/vpc/latest/reachability/how-reachability-analyzer-works.html#considerations) in the *Reachability Analyzer Guide*.
------
#### [ AWS Management Console ]
1. Open the AWS Network Insights console at [https://console.aws.amazon.com/networkinsights/home#ReachabilityAnalyzer](https://console.aws.amazon.com/networkinsights/home#ReachabilityAnalyzer).
1. Click **Create and analyze path**.
1. For the **Source Type**, choose **Internet Gateways** and select the internet gateway you want to block traffic from the **Source dropdown**.
1. For the **Destination Type**, choose **Instances** and select the instance you want to block traffic to from the **Destination** dropdown.
1. Click **Create and analyze path**.
1. Wait for the analysis to complete. It could take a few minutes.
1. Once complete, you should see that the **Reachability Status** is **Not reachable** and that the **Path details** shows that `VPC_BLOCK_PUBLIC_ACCESS_ENABLED `is the cause of this reachability issue.
------
#### [ AWS CLI ]
1. Create a network path using the ID of the Internet Gateway you want to block traffic from (source) and the ID of the instance you want to block traffic to (destination):
```
aws ec2 --region us-east-2 create-network-insights-path --source igw-id --destination instance-id --protocol TCP
```
1. Start an analysis on the network path:
```
aws ec2 --region us-east-2 start-network-insights-analysis --network-insights-path-id nip-id
```
1. Retrieve the results of the analysis:
```
aws ec2 --region us-east-2 describe-network-insights-analyses --network-insights-analysis-ids nia-id
```
1. Verify that `VPC_BLOCK_PUBLIC_ACCESS_ENABLED` is the `ExplanationCode` for the lack of reachability.
------
# Advanced example
This section contains an advanced example that will help you understand how VPC Block Public Access feature works in different scenarios. Each scenario builds off the scenario before it, so it's important to complete the steps in order.
**Important**
Do not go through this example in a production account. We strongly recommend that you thoroughly review the workloads that require Internet access prior to enabling VPC BPA in your production accounts.
**Note**
To fully understand the VPC BPA feature, you'll need certain resources in your account. In this section, we provide an CloudFormation template that you can use to provision the resources you need to fully understand how this feature works. There are costs associated with the resources you provision with the CloudFormation template and the analyses you perform with Network Access Analyzer and Reachability Analyzer. If you use the template in this section, ensure that you complete the Cleanup steps when you're done with this example.
**Topics**
+ [Deploy CloudFormation template (optional)](#security-vpc-bpa-example-deploy-cfn)
+ [View the impact of VPC BPA with Network Access Analyzer](#vpc-bpa-naa)
+ [Scenario 1 - Connect to instances without VPC BPA turned on](#vpc-bpa-scenario-1-connect-scen1)
+ [Scenario 2 - Turn on VPC BPA in Bidirectional mode](#vpc-bpa-scenario-1-connect-scen2)
+ [Scenario 3 - Change VPC BPA to Ingress-only mode](#vpc-bpa-scenario-3)
+ [Scenario 4 - Create an exclusion](#vpc-bpa-scenario-4)
+ [Scenario 5 - Modify exclusion mode](#vpc-bpa-scenario-5)
+ [Scenario 6 - Modify VPC BPA mode](#vpc-bpa-scenario-6)
+ [Cleanup](#vpc-bpa-scenario-cleanup)
## Deploy CloudFormation template (optional)
To demonstrate how this feature works, you need a VPC, subnets, instances, and other resources. To make it easier to complete this demonstration, we’ve provided an CloudFormation template below that you can use to quickly spin up the resources required for the scenarios in this demo. This step is optional and you may want to just view the diagrams in the Scenarios in this section.
**Note**
There are costs associated with the resources you create in this section with the CloudFormation template, such as the cost of the NAT gateway and public IPv4 addresses. To avoid excess costs, ensure that you complete the Cleanup steps to remove all resources created for the purpose of this example.
This CloudFormation template creates the underlying resources needed for VPC BPA but does not enable the VPC BPA feature itself. The resources deployed here are intended to help you understand and test VPC BPA functionality once you choose to enable it separately.
The template creates the following resources in your account:
+ Egress-only internet gateway
+ Internet gateway
+ NAT gateway
+ Two public subnets
+ One private subnet
+ Two EC2 instances with public and private IPv4 addresses
+ One EC2 instance with an IPv6 address and a private IPv4 address
+ One EC2 instance with a private IPv4 address only
+ Security group with SSH and ICMP inbound traffic allowed and ALL outbound traffic allowed
+ VPC flow log
+ One EC2 Instance Connect endpoint in Subnet B
Copy the template below and save it to a .yaml file.
```
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a VPC with public and private subnets, NAT gateway, and EC2 instances for VPC BPA.
Parameters:
InstanceAMI:
Description: ID of the Amazone Machine Image (AMI) to use with the instances launched by this template
Type: AWS::EC2::Image::Id
InstanceType:
Description: EC2 Instance type to use with the instances launched by this template
Type: String
Default: t2.micro
Resources:
# VPC
VPCBPA:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: VPC BPA
# VPC IPv6 CIDR
VPCBPAIpv6CidrBlock:
Type: AWS::EC2::VPCCidrBlock
Properties:
VpcId: !Ref VPCBPA
AmazonProvidedIpv6CidrBlock: true
# EC2 Key Pair
VPCBPAKeyPair:
Type: AWS::EC2::KeyPair
Properties:
KeyName: vpc-bpa-key
# Internet Gateway
VPCBPAInternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: VPC BPA Internet Gateway
VPCBPAInternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPCBPA
InternetGatewayId: !Ref VPCBPAInternetGateway
# Egress-Only Internet Gateway
VPCBPAEgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId: !Ref VPCBPA
# Subnets
VPCBPAPublicSubnetA:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPCBPA
CidrBlock: 10.0.1.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: VPC BPA Public Subnet A
VPCBPAPublicSubnetB:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPCBPA
CidrBlock: 10.0.2.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: VPC BPA Public Subnet B
VPCBPAPrivateSubnetC:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPCBPA
CidrBlock: 10.0.3.0/24
MapPublicIpOnLaunch: false
Ipv6CidrBlock: !Select [0, !GetAtt VPCBPA.Ipv6CidrBlocks]
AssignIpv6AddressOnCreation: true
Tags:
- Key: Name
Value: VPC BPA Private Subnet C
# NAT Gateway
VPCBPANATGateway:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt VPCBPANATGatewayEIP.AllocationId
SubnetId: !Ref VPCBPAPublicSubnetB
Tags:
- Key: Name
Value: VPC BPA NAT Gateway
VPCBPANATGatewayEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: VPC BPA NAT Gateway EIP
# Route Tables
VPCBPAPublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPCBPA
Tags:
- Key: Name
Value: VPC BPA Public Route Table
VPCBPAPublicRoute:
Type: AWS::EC2::Route
DependsOn: VPCBPAInternetGatewayAttachment
Properties:
RouteTableId: !Ref VPCBPAPublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref VPCBPAInternetGateway
VPCBPAPublicSubnetARouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref VPCBPAPublicSubnetA
RouteTableId: !Ref VPCBPAPublicRouteTable
VPCBPAPublicSubnetBRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref VPCBPAPublicSubnetB
RouteTableId: !Ref VPCBPAPublicRouteTable
VPCBPAPrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPCBPA
Tags:
- Key: Name
Value: VPC BPA Private Route Table
VPCBPAPrivateRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref VPCBPAPrivateRouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref VPCBPANATGateway
VPCBPAPrivateSubnetCRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref VPCBPAPrivateRouteTable
DestinationIpv6CidrBlock: ::/0
EgressOnlyInternetGatewayId: !Ref VPCBPAEgressOnlyInternetGateway
VPCBPAPrivateSubnetCRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref VPCBPAPrivateSubnetC
RouteTableId: !Ref VPCBPAPrivateRouteTable
# EC2 Instances Security Group
VPCBPAInstancesSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: VPC BPA Instances Security Group
GroupDescription: Allow SSH and ICMP access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: icmp
FromPort: -1
ToPort: -1
CidrIp: 0.0.0.0/0
VpcId: !Ref VPCBPA
Tags:
- Key: Name
Value: VPC BPA Instances Security Group
# EC2 Instances
VPCBPAInstanceA:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref InstanceAMI
InstanceType: t2.micro
KeyName: !Ref VPCBPAKeyPair
SubnetId: !Ref VPCBPAPublicSubnetA
SecurityGroupIds:
- !Ref VPCBPAInstancesSecurityGroup
Tags:
- Key: Name
Value: VPC BPA Instance A
VPCBPAInstanceB:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref InstanceAMI
InstanceType: !Ref InstanceType
KeyName: !Ref VPCBPAKeyPair
SubnetId: !Ref VPCBPAPublicSubnetB
SecurityGroupIds:
- !Ref VPCBPAInstancesSecurityGroup
Tags:
- Key: Name
Value: VPC BPA Instance B
VPCBPAInstanceC:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref InstanceAMI
InstanceType: !Ref InstanceType
KeyName: !Ref VPCBPAKeyPair
SubnetId: !Ref VPCBPAPrivateSubnetC
SecurityGroupIds:
- !Ref VPCBPAInstancesSecurityGroup
Tags:
- Key: Name
Value: VPC BPA Instance C
VPCBPAInstanceD:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref InstanceAMI
InstanceType: !Ref InstanceType
KeyName: !Ref VPCBPAKeyPair
NetworkInterfaces:
- DeviceIndex: '0'
GroupSet:
- !Ref VPCBPAInstancesSecurityGroup
SubnetId: !Ref VPCBPAPrivateSubnetC
Ipv6AddressCount: 1
Tags:
- Key: Name
Value: VPC BPA Instance D
# Flow Logs IAM Role
VPCBPAFlowLogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: vpc-flow-logs.amazonaws.com
Action: 'sts:AssumeRole'
Tags:
- Key: Name
Value: VPC BPA Flow Logs Role
VPCBPAFlowLogPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: VPC-BPA-FlowLogsPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
Resource: '*'
Roles:
- !Ref VPCBPAFlowLogRole
# Flow Logs
VPCBPAFlowLog:
Type: AWS::EC2::FlowLog
Properties:
ResourceId: !Ref VPCBPA
ResourceType: VPC
TrafficType: ALL
LogDestinationType: cloud-watch-logs
LogGroupName: /aws/vpc-flow-logs/VPC-BPA
DeliverLogsPermissionArn: !GetAtt VPCBPAFlowLogRole.Arn
LogFormat: '${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr} ${region} ${az-id} ${sublocation-type} ${sublocation-id} ${pkt-src-aws-service} ${pkt-dst-aws-service} ${flow-direction} ${traffic-path} ${reject-reason}'
Tags:
- Key: Name
Value: VPC BPA Flow Logs
# EC2 Instance Connect Endpoint
VPCBPAEC2InstanceConnectEndpoint:
Type: AWS::EC2::InstanceConnectEndpoint
Properties:
SecurityGroupIds:
- !Ref VPCBPAInstancesSecurityGroup
SubnetId: !Ref VPCBPAPublicSubnetB
Outputs:
VPCBPAVPCId:
Description: A reference to the created VPC
Value: !Ref VPCBPA
Export:
Name: vpc-id
VPCBPAPublicSubnetAId:
Description: The ID of the public subnet A
Value: !Ref VPCBPAPublicSubnetA
VPCBPAPublicSubnetAName:
Description: The name of the public subnet A
Value: VPC BPA Public Subnet A
VPCBPAPublicSubnetBId:
Description: The ID of the public subnet B
Value: !Ref VPCBPAPublicSubnetB
VPCBPAPublicSubnetBName:
Description: The name of the public subnet B
Value: VPC BPA Public Subnet B
VPCBPAPrivateSubnetCId:
Description: The ID of the private subnet C
Value: !Ref VPCBPAPrivateSubnetC
VPCBPAPrivateSubnetCName:
Description: The name of the private subnet C
Value: VPC BPA Private Subnet C
VPCBPAInstanceAId:
Description: The ID of instance A
Value: !Ref VPCBPAInstanceA
VPCBPAInstanceBId:
Description: The ID of instance B
Value: !Ref VPCBPAInstanceB
VPCBPAInstanceCId:
Description: The ID of instance C
Value: !Ref VPCBPAInstanceC
VPCBPAInstanceDId:
Description: The ID of instance D
Value: !Ref VPCBPAInstanceD
```
------
#### [ AWS Management Console ]
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation/](https://console.aws.amazon.com/cloudformation/).
1. Choose **Create stack** and upload the .yaml template file.
1. Go through the steps to launch the template. You'll need to enter an [image ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) and an [instance type](https://aws.amazon.com/ec2/instance-types/) (like t2.micro). You'll also need to allow CloudFormation to create an IAM role for you for the flow log creation and permission to log to CloudWatch.
1. Once you launch the stack, view the **Events** tab to view progress and ensure that the stack completes before you continue.
------
#### [ AWS CLI ]
1. Run the following command to create the CloudFormation stack:
```
aws cloudformation create-stack --stack-name VPC-BPA-stack --template-body file://sampletemplate.yaml --capabilities CAPABILITY_IAM --region us-east-2
```
Output:
```
{
"StackId": "arn:aws:cloudformation:us-east-2:470889052923:stack/VPC-BPA-stack/8a7a2cc0-8001-11ef-b196-06386a84b72f"
}
```
1. View the progress and ensure that the stack completes before you continue:
```
aws cloudformation describe-stack-events --stack-name VPC-BPA-stack --region us-east-2
```
------
## View the impact of VPC BPA with Network Access Analyzer
In this section, you'll use Network Access Analyzer to view the resources in your account that use the internet gateway. Use this analysis to understand the impact of turning on VPC BPA in your account and blocking traffic.
For information about the regional availability of Network Access Analyzer, see [Limitations](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/how-network-access-analyzer-works.html#analyzer-limitations) in the *Network Access Analyzer Guide*.
------
#### [ AWS Management Console ]
1. Open the AWS Network Insights console at [https://console.aws.amazon.com/networkinsights/](https://console.aws.amazon.com/networkinsights/).
1. Choose **Network Access Analyzer**.
1. Choose **Create Network Access Scope**.
1. Choose **Assess impact of VPC Block Public Access** and choose **Next**.
1. The template is already configured to analyze traffic to and from the internet gateways in your account. You can view this under **Source** and **Destination**.
1. Choose **Next**.
1. Choose **Create Network Access Scope**.
1. Choose the scope you just created and choose **Analyze**.
1. Wait for the analysis to complete.
1. View the findings of the analysis. Each row under **Findings** shows a network path that a packet can take in a network to or from an internet gateway in your account. In this case, if you turn on VPC BPA and none of the VPCs and or subnets that appear in these findings are configured as VPC BPA exclusions, traffic to those VPCs and subnets will be restricted.
1. Analyze each finding to understand the impact of VPC BPA on resources in your VPCs.
The impact analysis is complete.
------
#### [ AWS CLI ]
1. Create a network access scope:
```
aws ec2 create-network-insights-access-scope --match-paths "Source={ResourceStatement={ResourceTypes=["AWS::EC2::InternetGateway"]}}" "Destination={ResourceStatement={ResourceTypes=["AWS::EC2::InternetGateway"]}}" --region us-east-2
```
Output:
```
{
"NetworkInsightsAccessScope": {
"NetworkInsightsAccessScopeId": "nis-04cad3c4b3a1d5e3e",
"NetworkInsightsAccessScopeArn": "arn:aws:ec2:us-east-2:470889052923:network-insights-access-scope/nis-04cad3c4b3a1d5e3e",
"CreatedDate": "2024-09-30T15:55:53.171000+00:00",
"UpdatedDate": "2024-09-30T15:55:53.171000+00:00"
},
"NetworkInsightsAccessScopeContent": {
"NetworkInsightsAccessScopeId": "nis-04cad3c4b3a1d5e3e",
"MatchPaths": [
{
"Source": {
"ResourceStatement": {
"ResourceTypes": [
"AWS::EC2::InternetGateway"
]
}
}
},
{
"Destination": {
"ResourceStatement": {
"ResourceTypes": [
"AWS::EC2::InternetGateway"
]
}
}
}
]
}
}
```
1. Start the scope analysis:
```
aws ec2 start-network-insights-access-scope-analysis --network-insights-access-scope-id nis-04cad3c4b3a1d5e3e --region us-east-2
```
Output:
```
{
"NetworkInsightsAccessScopeAnalysis": {
"NetworkInsightsAccessScopeAnalysisId": "nisa-0aa383a1938f94cd1",
"NetworkInsightsAccessScopeAnalysisArn": "arn:aws:ec2:us-east-2:470889052923:network-insights-access-scope-analysis/nisa-0aa383a1938f94cd",
"NetworkInsightsAccessScopeId": "nis-04cad3c4b3a1d5e3e",
"Status": "running",
"StartDate": "2024-09-30T15:56:59.109000+00:00",
"AnalyzedEniCount": 0
}
}
```
1. Get the results of the analysis:
```
aws ec2 get-network-insights-access-scope-analysis-findings --network-insights-access-scope-analysis-id nisa-0aa383a1938f94cd1 --region us-east-2 --max-items 1
```
Output:
```
{
"AnalysisFindings": [
{
"NetworkInsightsAccessScopeAnalysisId": "nisa-0aa383a1938f94cd1",
"NetworkInsightsAccessScopeId": "nis-04cad3c4b3a1d5e3e",
"FindingId": "AnalysisFinding-1",
"FindingComponents": [
{
"SequenceNumber": 1,
"Component": {
"Id": "igw-04a5344b4e30486f1",
"Arn": "arn:aws:ec2:us-east-2:470889052923:internet-gateway/igw-04a5344b4e30486f1",
"Name": "VPC BPA Internet Gateway"
},
"OutboundHeader": {
"DestinationAddresses": [
"10.0.1.85/32"
]
},
"InboundHeader": {
"DestinationAddresses": [
"10.0.1.85/32"
],
"DestinationPortRanges": [
{
"From": 22,
"To": 22
}
],
"Protocol": "6",
"SourceAddresses": [
"0.0.0.0/5",
"100.0.0.0/10",
"96.0.0.0/6"
],
"SourcePortRanges": [
{
"From": 0,
"To": 65535
}
]
},
"Vpc": {
"Id": "vpc-0762547ec48b6888d",
"Arn": "arn:aws:ec2:us-east-2:470889052923:vpc/vpc-0762547ec48b6888d",
"Name": "VPC BPA"
}
},
{
"SequenceNumber": 2,
"AclRule": {
"Cidr": "0.0.0.0/0",
"Egress": false,
"Protocol": "all",
"RuleAction": "allow",
"RuleNumber": 100
},
"Component": {
"Id": "acl-06194fc3a4a03040b",
"Arn": "arn:aws:ec2:us-east-2:470889052923:network-acl/acl-06194fc3a4a03040b"
}
},
{
"SequenceNumber": 3,
"Component": {
"Id": "sg-093dde06415d03924",
"Arn": "arn:aws:ec2:us-east-2:470889052923:security-group/sg-093dde06415d03924",
"Name": "VPC BPA Instances Security Group"
},
"SecurityGroupRule": {
"Cidr": "0.0.0.0/0",
"Direction": "ingress",
"PortRange": {
"From": 22,
"To": 22
},
"Protocol": "tcp"
}
},
{
"SequenceNumber": 4,
"AttachedTo": {
"Id": "i-058db34f9a0997895",
"Arn": "arn:aws:ec2:us-east-2:470889052923:instance/i-058db34f9a0997895",
"Name": "VPC BPA Instance A"
},
"Component": {
"Id": "eni-0fa23f2766f03b286",
"Arn": "arn:aws:ec2:us-east-2:470889052923:network-interface/eni-0fa23f2766f03b286"
},
"InboundHeader": {
"DestinationAddresses": [
"10.0.1.85/32"
],
"DestinationPortRanges": [
{
"From": 22,
"To": 22
}
],
"Protocol": "6",
"SourceAddresses": [
"0.0.0.0/5",
"100.0.0.0/10",
"96.0.0.0/6"
],
"SourcePortRanges": [
{
"From": 0,
"To": 65535
}
]
},
"Subnet": {
"Id": "subnet-035d235a762eeed04",
"Arn": "arn:aws:ec2:us-east-2:470889052923:subnet/subnet-035d235a762eeed04",
"Name": "VPC BPA Public Subnet A"
},
"Vpc": {
"Id": "vpc-0762547ec48b6888d",
"Arn": "arn:aws:ec2:us-east-2:470889052923:vpc/vpc-0762547ec48b6888d",
"Name": "VPC BPA"
}
}
]
}
],
"AnalysisStatus": "succeeded",
"NetworkInsightsAccessScopeAnalysisId": "nisa-0aa383a1938f94cd1",
"NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ=="
}
```
The results show the traffic to and from the internet gateways in all the VPCs in your account. The results are organized as "findings". "FindingId": "AnalysisFinding-1" indicates that this is the first finding in the analysis. Note that there are multiple findings and each indicates a traffic flow that will be impacted by turning on VPC BPA. The first finding will show that traffic started at an internet gateway ("SequenceNumber": 1), passed to an NACL ("SequenceNumber": 2) to a security group ("SequenceNumber": 3) and ended at an instance ("SequenceNumber": 4).
1. Analyze the findings to understand the impact of VPC BPA on resources in your VPCs.
The impact analysis is complete.
------
## Scenario 1 - Connect to instances without VPC BPA turned on
In this section, EC2 instances in public subnets A and B are reachable from the internet through the internet gateway, which allows both inbound and outbound traffic. Instances C and D in the private subnet can initiate outbound traffic through the NAT gateway or egress-only internet gateway, but are not directly reachable from the internet. This setup provides internet access to some resources while protecting others. The purpose of this setup is to set a baseline and ensure that, before you enable VPC BPA, all instances can be reached, you'll connect to all instances and ping a public IP address.
Diagram of a VPC without VPC BPA turned on:
![\[Diagram showing a VPC without VPC BPA enabled.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-1.png)
### 1.1 Connect to instances
Complete this section to connect to your instances with VPC BPA turned off to ensure you can connect without issue. All of the instances created with the CloudFormation for this example have names like, "VPC BPA Instance A".
------
#### [ AWS Management Console ]
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. Open the Instance A details.
1. Connect to instance A using the **EC2 Instance Connect** > **Connect using EC2 Instance Connect Endpoint** option.
1. Choose **Connect**. Once you successfully connect to the instance, ping www.amazon.com to verify you can send outbound requests to the internet.
1. Use the same method you used to connect to instance A to connect to instances B, C, and D. From each instance, ping www.amazon.com to verify you can send outbound requests to the internet.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Reply from 18.225.8.244: bytes=32 time=51ms TTL=110
Reply from 18.225.8.244: bytes=32 time=61ms TTL=110
```
Note that the ping is successful and traffic is not blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~_ ####_ Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
/ /
/m/'
Last login: Fri Sep 27 18:27:57 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING www-amazon-com.customer.fastly.net (18.65.233.187) 56(84) bytes of data.
64 bytes from 18.65.233.187 (18.65.233.187): icmp_seq=15 ttl=58 time=2.06 ms
64 bytes from 18.65.233.187 (18.65.233.187): icmp_seq=16 ttl=58 time=2.26 ms
```
Note that the ping is successful and traffic is not blocked.
1. Ping Instance B using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Reply from 3.18.106.198: bytes=32 time=83ms TTL=110
Reply from 3.18.106.198: bytes=32 time=54ms TTL=110
```
Note that the ping is successful and traffic is not blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-08552a0774b5c8f72 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available.
Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
/ /
/m/'
Last login: Fri Sep 27 18:12:27 2024 from 3.16.146.5
[ec2-user@ip-10-0-2-98 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=1 ttl=249 time=1.55 ms
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=2 ttl=249 time=1.67 ms
```
Note that the ping is successful and traffic is not blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available.
Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
/ /
/m/'
Last login: Thu Sep 19 20:31:26 2024 from 10.0.2.86
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=1 ttl=248 time=1.75 ms
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=2 ttl=248 time=1.97 ms
64 bytes from server-3-160-24-26.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=3 ttl=248 time=1.08 ms
```
Note that the ping is successful and traffic is not blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output:
```
The authenticity of host '10.0.3.59 can't be established.
ECDSA key fingerprint is SHA256:c4naBCqbC61/cExDyccEproNU+1HHSpMSzl2J6cOtIZA8g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.3.59' (ECDSA) to the list of known hosts.
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
_/ _/
_/m/'
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:ee00:7:49a5:5fd4:b121 (2600:9000:25f3:ee00:7:49a5:5fd4:b121)) 56 data bytes
64 bytes from 2600:9000:25f3:ee00:7:49a5:5fd4:b121 (2600:9000:25f3:ee00:7:49a5:5fd4:b121): icmp_seq=1 ttl=58 time=1.19 ms
64 bytes from 2600:9000:25f3:ee00:7:49a5:5fd4:b121 (2600:9000:25f3:ee00:7:49a5:5fd4:b121): icmp_seq=2 ttl=58 time=1.38 ms
```
Note that the ping is successful and traffic is not blocked.
------
## Scenario 2 - Turn on VPC BPA in Bidirectional mode
In this section you'll turn on VPC BPA and block traffic to and from the internet gateways in your account.
Diagram showing VPC BPA Bidirectional mode turned on:
![\[Diagram showing VPC with VPC BPA bidirectional enabled.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-2.png)
### 2.1 Enable VPC BPA bidirectional mode
Complete this section to enable VPC BPA. VPC BPA bidirectional mode blocks all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. Choose **Edit public access settings**.
1. Choose **Turn on block public access** and **Bidirectional**, then choose **Save changes**.
1. Wait for the **Status** to change to **On**. It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
VPC BPA is now on.
------
#### [ AWS CLI ]
1. Use the modify-vpc-block-public-access-options command to turn on VPC BPA:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-bidirectional
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. View the status of VPC BPA:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-options
```
------
### 2.2 Connect to instances
Complete this section to connect to your instances.
------
#### [ AWS Management Console ]
1. Ping the public IPv4 address of Instance A and Instance B as you did in Scenario 1. Note that traffic is blocked.
1. Connect to instance A using the **EC2 Instance Connect** > **Connect using EC2 Instance Connect Endpoint** option as you did in Scenario 1. Make sure you use the endpoint option.
1. Choose **Connect**. Once you successfully connect to the instance, ping www.amazon.com. Note that all outbound traffic is blocked.
1. Use the same method you used to connect to instance A to connect to instances B, C, and D, test outbound requests to the internet. Note that all outbound traffic is blocked.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
The authenticity of host '10.0.1.85' can't be established.
ECDSA key fingerprint is SHA256:3zo/gSss+HAZ+7eTyWlOB/Ke04IM+hadjsoLJeRTWBk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.1.85' (ECDSA) to the list of known hosts.
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~_ ####_ Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
/ /
/m/'
Last login: Fri Sep 27 14:16:53 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Ping Instance B using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-08552a0774b5c8f72 --region us-east-2 --connection-type eice
```
Output:
```
The authenticity of host '10.0.2.98' can't be established.
ECDSA key fingerprint is SHA256:0IjXKKyVlDthcCfI0IPIJMUiItAOLYKRNLGTYURnFXo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.98' (ECDSA) to the list of known hosts.
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
/ /
/m/'
Last login: Fri Sep 27 14:18:16 2024 from 3.16.146.5
[ec2-user@ip-10-0-2-98 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
/ /
/m/'
Last login: Tue Sep 24 15:17:56 2024 from 10.0.2.86
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
_/ _/
_/m/'
Last login: Fri Sep 27 16:42:01 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:8200:7:49a5:5fd4:b121 (2600:9000:25f3:8200:7:49a5:5fd4:b121)) 56 data bytes
```
Note that the ping fails and traffic is blocked.
------
### 2.3 Optional: Verify connectivity is blocked with Reachability Analyzer
[VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) can be used to understand whether or not certain network paths can be reached given your network configuration, including VPC BPA settings. In this example you will analyze the same network path that was attempted earlier to confirm that VPC BPA is the reason why connectivity is failing.
------
#### [ AWS Management Console ]
1. Go to the Network Insights console at [https://console.aws.amazon.com/networkinsights/home#ReachabilityAnalyzer](https://console.aws.amazon.com/networkinsights/home#ReachabilityAnalyzer).
1. Click **Create and analyze path**.
1. For the **Source Type**, choose **Internet Gateways** and select the internet gateway tagged **VPC BPA Internet Gateway** from the **Source** dropdown.
1. For the **Destination Type**, choose **Instances** and select the instance tagged with **VPC BPA Instance A** from the **Destination** dropdown.
1. Click **Create and analyze path**.
1. Wait for the analysis to complete. It could take a few minutes.
1. Once complete, you should see that the **Reachability Status**is **Not reachable** and that the **Path details** shows that `VPC_BLOCK_PUBLIC_ACCESS_ENABLED` is the cause.
------
#### [ AWS CLI ]
1. Create a network path using the ID of the internet gateway tagged VPC BPA Internet Gateway and the ID of the instance tagged VPC BPA Instance A:
```
aws ec2 --region us-east-2 create-network-insights-path --source igw-id --destination instance-id --protocol TCP
```
1. Start an analysis on the network path:
```
aws ec2 --region us-east-2 start-network-insights-analysis --network-insights-path-id nip-id
```
1. Retrieve the results of the analysis:
```
aws ec2 --region us-east-2 describe-network-insights-analyses --network-insights-analysis-ids nia-id
```
1. Verify that `VPC_BLOCK_PUBLIC_ACCESS_ENABLED` is the `ExplanationCode` for the lack of reachability.
------
Note that you can also [Monitor VPC BPA impact with flow logs](security-vpc-bpa-assess-impact-main.md#security-vpc-bpa-fl).
## Scenario 3 - Change VPC BPA to Ingress-only mode
In this section you'll change the VPC BPA traffic direction and allow only traffic that uses a NAT gateway or egress-only internet gateway. EC2 instances A and B in the public subnets will be unreachable from the internet because BPA blocks inbound traffic through the Internet Gateway. Instances C and D in the private subnet will remain able to initiate outbound traffic through the NAT gateway and egress-only internet gateway, and therefore can still reach the internet.
Diagram of VPC BPA Ingress-only mode turned on:
![\[Diagram showing VPC with VPC BPA ingress-only enabled.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-3.png)
### 3.1 Change mode to ingress-only
Complete this section to change the mode.
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. In the **Block public access** tab, choose **Edit public access settings**.
1. Modify the public access settings in the VPC console and change the direction to **Ingress-only**.
1. Save the changes and wait for the status to be updated. It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
------
#### [ AWS CLI ]
1. Modify the VPC BPA mode:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-ingress
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. View the status of VPC BPA:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-options
```
------
### 3.2 Connect to instances
Complete this section to connect to the instances.
------
#### [ AWS Management Console ]
1. Ping the public IPv4 address of Instance A and Instance B as you did in Scenario 1. Note that traffic is blocked.
1. Connect to Instance A and B using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from them. Note that you cannot ping a public site on the internet from Instance A or B and traffic is blocked.
1. Connect to Instance C and D using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from them. Note that you can ping a public site on the internet from Instance C or D and traffic is allowed.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
The authenticity of host '10.0.1.85' can't be established.
ECDSA key fingerprint is SHA256:3zo/gSss+HAZ+7eTyWlOB/Ke04IM+hadjsoLJeRTWBk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.1.85' (ECDSA) to the list of known hosts.
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~_ ####_ Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
/ /
/m/'
Last login: Fri Sep 27 14:16:53 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Ping Instance B using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-08552a0774b5c8f72 --region us-east-2 --connection-type eice
```
Output:
```
The authenticity of host '10.0.2.98 ' can't be established.
ECDSA key fingerprint is SHA256:0IjXKKyVlDthcCfI0IPIJMUiItAOLYKRNLGTYURnFXo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.98' (ECDSA) to the list of known hosts.
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
_/ /
/m/'
Last login: Fri Sep 27 14:18:16 2024 from 3.16.146.5
[ec2-user@ip-10-0-2-98 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Tue Sep 24 15:28:09 2024 from 10.0.2.86
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=1 ttl=248 time=1.84 ms
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=2 ttl=248 time=1.40 ms
```
Note that the ping is successful and traffic is not blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 16:48:38 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:5800:7:49a5:5fd4:b121 (2600:9000:25f3:5800:7:49a5:5fd4:b121)) 56 data bytes
64 bytes from 2600:9000:25f3:5800:7:49a5:5fd4:b121 (2600:9000:25f3:5800:7:49a5:5fd4:b121): icmp_seq=14 ttl=58 time=1.47 ms
64 bytes from 2600:9000:25f3:5800:7:49a5:5fd4:b121 (2600:9000:25f3:5800:7:49a5:5fd4:b121): icmp_seq=16 ttl=58 time=1.59 ms
```
Note that the ping is successful and traffic is not blocked.
------
## Scenario 4 - Create an exclusion
In this section, you'll create an exclusion. VPC BPA will then only block traffic on the subnets *without* an exclusion. A VPC BPA exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s VPC BPA mode and will allow bidirectional or egress-only access. You can create VPC BPA exclusions for VPCs and subnets even when VPC BPA is not enabled on the account to ensure that there is no traffic disruption to the exclusions when VPC BPA is turned on.
In this example, we'll create an exclusion for Subnet A to show how traffic to exclusions is impacted by VPC BPA.
Diagram of VPC BPA Ingress-only mode turned on and Subnet A exclusion with Bidirectional mode turned on:
![\[Diagram showing VPC with VPC BPA in ingress-only mode with an exclusion.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-4.png)
### 4.1 Create an exclusion for Subnet A
Complete this section to create an exclusion. A VPC BPA exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s VPC BPA mode and will allow bidirectional or egress-only access. You can create VPC BPA exclusions for VPCs and subnets even when VPC BPA is not enabled on the account to ensure that there is no traffic disruption to the exclusions when VPC BPA is turned on.
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. In the **Block public access** tab, under **Exclusions**, choose **Create exclusions**.
1. Choose **VPC BPA Public Subnet A**, ensure that allow direction **Bidirectional** is selected, and choose **Create exclusions**.
1. Wait for the **Exclusion status** to change to **Active**. You may need to refresh the exclusion table to see the change.
The exclusion has been created.
------
#### [ AWS CLI ]
1. Modify the exclusion allow direction:
```
aws ec2 --region us-east-2 create-vpc-block-public-access-exclusion --subnet-id subnet-id --internet-gateway-exclusion-mode allow-bidirectional
```
1. It can take time for the exclusion status to update. To view the status of the exclusion:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-exclusions --exclusion-ids exclusion-id
```
------
### 4.2 Connect to instances
Complete this section to connect to the instances.
------
#### [ AWS Management Console ]
1. Ping the public IPv4 address of Instance A. Note that traffic is allowed.
1. Ping the public IPv4 address of Instance B. Note that traffic is blocked.
1. Connect to Instance A using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com. Note that you can ping a public site on the internet from Instance A. Traffic is allowed.
1. Connect to Instance B using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from it. Note that you cannot ping a public site on the internet from Instance B. Traffic is blocked.
1. Connect to Instance C and D using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from them. Note that you can ping a public site on the internet from Instance C or D. Traffic is allowed.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Reply from 18.225.8.244: bytes=32 time=51ms TTL=110
Reply from 18.225.8.244: bytes=32 time=61ms TTL=110
```
Note that the ping is successful and traffic is not blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~_ ####_ Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
/ /
/m/'
Last login: Fri Sep 27 17:58:12 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=1 ttl=249 time=1.03 ms
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=2 ttl=249 time=1.72 ms
```
Note that the ping is successful and traffic is not blocked.
1. Ping Instance B using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-08552a0774b5c8f72 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
_/ /
/m/'
Last login: Fri Sep 27 18:12:03 2024 from 3.16.146.5
[ec2-user@ip-10-0-2-98 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, # ~_ #### Amazon Linux 2023
~~ _#####\ ~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~.. _/
_/ /
/m/'
Last login: Tue Sep 24 15:28:09 2024 from 10.0.2.86
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=1 ttl=248 time=1.84 ms
64 bytes from server-3-160-24-126.cmh68.r.cloudfront.net (18.65.233.187): icmp_seq=2 ttl=248 time=1.40 ms
```
Note that the ping is successful and traffic is not blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:00:52 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(g2600-141f-4000-059a-0000-0000-0000-3bd4.deploy.static.akamaitechnologies.com (2600:141f:4000:59a::3bd4)) 56 data bytes
64 bytes from g2600-141f-4000-059a-0000-0000-0000-3bd4.deploy.static.akamaitechnologies.com (2600:141f:4000:59a::3bd4): icmp_seq=1 ttl=48 time=15.9 ms
64 bytes from g2600-141f-4000-059a-0000-0000-0000-3bd4.deploy.static.akamaitechnologies.com (2600:141f:4000:59a::3bd4): icmp_seq=2 ttl=48 time=15.8 ms
```
Note that the ping is successful and traffic is not blocked.
------
### 4.3 Optional: Verify connectivity with Reachability Analyzer
Using the same network path created in Reachability Analyzer in Scenario 2, you can now run a new analysis and confirm that the path is reachable now that an exclusion has been created for Public Subnet A.
For information about the regional availability of Reachability Analyzer, see [Considerations](https://docs.aws.amazon.com/vpc/latest/reachability/how-reachability-analyzer-works.html#considerations) in the *Reachability Analyzer Guide*.
------
#### [ AWS Management Console ]
1. From the Network Path you created earlier in the Network Insights console, click **Re-run analysis**.
1. Wait for the analysis to complete. It may take several minutes.
1. Confirm that the path is now **Reachable**.
------
#### [ AWS CLI ]
1. Using the network path ID created earlier, start a new analysis:
```
aws ec2 --region us-east-2 start-network-insights-analysis --network-insights-path-id nip-id
```
1. Retrieve the results of the analysis:
```
aws ec2 --region us-east-2 describe-network-insights-analyses --network-insights-analysis-ids nia-id
```
1. Confirm that the `VPC_BLOCK_PUBLIC_ACCESS_ENABLED` explanation code is no longer present.
------
## Scenario 5 - Modify exclusion mode
In this section you'll change the allow traffic direction on the exclusion to see how it impacts VPC BPA.
**Note**
In this scenario, you'll change the exclusion mode to Egress-only. Note that when you do this, the Egress-only exclusion on Subnet A doesn't allow outbound traffic, which is counterintuitive because you’d expect it to permit outbound traffic. However, since the account-level BPA is Ingress-only, Egress-only exclusions are ignored, and Subnet A’s routing to an internet gateway is restricted by VPC BPA, blocking outbound traffic. To enable outbound traffic on Subnet A, you'd have to switch VPC BPA to Bidirectional mode.
Diagram of VPC BPA Ingress-only mode turned on and Subnet A exclusion with egress-only mode turned on:
![\[Diagram showing VPC with VPC BPA in ingress-only mode, allowing outbound traffic through NAT gateway.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-5.png)
### 5.1 Change exclusion allow direction to egress-only
Complete this section to change the exclusion allow direction.
------
#### [ AWS Management Console ]
1. Edit the exclusion you created in Scenario 4 and change the allow direction to **Egress-only**.
1. Choose **Save changes**.
1. Wait for the **Exclusion** status to change to **Active**. It may take a few minutes for VPC BPA settings to take effect and the status to be updated. You may need to refresh the exclusion table to see the change.
------
#### [ AWS CLI ]
1. Modify the exclusion allow direction:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-exclusion --exclusion-id exclusion-id --internet-gateway-exclusion-mode allow-egress
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. It can take time for the exclusion status to update. To view the status of the exclusion:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-exclusion
```
------
### 5.2 Connect to instances
Complete this section to connect to the instances.
------
#### [ AWS Management Console ]
1. Ping the public IPv4 address of Instance A and B. Note that traffic is blocked.
1. Connect to Instance A and B using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com. Note that you cannot ping a public site on the internet from Instance A or B. Traffic is blocked.
1. Connect to Instance C and D using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from them. Note that you can ping a public site on the internet from Instance C or D. Traffic is allowed.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:09:55 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Ping Instance B using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:09:55 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:00:31 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:a600:7:49a5:5fd4:b121 (2600:9000:25f3:a600:7:49a5:5fd4:b121)) 56 data bytes
64 bytes from 2600:9000:25f3:a600:7:49a5:5fd4:b121 (2600:9000:25f3:a600:7:49a5:5fd4:b121): icmp_seq=1 ttl=58 time=1.51 ms
64 bytes from 2600:9000:25f3:a600:7:49a5:5fd4:b121 (2600:9000:25f3:a600:7:49a5:5fd4:b121): icmp_seq=2 ttl=58 time=1.49 ms
```
Note that the ping is successful and traffic is not blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:13:55 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(2606:2cc0::374 (2606:2cc0::374)) 56 data bytes
64 bytes from 2606:2cc0::374 (2606:2cc0::374): icmp_seq=1 ttl=58 time=1.21 ms
64 bytes from 2606:2cc0::374 (2606:2cc0::374): icmp_seq=2 ttl=58 time=1.51 ms
```
Note that the ping is successful and traffic is not blocked.
------
## Scenario 6 - Modify VPC BPA mode
In this section you'll change the VPC BPA block direction to see how it impacts traffic. In this scenario, VPC BPA enabled in bidirectional mode blocks all traffic just like in Scenario 1. Unless an exclusion has access to a NAT gateway or egress-only internet gateway, traffic is blocked.
Diagram of VPC BPA Bidirectional mode turned on and Subnet A exclusion with egress-only mode turned on:
![\[Diagram showing VPC with VPC BPA in ingress-only mode, allowing outbound traffic through NAT gateway\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-bpa-6.png)
### 6.1 Change VPC BPA to bidirectional mode
Complete this section to change the VPC BPA mode.
------
#### [ AWS Management Console ]
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. On the left navigation pane, choose **Settings**.
1. Choose **Edit public access settings**.
1. Change the block direction to **Bidirectional** then choose **Save changes**.
1. Wait for the **Status** to change to **On**. It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
------
#### [ AWS CLI ]
1. Modify the VPC BPA block direction:
```
aws ec2 --region us-east-2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-bidirectional
```
It may take a few minutes for VPC BPA settings to take effect and the status to be updated.
1. View the status of VPC BPA:
```
aws ec2 --region us-east-2 describe-vpc-block-public-access-options
```
------
### 6.2 Connect to instances
Complete this section to connect to the instances.
------
#### [ AWS Management Console ]
1. Ping the public IPv4 address of Instance A and B. Note that traffic is blocked.
1. Connect to Instance A and B using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com. Note that you cannot ping a public site on the internet from Instance A or B. Traffic is blocked.
1. Connect to Instance C and D using EC2 instance connect as you did in Scenario 1 and ping www.amazon.com from them. Note that you cannot ping a public site on the internet from Instance C or D. Traffic is blocked.
------
#### [ AWS CLI ]
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 18.225.8.244
```
Output:
```
Pinging 18.225.8.244 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:17:44 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Ping Instance A using the public IPv4 address to check inbound traffic:
```
ping 3.18.106.198
```
Output:
```
Pinging 3.18.106.198 with 32 bytes of data:
Request timed out.
```
Note that the ping fails and traffic is blocked.
1. Use the private IPv4 address to connect and check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-058db34f9a0997895 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:09:55 2024 from 3.16.146.5
[ec2-user@ip-10-0-1-85 ~]$ ping www.amazon.com
PING d3ag4hukkh62yn.cloudfront.net (18.65.233.187) 56(84) bytes of data.
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance C. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-04eca55f2a482b2c4 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:19:45 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-180 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:6200:7:49a5:5fd4:b121 (2600:9000:25f3:6200:7:49a5:5fd4:b121)) 56 data bytes
```
Note that the ping fails and traffic is blocked.
1. Connect to Instance D. Since there is no public IP address to ping, use EC2 Instance Connect to connect and then ping a public IP from the instance to check outbound traffic:
```
aws ec2-instance-connect ssh --instance-id i-05f9e6a9cfac1dba0 --region us-east-2 --connection-type eice
```
Output:
```
A newer release of "Amazon Linux" is available. Version 2023.5.20240916:
Run "/usr/bin/dnf check-release-update" for full release and version update info
, #_ ~\_ ####_ Amazon Linux 2023
~~ \_#####\ ~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Fri Sep 27 18:20:58 2024 from 3.16.146.5
[ec2-user@ip-10-0-3-59 ~]$ ping www.amazon.com
PING www.amazon.com(2600:9000:25f3:b400:7:49a5:5fd4:b121 (2600:9000:25f3:b400:7:49a5:5fd4:b121)) 56 data bytes
```
Note that the ping fails and traffic is blocked.
------
## Cleanup
In this section you'll delete all of the resources you've created for this advanced example. It's important to cleanup the resources to avoid excess additional charges for resources created in your account.
### Delete the CloudFormation resources
Complete this section to delete the resources you created with the CloudFormation template.
------
#### [ AWS Management Console ]
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation/](https://console.aws.amazon.com/cloudformation/).
1. Choose the VPC BPA stack.
1. Choose **Delete**.
1. Once you start deleting the stack, view the **Events** tab to view progress and ensure that the stack is deleted. You may have to [force delete the stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) for it to be fully deleted.
------
#### [ AWS CLI ]
1. Delete the CloudFormation stack. You may have to [force delete the stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) for it to be fully deleted.
```
aws cloudformation delete-stack --stack-name VPC-BPA-stack --region us-east-2
```
1. View the progress and ensure that the stack is deleted.
```
aws cloudformation describe-stack-events --stack-name VPC-BPA-stack --region us-east-2
```
------
### Track exclusion deletion using CloudTrail
Complete this section to track exclusion deletion using AWS CloudTrail. CloudTrail entries appear when you delete an exclusion.
------
#### [ AWS Management Console ]
You can view any deleted exclusions in the CloudTrail Event history by looking up **Resource type** > **AWS::EC2::VPCBlockPublicAccessExclusion** in the AWSCloudTrail console at [https://console.aws.amazon.com/cloudtrailv2/](https://console.aws.amazon.com/cloudtrailv2/).
------
#### [ AWS CLI ]
You can use the lookup-events command to view the events related to deleting exclusions:
```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::VPCBlockPublicAccessExclusion
```
------
The advanced example is complete.