

# Networking

**Note**  
Creating a VPC network is **optional** with Amazon MWAA Serverless.

An Amazon VPC is a virtual network that is linked to your AWS account. It gives you cloud security and the ability to scale dynamically by providing fine-grained control over your virtual infrastructure and network traffic segmentation. This page describes the Amazon VPC infrastructure with *public routing* (the Amazon VPC network has access to the internet) or *private routing* (the Amazon VPC network does not have access to the internet).

To learn more about VPCs in AWS, refer to [AWS PrivateLink concepts](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html).

## VPC support


The following table describes the types of Amazon VPCs Amazon MWAA Serverless supports.


| Amazon VPC types | Supported | 
| --- | --- | 
|  An Amazon VPC owned by the customer that is attempting to create the workflow.  |  Yes  | 
|  A shared Amazon VPC owned by service to host customer tasks.  |  Yes  | 

## VPC infrastructure overview


VPC endpoints appear as Elastic Network Interfaces (ENIs) with private IPs in your Amazon VPC. After these endpoints are created, any traffic destined to these IPs is privately or publicly routed to the corresponding AWS services that are used by your workflow.

The following section describes the Amazon VPC infrastructure required to route traffic publicly *over the internet*, or privately *within your Amazon VPC*.

### Public routing over the internet


This section describes the Amazon VPC infrastructure of a workflow with public routing. You'll need the following VPC infrastructure:
+ **One VPC security group**. A VPC security group acts as a virtual firewall to control ingress (inbound) and egress (outbound) network traffic on an instance.
  + Up to 5 security groups can be specified.
  + The security groups **must** be part of the same VPC.
  + The security group **must** specify a self-referencing inbound rule to itself.
  + The security group **must** specify an outbound rule for all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
  + The security group **must** allow all traffic in the self-referencing rule. For example, [(Recommended) Example all access self-referencing security group](networking-security.md#networking-security-sg-example).
+ **Two private subnets**. A private subnet is a subnet that's **not** associated with a route table that has a route to an internet gateway.
  + **Minimum 2** and **Maximum 16** subnets are supported in Amazon MWAA Serverless.
  + These subnets **must** be private.
  + At least two subnets **must** be in different Availability Zones, for example `us-east-1a` and `us-east-1b`. This allows Amazon MWAA Serverless to run your workflow tasks in the other Availability Zone if one container fails.
  + The subnets **must** have a route table to a NAT device (gateway or instance).
  + The subnets **must not** route to an internet gateway.
  + Set `assignIpV6AddressOnCreation` to `true` for IPv6 subnets.
  + For IPv6 private subnets, you **must** have a connection to an egress-only internet gateway (EIGW).
+ **A network access control list (ACL)**. An NACL manages (by allow or deny rules) inbound and outbound traffic at the subnet level.
  + The NACL **must** have an inbound rule that allows all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
  + The NACL **must** have an outbound rule that allows all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
+ **Two NAT gateways (or NAT instances)**. A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then routes the response back to the instances.
  + The NAT device **must** be attached to a public subnet. (One NAT device per public subnet.)
  + The NAT device **must** have an Elastic IPv4 Address (EIP) attached to each public subnet.
+ **An internet gateway**. An internet gateway connects an Amazon VPC to the internet and other AWS services.
  + An internet gateway **must** be attached to the Amazon VPC.

### Private routing without internet access


This section describes the Amazon VPC infrastructure of a workflow with *private routing*. You'll need the following VPC infrastructure:
+ **One VPC security group**. A VPC security group acts as a virtual firewall to control ingress (inbound) and egress (outbound) network traffic on an instance.
  + Up to 5 security groups can be specified.
  + The security groups **must** be part of the same VPC.
  + The security group **must** specify a self-referencing inbound rule to itself.
  + The security group **must** specify an outbound rule for all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
+ **Two private subnets**. A private subnet is a subnet that's **not** associated with a route table that has a route to an internet gateway.
  + **Minimum 2** and **Maximum 16** subnets are supported in Amazon MWAA Serverless.
  + These subnets **must** be private.
  + At least two subnets **must** be in different Availability Zones, for example `us-east-1a` and `us-east-1b`. This allows Amazon MWAA Serverless to run your workflow tasks in the other Availability Zone if one container fails.
  + The subnets **must** have a route table to your VPC endpoints.
  + The subnets **must** have a route table to an EIGW in order to download from the internet as part of a DAG.
  + The subnets **must not** have a route table to a NAT device (gateway or instance), **nor** an internet gateway.
+ **A network access control list (ACL)**. An NACL manages (by allow or deny rules) inbound and outbound traffic at the subnet level.
  + The NACL **must** have an inbound rule that allows all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
  + The NACL **must** have an outbound rule that denies all traffic (`0.0.0.0/0`; for IPv6, use `::/0`).
  + For example, [(Recommended) Example ACLs](networking-security.md#networking-security-acl-example).
+ **A local route table**. A local route table is a default route for communication within the VPC.
  + The local route table **must** be associated to your private subnets.
  + The local route table **must** enable instances in your VPC to communicate with your own network. For example, if you're using an AWS Client VPN to access the VPC interface endpoint for your Apache Airflow *Web server*, the route table must route to the VPC endpoint.
+ **VPC endpoints** for each AWS service that your workflow uses, and Apache Airflow VPC endpoints in the same AWS Region and Amazon VPC as your Amazon MWAA Serverless workflow.
  + A VPC endpoint for each AWS service that your workflow uses and VPC endpoints for Apache Airflow.
  + The VPC endpoints **must** have private DNS enabled.
  + The VPC endpoints **must** be associated to your workflow's two private subnets.
  + The VPC endpoints **must** be associated to your workflow's security group.
  + The VPC endpoint policy for each endpoint should be configured to allow access to AWS services used by the workflow. For example, [(Recommended) Example VPC endpoint policy to allow all access](networking-security.md#networking-security-policies-all).
  + A VPC endpoint policy for Amazon S3 should be configured to allow bucket access. For example, [(Recommended) Example Amazon S3 gateway endpoint policy to allow bucket access](networking-security.md#networking-security-external-policies-s3).
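
The following script is an added example, not part of the AWS documentation: it checks the subnets, route tables and security groups of an existing VPC against the public-routing and private-routing requirements listed in the two sections above (subnet count and Availability Zones, no internet gateway route, NAT route present or absent, self-referencing all-traffic inbound rule, all-traffic outbound rule). It works on the plain dictionaries that boto3's `describe_subnets`, `describe_route_tables` and `describe_security_groups` return, so it runs offline on the constructed sample at the bottom; all resource IDs in the sample are made up.

```python
# Added example (not AWS code): validate a VPC against the MWAA Serverless requirements.
from typing import Dict, List

MIN_SUBNETS, MAX_SUBNETS, MAX_SECURITY_GROUPS = 2, 16, 5
DEFAULT_ROUTES = ("0.0.0.0/0", "::/0")


def route_table_for(subnet: Dict, route_tables: List[Dict]) -> Dict:
    """Route table explicitly associated with the subnet, else the VPC's main table."""
    main: Dict = {}
    for rt in route_tables:
        if rt.get("VpcId") != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_targets(rt: Dict) -> List[str]:
    """IDs of the targets that the table's default routes (0.0.0.0/0, ::/0) point at."""
    targets = []
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_ROUTES:
            for key in ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId", "InstanceId"):
                if route.get(key):
                    targets.append(route[key])
    return targets


def check_subnets(subnets: List[Dict], route_tables: List[Dict], routing: str) -> List[str]:
    """Return requirement violations for 'public' or 'private' routing; [] means compliant."""
    findings = []
    if not MIN_SUBNETS <= len(subnets) <= MAX_SUBNETS:
        findings.append(f"{len(subnets)} subnets given; {MIN_SUBNETS} to {MAX_SUBNETS} are supported")
    if len({s["VpcId"] for s in subnets}) > 1:
        findings.append("subnets must belong to the same VPC")
    if len({s["AvailabilityZone"] for s in subnets}) < 2:
        findings.append("at least two subnets must be in different Availability Zones")
    for s in subnets:
        targets = default_route_targets(route_table_for(s, route_tables))
        # A default route to an internet gateway (igw-) makes the subnet public;
        # a NAT gateway (nat-) or NAT instance (i-) is required for public routing only.
        if any(t.startswith("igw-") for t in targets):
            findings.append(f"{s['SubnetId']} routes to an internet gateway; subnets must be private")
        has_nat = any(t.startswith(("nat-", "i-")) for t in targets)
        if routing == "public" and not has_nat:
            findings.append(f"{s['SubnetId']} has no default route to a NAT device")
        if routing == "private" and has_nat:
            findings.append(f"{s['SubnetId']} routes to a NAT device, which private routing forbids")
    return findings


def check_security_groups(groups: List[Dict]) -> List[str]:
    """Check the self-referencing all-traffic inbound rule and the all-traffic outbound rule."""
    findings = []
    if not 1 <= len(groups) <= MAX_SECURITY_GROUPS or len({g["VpcId"] for g in groups}) > 1:
        findings.append(f"need 1 to {MAX_SECURITY_GROUPS} security groups, all in the same VPC")
    for g in groups:
        gid = g["GroupId"]
        self_ref = any(
            p.get("IpProtocol") == "-1"  # -1 = all protocols, all ports
            and any(pair.get("GroupId") == gid for pair in p.get("UserIdGroupPairs", []))
            for p in g.get("IpPermissions", []))
        egress_all = any(
            p.get("IpProtocol") == "-1"
            and (any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
                 or any(r.get("CidrIpv6") == "::/0" for r in p.get("Ipv6Ranges", [])))
            for p in g.get("IpPermissionsEgress", []))
        if not self_ref:
            findings.append(f"{gid} lacks a self-referencing all-traffic inbound rule")
        if not egress_all:
            findings.append(f"{gid} lacks an all-traffic outbound rule (0.0.0.0/0 or ::/0)")
    return findings


# Constructed sample (made-up IDs): two private subnets in different AZs, each
# with a default route to its own NAT gateway, plus one self-referencing group.
VPC = "vpc-0123456789abcdef0"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": VPC, "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0bbb", "VpcId": VPC, "AvailabilityZone": "us-east-1b"},
]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": VPC, "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    {"VpcId": VPC, "Associations": [{"SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]
SAMPLE_GROUPS = [{
    "GroupId": "sg-0ccc", "VpcId": VPC,
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}]

if __name__ == "__main__":
    print("public routing:", check_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, "public") or "OK")
    print("security groups:", check_security_groups(SAMPLE_GROUPS) or "OK")
```

The sample passes the public-routing checks and fails the private-routing ones (its subnets route to NAT gateways), which is the distinction the two lists draw.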

# Create a VPC network


Creating a VPC network is **optional** with Amazon MWAA Serverless. This section describes the different options you can use if you choose to create an Amazon VPC network.

To learn how to manage access to your VPC, refer to [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html).

**Tip**  
Apache Airflow works best in a low-latency network environment. If you are using an existing Amazon VPC that routes traffic to another Region or to an on-premises environment, we recommend adding AWS PrivateLink endpoints for CloudWatch and AWS KMS. For more information about configuring AWS PrivateLink for Amazon MWAA Serverless, refer to [Access Amazon MWAA Serverless using an interface endpoint (AWS PrivateLink)](networking-privatelink.md).

## Prerequisites


The AWS Command Line Interface (AWS CLI) is an open source tool that enables you to interact with AWS services using commands in your command-line shell. To complete the steps on this page, you need the following:
+ [Install AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).
+ [Quick configuration with `aws configure`](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

## Create your Amazon VPC network


You have the following options to create an Amazon VPC network:
+ [Create an Amazon VPC network with internet access](#create-vpc-template-private-public)
+ [Create an Amazon VPC network without internet access](#create-vpc-template-private)

**Note**  
Amazon MWAA Serverless does not support the use of the `use1-az3` Availability Zone (AZ) in the US East (N. Virginia) Region. When creating the VPC for Amazon MWAA Serverless in the US East (N. Virginia) Region, you must explicitly assign the `AvailabilityZone` in the CloudFormation (CFN) template. The assigned Availability Zone name must not be mapped to `use1-az3`. You can retrieve the detailed mapping of AZ names to their corresponding AZ IDs by running the following command:

```
aws ec2 describe-availability-zones --region us-east-1
```
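
The following is an added example, not part of the AWS documentation. It parses the JSON printed by the `describe-availability-zones` command above (here a constructed sample, since the name-to-ID mapping is randomized per account) and returns the AZ names to hard-code in the template's `AvailabilityZone` fields, skipping any name that maps to `use1-az3`. It also reports whether the template's `!Select [0, !GetAZs '']` / `!Select [1, !GetAZs '']` defaults, which pick the first two AZ names in alphabetical order (the order CloudFormation documents for `Fn::GetAZs`), would land on the unsupported zone in that account.

```python
# Added example (not AWS code): choose AZ names for the template that avoid use1-az3.
import json
from typing import List

UNSUPPORTED_ZONE_IDS = {"use1-az3"}  # not supported by Amazon MWAA Serverless


def _available_zones(describe_output: str) -> List[dict]:
    """Available zones (not Local Zones or Wavelength Zones), sorted by name."""
    zones = json.loads(describe_output)["AvailabilityZones"]
    return sorted((z for z in zones if z.get("State") == "available"
                   and z.get("ZoneType", "availability-zone") == "availability-zone"),
                  key=lambda z: z["ZoneName"])


def unsupported_zone_names(describe_output: str) -> List[str]:
    """AZ names that map to an unsupported zone ID in this account."""
    return [z["ZoneName"] for z in _available_zones(describe_output)
            if z["ZoneId"] in UNSUPPORTED_ZONE_IDS]


def eligible_zone_names(describe_output: str, needed: int = 2) -> List[str]:
    """First `needed` AZ names (alphabetical) whose zone ID is supported."""
    names = [z["ZoneName"] for z in _available_zones(describe_output)
             if z["ZoneId"] not in UNSUPPORTED_ZONE_IDS]
    if len(names) < needed:
        raise ValueError(f"only {len(names)} eligible zones; {needed} required")
    return names[:needed]


def default_getazs_is_safe(describe_output: str) -> bool:
    """Would `!Select [0/1, !GetAZs '']` (alphabetical order) avoid the unsupported zone?"""
    first_two = [z["ZoneName"] for z in _available_zones(describe_output)][:2]
    return not set(first_two) & set(unsupported_zone_names(describe_output))


# Constructed sample in the shape of `describe-availability-zones` output; in this
# made-up account us-east-1b happens to be use1-az3. Always use your own output.
SAMPLE = json.dumps({"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az6", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az3", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az1", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1d", "ZoneId": "use1-az2", "State": "available", "ZoneType": "availability-zone"},
]})

if __name__ == "__main__":
    if not default_getazs_is_safe(SAMPLE):
        print("template defaults would pick an unsupported AZ:", unsupported_zone_names(SAMPLE))
    print("use these AvailabilityZone values:", eligible_zone_names(SAMPLE))
```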

For more information about VPCs and networking, refer to [Get started with AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/getting-started.html) in the AWS PrivateLink User Guide.

### Create an Amazon VPC network with internet access


The following CloudFormation template creates an Amazon VPC network *with internet access* in your default AWS Region. This option uses public routing over the internet. This template can be used for an Apache Airflow *Web server* with the **Private network** or **Public network** access modes.

1. Copy the contents of the following template and save locally as `cfn-vpc-public-private.yaml`.

   ```
   Description:  This template deploys a VPC, with a pair of public and private subnets spread
     across two Availability Zones. It deploys an internet gateway, with a default
     route on the public subnets. It deploys a pair of NAT gateways (one in each AZ),
     and default routes for them in the private subnets.
   
   Parameters:
     EnvironmentName:
       Description: An environment name that is prefixed to resource names
       Type: String
       Default: mwaa-
   
     VpcCIDR:
       Description: Please enter the IP range (CIDR notation) for this VPC
       Type: String
       Default: 10.192.0.0/16
   
     PublicSubnet1CIDR:
       Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
       Type: String
       Default: 10.192.10.0/24
   
     PublicSubnet2CIDR:
       Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
       Type: String
       Default: 10.192.11.0/24
   
     PrivateSubnet1CIDR:
       Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
       Type: String
       Default: 10.192.20.0/24
   
     PrivateSubnet2CIDR:
       Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
       Type: String
       Default: 10.192.21.0/24
   
   Resources:
     VPC:
       Type: AWS::EC2::VPC
       Properties:
         CidrBlock: !Ref VpcCIDR
         EnableDnsSupport: true
         EnableDnsHostnames: true
         Tags:
           - Key: Name
             Value: !Ref EnvironmentName
   
     InternetGateway:
       Type: AWS::EC2::InternetGateway
       Properties:
         Tags:
           - Key: Name
             Value: !Ref EnvironmentName
   
     InternetGatewayAttachment:
       Type: AWS::EC2::VPCGatewayAttachment
       Properties:
         InternetGatewayId: !Ref InternetGateway
         VpcId: !Ref VPC
   
     PublicSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 0, !GetAZs '' ]
         CidrBlock: !Ref PublicSubnet1CIDR
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Subnet (AZ1)
   
     PublicSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 1, !GetAZs  '' ]
         CidrBlock: !Ref PublicSubnet2CIDR
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Subnet (AZ2)
   
     PrivateSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 0, !GetAZs  '' ]
         CidrBlock: !Ref PrivateSubnet1CIDR
         MapPublicIpOnLaunch: false
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Subnet (AZ1)
   
     PrivateSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 1, !GetAZs  '' ]
         CidrBlock: !Ref PrivateSubnet2CIDR
         MapPublicIpOnLaunch: false
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Subnet (AZ2)
   
     NatGateway1EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
   
     NatGateway2EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
   
     NatGateway1:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway1EIP.AllocationId
         SubnetId: !Ref PublicSubnet1
   
     NatGateway2:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway2EIP.AllocationId
         SubnetId: !Ref PublicSubnet2
   
     PublicRouteTable:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Routes
   
     DefaultPublicRoute:
       Type: AWS::EC2::Route
       DependsOn: InternetGatewayAttachment
       Properties:
         RouteTableId: !Ref PublicRouteTable
         DestinationCidrBlock: 0.0.0.0/0
         GatewayId: !Ref InternetGateway
   
     PublicSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet1
   
     PublicSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet2
   
   
     PrivateRouteTable1:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Routes (AZ1)
   
     DefaultPrivateRoute1:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway1
   
     PrivateSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         SubnetId: !Ref PrivateSubnet1
   
     PrivateRouteTable2:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Routes (AZ2)
   
     DefaultPrivateRoute2:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway2
   
     PrivateSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         SubnetId: !Ref PrivateSubnet2
   
     SecurityGroup:
       Type: AWS::EC2::SecurityGroup
       Properties:
         GroupName: "mwaa-security-group"
         GroupDescription: "Security group with a self-referencing inbound rule."
         VpcId: !Ref VPC
   
     SecurityGroupIngress:
       Type: AWS::EC2::SecurityGroupIngress
       Properties:
         GroupId: !Ref SecurityGroup
         IpProtocol: "-1"
         SourceSecurityGroupId: !Ref SecurityGroup
   
   Outputs:
     VPC:
       Description: A reference to the created VPC
       Value: !Ref VPC
   
     PublicSubnets:
       Description: A list of the public subnets
       Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]]
   
     PrivateSubnets:
       Description: A list of the private subnets
       Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]]
   
     PublicSubnet1:
       Description: A reference to the public subnet in the 1st Availability Zone
       Value: !Ref PublicSubnet1
   
     PublicSubnet2:
       Description: A reference to the public subnet in the 2nd Availability Zone
       Value: !Ref PublicSubnet2
   
     PrivateSubnet1:
       Description: A reference to the private subnet in the 1st Availability Zone
       Value: !Ref PrivateSubnet1
   
     PrivateSubnet2:
       Description: A reference to the private subnet in the 2nd Availability Zone
       Value: !Ref PrivateSubnet2
   
     SecurityGroupIngress:
       Description: Security group with self-referencing inbound rule
       Value: !Ref SecurityGroupIngress
   ```

1. In your command prompt, navigate to the directory where `cfn-vpc-public-private.yaml` is stored. For example:

   ```
   cd mwaaproject
   ```

1. Use the [`create-stack`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html) command to create the stack using the AWS CLI.

   ```
   aws cloudformation create-stack --stack-name mwaa-serverless-workflow --template-body file://cfn-vpc-public-private.yaml
   ```
**Note**  
It takes about 30 minutes to create the Amazon VPC infrastructure.

### Create an Amazon VPC network without internet access


The following CloudFormation template creates an Amazon VPC network *without internet access* in your default AWS Region.

This option uses private routing without internet access. You can use this template for an Apache Airflow *Web server* with **Private network** access mode only. It creates the required VPC endpoints for the AWS services that are used by a workflow. For more information, refer to [Attaching the required VPC endpoints](https://docs.aws.amazon.com/mwaa/latest/userguide/vpc-vpe-create-access.html#vpc-vpe-create-view-endpoints-attach-all) in the Amazon MWAA User Guide.

1. Copy the contents of the following template and save locally as `cfn-vpc-private.yaml`.

   ```
   AWSTemplateFormatVersion: "2010-09-09"
        
   Parameters:
      VpcCIDR:
        Description: The IP range (CIDR notation) for this VPC
        Type: String
        Default: 10.192.0.0/16
        
      PrivateSubnet1CIDR:
        Description: The IP range (CIDR notation) for the private subnet in the first Availability Zone
        Type: String
        Default: 10.192.10.0/24
        
      PrivateSubnet2CIDR:
        Description: The IP range (CIDR notation) for the private subnet in the second Availability Zone
        Type: String
        Default: 10.192.11.0/24
        
   Resources:
      VPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: !Ref VpcCIDR
          EnableDnsSupport: true
          EnableDnsHostnames: true
          Tags:
           - Key: Name
             Value: !Ref AWS::StackName
        
      RouteTable:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref VPC
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName}-route-table"
        
      PrivateSubnet1:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 0, !GetAZs  '' ]
          CidrBlock: !Ref PrivateSubnet1CIDR
          MapPublicIpOnLaunch: false
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName} Private Subnet (AZ1)"
        
      PrivateSubnet2:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 1, !GetAZs  '' ]
          CidrBlock: !Ref PrivateSubnet2CIDR
          MapPublicIpOnLaunch: false
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName} Private Subnet (AZ2)"
        
      PrivateSubnet1RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref RouteTable
          SubnetId: !Ref PrivateSubnet1
        
      PrivateSubnet2RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref RouteTable
          SubnetId: !Ref PrivateSubnet2
        
      SecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          VpcId: !Ref VPC
          GroupDescription: Security Group for Amazon MWAA Environments to access VPC endpoints
          GroupName: !Sub "${AWS::StackName}-mwaa-serverless-security-group"
      
      SecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: !Ref SecurityGroup
          IpProtocol: "-1"
          SourceSecurityGroupId: !Ref SecurityGroup
      
      CloudWatchLogsVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.logs"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
        
      CloudWatchMonitoringVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.monitoring"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
        
      KmsVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.kms"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
   
   
   Outputs:
      VPC:
        Description: A reference to the created VPC
        Value: !Ref VPC
        
      MwaaSecurityGroupId:
        Description: Associates the Security Group to the environment to allow access to the VPC endpoints 
        Value: !Ref SecurityGroup
        
      PrivateSubnets:
        Description: A list of the private subnets
        Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]]
        
      PrivateSubnet1:
        Description: A reference to the private subnet in the 1st Availability Zone
        Value: !Ref PrivateSubnet1
        
      PrivateSubnet2:
        Description: A reference to the private subnet in the 2nd Availability Zone
        Value: !Ref PrivateSubnet2
   ```

1. In your command prompt, navigate to the directory where `cfn-vpc-private.yaml` is stored. For example:

   ```
   cd mwaaproject
   ```

1. Use the [`create-stack`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html) command to create the stack using the AWS CLI.

   ```
   aws cloudformation create-stack --stack-name mwaa-serverless-private-workflow --template-body file://cfn-vpc-private.yaml
   ```
**Note**  
It takes about 30 minutes to create the Amazon VPC infrastructure.

1. You'll need to create a mechanism to access these VPC endpoints from your computer. To learn more, refer to [Managing access to service-specific Amazon VPC endpoints on Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/vpc-vpe-access.html) in the Amazon MWAA User Guide.

**Note**  
You can further restrict outbound access from your Amazon MWAA Serverless security group. For example, you can limit egress to the security group itself by adding a self-referencing outbound rule, and to the CIDR of your Amazon VPC.

# Security in your VPC on Amazon MWAA Serverless

Learn about the Amazon VPC components used to secure your Amazon MWAA Serverless workflow and the configurations needed for these components.

**Contents**
+ [Security overview](#networking-security-about)
+ [Network access control lists (ACLs)](#networking-security-acl)
  + [(Recommended) Example ACLs](#networking-security-acl-example)
+ [VPC security groups](#networking-security-sg)
  + [(Recommended) Example all access self-referencing security group](#networking-security-sg-example)
  + [(Optional) Example security group that restricts inbound access to port 443](#networking-security-sg-port443)
+ [VPC endpoint policies (private routing only)](#networking-security-policies)
  + [(Recommended) Example VPC endpoint policy to allow all access](#networking-security-policies-all)
  + [(Recommended) Example Amazon S3 gateway endpoint policy to allow bucket access](#networking-security-external-policies-s3)

## Security overview


Security groups and access control lists (ACLs) provide ways to control the network traffic across the subnets and instances in your Amazon VPC using rules that you specify.
+ Network traffic to and from a subnet can be controlled by ACLs. You only need one ACL, and the same ACL can be used on multiple workflows.
+ Network traffic to and from an instance can be controlled by an Amazon VPC security group. You can use between one and five security groups per workflow.
+ Network traffic to and from an instance can also be controlled by VPC endpoint policies. If internet access within your Amazon VPC is not allowed by your organization and you're using an Amazon VPC network with *private routing*, a VPC endpoint is required. You can optionally attach a policy to the endpoint to further restrict access to specific resources that are relevant to the service for which the endpoint was created. For example, if you have an AWS KMS VPC endpoint, you can write a policy that restricts actions to certain AWS KMS keys.

## Network access control lists (ACLs)


A [network access control list (ACL)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) can manage (by allow or deny rules) inbound and outbound traffic at the *subnet* level. An ACL is stateless, which means that inbound and outbound rules must be specified separately and explicitly. It is used to specify the types of network traffic that are allowed in or out from the instances in a VPC network.

Every Amazon VPC has a default ACL that allows all inbound and outbound traffic. You can edit the default ACL rules, or create a custom ACL and attach it to your subnets. A subnet can only have one ACL attached to it at any time, but one ACL can be attached to multiple subnets.

### (Recommended) Example ACLs


The following example shows the *inbound* and *outbound* ACL rules that can be used for an Amazon VPC with *public routing* (the Amazon VPC network has access to the internet) or *private routing* (the Amazon VPC network does not have access to the internet).


| Rule number | Type | Protocol | Port range | Source | Allow or deny | 
| --- | --- | --- | --- | --- | --- | 
|  100  |  All IPv4 traffic  |  All  |  All  |  0.0.0.0/0  |  Allow  | 
|  \*  |  All IPv4 traffic  |  All  |  All  |  0.0.0.0/0  |  Deny  | 

## VPC security groups


A [VPC security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) acts as a virtual firewall that controls the network traffic at the *instance* level. A security group is stateful, which means that when an inbound connection is permitted, it is allowed to reply. It is used to specify the types of network traffic that are allowed in from the instances in a VPC network.

Every Amazon VPC has a default security group. By default, it has no inbound rules. It has an outbound rule that allows all outbound traffic. You can edit the default security group rules, or create a custom security group and attach it to your Amazon VPC. On Amazon MWAA, you need to configure inbound and outbound rules to direct traffic on your NAT gateways.

### (Recommended) Example all access self-referencing security group


The following example shows the *inbound* security group rules that allow all traffic for an Amazon VPC with *public routing* or *private routing*. The rule in this example is self-referencing: its source is the security group itself.


| Type | Protocol | Source Type | Source | 
| --- | --- | --- | --- | 
|  All traffic  |  All  |  All  |  sg-0909e8e81919 / my-mwaa-serverless-vpc-security-group  | 

The following example shows the *outbound* security group rules.


| Type | Protocol | Destination type | Destination | 
| --- | --- | --- | --- | 
|  All traffic  |  All  |  All  |  0.0.0.0/0  | 


### (Optional) Example security group that restricts inbound access to port 443


The following example shows the *inbound* security group rules that allow all TCP traffic on port 443 for the Apache Airflow *Web server*.


| Type | Protocol | Port range | Source type | Source | 
| --- | --- | --- | --- | --- | 
|  HTTPS  |  TCP  |  443  |  Custom  |  sg-0909e8e81919 / my-mwaa-serverless-vpc-security-group  | 

## VPC endpoint policies (private routing only)


A VPC endpoint (AWS PrivateLink) policy controls access to AWS services from your private subnet. A VPC endpoint policy is an IAM resource policy that you attach to your VPC gateway or interface endpoint. This section describes the permissions needed for the VPC endpoint policies for each VPC endpoint.

We recommend using a VPC interface endpoint policy for each of the VPC endpoints you created that allows full access to all AWS services, and using your execution role exclusively for AWS permissions.

### (Recommended) Example VPC endpoint policy to allow all access


The following example shows a VPC interface endpoint policy for an Amazon VPC with *private routing*.

```
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
```

### (Recommended) Example Amazon S3 gateway endpoint policy to allow bucket access


The following example shows a VPC gateway endpoint policy that provides access to the Amazon S3 buckets required for Amazon ECR operations for an Amazon VPC with *private routing*. This is required for your Amazon ECR image to be retrieved, in addition to the bucket where your DAGs and supporting files are stored.

```
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"]
    }
  ]
}
```

# Access Amazon MWAA Serverless using an interface endpoint (AWS PrivateLink)

You can use AWS PrivateLink to create a private connection between your VPC and Amazon MWAA Serverless. You can access Amazon MWAA Serverless as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon MWAA Serverless.

You establish this private connection by creating an *interface endpoint*, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon MWAA Serverless.

For more information, refer to [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *AWS PrivateLink Guide*.

## Considerations for Amazon MWAA Serverless

Before you set up an interface endpoint for Amazon MWAA Serverless, review [Considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *AWS PrivateLink Guide*.

Amazon MWAA Serverless supports making calls to all of its API actions through the interface endpoint.

VPC endpoint policies are supported for Amazon MWAA Serverless. By default, full access to Amazon MWAA Serverless is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon MWAA Serverless through the interface endpoint.

## Create an interface endpoint for Amazon MWAA Serverless

You can create an interface endpoint for Amazon MWAA Serverless using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, refer to [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

Create an interface endpoint for Amazon MWAA Serverless using the following service name:

```
com.amazonaws.region.airflow-serverless
```

If you enable private DNS for the interface endpoint, you can make API requests to Amazon MWAA Serverless using its default Regional DNS name. For example, `airflow-serverless.us-east-1.api.com`.

## Create an endpoint policy for your interface endpoint

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon MWAA Serverless through the interface endpoint. To control the access allowed to Amazon MWAA Serverless from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:
+ The principals that can perform actions (AWS accounts, IAM users, and IAM roles).
+ The actions that can be performed.
+ The resources on which the actions can be performed.

For more information, refer to [Control access to services using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.

**Example: VPC endpoint policy for Amazon MWAA Serverless actions**  
The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Amazon MWAA Serverless actions for all principals on all resources.

```
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "airflow-serverless:GetWorkflow",
        "airflow-serverless:ListWorkflows"
      ],
      "Resource":"*"
    }
  ]
}
```