Network topology
We provide three Delivery Methods:
- Dedicated public VPC (recommended)
- Dedicated private VPC
- Existing VPC
We recommend using the Dedicated public VPC or Dedicated private VPC delivery method for two reasons. First, in our opinion, you should isolate the network used by bucketAV to scan potentially infected files from any other networks. Second, the complexity of setting up bucketAV increases when choosing the Existing VPC delivery method.
Dedicated public VPC
VPC is managed by bucketAV. Scan Fleet runs in public subnets.
- VPC
  - CIDR 10.0.0.0/16
  - Flow Logs turned on.
- Internet Gateway
- CIDR
- Two public subnets
  - NACLs allow inbound port 22 (SSH) restricted to the CIDR defined in the SSHIngressCidrIp configuration parameter, and high ports.
  - NACLs allow outbound port 80 (Amazon Linux 2 repo), 443 (AWS API, virus database), and high ports.
- Public IP address
- Security group
  - Allow inbound port 22 restricted to the CIDR defined in the SSHIngressCidrIp configuration parameter.
  - Allow outbound ports 80 and 443.
Dedicated private VPC
VPC is managed by bucketAV. Scan Fleet runs in private subnets.
- VPC
  - CIDR 10.0.0.0/16
  - Flow Logs turned on.
- Internet Gateway
- NAT Gateway
- CIDR
- Two public subnets
  - NACLs allow inbound ports 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database) inside the VPC, as well as high ports (required by the NAT Gateway).
  - NACLs allow outbound ports 80 and 443, as well as high ports inside the VPC (required by the NAT Gateway).
- Two private subnets
  - NACLs allow inbound port 22 (SSH) restricted to the CIDR defined in the SSHIngressCidrIp configuration parameter, port 443 inside the VPC, as well as high ports (required by the NAT Gateway).
  - NACLs allow outbound ports 80 and 443, as well as high ports inside the VPC plus the CIDR defined in the SSHIngressCidrIp configuration parameter.
- Gateway VPC Endpoint for S3
- Interface VPC Endpoints for SNS and SQS
  - Security group is restricted to traffic from scanners only.
- Security group
  - Allow inbound port 22 restricted to the CIDR defined in the SSHIngressCidrIp configuration parameter.
  - Allow outbound ports 80 and 443.
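The scanner security group is the same for both dedicated delivery methods: SSH in from SSHIngressCidrIp only, HTTP and HTTPS out. The following audit is an added example, not bucketAV's own code; it checks a security group, in the shape returned by the EC2 DescribeSecurityGroups API, against those documented rules. The SSHIngressCidrIp value and both sample groups are constructed here so it runs offline, with a default-style group shown beside the documented one.

```python
SSH_INGRESS_CIDR = "203.0.113.0/24"  # assumed SSHIngressCidrIp value, not from the page
ANY = "0.0.0.0/0"

# Documented scanner security group: SSH only from SSHIngressCidrIp, HTTP/HTTPS out.
EXPECTED_INGRESS = {("tcp", 22, 22, SSH_INGRESS_CIDR)}
EXPECTED_EGRESS = {("tcp", 80, 80, ANY), ("tcp", 443, 443, ANY)}


def flatten(permissions):
    """Expand DescribeSecurityGroups IpPermissions into (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in permissions:
        proto = perm.get("IpProtocol", "-1")
        # "-1" is EC2's wildcard: all protocols, all ports
        lo = 0 if proto == "-1" else perm["FromPort"]
        hi = 65535 if proto == "-1" else perm["ToPort"]
        for rng in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, rng["CidrIp"]))
    return rules


def audit(group):
    """Return findings for rules that deviate from the documented set; [] means compliant."""
    findings = []
    for direction, key, expected in (("inbound", "IpPermissions", EXPECTED_INGRESS),
                                     ("outbound", "IpPermissionsEgress", EXPECTED_EGRESS)):
        actual = flatten(group.get(key, []))
        findings += [f"unexpected {direction} rule {r}" for r in sorted(actual - expected)]
        findings += [f"missing {direction} rule {r}" for r in sorted(expected - actual)]
    return findings


def rule(proto, port, cidr):
    """Build one IpPermissions entry in the EC2 API shape (port is ignored for "-1")."""
    entry = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    if proto != "-1":
        entry.update(FromPort=port, ToPort=port)
    return entry


# Constructed sample: SSH open to the world plus EC2's default allow-all egress.
WEAK_GROUP = {"IpPermissions": [rule("tcp", 22, ANY)],
              "IpPermissionsEgress": [rule("-1", None, ANY)]}

# Constructed sample: the group as documented for the dedicated VPC methods.
HARDENED_GROUP = {"IpPermissions": [rule("tcp", 22, SSH_INGRESS_CIDR)],
                  "IpPermissionsEgress": [rule("tcp", 80, ANY), rule("tcp", 443, ANY)]}

if __name__ == "__main__":
    for name, group in (("weak", WEAK_GROUP), ("hardened", HARDENED_GROUP)):
        print(name, audit(group) or "OK")
```

Against a live account, pass `describe_security_groups()["SecurityGroups"][i]` from boto3 into `audit` in place of the constructed groups.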
Existing VPC
VPC is managed by the customer. The VPC must fulfill specific requirements defined in the Existing VPC Network Guide.
- Public IP address (can be turned off via the AssociatePublicIpAddress configuration parameter).
- Security group
  - Allow inbound port 22 (SSH) restricted to the CIDR defined in the SSHIngressCidrIp configuration parameter.
  - Allow outbound ports 53 (DNS), 80 (Amazon Linux 2 repo), and 443 (AWS API, virus database).