Network topology

We provide three Delivery Methods: Dedicated public VPC, Dedicated private VPC, and Existing VPC.

When optimizing for costs, we recommend the Dedicated public VPC delivery method. If running bucketAV in a public subnet is not an option due to security regulations, use the Dedicated private VPC delivery method, but expect baseline AWS costs of about $100/month for networking (NAT Gateway and VPC interface endpoints). The third option, the Existing VPC delivery method, gives you full control over the network configuration. Deploying into an existing VPC comes with two downsides, however. First, in our opinion, the network used by bucketAV to scan potentially infected files should be isolated from all other networks, and a shared VPC gives up that isolation. Second, the complexity of setting up bucketAV increases when choosing the Existing VPC delivery method.

Dedicated public VPC

VPC is managed by bucketAV. Scan Fleet runs in public subnets.

  • VPC
    • CIDR 10.0.0.0/16 configurable via the VpcCidrBlock configuration parameter and VpcSubnetCidrBits configuration parameter.
    • Flow Logs turned on.
    • Internet Gateway
  • Two public subnets
    • NACLs allow inbound port 22 (SSH) from the CIDR defined in the SSHIngressCidrIp configuration parameter, and inbound high ports (return traffic for the outbound connections below; NACLs are stateless).
    • NACLs allow outbound ports 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database), and outbound high ports (return traffic for SSH sessions).
  • Public IP address
  • Security group
    • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 80 and 443.
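The two rule sets above behave differently: the security group is stateful, so only the packet that opens a connection is checked, while the NACL is stateless and must explicitly pass the reply as well, which is why the "high ports" entries exist. The following Python model is an added illustration and not part of bucketAV: it transcribes the Dedicated public VPC rules and checks the flows the Scan Fleet depends on. The rule numbers, the sample addresses and the value used for SSHIngressCidrIp are assumptions. The same audit can be pointed at the NACLs and security group of an existing VPC before choosing the Existing VPC delivery method.

```python
"""Stateless NACL vs. stateful security-group evaluation for the Dedicated
public VPC rules listed above. Added example, not bucketAV code: the rule
numbers, the sample addresses and the SSHIngressCidrIp value are assumptions."""
from dataclasses import dataclass, replace
import ipaddress

SSH_INGRESS_CIDR = "203.0.113.0/24"  # assumed SSHIngressCidrIp (RFC 5737 documentation range)
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)            # the "high ports" of the description
AWS_API = "52.0.0.10"                # constructed stand-in for an AWS API / repo / virus DB host
SSH_CLIENT = "203.0.113.7"           # constructed admin host inside the SSH range
STRANGER = "198.51.100.9"            # constructed host outside the SSH range


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number; lower numbers are evaluated first
    ports: tuple           # inclusive (low, high) TCP destination port range
    cidr: str              # remote address range
    action: str = "allow"  # "allow" or "deny"


@dataclass(frozen=True)
class Topology:
    nacl_in: tuple   # subnet NACL, inbound (stateless)
    nacl_out: tuple  # subnet NACL, outbound (stateless)
    sg_in: tuple     # security group, inbound (stateful): (ports, cidr)
    sg_out: tuple    # security group, outbound (stateful): (ports, cidr)


# Transcription of the Dedicated public VPC rules; rule numbers are assumed.
PUBLIC_VPC = Topology(
    nacl_in=(Rule(100, (22, 22), SSH_INGRESS_CIDR),
             Rule(110, EPHEMERAL, ANY)),        # replies from repos, AWS APIs, virus DB
    nacl_out=(Rule(100, (80, 80), ANY),
              Rule(110, (443, 443), ANY),
              Rule(120, EPHEMERAL, ANY)),       # replies to SSH clients
    sg_in=(((22, 22), SSH_INGRESS_CIDR),),
    sg_out=(((80, 80), ANY), ((443, 443), ANY)),
)


def _hit(cidr, ip, ports, port):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and ports[0] <= port <= ports[1]


def nacl_allows(rules, remote_ip, port):
    """Stateless: ascending rule number, first match decides, implicit deny at the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if _hit(r.cidr, remote_ip, r.ports, port):
            return r.action == "allow"
    return False


def sg_allows(rules, remote_ip, port):
    """Stateful: only the packet that opens the connection is checked."""
    return any(_hit(cidr, remote_ip, ports, port) for ports, cidr in rules)


def flow_allowed(topo, initiator, remote_ip, remote_port, local_port):
    """Can a TCP connection complete? The SG sees only the opening packet; the NACL
    must pass the request and the reply, and the reply targets an ephemeral port."""
    if initiator == "instance":   # Scan Fleet -> remote_port, reply back to local_port
        return (sg_allows(topo.sg_out, remote_ip, remote_port)
                and nacl_allows(topo.nacl_out, remote_ip, remote_port)
                and nacl_allows(topo.nacl_in, remote_ip, local_port))
    # remote peer -> local_port, reply back to the peer's remote_port
    return (sg_allows(topo.sg_in, remote_ip, local_port)
            and nacl_allows(topo.nacl_in, remote_ip, local_port)
            and nacl_allows(topo.nacl_out, remote_ip, remote_port))


def audit(topo):
    """Named checks to run against any VPC that is meant to host the Scan Fleet."""
    return {
        "repo_http": flow_allowed(topo, "instance", AWS_API, 80, 40000),
        "api_https": flow_allowed(topo, "instance", AWS_API, 443, 40001),
        "ssh_from_admin_range": flow_allowed(topo, "remote", SSH_CLIENT, 51000, 22),
        "ssh_from_elsewhere_blocked": not flow_allowed(topo, "remote", STRANGER, 51000, 22),
        "no_service_exposed_on_443": not flow_allowed(topo, "remote", STRANGER, 51000, 443),
    }


def without_ephemeral_inbound(topo):
    """The classic NACL mistake: drop the inbound high-port rule because 'the SG is stateful'."""
    return replace(topo, nacl_in=tuple(r for r in topo.nacl_in if r.ports != EPHEMERAL))


def tightened_outbound(topo):
    """Stricter variant: high-port replies may only leave toward the SSH range."""
    return replace(topo, nacl_out=tuple(
        replace(r, cidr=SSH_INGRESS_CIDR) if r.ports == EPHEMERAL else r for r in topo.nacl_out))


if __name__ == "__main__":
    for name, ok in audit(PUBLIC_VPC).items():
        print(f"{name:28s} {'ok' if ok else 'FAIL'}")
    broken = without_ephemeral_inbound(PUBLIC_VPC)
    print("api_https without inbound high ports:", flow_allowed(broken, "instance", AWS_API, 443, 40001))
    print("all checks with tightened outbound:", all(audit(tightened_outbound(PUBLIC_VPC)).values()))
```

Two things the model makes visible. Removing the inbound high-port NACL rule (the common "the security group is stateful anyway" shortcut) breaks every connection the Scan Fleet opens, including the virus database update, while the security group rules still look correct. Restricting the outbound high-port rule to the SSHIngressCidrIp range keeps all checks green, because an SSH session from that range is the only connection a peer ever opens toward the fleet; that is the tightest outbound NACL the described topology supports.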

Dedicated private VPC

VPC is managed by bucketAV. Scan Fleet runs in private subnets.

Expect costs of about $14.60/month per VPC interface endpoint plus $0.01/GB of traffic, and about $32.85/month per NAT Gateway plus $0.045/GB of traffic!

  • VPC
    • CIDR 10.0.0.0/16 configurable via the VpcCidrBlock configuration parameter and VpcSubnetCidrBits configuration parameter.
    • Flow Logs turned on.
    • Internet Gateway
    • NAT Gateway
  • Two public subnets
    • NACLs allow inbound ports 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database) from inside the VPC, as well as the high ports required by the NAT Gateway (return traffic from the Internet).
    • NACLs allow outbound ports 80 and 443, as well as the high ports inside the VPC required by the NAT Gateway (return traffic to the Scan Fleet).
  • Two private subnets
    • NACLs allow inbound port 22 (SSH) from the CIDR defined in the SSHIngressCidrIp configuration parameter, port 443 from inside the VPC, as well as the high ports required by the NAT Gateway (return traffic for outbound connections).
    • NACLs allow outbound ports 80 and 443, as well as high ports inside the VPC and to the CIDR defined in the SSHIngressCidrIp configuration parameter (return traffic for SSH sessions).
  • Gateway VPC Endpoints for DynamoDB and S3.
  • Interface VPC Endpoints for SNS, EventBridge, and SQS.
  • Security group
    • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 80 and 443.

Dedicated private VPC (variant without NAT Gateway)

In this variant there is no NAT Gateway; the Scan Fleet reaches AWS services through the VPC endpoints listed below.

Expect costs of about $14.60/month per VPC interface endpoint plus $0.01/GB of traffic!

  • VPC
  • Two private subnets
    • NACLs allow inbound port 443 required by the VPC interface endpoints, port 22 (SSH) from the CIDR defined in the SSHIngressCidrIp configuration parameter, as well as the high ports required by the VPC gateway and interface endpoints.
    • NACLs allow outbound ports 80 and 443, as well as the high ports required by the VPC gateway and interface endpoints.
  • Gateway VPC Endpoints for DynamoDB and S3.
  • Interface VPC Endpoints for SNS, EventBridge, SQS, EC2 Auto Scaling, STS, CloudFormation, CloudWatch, CloudWatch Logs, and SSM.
  • Security group
    • Allow inbound port 22 from the CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound port 443 to the VPC interface endpoints, port 443 to the DynamoDB and S3 APIs, and port 80 to the S3 APIs.

Existing VPC

VPC is managed by the customer. The VPC must fulfill specific requirements defined in the Existing VPC Network Guide.

  • Public IP address (can be turned off via the AssociatePublicIpAddress configuration parameter).
  • Security group
    • Allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 53 (DNS), 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database).
