Network topology

We provide three Delivery Methods:

We recommend using the Dedicated public VPC or Dedicated private VPC delivery method for two reasons. First, in our opinion, you should isolate the network used by bucketAV to scan potentially infected files from any other networks. Second, the complexity of setting up bucketAV increases when choosing the Existing VPC delivery method.

Dedicated public VPC

VPC is managed by bucketAV. Scan Fleet runs in public subnets.

Dedicated public VPC

  • VPC
    • CIDR 10.0.0.0/16
    • Flow Logs turned on.
    • Internet Gateway
  • Two public subnets
    • NACLs allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter and high ports.
    • NACLs allow outbound port 80 (Amazon Linux 2 repo), 443 (AWS API, virus database), and high ports.
  • Public IP address
  • Security group
    • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 80 and 443.

Dedicated private VPC

VPC is managed by bucketAV. Scan Fleet runs in private subnets.

Dedicated private VPC

  • VPC
    • CIDR 10.0.0.0/16
    • Flow Logs turned on.
    • Internet Gateway
    • NAT Gateway
  • Two public subnets
    • NACLs allow inbound ports 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database) inside VPC, as well as high ports (required by NAT Gateway).
    • NACLs allow outbound ports 80, 443, as well as high ports inside VPC (required by NAT Gateway).
  • Two private subnets
    • NACLs allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter, 443 inside VPC, as well as high ports (required by NAT Gateway).
    • NACLs allow outbound ports 80, 443, as well as high ports inside VPC plus CIDR defined in the SSHIngressCidrIp configuration parameter.
  • Gateway VPC Endpoints for S3
  • Interface VPC Endpoints for SNS, and SQS
    • Security group is restricted to traffic from scanners only.
  • Security group
    • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 80 and 443.

Existing VPC

VPC is managed by the customer. The VPC must fulfill specific requirements defined in the Existing VPC Network Guide.

Existing VPC

  • Public IP address (can be turned of via the AssociatePublicIpAddress configuration parameter).
  • Security group
    • Allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
    • Allow outbound ports 53 (DNS), 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database).

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email