Network topology

We provide three Delivery Methods:

• Dedicated public VPC (recommended)
• Dedicated private VPC
• Existing VPC

When optinmizing for costs we recommend the Dedicated public VPC delivery method. In case running bucketAV in a public subnet is not an option due to security regulations, use the Dedicated private VPC delivery method but expect baseline AWS costs of about $100/month for networking. The third option gives you full control over the network configuration: the Exsisting VPC delivery method. But, deploying to an existing VPCs comes with two downsides. First, in our opinion, you should isolate the network used by bucketAV to scan potentially infected files from any other networks. Second, the complexity of setting up bucketAV increases when choosing the Existing VPC delivery method.

Dedicated public VPC

VPC is managed by bucketAV. Scan Fleet runs in public subnets.

• VPC
  • CIDR 10.0.0.0/16
  • Flow Logs turned on.
  • Internet Gateway
• Two public subnets
  • NACLs allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter and high ports.
  • NACLs allow outbound port 80 (Amazon Linux 2 repo), 443 (AWS API, virus database), and high ports.
• Public IP address
• Security group
  • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
  • Allow outbound ports 80 and 443.

Dedicated private VPC

VPC is managed by bucketAV. Scan Fleet runs in private subnets.

Expect baseline costs of about $100/month for VPC endpoints.

bucketAV powered by ClamAV

• VPC
  • CIDR 10.0.0.0/16
  • Flow Logs turned on.
• Two private subnets
  • NACLs allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter, as well as high ports (required by VPC Endpoints).
  • NACLs allow outbound ports 80, 443, as well as high ports restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
• Gateway VPC Endpoints for S3.
• Interface VPC Endpoints for SNS, SQS, CloudWatch, CloudWatch Logs, CloudFormation, SSM;
• Security group
  • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
  • Allow outbound port 443 to Interface VPC Endpoints and ports 80 and 443 to Amazon S3 IP ranges.

bucketAV powered by Sophos

• VPC
  • CIDR 10.0.0.0/16
  • Flow Logs turned on.
  • Internet Gateway
  • NAT Gateway
• Two public subnets
  • NACLs allow inbound ports 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database) inside VPC, as well as high ports (required by NAT Gateway).
  • NACLs allow outbound ports 80, 443, as well as high ports inside VPC (required by NAT Gateway).
• Two private subnets
  • NACLs allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter, 443 inside VPC, as well as high ports (required by NAT Gateway).
  • NACLs allow outbound ports 80, 443, as well as high ports inside VPC plus CIDR defined in the SSHIngressCidrIp configuration parameter.
• Gateway VPC Endpoints for S3.
• Interface VPC Endpoints for SNS, and SQS.
• Security group
  • Allow inbound port 22 restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
  • Allow outbound ports 80 and 443.

Existing VPC

VPC is managed by the customer. The VPC must fulfill specific requirements defined in the Existing VPC Network Guide.

• Public IP address (can be turned of via the AssociatePublicIpAddress configuration parameter).
• Security group
  • Allow inbound port 22 (SSH) restricted to CIDR defined in the SSHIngressCidrIp configuration parameter.
  • Allow outbound ports 53 (DNS), 80 (Amazon Linux 2 repo) and 443 (AWS API, virus database).