Revisiting Isolated Networks in the Cloud

Ossi Salmi
SensorFu
Mar 21, 2022

We previously tested how network isolation works on the major cloud platforms (Amazon AWS, Google GCP and Microsoft Azure) and concluded that only AWS was able to achieve true network isolation. Now we are revisiting those findings to see whether the remaining issues have been addressed.

The Cloud

On each of the platforms, we started with the same simple setup: an isolated VPC and subnet with no egress gateways attached to the network, and a virtual server with no public IP address running SensorFu Beacon.

On AWS and GCP this setup worked as we expected. Without either public IPs or NAT, there were no leaks from direct connections to the Internet. On Azure, however, we saw that Beacon was successfully calling home over multiple protocols and ports. We found out that Azure networks without explicitly configured outbound connectivity get implicit default outbound access. Adding a security group rule blocking egress Internet access stopped the leaks. This served as a reminder that proper firewalling is always important, as is reading the documentation.
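The Azure finding above comes down to rule ordering: every network security group ships with default outbound rules that allow Internet traffic, so an "isolated" subnet leaks until an explicit deny is placed ahead of them. The following is an added example, not SensorFu's code and not the Azure SDK or ARM schema. It models the documented NSG semantics (ascending priority, first match wins, default outbound rules AllowVnetOutBound 65000, AllowInternetOutBound 65001 and DenyAllOutBound 65500) so that a rule set can be checked against a Beacon-style list of probes before it is deployed. The Rule class, the VNet address space, the probe list and the treatment of the Internet tag as "anything outside RFC 1918 and the VNet" are simplifications constructed for the example; 168.63.129.16 is Azure's documented platform resolver address.

```python
"""Check whether an Azure-style NSG rule set really denies outbound Internet traffic.

Added example, not SensorFu's code and not the Azure SDK or ARM schema. It models the
NSG semantics Microsoft documents: rules are evaluated in ascending priority order,
the first match wins, and every NSG carries three default outbound rules.
The Rule class, the VNet address space and the probe list are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "*", "Tcp" or "Udp"
    dest: str = "*"        # service tag ("Internet", "VirtualNetwork"), a CIDR, or "*"
    dest_ports: str = "*"  # "*", "53", "53,443" or "1024-65535"


# Default outbound rules present in every NSG; they are why an Azure subnet with no
# explicit deny still reaches the Internet.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Deny"),
]

# Constructed VNet address space, used to resolve the VirtualNetwork tag.
VNET = [ip_network("10.0.0.0/16")]
# Simplification of the Internet tag: anything not RFC 1918 and not in the VNet.
_RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed probes in the spirit of a Beacon call-home test: a public HTTPS endpoint,
# a public DNS resolver, Azure's platform resolver (168.63.129.16, a documented
# Microsoft address) and an in-VNet host that should stay reachable.
PROBES = [
    ("203.0.113.10", 443, "Tcp"),
    ("203.0.113.53", 53, "Udp"),
    ("168.63.129.16", 53, "Udp"),
    ("10.0.1.5", 22, "Tcp"),
]


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _in_vnet(addr):
    return any(addr in net for net in VNET)


def _dest_match(spec, addr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_vnet(addr)
    if spec == "Internet":
        return not _in_vnet(addr) and not any(addr in net for net in _RFC1918)
    return addr in ip_network(spec, strict=False)


def evaluate(rules, dest_ip, port, protocol):
    """Return (access, rule_name) for the first rule matching the flow."""
    addr = ip_address(dest_ip)
    for r in sorted(list(rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not _port_match(r.dest_ports, port):
            continue
        if not _dest_match(r.dest, addr):
            continue
        return r.access, r.name
    return "Deny", "implicit"


def find_leaks(rules, probes=PROBES):
    """Probes outside the VNet that the rule set still allows."""
    return [p for p in probes
            if not _in_vnet(ip_address(p[0])) and evaluate(rules, *p)[0] == "Allow"]


# The fix from the post: an explicit deny placed ahead of the default allow.
BLOCK_EGRESS = [Rule("DenyInternetOutBound", 100, "Deny", dest="Internet")]

if __name__ == "__main__":
    print("no custom rules:", find_leaks([]))            # the three public probes leak
    print("with egress deny:", find_leaks(BLOCK_EGRESS))  # []
```

The same evaluator covers the DNS case: a deny rule scoped to the platform resolver and port 53 at a custom priority wins over the default allow, which is the mechanism the post relies on for Azure. Running the script with an empty custom rule list reproduces the leak; adding the deny rule empties the leak list while the in-VNet probe stays allowed.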

With direct routes to the Internet plugged, it was time to address the remaining leak vector, which was common to all three platforms.

It’s Always DNS

Each cloud platform has metadata servers that, among other things, provide recursive DNS resolution. If left unrestricted, this can be used to tunnel out of an otherwise isolated network. Last time we did these tests, only AWS allowed disabling the DNS service. Luckily things have improved since.

On AWS, which already allowed disabling the DNS service and using your own DNS servers, the Route 53 Resolver DNS Firewall has since been introduced for more fine-grained control.

We were glad to find out that both Azure and GCP have since introduced options to disable or filter the DNS service.

In Azure, the DNS service can be blocked by outbound security group rules. Custom DNS servers can then be configured if needed.

GCP does not allow completely disabling the DNS service, but DNS server policies can be used to forward all queries to your own server, where they can be filtered.
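Forwarding or logging queries, as the AWS, Azure and GCP options above allow, only helps if someone looks at them. The following is an added example (not SensorFu's code, and not the Route 53, Azure or GCP query log schema) of the checks a resolver you control can run over its query log: an allowlist of expected domains, and per-domain indicators of the tunnelling pattern the post warns about, namely bursts of long, high-entropy subdomains and TXT/NULL-heavy lookups. The log format is a constructed whitespace-separated one (timestamp, client, query name, query type), the sample lines are constructed, and the registered-domain heuristic and thresholds are simplifications for the example.

```python
"""Flag DNS tunnelling indicators and off-policy domains in a resolver query log.

Added example, not SensorFu's code and not any cloud provider's log schema. The log
format is constructed: "timestamp client qname qtype", one query per line.
"""
import math
from collections import defaultdict

# Constructed sample log: ordinary lookups from one host, followed by a burst of
# long, high-entropy TXT lookups that carry data in the query name.
SAMPLE_LOG = """\
2022-03-21T10:00:01Z 10.0.1.5 updates.example.net A
2022-03-21T10:00:02Z 10.0.1.5 updates.example.net AAAA
2022-03-21T10:00:05Z 10.0.1.5 time.example.net A
2022-03-21T10:00:07Z 10.0.1.5 3f9a1c7e2b9d4e6a8c0b1d2e3f4a5b6c.q.beacon.example TXT
2022-03-21T10:00:07Z 10.0.1.5 7b2d9e4f1a3c5e7b9d1f3a5c7e9b1d3f.q.beacon.example TXT
2022-03-21T10:00:08Z 10.0.1.5 0c8e6a4b2d1f3e5c7a9b0d2f4e6a8c1b.q.beacon.example TXT
2022-03-21T10:00:08Z 10.0.1.5 e1d2c3b4a5f60718293a4b5c6d7e8f90.q.beacon.example TXT
2022-03-21T10:00:09Z 10.0.1.5 9a8b7c6d5e4f30211f2e3d4c5b6a7988.q.beacon.example TXT
2022-03-21T10:00:09Z 10.0.1.5 4d3c2b1a0f9e8d7c6b5a49382716f5e4.q.beacon.example TXT
"""


def parse_log(text):
    """Parse the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    # Simplification: the last two labels. A real deployment would consult the
    # public suffix list so that names like example.co.uk are grouped correctly.
    return ".".join(qname.split(".")[-2:])


def entropy(s):
    """Shannon entropy in bits per character; random hex/base32 scores well above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def domain_stats(records):
    """Aggregate per registered domain: query count, unique subdomains, label length, entropy, TXT/NULL count."""
    stats = {}
    for r in records:
        d = registered_domain(r["qname"])
        s = stats.setdefault(d, {"queries": 0, "subdomains": set(), "max_label": 0,
                                 "entropy_sum": 0.0, "txt_null": 0})
        sub = r["qname"][:-len(d)].rstrip(".")
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["max_label"] = max([s["max_label"]] + [len(lbl) for lbl in sub.split(".") if lbl])
        s["entropy_sum"] += entropy(sub.replace(".", ""))
        if r["qtype"] in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def suspicious_domains(records, min_unique=5, min_entropy=3.0, max_label=40, txt_ratio=0.5):
    """Map of registered domain -> reasons, for domains showing tunnelling indicators."""
    flagged = {}
    for d, s in domain_stats(records).items():
        reasons = []
        if len(s["subdomains"]) >= min_unique and s["entropy_sum"] / s["queries"] >= min_entropy:
            reasons.append("many distinct high-entropy subdomains")
        if s["max_label"] > max_label:
            reasons.append("unusually long label")
        if s["txt_null"] / s["queries"] >= txt_ratio:
            reasons.append("TXT/NULL-heavy")
        if reasons:
            flagged[d] = reasons
    return flagged


def off_policy_domains(records, allowlist):
    """Registered domains queried that are not on the allowlist (default-deny view)."""
    return sorted({registered_domain(r["qname"]) for r in records} - set(allowlist))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("off policy:", off_policy_domains(recs, ["example.net"]))
    for dom, why in suspicious_domains(recs).items():
        print(f"{dom}: {', '.join(why)}")
```

On an isolated network the allowlist check is the stronger control: the set of domains a server legitimately needs is usually tiny, so anything outside it is worth an alert regardless of entropy. The indicator scoring is there for networks where a strict allowlist is not practical.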

With these improvements we could now create truly isolated networks on all three platforms. Still, the differences in default behavior and configuration between the platforms are easy to overlook, which highlights the importance of testing the policies rather than assuming they work.
