
Does a VPC isolate a DDoS attack?

0

There could be several circumstances to discuss:

Q1. EC2 A in VPC1 and EC2 B in VPC2 (regardless of whether they are in the same account): if EC2 A is under a DDoS attack that fills up all the network bandwidth VPC1 has, could that DDoS also have a bad impact on EC2 B in VPC2 (an RTT latency spike, packet loss, or the like)?

Q2. EC2 A and EC2 B in the same VPC but different AZs: if EC2 A is under a DDoS attack that fills up all the network bandwidth the VPC has, could that DDoS also have a bad impact on EC2 B (an RTT latency spike, packet loss, or the like)?

Q3. EC2 A and EC2 B in the same VPC and the same AZ: if EC2 A is under a DDoS attack that fills up all the network bandwidth the VPC has, could that DDoS also have a bad impact on EC2 B (an RTT latency spike, packet loss, or the like)?

Thank you very much :-)

2 Answers
1
Accepted Answer

Turning this around a little: It isn't about the bandwidth limit within the VPC; it is the bandwidth limit on each instance that is the thing to watch. In general, there is no limit on the amount of bandwidth within a VPC.

Check out the EC2 instance specifications - there you'll see that each instance type has specific bandwidth limits.

If an instance is experiencing a high volume of traffic then the ability of that instance to communicate with anything else (other instances; other hosts outside AWS) will likely be impacted.

To answer the questions more specifically:

  1. No, but if instance B is dependent on instance A to perform its task(s) then there will be an impact, though it is not a direct impact, only a consequence of not being able to communicate in a timely manner with instance A. The instance bandwidth available to instance A is separate from that available to instance B.
  2. See (1).
  3. See (1).
AWS
EXPERT
answered 2 years ago
  • Very comprehensive and really helpful, thanks a lot :-)
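
The accepted answer's point is that the limit to watch is each instance's own network allowance, not the VPC. The following check turns that into something a practitioner can run against flow records: it aggregates bytes per ENI from VPC Flow Log lines, converts the total into an observed rate, and compares it with the baseline and peak bandwidth of the instance type that owns the ENI, so that the attacked instance shows as saturated while the other instance's own allowance is untouched. This is an added example, not code from the thread or from AWS. Everything in it is constructed: the flow-log lines follow the default VPC Flow Logs version 2 field order, the ENI-to-instance mapping is invented, and the bandwidth table only mimics the shape of `aws ec2 describe-instance-types` output (the instance type names and Gbps figures are illustrative, not real AWS specifications; look the real values up with that command).

```python
"""
Per-instance bandwidth check: observed traffic per ENI versus the owning
instance type's own network allowance.

Added example, not from the re:Post thread or from AWS. All inputs below are
constructed: flow-log lines in default VPC Flow Logs v2 field order, an
invented ENI-to-instance map, and a bandwidth table that mimics the shape of
`aws ec2 describe-instance-types` NetworkCards fields with illustrative numbers.
"""
import json
from collections import defaultdict

# Constructed VPC Flow Log records (default v2 format). Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-aaaa1111 203.0.113.5 10.0.1.10 44321 443 6 18000000 25000000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaaa1111 198.51.100.7 10.0.1.10 51000 443 6 15000000 20000000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbb2222 10.0.1.10 10.1.2.20 52000 5432 6 1200 96000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbb2222 10.0.1.10 10.1.2.20 52001 5432 6 5 320 1700000000 1700000060 ACCEPT OK
"""

# Constructed: which instance (and instance type) owns each ENI.
ENI_TO_INSTANCE = {
    "eni-aaaa1111": ("i-0aaaa", "example.medium"),  # instance A, the DDoS target
    "eni-bbbb2222": ("i-0bbbb", "example.xlarge"),  # instance B, in another VPC
}

# Constructed JSON shaped like `aws ec2 describe-instance-types` output.
# Instance type names and Gbps values are illustrative, not real AWS specs.
SAMPLE_DESCRIBE_INSTANCE_TYPES = json.dumps({
    "InstanceTypes": [
        {"InstanceType": "example.medium",
         "NetworkInfo": {"NetworkPerformance": "Up to 5 Gigabit",
                         "NetworkCards": [{"NetworkCardIndex": 0,
                                           "BaselineBandwidthInGbps": 0.75,
                                           "PeakBandwidthInGbps": 5.0}]}},
        {"InstanceType": "example.xlarge",
         "NetworkInfo": {"NetworkPerformance": "Up to 12.5 Gigabit",
                         "NetworkCards": [{"NetworkCardIndex": 0,
                                           "BaselineBandwidthInGbps": 1.25,
                                           "PeakBandwidthInGbps": 12.5}]}},
    ]
})


def load_bandwidth_table(describe_json):
    """Map instance type -> (baseline_gbps, peak_gbps), summed over network cards."""
    table = {}
    for it in json.loads(describe_json)["InstanceTypes"]:
        cards = it["NetworkInfo"].get("NetworkCards", [])
        baseline = sum(c.get("BaselineBandwidthInGbps", 0.0) for c in cards)
        peak = sum(c.get("PeakBandwidthInGbps", 0.0) for c in cards)
        table[it["InstanceType"]] = (baseline, peak)
    return table


def bytes_per_interface(flow_log_text):
    """Total bytes and covered window (seconds) per ENI from v2 default-format lines."""
    totals = defaultdict(lambda: [0, None, None])  # bytes, earliest start, latest end
    for line in flow_log_text.splitlines():
        fields = line.split()
        # Skip NODATA/SKIPDATA records and anything not in the 14-field v2 layout.
        if len(fields) != 14 or fields[0] != "2" or fields[13] != "OK":
            continue
        eni, nbytes = fields[2], int(fields[9])
        start, end = int(fields[10]), int(fields[11])
        entry = totals[eni]
        entry[0] += nbytes
        entry[1] = start if entry[1] is None else min(entry[1], start)
        entry[2] = end if entry[2] is None else max(entry[2], end)
    # Guard against a zero-length window so the rate is always defined.
    return {eni: (b, max(e - s, 1)) for eni, (b, s, e) in totals.items()}


def classify(observed_gbps, baseline_gbps, peak_gbps):
    """Where the observed rate sits relative to the instance's own allowance."""
    if observed_gbps > peak_gbps:
        return "saturated"
    if observed_gbps > baseline_gbps:
        return "above baseline"
    return "within baseline"


def bandwidth_report(flow_log_text, eni_map, bw_table):
    """Per instance: observed Gbps (average over the log window) versus its allowance."""
    report = {}
    for eni, (total_bytes, seconds) in bytes_per_interface(flow_log_text).items():
        instance_id, instance_type = eni_map[eni]
        baseline, peak = bw_table[instance_type]
        observed = total_bytes * 8 / seconds / 1e9
        report[instance_id] = {
            "instance_type": instance_type,
            "observed_gbps": observed,
            "baseline_gbps": baseline,
            "peak_gbps": peak,
            "status": classify(observed, baseline, peak),
        }
    return report


if __name__ == "__main__":
    table = load_bandwidth_table(SAMPLE_DESCRIBE_INSTANCE_TYPES)
    for iid, r in bandwidth_report(SAMPLE_FLOW_LOG, ENI_TO_INSTANCE, table).items():
        print(f"{iid} ({r['instance_type']}): {r['observed_gbps']:.3f} Gbps -> {r['status']}")
```

With the constructed input, instance A shows 6.0 Gbps against a 5.0 Gbps peak and is reported as saturated, while instance B, whose only traffic is a trickle from A, is within its own baseline: the number that matters for B is B's allowance, exactly as the answer says. Two caveats: the rate is an average over the flow-log aggregation window, so short bursts are smoothed out, and an instance running above baseline for long may exhaust its burst allowance even though this check only reports "above baseline".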

0

Just adding some additional context: the potential for 'noisy neighbor' impact exists in any multi-tenanted environment; however, AWS has protections at both the internet network border (Shield Standard) and at the EC2 border (for east-west traffic) to mitigate such impact.

AWS
EXPERT
answered 7 months ago
