Network Information#

Network Layout#

LCA1 provides two networks for customer use, Internet and Private, each deployed in two Availability Zones (az1 and az2). The remaining networks listed below are infrastructure networks; customers do not deploy into them.

Customer Networks#

| Shortname | Full Name | Use |
|---|---|---|
| Internet | oit-cld-lza-internet-az1 | Deployments with direct inbound/outbound internet access. |
| Internet | oit-cld-lza-internet-az2 | Deployments with direct inbound/outbound internet access. |
| Private | oit-cld-lza-private-az1 | Deployments that need direct access to campus resources or that should not be exposed to the internet directly. |
| Private | oit-cld-lza-private-az2 | Deployments that need direct access to campus resources or that should not be exposed to the internet directly. |
| | oit-cld-lza-fw-internet-az1 | Not for customer deployments. Infrastructure network. |
| | oit-cld-lza-fw-internet-az2 | Not for customer deployments. Infrastructure network. |
| | oit-cld-lza-fw-private-az1 | Not for customer deployments. Infrastructure network. |
| | oit-cld-lza-fw-private-az2 | Not for customer deployments. Infrastructure network. |
| | oit-cld-lza-tgw-az1 | Not for customer deployments. Infrastructure network. |
| | oit-cld-lza-tgw-az2 | Not for customer deployments. Infrastructure network. |

Network Protection#

OIT Managed Firewall#

Both the Internet network and the Private network route through an OIT firewall. By default, the OIT firewall allows a select set of well-known applications inbound to the Internet network. Connections between campus and the Private network are generally allowed by default, with some exceptions. The OIT firewall protects deployments by blocking connections from the following sources:

Internet network#

  • Curated list of known bad actors

  • High Risk Applications

  • Internet port scans

Private network#

  • High Risk Applications

  • CU Boulder ResNet

  • CU Boulder UCB Wireless

  • CU Boulder Guest Wireless

Customer Managed Security Groups#

Deployments in both the Internet and Private networks should also use AWS Security Groups, which the customer deploys, for granular controls. Security Groups filter on source/destination IP address (or a referenced Security Group), protocol, and TCP/UDP port range. They are stateful and contain only allow rules: traffic that matches no rule is dropped, return traffic for an allowed connection is permitted automatically, and an over-broad rule cannot be narrowed by adding a deny rule to the same group.

Security Groups vs OIT Firewall#

The OIT firewall is application-aware, which means it can identify an application based on network behavior in addition to port and protocol. As an example, it can prevent a SQL packet from using a 22/TCP exception that was intended to allow SSH. Changes to OIT firewall policy require a ticket to rc-help@colorado.edu.

Security Groups are within the customer's span of control. This means the customer can modify Security Groups quickly to meet security requirements without engaging an external group. Security Groups can reference other AWS resources dynamically (for example, allow an application port only from the load balancer's Security Group ID rather than from a CIDR), but they cannot identify traffic by network behavior.
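Because Security Group changes do not go through OIT, the customer owns the review of those rules. The following is an added example (not OIT code) of a small audit over the JSON returned by `aws ec2 describe-security-groups`: it flags admin ports open to the whole internet, all-protocol rules, and world-open sources on groups in the Private network, where inbound internet traffic never arrives anyway. The policy it applies, the list of admin ports, the `Network` tag used to tell Internet from Private groups, and the sample groups and CIDRs are all assumptions made for the example.

```python
"""Audit Security Group rules exported from `aws ec2 describe-security-groups`.

Added example for this page; it is not OIT code and applies an assumed policy:
  * admin/database ports must never be reachable from 0.0.0.0/0 or ::/0,
  * a rule allowing all protocols ("-1") from a CIDR is too broad anywhere,
  * groups on the Private network should not use 0.0.0.0/0 at all (campus
    sources arrive via VPN, so name campus CIDRs or another group instead).
The "Network" tag used to tell Internet from Private groups is an assumed convention.
"""
import ipaddress

ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}        # assumed list of sensitive ports
PRIVATE_NETWORK_PREFIX = "oit-cld-lza-private"    # page's Private network names

# Constructed sample in the describe-security-groups output shape (not a real account).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-alb",
        "Tags": [{"Key": "Network", "Value": "oit-cld-lza-internet-az1"}],
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app",
        "Tags": [{"Key": "Network", "Value": "oit-cld-lza-private-az1"}],
        "IpPermissions": [
            # good: app port only from the ALB's group, referenced by ID rather than CIDR
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
            # good: SSH from an assumed campus CIDR (placeholder, not a real CU range)
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # too broad: every protocol and port from a whole /16
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # pointless on the Private network: 0.0.0.0/0 (inbound internet never reaches it)
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def tag_value(sg, key):
    """Value of the named tag on a group, or "" when absent."""
    return next((t["Value"] for t in sg.get("Tags", []) if t["Key"] == key), "")


def covered_admin_ports(perm):
    """Sensitive ports the rule reaches; "-1" means every protocol and port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(ADMIN_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return []
    return sorted(p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"])


def audit_group(sg):
    """Return (severity, message) findings for one group's inbound rules."""
    findings = []
    on_private = tag_value(sg, "Network").startswith(PRIVATE_NETWORK_PREFIX)
    for perm in sg.get("IpPermissions", []):
        # Group-to-group references carry no CIDR and are not flagged here.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            if perm.get("IpProtocol") == "-1":
                findings.append(("HIGH" if world else "MEDIUM",
                                 f"all protocols and ports allowed from {cidr}"))
            elif world and (ports := covered_admin_ports(perm)):
                findings.append(("HIGH", f"admin port(s) {ports} open to {cidr}"))
            elif world and on_private:
                findings.append(("MEDIUM", f"{cidr} used as a source on a Private-network group"))
    return findings


def audit(groups):
    """Audit every group; returns a list of (GroupId, severity, message)."""
    return [(sg["GroupId"], sev, msg) for sg in groups for sev, msg in audit_group(sg)]


if __name__ == "__main__":
    for group_id, severity, message in audit(SAMPLE_GROUPS):
        print(f"{severity:6} {group_id}: {message}")
```

Run against a real account by replacing `SAMPLE_GROUPS` with the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`. The audit deliberately ignores `UserIdGroupPairs` entries: a rule whose source is another Security Group is the pattern the page recommends, and its reach is bounded by that group's membership rather than by an address range.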

Network Routing#

VPN#

Connectivity to CU Boulder networks is through redundant VPN tunnels, which encrypt traffic between the Private network and the CU Boulder campus. These tunnels provide access to:

  • CU Boulder Public Networks

  • CU Boulder Private Networks

  • CU Boulder DNS lookups for public/private domain names

Private network#

  • Internet: Routes to the internet via Network Address Translation (NAT); no inbound connections from the internet

  • Campus: Routes through the VPN to and from campus; private campus IP subnets and internal DNS are reachable

  • Intra VPC: Routes directly to other VPC networks in the same account

Internet network#

  • Internet: Routes directly to and from the internet

  • Campus: Routes over the public internet; no connectivity to private campus IP subnets or internal DNS

  • Intra VPC: Routes directly to other VPC networks in the same account

Note

The Internet network does not route through the VPN tunnel. Customer deployments in the Internet network may require a firewall exception at the campus Border Firewall in order to access some CU Boulder resources.