AWS wellarchitected medium security documentation change
Summary
Added HPC-specific infrastructure protection best practices including network layer separation and traffic flow control. Expanded documentation with implementation guidance for security groups and subnet isolation in HPC clusters.
Security assessment
The changes introduce security best practices for network segmentation (separating head nodes/compute resources) and traffic control between components. References SEC05 security pillar controls for network protection. Specifically addresses security group configurations for Elastic Fabric Adapter (EFA) workloads and defense-in-depth strategies.
Diff
diff --git a/wellarchitected/latest/high-performance-computing-lens/infrastructure-protection.md b/wellarchitected/latest/high-performance-computing-lens/infrastructure-protection.md index 2d6435d03..80f303a0b 100644 --- a//wellarchitected/latest/high-performance-computing-lens/infrastructure-protection.md +++ b//wellarchitected/latest/high-performance-computing-lens/infrastructure-protection.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](welcome.html) +[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](high-performance-computing-lens.html) @@ -5 +5 @@ -# Infrastructure Protection +HPCSEC01-BP01 Separate HPC cluster components in different network layersHPCSEC01-BP02 Control traffic flow within your HPC cluster @@ -7 +7,25 @@ -There are no best practices unique to HPC for the infrastructure best practice area. Review the corresponding section in the [AWS Well-Architected Framework whitepaper](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html). +# Infrastructure protection + +HPCSEC01: How do you implement network-layer separation in your HPC cluster? +--- + +HPC clusters can be separated by workload components into different network layers based on their data sensitivity, access requirements, and functional purpose. When separated by layers, traffic can be controlled between layers and additional controls can be applied based on layer requirements as part of a defense-in-depth security approach. + +###### Best practices + + * HPCSEC01-BP01 Separate HPC cluster components in different network layers + + * HPCSEC01-BP02 Control traffic flow within your HPC cluster + + + + +## HPCSEC01-BP01 Separate HPC cluster components in different network layers + +When architecting for [SEC05-BP01](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_create_layers.html), you create network layers and separate components into different layers. In HPC clusters, you can separate different cluster components, such as head node, login nodes, and compute resources. For example, with AWS ParallelCluster, the cluster head node can be separated from the compute resources. The head node could be running in a public subnet with the compute fleet running in a private subnet. Additionally, you could further isolate your cluster by running in private subnets with private connectivity to the cluster. + +## HPCSEC01-BP02 Control traffic flow within your HPC cluster + +According to [SEC05-BP02](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_layered.html), you control traffic flow within your network layers. You permit only the network flows necessary for the components of your workloads to communicate. When running tightly coupled HPC workloads with Elastic Fabric Adapter (EFA), EFA requires being a member of a security group allowing all inbound and outbound traffic to and from itself. Each cluster member will allow all traffic between members when processing the same EFA-based job. + +Clusters are commonly used with multiple running jobs and a single security group would be used for all EFA traffic without separation by job. If your environment requires further security separation by job, consider an alternative design, such as multiple clusters or a more advanced security group mapping, rather than having one security group for all traffic between members. @@ -15 +39 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Detective Controls +Best practices @@ -17 +41 @@ Detective Controls -Data Protection +Data protection