AWS vpc medium security documentation change
Summary
Added warning about VPC Block Public Access interaction with ingress routing
Security assessment
Documents a critical security configuration detail where VPC Block Public Access (BPA) subnet-level exclusions don't work with ingress routing, potentially leading to unintended traffic blocking or exposure. Provides guidance to disable BPA or use VPC-level exclusions.
Diff
diff --git a/vpc/latest/userguide/igw-ingress-routing.md b/vpc/latest/userguide/igw-ingress-routing.md index 35bafcba2..982acae07 100644 --- a//vpc/latest/userguide/igw-ingress-routing.md +++ b//vpc/latest/userguide/igw-ingress-routing.md @@ -128 +128 @@ This feature only works with the public IP CIDRs that you bring to AWS following -**Important best practices** +**Best practices** @@ -136,0 +137,11 @@ This feature only works with the public IP CIDRs that you bring to AWS following +###### Important + +If you are using [VPC Block Public Access (BPA)](./security-vpc-bpa.html), when BPA is enabled, it will block traffic to subnets using ingress routing, even if you've set a subnet-level BPA exclusion. Subnet-level exclusions do not work for ingress routing. To allow ingress routing traffic with BPA enabled: + + * Disable BPA completely, or + + * Use a VPC-level exclusion + + + +