Enhanced security with DMZ architecture using Amazon VPC Block Public Access
Networking & Content Delivery Blog
This article explains how to use Amazon VPC Block Public Access (BPA) to implement secure DMZ architectures in AWS environments across multiple accounts.
- VPC BPA provides declarative control to block internet traffic to/from VPCs at scale
- Bidirectional block mode prevents all internet access; ingress-only blocks inbound traffic only
- Centralized egress architecture routes all outbound traffic through a single inspection point
- Centralized ingress architecture provides a controlled entry point via an ALB/NLB
- Use Transit Gateway to route traffic between spoke VPCs and centralized egress/ingress VPCs
- Enforce VPC BPA across multiple accounts using AWS Organizations declarative policies
- VPC BPA offers more granular control than Service Control Policies (SCPs)
- Monitor blocked traffic using VPC Flow Logs with reject-reason field
- Apply least privilege principle; regularly review and audit exclusions
VPC BPA enables organizations to build scalable, secure multi-account network architectures with centralized traffic inspection and proactive internet access controls.
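As an added example (not code from the original article), the Python below summarises flow-log records that VPC BPA rejected, grouped by VPC and flow direction, and flags VPCs where egress is being blocked even though only ingress blocking was expected. It assumes a custom flow-log format that includes the vpc-id, action, flow-direction and reject-reason fields; the log lines are constructed for the example.

```python
"""Summarise VPC Flow Log records rejected by VPC Block Public Access (BPA).

Assumes a custom flow-log format with a header line naming the fields,
as in flow-log files delivered to S3. The sample records below are
constructed for this example, not captured from a real account.
"""
from collections import Counter

# Constructed sample: first line is the field header, '-' means "no value".
SAMPLE_LOG = """\
vpc-id interface-id srcaddr dstaddr dstport protocol action flow-direction reject-reason
vpc-0a1 eni-11 198.51.100.7 10.0.1.10 443 6 REJECT ingress BPA
vpc-0a1 eni-11 10.0.1.10 203.0.113.9 443 6 ACCEPT egress -
vpc-0b2 eni-22 10.1.2.20 203.0.113.9 80 6 REJECT egress BPA
vpc-0b2 eni-22 198.51.100.8 10.1.2.20 22 6 REJECT ingress BPA
vpc-0b2 eni-23 198.51.100.9 10.1.2.21 22 6 REJECT ingress -
"""


def parse_records(text):
    """Yield one dict per record, keyed by the header's field names."""
    lines = [line for line in text.splitlines() if line.strip()]
    fields = lines[0].split()
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated records instead of misaligning fields
        yield dict(zip(fields, values))


def bpa_rejects_by_vpc(text):
    """Return {vpc-id: {direction: count}} for flows rejected with reason BPA."""
    counts = {}
    for rec in parse_records(text):
        if rec.get("action") != "REJECT" or rec.get("reject-reason") != "BPA":
            continue  # security-group/NACL rejects carry no BPA reason
        counts.setdefault(rec["vpc-id"], Counter())[rec["flow-direction"]] += 1
    return {vpc: dict(c) for vpc, c in counts.items()}


def vpcs_with_egress_blocks(text):
    """VPCs that BPA is blocking on egress: unexpected if ingress-only mode was intended."""
    return sorted(vpc for vpc, c in bpa_rejects_by_vpc(text).items() if c.get("egress"))


if __name__ == "__main__":
    print(bpa_rejects_by_vpc(SAMPLE_LOG))
    print("egress blocked in:", vpcs_with_egress_blocks(SAMPLE_LOG))
```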
Related articles
- Nov 19, 2024: Enhancing VPC Security with Amazon VPC Block Public Access
- Jun 10, 2026: Best practices for securing your IPv6 infrastructure on AWS using VPC Block Public Access
- Mar 25, 2026: Deploy VPC Block Public Access across AWS Organizations
- Nov 19, 2024: AWS announces Block Public Access for Amazon Virtual Private Cloud