Amazon Onboarding with Learning Manager Chanci Turner


As government organizations migrate to Amazon Web Services (AWS), they frequently aim to preserve operational continuity by retaining their existing on-premises firewall solutions. The Gateway Load Balancer (GWLB) allows these firewall appliances to be incorporated smoothly into the AWS environment, maintaining consistent security controls while minimizing disruption.

In networking terminology, traffic is generally divided into two categories: “north-south” and “east-west.” North-south traffic involves data transferring between the cloud and external networks, such as user requests from the internet or outbound data to third-party services. Conversely, east-west traffic refers to communications within the cloud environment, encompassing interactions between applications or services across various subnets or VPCs. This category also includes communications between the AWS Cloud and on-premises data centers linked via AWS Direct Connect or other private connectivity solutions.

This article will delve into best practices for utilizing GWLB to enable centralized traffic inspection for both east-west and north-south traffic flows. We will outline key considerations for designing an inspection architecture with Gateway Load Balancer, providing guidance to government organizations aiming for a secure cloud transition while adhering to compliance and security standards.

Traffic Inspection with Gateway Load Balancer

In traditional on-premises setups, firewalls are typically positioned at the network perimeter to monitor north-south traffic and internally to protect sensitive infrastructure and enforce detailed security policies. Similarly, within the AWS Cloud, organizations require additional security measures for east-west traffic traversing between Amazon Virtual Private Cloud (VPC) environments to ensure uniform security controls.

GWLB supports the inspection of both east-west and north-south traffic by utilizing GWLB endpoints powered by AWS PrivateLink. This enables IT departments to offer a centralized inspection service for other business units, thereby enforcing the desired security posture. Importantly, GWLB functions as a bump-in-the-wire solution, transparently intercepting and forwarding traffic without acting as a proxy. This design maintains the original source and destination IP addresses, preserving network transparency and compatibility with existing security appliances.

East-West Traffic Inspection

IT departments can deploy firewall appliances within an inspection VPC and use GWLB endpoints to direct traffic to those appliances for inspection. Customers can route their inter-VPC traffic through AWS Transit Gateway or AWS Cloud WAN to the inspection VPC. This ensures that all inter-VPC communication between resources, such as Amazon Elastic Compute Cloud (EC2) instances, is inspected and monitored, strengthening the overall security posture of the environment. This post focuses on the Transit Gateway architecture; for more on AWS Cloud WAN, see the “Simplify global security inspection with AWS Cloud WAN Service Insertion” blog post.

North-South Traffic Inspection

By configuring GWLB endpoints as the entry and exit points for internet traffic, government clients can channel all incoming and outgoing traffic through their firewall appliances for inspection. This model mirrors traditional on-premises deployment strategies, where firewalls are positioned at the network perimeter to scrutinize and regulate external traffic.

The ability to use GWLB for both east-west and north-south traffic inspection gives government customers a robust framework for implementing their desired security architecture within the AWS Cloud. By integrating their existing firewall solutions, organizations can maintain operational continuity, keep using familiar management interfaces, and enforce consistent security policies across their entire infrastructure.

Architectural Guidance for Gateway Load Balancer

When designing a comprehensive inspection architecture using GWLB and your firewall appliances, the Centralized Inspection VPC architecture is the recognized best practice and reference model. It addresses both east-west and egress traffic inspection needs while offering flexibility and efficiency in a multi-VPC environment.

In the Centralized Inspection VPC architecture, a dedicated inspection VPC is established to host your firewall appliances. All traffic requiring inspection from your application or spoke VPCs is routed through AWS Transit Gateway to these centralized firewall appliances using GWLB endpoints within the Egress VPC. This encompasses both east-west traffic between VPCs and egress traffic directed towards the internet.

To manage the firewall appliances effectively, the inspection VPC can connect to the Transit Gateway. This allows secure management traffic, enabling administrators to access and control the firewalls from designated management VPCs or on-premises networks via Direct Connect or VPN connections. For internet-bound traffic, once inspected by the firewall appliances, the traffic exits through an internet gateway connected to the Egress VPC. Customers can choose between using AWS NAT (Network Address Translation) Gateway (one-arm firewall deployment) or their own firewall appliances for NAT capabilities (two-arm firewall deployment), based on their specific needs and preferences.

In a one-arm firewall deployment, there’s a single interface within a private subnet that only receives traffic for inspection. In contrast, a two-arm firewall deployment employs two interfaces: one in a private subnet for inspection and another in a public subnet, allowing the firewall to perform NAT—if supported—for internet egress. Customers should note that the two-arm approach is only viable when the firewall vendor supports this architecture. For those preferring to use their firewalls for NAT capabilities, a two-arm architecture can be established, allowing traffic to exit directly from the inspection VPC.
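The Centralized Inspection VPC design described above only works if every route table on the path agrees: spoke subnets forward to the Transit Gateway, the spoke-side Transit Gateway route table forwards to the Egress VPC attachment, the Egress VPC hands traffic to the GWLB endpoint, and post-inspection traffic is returned to the Transit Gateway (east-west) or sent to the NAT Gateway and internet gateway (one-arm egress). A single misplaced route lets a flow skip the firewall. The following is an added example, not code from the original post or from AWS: it models a one-arm deployment as a set of constructed route tables (the `rtb-`, `tgw-`, `gwlbe-1`, `nat-1` and `igw-1` identifiers and the CIDRs are all invented for illustration), traces a flow hop by hop with longest-prefix matching, and reports any flow that reaches its destination or the internet gateway without crossing a GWLB endpoint. A deliberately added direct spoke-to-spoke Transit Gateway route shows the kind of bypass the check is meant to catch.

```python
"""Trace flows through a Centralized Inspection VPC (one-arm) design and flag any
flow that bypasses the GWLB endpoint.

Example code, not AWS's. Every identifier, CIDR and route below is constructed
for illustration; real route tables would come from describe-route-tables and
search-transit-gateway-routes.
"""
import ipaddress

# Constructed route tables: list of (destination CIDR, target); longest prefix wins.
ROUTE_TABLES = {
    # Spoke VPC subnets: everything non-local goes to the Transit Gateway.
    "rtb-spoke-a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw-1")],
    "rtb-spoke-b": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw-1")],
    # TGW route table associated with the spoke attachments: all traffic to the Egress VPC.
    "tgw-rtb-spokes": [("0.0.0.0/0", "tgw-attach-egress")],
    # TGW route table associated with the Egress VPC attachment: return to the right spoke.
    "tgw-rtb-egress": [("10.1.0.0/16", "tgw-attach-spoke-a"),
                       ("10.2.0.0/16", "tgw-attach-spoke-b")],
    # Egress VPC (10.0.0.0/16), TGW attachment subnet: hand everything to the GWLB endpoint.
    "rtb-egress-tgw-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "gwlbe-1")],
    # Egress VPC, GWLB endpoint subnet: after inspection, east-west back to the TGW,
    # internet-bound traffic to the NAT Gateway (one-arm deployment).
    "rtb-egress-gwlbe-subnet": [("10.0.0.0/16", "local"), ("10.0.0.0/8", "tgw-1"),
                                ("0.0.0.0/0", "nat-1")],
    # Egress VPC, public subnet: NAT Gateway out via the internet gateway; return traffic
    # for the spokes goes back through the GWLB endpoint to keep the flow symmetric.
    "rtb-egress-public-subnet": [("10.0.0.0/16", "local"), ("10.0.0.0/8", "gwlbe-1"),
                                 ("0.0.0.0/0", "igw-1")],
}

# Which TGW route table a VPC attachment is associated with (keyed by the subnet
# route table that sends traffic to the TGW), and which VPC route table receives
# traffic arriving from the TGW at each attachment.
TGW_ASSOCIATION = {"rtb-spoke-a": "tgw-rtb-spokes", "rtb-spoke-b": "tgw-rtb-spokes",
                   "rtb-egress-gwlbe-subnet": "tgw-rtb-egress"}
ATTACHMENT_INGRESS_RTB = {"tgw-attach-spoke-a": "rtb-spoke-a",
                          "tgw-attach-spoke-b": "rtb-spoke-b",
                          "tgw-attach-egress": "rtb-egress-tgw-subnet"}
# Route table that applies after a gateway endpoint / NAT Gateway emits the packet.
NEXT_RTB = {"gwlbe-1": "rtb-egress-gwlbe-subnet", "nat-1": "rtb-egress-public-subnet"}

# Constructed misconfiguration: a direct spoke-to-spoke route on the spoke TGW table,
# which would deliver spoke-a -> spoke-b traffic without ever reaching the firewall.
BYPASS_TABLES = {**ROUTE_TABLES,
                 "tgw-rtb-spokes": [("10.2.0.0/16", "tgw-attach-spoke-b"),
                                    ("0.0.0.0/0", "tgw-attach-egress")]}


def lookup(tables, rtb, dst):
    """Longest-prefix match in one route table; returns the target or None."""
    best = None
    for cidr, target in tables[rtb]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_rtb, dst_ip, tables=ROUTE_TABLES, max_hops=12):
    """Follow a packet from a source subnet route table to delivery ('local'),
    the internet gateway, a black hole (None) or a routing loop."""
    dst = ipaddress.ip_address(dst_ip)
    path, rtb = [src_rtb], src_rtb
    for _ in range(max_hops):
        target = lookup(tables, rtb, dst)
        path.append(target)
        if target is None or target in ("local", "igw-1"):
            return path
        if target == "tgw-1":
            rtb = TGW_ASSOCIATION[rtb]          # enter the TGW route table for this attachment
        elif target.startswith("tgw-attach-"):
            rtb = ATTACHMENT_INGRESS_RTB[target]  # leave the TGW into the attached VPC
        else:
            rtb = NEXT_RTB[target]              # GWLB endpoint or NAT Gateway subnet
    return path + ["loop"]


def is_inspected(path):
    """A flow counts as inspected only if it crossed a GWLB endpoint before it was
    delivered locally or left through the internet gateway."""
    return path[-1] in ("local", "igw-1") and any(
        isinstance(h, str) and h.startswith("gwlbe-") for h in path[:-1])


def audit(tables, flows):
    """Return the (src_rtb, dst_ip) flows that never pass through a GWLB endpoint."""
    return [(s, d) for s, d in flows if not is_inspected(trace(s, d, tables))]


# Constructed flows: east-west in both directions, plus one internet-bound (TEST-NET-2).
FLOWS = [("rtb-spoke-a", "10.2.0.5"), ("rtb-spoke-b", "10.1.0.9"),
         ("rtb-spoke-a", "198.51.100.7")]

if __name__ == "__main__":
    for s, d in FLOWS:
        print(s, "->", d, ":", " > ".join(str(h) for h in trace(s, d)))
    print("bypasses (correct design):", audit(ROUTE_TABLES, FLOWS))
    print("bypasses (misconfigured):", audit(BYPASS_TABLES, FLOWS))
```

Running the block prints the full hop sequence for each flow, showing the GWLB endpoint between the Transit Gateway attachment and either the return to the Transit Gateway or the NAT Gateway; the audit is empty for the correct design and names the spoke-a to spoke-b flow for the misconfigured one. For a two-arm deployment the `rtb-egress-gwlbe-subnet` default route to `nat-1` and the public subnet disappear, because the appliance performs NAT on its own public interface and egresses from the inspection VPC directly.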

For further insights into one-arm versus two-arm firewall deployments, refer to the “Best practices for deploying Gateway Load Balancer” blog post.

Distributed vs. Centralized Internet Ingress Design

When designing the internet ingress architecture for your AWS environment, there are two primary approaches to consider: distributed ingress and centralized ingress. Each method has its own set of tradeoffs, and the choice ultimately depends on the specific requirements of your organization.