Amazon VPC Routing Enhancements Enable Traffic Inspection Between Subnets in a VPC

Since December 2019, Amazon Virtual Private Cloud (Amazon VPC) has provided the ability to route all incoming traffic (often referred to as north-south traffic) to a designated network interface. This feature can be utilized for various purposes, such as inspecting incoming traffic with an intrusion detection system (IDS) or directing ingress traffic to a firewall.

Since the launch of this capability, many users have requested a similar feature to analyze traffic moving between subnets within their VPC, also known as east-west traffic. Until now, this was not feasible because a route in a routing table could not be more specific than the default local route (for more details, refer to the VPC documentation). To clarify, this means that no route could specify a destination with a smaller CIDR range than the default local route (which encompasses the entire VPC CIDR range). For instance, if the VPC range is 10.0.0.0/16 and a subnet has 10.0.1.0/24, a route to 10.0.1.0/24 is considered more specific than a route to 10.0.0.0/16.

This restriction has now been lifted: you can create routes that are more specific than the default local route. This allows you to direct traffic flowing between two subnets (east-west traffic) to a dedicated appliance or service for inspection, analysis, or filtering. The route target can be the network interface (ENI) of an appliance you built or acquired, an AWS Gateway Load Balancer (GWLB) endpoint that distributes traffic across multiple appliances for higher performance or availability, an AWS Network Firewall endpoint, or even a NAT gateway. The same mechanism also lets you insert an appliance between a subnet and an AWS Transit Gateway.

You can even chain appliances together to conduct various types of analysis between source and destination subnets. For example, you might first filter traffic using a firewall (AWS managed or a third-party appliance), then send the traffic to an intrusion detection and prevention system, and finally perform deep packet inspection. You can access virtual appliances through our AWS Partner Network and AWS Marketplace.

When chaining appliances, it is essential that each appliance and endpoint reside in separate subnets.

Now, let’s dive into this new capability.

How It Works

For the sake of this blog post, let’s assume I have a VPC with three subnets. The first subnet is public and hosts a bastion host, which needs access to resources in the second subnet. The second subnet is private, containing the resources necessary for the bastion. I’ve created a simple CDK script to help you deploy this setup.

Due to compliance mandates, my company requires that traffic to this private application flows through an intrusion detection system. The CDK script therefore creates a third subnet, also private, to host a network appliance. In total, the script launches three Amazon Elastic Compute Cloud (Amazon EC2) instances: the bastion host, the application instance, and the network analysis appliance. It also sets up a NAT gateway so that the application instance can bootstrap and so that all three instances can be reached through AWS Systems Manager Session Manager (SSM).

For demonstration purposes, the network appliance is merely a standard Amazon Linux EC2 instance configured as an IP router. In practice, you’ll likely use one of the many appliances offered by our partners on the AWS Marketplace, a Gateway Load Balancer endpoint, or a Network Firewall endpoint.

Next, let’s update the routing tables to direct traffic through the appliance.

Using the AWS Management Console or the AWS Command Line Interface (AWS CLI), I’ll add more specific routes to the 10.0.0.0/24 and 10.0.1.0/24 subnet routing tables. These routes will point to eni0, the network interface of the traffic-inspection appliance.

First, I gather the VPC ID, Subnet IDs, routing table IDs, and the ENI ID of the appliance.

VPC_ID=$(aws                                                    \
    --region "$REGION" cloudformation describe-stacks           \
    --stack-name SpecificRoutingDemoStack                       \
    --query "Stacks[].Outputs[?OutputKey=='VPCID'].OutputValue" \
    --output text)
echo "$VPC_ID"

Next, I’ll add two more specific routes. One route sends traffic from the bastion public subnet to the application private subnet via the appliance network interface. The second route is in reverse, routing replies from the application private subnet back to the bastion public subnet through the appliance network interface.

Let’s modify the bastion routing table:

aws ec2 create-route                                  \
    --region "$REGION"                                \
    --route-table-id "$BASTION_SUBNET_ROUTE_TABLE"    \
    --destination-cidr-block 10.0.1.0/24              \
    --network-interface-id "$APPLIANCE_ENI_ID"

Next, let’s adjust the application routing table:

aws ec2 create-route                                    \
    --region "$REGION"                                  \
    --route-table-id "$APPLICATION_SUBNET_ROUTE_TABLE"  \
    --destination-cidr-block 10.0.0.0/24                \
    --network-interface-id "$APPLIANCE_ENI_ID"

You can also use the Amazon VPC Console to perform these updates. Select the “Bastion” routing table, open the Routes tab, and click Edit routes. Add a route directing traffic for 10.0.1.0/24 (the application subnet) to the appliance ENI. Then repeat the process on the application routing table to establish the return route, directing traffic for 10.0.0.0/24 (the bastion subnet) through the appliance ENI.
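To make the routing behaviour concrete, here is a small model of how the VPC router resolves the routes just created. This is an added example written for this post, not code from the post or from AWS: it implements longest-prefix match over a subnet route table, builds the three subnet tables before and after the two `aws ec2 create-route` calls above, and follows a packet from the bastion to the application and back. It also shows why the appliance must live in its own subnet, as the earlier section states: if the appliance ENI sat in the application subnet, the reply traffic would re-enter the application route table, match the more-specific 10.0.0.0/24 route again and loop. The appliance subnet CIDR (10.0.2.0/24), the ENI id placeholder, and the two host addresses are constructed values; the post does not give them. The model assumes, as a simplification, that traffic re-sent by the appliance is routed using the route table of the subnet that holds its ENI.

```python
import ipaddress

# Addresses from the post: VPC 10.0.0.0/16, bastion subnet 10.0.0.0/24,
# application subnet 10.0.1.0/24. The appliance subnet CIDR and the ENI id
# are not given in the post; the values below are constructed for the example.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "bastion": "10.0.0.0/24",
    "application": "10.0.1.0/24",
    "appliance": "10.0.2.0/24",  # assumption: the third (appliance) subnet
}
APPLIANCE_ENI = "eni-APPLIANCE-PLACEHOLDER"  # stands in for $APPLIANCE_ENI_ID
BASTION_IP, APP_IP = "10.0.0.10", "10.0.1.10"  # constructed host addresses


def is_more_specific(cidr, vpc_cidr=VPC_CIDR):
    """True if `cidr` lies inside the VPC and has a longer prefix than the VPC
    range, i.e. it is a route that overrides the default local route for that
    range (the kind of route that could not be created before this change)."""
    net, vpc = ipaddress.ip_network(cidr), ipaddress.ip_network(vpc_cidr)
    return net.subnet_of(vpc) and net.prefixlen > vpc.prefixlen


def lookup(routes, dst_ip):
    """Longest-prefix match over (cidr, target) pairs, the rule a VPC route
    table applies. Returns the target of the most specific matching route."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_containing(ip):
    """Name of the subnet whose CIDR contains `ip`."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any known subnet")


def trace(route_tables, eni_subnet, src_ip, dst_ip, max_hops=5):
    """Follow one packet through the VPC. Each hop uses the route table of the
    subnet the packet is leaving: first the sender's subnet, then, after an ENI
    target, the subnet that ENI lives in (the appliance re-sends the packet from
    there; a modelling assumption). Returns the list of route targets taken,
    ending in 'local' when delivered or 'LOOP' when the packet never arrives."""
    path = []
    current = subnet_containing(src_ip)
    for _ in range(max_hops):
        target = lookup(route_tables[current], dst_ip)
        path.append(target)
        if target == "local":
            return path
        current = eni_subnet[target]
    path.append("LOOP")
    return path


def route_tables(inspected):
    """Build the three subnet route tables. With inspected=True the two
    more-specific routes from the post's `aws ec2 create-route` calls are added."""
    tables = {name: [(VPC_CIDR, "local")] for name in SUBNETS}
    if inspected:
        tables["bastion"].append(("10.0.1.0/24", APPLIANCE_ENI))
        tables["application"].append(("10.0.0.0/24", APPLIANCE_ENI))
    return tables


def demo():
    """Return the path a packet takes in each scenario."""
    results = {}
    # Before the change: only the local route exists, so traffic goes direct.
    results["direct"] = trace(route_tables(False), {}, BASTION_IP, APP_IP)
    # After the change, appliance in its own subnet: both directions transit the ENI.
    correct = {APPLIANCE_ENI: "appliance"}
    results["forward"] = trace(route_tables(True), correct, BASTION_IP, APP_IP)
    results["reply"] = trace(route_tables(True), correct, APP_IP, BASTION_IP)
    # Misplaced appliance (ENI in the application subnet): replies re-enter the
    # application table, match the 10.0.0.0/24 route again and never leave.
    wrong = {APPLIANCE_ENI: "application"}
    results["reply_misplaced"] = trace(route_tables(True), wrong, APP_IP, BASTION_IP)
    return results


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:16} {' -> '.join(path)}")
```

Running the script prints one line per scenario: `direct` resolves to `local`, `forward` and `reply` both go through the appliance ENI and then `local`, and `reply_misplaced` ends in `LOOP`. The `is_more_specific` check is a useful pre-flight test before calling `aws ec2 create-route`: it confirms the destination CIDR actually sits inside the VPC range and is narrower than it, which is what makes the route take precedence over the default local route.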
