AWS Cloud WAN simplifies the process of creating and managing wide area networks that connect your data centers, branch offices, and Amazon Virtual Private Clouds (VPCs). With Cloud WAN, you can connect to AWS using your preferred local network providers, and control everything from a centralized dashboard, along with network policies to create a cohesive network linking your various locations and network types. For hybrid connectivity, AWS Transit Gateway and AWS Direct Connect can be employed to securely integrate cloud resources with on-premises data centers. Transit Gateway serves as a central hub, connecting your VPCs and on-premises networks, functioning as a highly scalable cloud router. Meanwhile, Direct Connect offers a private network link that optimally routes to your AWS resources over the global AWS network.
In a prior blog entry, we discussed centralized architectures for native East-West (VPC-to-VPC) inspection within and across Regions using Cloud WAN. In this second part, we will explore hybrid traffic flows and security inspection architectures that utilize Cloud WAN.
Key Concepts
Network segments are crucial for determining how traffic is routed through the core network and between Cloud WAN attachments. These segments represent dedicated routing domains, meaning that by default, only attachments within the same segment can communicate. By utilizing network segments, you can partition your global network into distinct isolated networks—for instance, separating traffic between production and development environments or different business units.
To fully benefit from this post, it’s essential to understand the following components of Cloud WAN:
- Global network
- Core network
- Core network policy
- Attachments
- Core Network Edge
- Network segment
For more detailed insights, refer to the Cloud WAN documentation. The “Introducing AWS Cloud WAN” blog post also offers an excellent overview of these concepts in practice.
Hybrid Traffic Flow Architectures with Cloud WAN and Direct Connect
Before diving into hybrid security inspection architectures, it’s important to comprehend the network traffic flows between on-premises locations and VPCs linked via Cloud WAN, Transit Gateway, and Direct Connect. To establish hybrid connectivity with Direct Connect between on-premises and AWS Cloud, the Direct Connect link must be terminated at a Transit Gateway, which is then peered with Cloud WAN. These peering connections facilitate the interconnection of your core network edge with a Transit Gateway in the same Region. They support dynamic routing and automatic exchange of routes using Border Gateway Protocol (BGP). Route table attachments on the peering connection can selectively exchange routes between a specific transit gateway route table and a Cloud WAN network segment, ensuring end-to-end segmentation and isolation. The peering connection also supports policy-based routing for segment isolation across peering connections. For additional details, consult the Cloud WAN documentation on peering and routing.
For clients accessing critical workloads via Direct Connect, it is highly advised to ensure maximum resiliency by configuring redundant Direct Connect connections that terminate on distinct devices across multiple colocation facilities. At the very least, have one connection each at two different colocation facilities to achieve high resiliency. In this discussion, we will use a high resiliency configuration as an example to explain traffic flows for two scenarios:
- Active/Active: Both on-premises locations utilize Direct Connect to link with a single Direct Connect gateway (DXGW), advertising the same prefixes and BGP attributes toward AWS Cloud WAN through a peered Transit Gateway. No BGP traffic engineering is applied.
- Active/Passive: Both on-premises locations connect using Direct Connect to a single DXGW and advertise the same prefixes. Here, one path is designated as active/primary and the other as passive/secondary toward the on-premises locations, via the Transit Gateway peered with Cloud WAN and the DXGW.
It is important to note that the setup and configuration of Transit Gateway and Direct Connect for hybrid connectivity, along with Cloud WAN peering with Transit Gateway, are crucial topics that we will not delve into in this post.
A DXGW serves as a global resource capable of terminating virtual interfaces from Direct Connect locations homed to multiple AWS Regions. There are scenarios where using more than one DXGW could be beneficial, such as:
- Routing traffic through a device in your data center for VPC-to-VPC connectivity.
- Routing traffic through a Transit Gateway for Data Center-to-Data Center connectivity. This can also be performed using the Direct Connect SiteLink feature.
- Navigating Direct Connect quotas, for example, for Transit gateways per AWS Direct Connect gateway.
BGP traffic engineering (achieving Active/Active or Active/Passive configurations) between virtual interfaces is viable when they terminate at a single DXGW, which is why we will utilize a single DXGW in this blog to illustrate the traffic flows. For more about BGP traffic engineering over Direct Connect, check out the “Creating active/passive BGP connections over AWS Direct Connect” blog post.
Scenario 1 – Both Hybrid Connections are Active/Active
In this scenario, both Data Centers 1 and 2 are connected via Direct Connect, advertising the same 0.0.0.0/0 prefix. No BGP traffic engineering has been applied to either connection. This is illustrated in the diagram (Figure 1a).
- (A) Each VPC within the Region advertises its local VPC CIDR to the Cloud WAN CNE through its respective VPC attachment (Prod VPC 1 in Region 1: 10.1.0.0/16 and Prod VPC 2 in Region 2: 172.20.0.0/16). Both are attached to the Production Segment. The route tables of both VPCs point to Cloud WAN as the next hop.
- (B) Data Center 1 is linked to Direct Connect Location 1 (Associated Home Region), and Data Center 2 to Direct Connect Location 2 (Associated Home Region); both are advertising a default route (0.0.0.0/0) to the DXGW.
- (C) Both Transit Gateways 1 and 2 have been peered with Cloud WAN and are attached to the Hybrid Segment.
- (D) The Cloud WAN Production and Hybrid Segments are shared, allowing both Cloud WAN segments to learn all routes from one another.
- (E) Since the Production segment is shared with the Hybrid segment (to which both Transit Gateways are attached), the Transit Gateways learn the Prod VPC 1 10.1.0.0/16 (Region 1) and Prod VPC 2 172.20.0.0/16 (Region 2) CIDRs through their respective local Region Cloud WAN peering attachments.
- (F) Transit Gateways 1 and 2 receive the on-premises prefix 0.0.0.0/0 from the DXGW via BGP.
- (G) The DXGW Allowed Prefix List is configured for Transit Gateway 1 during association to include the Prod VPC 1 CIDR 10.1.0.0/16 in Region 1. Similarly, Transit Gateway 2’s DXGW Allowed Prefix List is set up to include the Prod VPC 2 CIDR 172.20.0.0/16 in Region 2.
- (H) The DXGW advertises both Prod VPC CIDRs on-premises.
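To make the segment-isolation rule from Key Concepts and step (D) concrete, here is an added example (not code from the original post or from AWS): a small audit over a constructed Cloud WAN core network policy document. It derives which segment pairs actually exchange routes from the policy's share actions, so a reviewer can confirm that only Production and Hybrid are shared and that Production stays isolated from, say, Development. The policy contents and the audit_isolation helper are assumptions of this example.

```python
import json

# Constructed sample core network policy (not the post's own), in the Cloud WAN
# policy document format: Production and Development VPC segments plus a Hybrid
# segment for the Transit Gateway peering route-table attachments.
SAMPLE_POLICY = json.loads("""
{
  "version": "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["64512-64555"],
    "edge-locations": [{"location": "us-east-1"}, {"location": "eu-west-1"}]
  },
  "segments": [
    {"name": "production", "require-attachment-acceptance": false},
    {"name": "development", "require-attachment-acceptance": false},
    {"name": "hybrid", "require-attachment-acceptance": true}
  ],
  "segment-actions": [
    {"action": "share", "mode": "attachment-route",
     "segment": "production", "share-with": ["hybrid"]}
  ]
}
""")


def route_exchange_pairs(policy):
    """Unordered segment pairs that learn each other's routes.
    Segments are isolated by default: only an explicit "share" action with
    mode "attachment-route" makes two segments exchange attachment routes.
    "share-with" is a list of segment names or "*" (every other segment)."""
    names = {s["name"] for s in policy.get("segments", [])}
    pairs = set()
    for act in policy.get("segment-actions", []):
        if act.get("action") != "share" or act.get("mode") != "attachment-route":
            continue
        src = act["segment"]
        targets = act.get("share-with", [])
        targets = names - {src} if targets == "*" else set(targets)
        unknown = ({src} | targets) - names
        if unknown:
            raise ValueError(f"share references unknown segment(s): {sorted(unknown)}")
        pairs.update(frozenset((src, dst)) for dst in targets)
    return pairs


def audit_isolation(policy, must_stay_isolated):
    """Pairs from must_stay_isolated that the policy actually shares, as sorted
    tuples; an empty list means the intended isolation holds."""
    shared = route_exchange_pairs(policy)
    return sorted(tuple(sorted(p)) for p in must_stay_isolated if frozenset(p) in shared)
```

Running audit_isolation against the policy before each change-set is applied catches an accidental "share-with": "*" that would let the Hybrid segment reach every VPC segment.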