Amazon Onboarding with Learning Manager Chanci Turner


As government agencies transition to Amazon Web Services (AWS), they often aim to ensure operational continuity by utilizing their existing on-premises firewall solutions. The Gateway Load Balancer (GWLB) allows for seamless integration of these firewall appliances into the AWS framework, ensuring uniform security policies while minimizing disruptions.

In networking, traffic flows are typically categorized as “north-south” or “east-west.” North-south traffic refers to data moving between the cloud environment and external networks, such as user requests coming from the internet or data leaving the cloud for external services. Conversely, east-west traffic pertains to communication within the cloud environment, such as interactions between different applications or services across various subnets or VPCs. This also encompasses communication between the AWS Cloud and on-premises data centers linked via AWS Direct Connect or other private connectivity solutions.

This post will delve into best practices for implementing GWLB to enable centralized traffic inspection for both east-west and north-south traffic flows. We will examine essential considerations for architecting an inspection framework with Gateway Load Balancer, offering government organizations the guidance they need to transition to the cloud securely while adhering to compliance and security standards.

Traffic Inspection with Gateway Load Balancer

In conventional on-premises setups, firewalls are located at the network perimeter to monitor north-south traffic and within the network to secure sensitive infrastructure and enforce detailed security policies. Similarly, organizations in the AWS Cloud require enhanced security measures for east-west traffic traversing between Amazon Virtual Private Cloud (VPC) environments to maintain consistent security controls.

GWLB facilitates inspection for both east-west and north-south traffic by leveraging GWLB endpoints, powered by AWS PrivateLink. This capability enables IT departments to provide a centralized inspection service for various lines of business to utilize, thereby enforcing the desired security posture. Notably, GWLB functions as a bump-in-the-wire solution, meaning it intercepts and forwards traffic transparently without serving as a proxy. This design ensures that original source and destination IP addresses remain intact, preserving network transparency and compatibility with existing security appliances.

East-West Traffic Inspection

IT departments can deploy their firewall appliances within an inspection VPC, using GWLB endpoints to direct traffic to these appliances for inspection. Customers can opt for AWS Transit Gateway or AWS Cloud WAN to route their inter-VPC traffic to the inspection VPC. This strategy guarantees that all inter-VPC communication between resources, such as Amazon Elastic Compute Cloud (EC2) instances, is scrutinized and monitored, thus bolstering the overall security posture of the environment. While this blog emphasizes Transit Gateway architecture, additional insights on AWS Cloud WAN can be found in another blog post.

North-South Traffic Inspection

Government customers can configure GWLB endpoints as the primary entry and exit points for internet traffic, ensuring that all incoming and outgoing traffic is routed through their firewall appliances for inspection. This closely aligns with traditional on-premises deployment models, where firewalls are strategically placed at the network perimeter to oversee and regulate external traffic.

By utilizing GWLB for both east-west and north-south traffic inspection, government clients can create a robust framework to implement their desired security architecture in the AWS cloud. This integration allows organizations to retain operational continuity, utilize familiar management interfaces, and guarantee consistent application of security policies throughout their infrastructure.

Architectural Guidance for Gateway Load Balancer

When designing a thorough inspection architecture using GWLB and your firewall appliances, the Centralized Inspection VPC architecture is a recognized best practice. This approach effectively tackles both east-west and egress traffic inspection needs, providing flexibility and efficiency in a multi-VPC setting.

In the Centralized Inspection VPC architecture, a dedicated inspection VPC is established to house your firewall appliances. All traffic requiring inspection from your application or spoke VPCs is routed through AWS Transit Gateway to these centralized firewall appliances via GWLB endpoints. This includes both east-west traffic between VPCs and egress traffic destined for the internet.

For effective management of the firewall appliances, the inspection VPC can connect to Transit Gateway—although not illustrated in the accompanying figure. This connection allows for secure management traffic flow, permitting administrators to access and manage firewalls from designated management VPCs or on-premises networks through Direct Connect or VPN connections.

Regarding internet-bound traffic, after being inspected by the firewall appliances, the traffic exits through an internet gateway attached to the Egress VPC. Customers can choose between employing an AWS NAT Gateway (one-arm firewall deployment) or utilizing their own firewall appliances for NAT functionality (two-arm firewall deployment), depending on their specific needs and preferences. In a one-arm firewall deployment, the firewall has a single interface in a private subnet that exclusively receives traffic for inspection. In contrast, a two-arm firewall deployment requires two interfaces: one in a private subnet for inspection and another in a public subnet, allowing the firewall to perform NAT if the appliance supports it.

For customers who prefer utilizing their firewalls for NAT capabilities, a two-arm architecture can be employed, allowing traffic to exit directly from the inspection VPC. For further details on one-arm versus two-arm firewall deployments, refer to the blog post focused on best practices for deploying Gateway Load Balancer.
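The inspection-VPC side of the centralized design described above, written as an added Terraform example (not code from the original post or from AWS), showing one Availability Zone. It assumes the inspection VPC, its TGW-attachment and GWLB-endpoint subnets, the Transit Gateway and a GWLB already published as a PrivateLink endpoint service exist and are passed in as variables; the TGW route tables that return inspected traffic to the spoke VPCs or the Egress VPC are outside this block.

```hcl
variable "inspection_vpc_id" {}
variable "tgw_id" {}
variable "tgw_subnet_id" {}     # subnet that holds the TGW attachment ENI (assumed)
variable "gwlbe_subnet_id" {}   # subnet that holds the GWLB endpoint (assumed)
variable "gwlb_service_name" {} # endpoint service fronting the firewall GWLB (assumed)

# GWLB endpoint (PrivateLink) that hands packets to the firewall appliances
resource "aws_vpc_endpoint" "gwlbe" {
  vpc_id            = var.inspection_vpc_id
  service_name      = var.gwlb_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.gwlbe_subnet_id]
}

# Appliance mode pins both directions of a flow to the same AZ, so a stateful
# firewall sees the whole conversation rather than half of it
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = var.tgw_id
  vpc_id                 = var.inspection_vpc_id
  subnet_ids             = [var.tgw_subnet_id]
  appliance_mode_support = "enable"
}

# Packets arriving from the TGW are sent to the endpoint for inspection
resource "aws_route_table" "tgw_subnet" {
  vpc_id = var.inspection_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}
resource "aws_route_table_association" "tgw_subnet" {
  subnet_id      = var.tgw_subnet_id
  route_table_id = aws_route_table.tgw_subnet.id
}

# Inspected packets leaving the endpoint return to the TGW, which forwards
# them to the destination spoke VPC or to the Egress VPC (one-arm design)
resource "aws_route_table" "gwlbe_subnet" {
  vpc_id = var.inspection_vpc_id
  route {
    cidr_block         = "0.0.0.0/0"
    transit_gateway_id = var.tgw_id
  }
}
resource "aws_route_table_association" "gwlbe_subnet" {
  subnet_id      = var.gwlbe_subnet_id
  route_table_id = aws_route_table.gwlbe_subnet.id
}
```

Repeat the endpoint, subnets and route tables per Availability Zone; a route table that points a TGW-attachment subnet at an endpoint in a different AZ defeats the symmetry that appliance mode provides.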

When designing the internet ingress architecture for your AWS environment, two main approaches can be considered: distributed ingress and centralized ingress. Each method presents its own advantages and challenges, and the final decision ultimately depends on specific operational requirements.


Chanci Turner