Centralized Network Inspection in AWS


As the number of AWS Accounts/VPC networks grows within an organization, network and security operations teams are often left wondering…

  • How are we going to enable standardized network connectivity to all these VPCs and on-premises environments at scale?
  • How can we manage and enforce firewall security policy best practices when the app teams just created another half dozen VPCs?
  • How do we accomplish all this while not slowing down the business and cloud adoption rate?

AWS Transit Gateway, in conjunction with an Inspection VPC, can provide network visibility and logging and enforce firewall security policies for all network traffic, whether it is VPC-to-VPC, VPC-to-On-Premises, On-Premises-to-VPC, VPC-to-Internet, or Internet-to-VPC.

AWS Transit Gateway simplifies your network architecture and puts an end to complex peering relationships. As the number of AWS accounts grows, so does the number of VPC networks to manage. This puts pressure on network and security teams to quickly establish standardized network access for VPCs while maintaining a safe and secure network. Transit Gateway, in conjunction with the Inspection VPC, allows a one-time connection to establish network connectivity while ensuring that all VPC network traffic is subject to a standardized set of network security policies.

An Inspection VPC can monitor, log, and enforce network security policies for inter-VPC and VPC-to-on-premises network traffic. All VPC traffic is routed through a Transit Gateway to a centralized VPC, known as the Inspection VPC, which hosts the network security tooling that inspects traffic and enforces firewall security rules. That tooling can be the native AWS Network Firewall or a third-party firewall appliance, such as a Palo Alto or Cisco cloud firewall. Transit Gateway routing rules send VPC network traffic to the Inspection VPC first, where it is monitored and logged and a decision is made whether the connection should be allowed or blocked. If it is allowed, the traffic continues on to its destination as normal.
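The Transit Gateway routing just described, as an added Terraform example that is not from the Foghorn post: a spoke route table whose only route points at the Inspection VPC attachment, and an inspection route table that learns the spoke CIDRs by propagation so allowed traffic is delivered onward. The Transit Gateway, the spoke attachments (with default association and propagation disabled) and the Inspection VPC are assumed to already exist; every ID below is a placeholder.

```hcl
# Added example, not the Foghorn post's own code. The Transit Gateway, spoke
# attachments and inspection VPC are assumed to exist; IDs are placeholders.
locals {
  tgw_id             = "tgw-PLACEHOLDER"
  inspection_vpc_id  = "vpc-INSPECTION-PLACEHOLDER"
  inspection_subnets = ["subnet-INSPECTION-A", "subnet-INSPECTION-B"]
  spoke_attachments  = { app = "tgw-attach-APP", data = "tgw-attach-DATA" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id = local.tgw_id
  vpc_id             = local.inspection_vpc_id
  subnet_ids         = local.inspection_subnets
  # Appliance mode pins both directions of a flow to one AZ so a stateful
  # firewall sees the whole connection rather than half of it.
  appliance_mode_support                          = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Spoke route table: one default route sends everything to the inspection VPC,
# so spokes cannot reach each other except through the firewall.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = local.tgw_id
}
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = local.spoke_attachments
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# Inspection route table: learns every spoke CIDR by propagation, so traffic the
# firewall allows is delivered onward to its real destination.
resource "aws_ec2_transit_gateway_route_table" "inspection" {
  transit_gateway_id = local.tgw_id
}
resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes" {
  for_each                       = local.spoke_attachments
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
```

The subnet route tables inside the Inspection VPC still have to steer traffic from the Transit Gateway attachment subnets to the firewall endpoints and back, which this fragment does not cover.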

Foghorn Blog - Centralized Network Inspection in AWS

Since the release of AWS Network Firewall, you can leverage a managed, scalable, stateful firewall service to secure and protect VPCs without the overhead of deploying and administering any infrastructure. AWS Network Firewall includes features that provide protection from common network threats, making it an ideal candidate for the Inspection VPC. Some of these features include:

  • Network port and protocol filtering
  • Intrusion prevention system (IPS)
  • URL web filtering

If you’d prefer to use a different firewall vendor, AWS Firewall Manager can now deploy and monitor third-party cloud firewalls distributed from the AWS Marketplace. Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts in AWS. In addition to firewall rules, Firewall Manager can manage WAF rules as well as configure and audit VPC security groups.

Network routing rules and security policies are no longer one-offs configured on a per-VPC basis. Network connectivity is established through a one-time Transit Gateway connection. Network security tools and policies are centrally managed in the Inspection VPC via Firewall Manager. All VPC network traffic is routed through the Inspection VPC and subject to a standard set of network security policies. This allows cloud operations teams to quickly deploy new AWS Accounts/VPC networks while maintaining standardized network access that is safe and secure for the organization. This, in turn, enables app teams to move at the speed the Cloud offers without operations becoming a bottleneck.