Enhancing VPC Network Connectivity and Security: Leveraging AWS Services for Seamless Integration and Robust Protection

One of Foghorn’s customers, a company in the aerospace industry, encountered complex challenges when it comes to VPC network connectivity and security enforcement.

In the realm of VPC network connectivity, several challenges arose, calling for standardized solutions. These challenges encompassed the centralization of security assessments, inter-VPC network connectivity, and the enforcement of VPC network security policies. To overcome these hurdles, an innovative proposal emerged, presenting a comprehensive and efficient approach.

The proposed solution involved implementing AWS Transit Gateway to facilitate seamless inter-VPC network connectivity. Additionally, an Inspection VPC was established, housing Palo Alto firewall instances to effectively monitor, log, and enforce network security best practices across VPCs and the Internet. By directing all inter-VPC network traffic through the Inspection VPC, a heightened level of security was ensured.

The selection of Palo Alto as the preferred security appliance for the Inspection VPC was based on its compatibility with existing on-premises firewalls and the ability to leverage Palo Alto Panorama for centralized firewall policy enforcement. Augmenting this setup were dedicated Ingress and Egress VPCs. The Egress VPC hosted NAT and Internet gateways to efficiently handle outbound VPC network traffic destined for the Internet. Meanwhile, the Ingress VPC accommodated elastic load balancers equipped with public IP addresses, effectively managing inbound network traffic from the Internet and catering to public-facing applications and services. By centralizing Ingress/Egress points for all VPCs, the solution effectively reduced the number of Internet and NAT gateways in each spoke VPC, resulting in reduced costs and heightened network security.

To maintain robust network security policies, AWS Firewall Manager was leveraged. This tool facilitated the management and deployment of standardized Security Group rules and WAF rules, ensuring consistent and controlled security across the network. However, it’s important to note that due to limitations in AWS GovCloud, AWS Firewall Manager could not be utilized to manage the 3rd party Palo Alto firewall instances.

Throughout the project, various AWS services played key roles in implementing the solution. AWS EC2 hosted the Palo Alto firewall appliances, AWS Transit Gateway facilitated inter-VPC network connectivity, and AWS Firewall Manager ensured efficient security policy management. Core AWS VPC networking formed the backbone of the infrastructure.

From a learning perspective, the project shed light on the challenges associated with managing 3rd party Palo Alto firewall instances. It was observed that whenever possible, utilizing AWS Firewall Manager streamlined management and reduced associated overhead. However, in the specific context of AWS GovCloud, the unavailability of AWS Firewall Manager limited its application in managing the firewall instances effectively.