https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130557#M1464 <P>Oh ok.&nbsp;</P> <P>Actually I logged in to usercenter with that account so it took automatically. After posting comment, it was not displaying so finally I replied again with my account.&nbsp;</P> Wed, 29 Sep 2021 12:22:07 GMT Gaurav_Pandya 2021-09-29T12:22:07Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/129267#M1458 <P><FONT size="4"><SPAN>Until today, AWS didn't allow to add to a routing table a more specific route than the default VPC local route.</SPAN></FONT></P> <P><FONT size="4"><SPAN>For example, when the VPC range is&nbsp;</SPAN><CODE>10.0.0/16</CODE><SPAN>&nbsp;and a subnet has&nbsp;</SPAN><CODE>10.0.1.0/24</CODE><SPAN>, a route to&nbsp;</SPAN><CODE>10.0.1.0/24</CODE><SPAN>&nbsp;is more specific than a route to&nbsp;</SPAN><CODE>10.0.0/16</CODE><SPAN>.</SPAN></FONT></P> <P><FONT size="4">Routing tables no longer have this restriction. Routes in a routing table can have routes more specific than the default local route. You can use such a more specific route to send all traffic to a dedicated virtual appliance to inspect, analyze, or filter all traffic flowing between two subnets (east-west traffic). The route target can be the network interface (ENI) attached to a CloudGuard Gateway, an<SPAN>&nbsp;</SPAN><A href="https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/" target="_blank" rel="noopener">AWS Gateway Load Balancer</A><SPAN>&nbsp;</SPAN>(GWLB) endpoint to distribute traffic to multiple appliances for performance or high availability reasons. </FONT></P> <P><FONT size="4">It also allows inserting a virtual appliance between a subnet and an<SPAN>&nbsp;</SPAN><A href="https://aws.amazon.com/transit-gateway/" target="_blank" rel="noopener">AWS Transit Gateway</A>.</FONT></P> <P><FONT size="4">Check out the bellow simple use case</FONT></P> <P><FONT size="4">Traffic that is being sent between Subnet QA and Subnet Prod is now inspected by the CloudGuard Gateway.</FONT></P> <P><FONT size="4">This is the most basic use case, you can leverage it and use it in more complex use case where you have multiple VPC, TGW, and Gateway LoadBalnacer.</FONT></P> <P><FONT size="4">Feel free to comment and ask any question.</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="AWS Diagram-Copy of AWS DeepDive.drawio.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13686iD490B44CC8D03EF3/image-size/large?v=v2&amp;px=999" role="button" title="AWS Diagram-Copy of AWS DeepDive.drawio.png" alt="AWS Diagram-Copy of AWS DeepDive.drawio.png" /></span></P> <P>&nbsp;</P> <P><FONT size="4">&nbsp;</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 13 Sep 2021 10:41:28 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/129267#M1458 Shay_Levin 2021-09-13T10:41:28Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/129324#M1459 <P>That’s actually great news!<BR />I remember when we were first working with gateways in AWS and had to work around this limitation.<BR />This should make for much simpler deployments.</P> Mon, 13 Sep 2021 19:17:28 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/129324#M1459 PhoneBoy 2021-09-13T19:17:28Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130528#M1460 <P>Hi Phoneboy,</P> <P>It does help making deployments easier and cost effective, but it certainly seems the "worst" practice from the perspective of the Cloud Native Well-Architected Framework and our own Check Point Secure Blueprint.&nbsp;</P> <P>Not sure why AWS would offer this other than getting rid of the many complaints about their inability to create static routes within the VPC CIDR.</P> <P>Azure still offers IP forwarding on Peering and HA port Load Balancers, so I am curious when AWS will decide to "even" the score on that one as well, while offering TGW and GWLB on top.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 29 Sep 2021 09:03:06 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130528#M1460 Peter_Griekspoo 2021-09-29T09:03:06Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130533#M1462 <P>Hi Levin,</P> <P>Thanks for sharing this. I have one question, may be this is off topic.</P> <P>Cloudguard provides micro segmentation protection independently? or it requires other stuff like NSX to achieve this requirement</P> Wed, 29 Sep 2021 09:31:09 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130533#M1462 Gaurav_Pandya 2021-09-29T09:31:09Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130538#M1463 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8251">@Gaurav_Pandya</a>, the author's name is Shay, Levin is a surname.&nbsp;<BR /><BR />Please do post the same comments from different accounts. I have removed your double-posting comments, to avoid confusion.</P> Thu, 30 Sep 2021 09:10:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130538#M1463 _Val_ 2021-09-30T09:10:36Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130557#M1464 <P>Oh ok.&nbsp;</P> <P>Actually I logged in to usercenter with that account so it took automatically. After posting comment, it was not displaying so finally I replied again with my account.&nbsp;</P> Wed, 29 Sep 2021 12:22:07 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130557#M1464 Gaurav_Pandya 2021-09-29T12:22:07Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130585#M1465 <P>So you don't know the answer then?</P> Wed, 29 Sep 2021 16:34:20 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130585#M1465 Daniel_Westlund 2021-09-29T16:34:20Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130599#M1466 <P>The underlying virtualization system has to provide a mechanism to allow for microsegmentation.<BR />Without that, there isn't a lot we can do on our own.<BR />VMware NSX obviously has this, and we integrate with that.</P> Wed, 29 Sep 2021 19:16:11 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130599#M1466 PhoneBoy 2021-09-29T19:16:11Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130632#M1467 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11671">@Daniel_Westlund</a>&nbsp;Here is no need to get personal. My comment was about proper use of this forum. It is my duty as an admin to care about those things.<BR /><BR />Dameon a.k.a.&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;has already answered the original&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8251">@Gaurav_Pandya</a>'s question. Let me know if I can help you with anything else.</P> Thu, 30 Sep 2021 09:12:35 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130632#M1467 _Val_ 2021-09-30T09:12:35Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130651#M1468 <P>Ok Thanks</P> Thu, 30 Sep 2021 09:31:05 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-Finally-Allow-You-to-Inspect-Traffic-Between-Subnets-In-a/m-p/130651#M1468 Gaurav_Pandya 2021-09-30T09:31:05Z