Vladimir
Champion

What is up with Disabling Source/Destination check for vSEC in AWS?

I somewhat understand its necessity in case of the single interface vSEC deployment, but if we are using multiple interfaces, what is the reason for nuking the Source/Destination checks?

6 Replies
Danny
Champion

Regarding the vSEC Gateway for Amazon Web Services - Getting Started Guide, this is required to let your Security Gateway route the traffic of your private subnets.

Page 12:

Routing Traffic through the Security Gateway

To let the Security Gateway route the traffic of your private subnets, make this change.


To route traffic through the Security Gateway:
1. Open the AWS Management Console.
2. Select Services > EC2 > Instances.
3. Right-click the vSEC Gateway instance.
4. Select Networking > Change Source/Destination Check.
5. Click Yes/Disable.

0 Kudos
Vladimir
Champion

Danny,

I know how to make this work; I am trying to figure out why it is necessary when vSEC is deployed with interfaces corresponding to each subnet in your CIDR.

Since AWS Route tables list your CIDR routing as "Local", it stands to reason that the VPC's router will get the traffic to any interface of vSEC in any subnet of that CIDR.

So what is having the Source/Destination check disabled actually helping us achieve?

0 Kudos
Albin_Hakansson
Participant

Not a vSec expert but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:

"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."

 

Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic, therefore it needs to be disabled.
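
The rule quoted above, applied to a multi-interface gateway, as an added example that is not part of the original thread or of any AWS or Check Point code. It is a simplified model: the interface IDs and addresses are constructed, the packet is routed without NAT, and each interface applies the check to the same source/destination pair.

```python
from dataclasses import dataclass

@dataclass
class Eni:
    """One gateway network interface (IDs and addresses are constructed)."""
    eni_id: str
    private_ips: frozenset
    source_dest_check: bool = True  # EC2 enables the check by default

def eni_permits(eni: Eni, src: str, dst: str) -> bool:
    """Quoted rule: with the check on, the interface must itself be the
    source or the destination of any packet it sends or receives."""
    if not eni.source_dest_check:
        return True
    return src in eni.private_ips or dst in eni.private_ips

def transit(ingress: Eni, egress: Eni, src: str, dst: str) -> str:
    """A routed packet is received on one interface and sent on another;
    neither address belongs to the gateway, so both interfaces must allow it."""
    for eni, direction in ((ingress, "receive"), (egress, "send")):
        if not eni_permits(eni, src, dst):
            return f"dropped: {eni.eni_id} may not {direction} {src} -> {dst}"
    return "forwarded"

def blocking_enis(enis, src: str, dst: str) -> list:
    """IDs of the interfaces whose check would drop this flow."""
    return sorted(e.eni_id for e in enis if not eni_permits(e, src, dst))

# Constructed topology: one gateway interface per subnet, as in the question.
inside = Eni("eni-private", frozenset({"10.0.1.10"}))
outside = Eni("eni-external", frozenset({"10.0.0.10"}))
flow = ("10.0.1.50", "203.0.113.7")  # private-subnet host to an external host

if __name__ == "__main__":
    # Traffic addressed to the gateway itself passes with the check enabled.
    print(eni_permits(inside, "10.0.1.50", "10.0.1.10"))
    # Transit traffic does not: having an interface in each subnet gets the
    # packet delivered to the gateway, but the gateway is neither endpoint.
    print(transit(inside, outside, *flow))
    print(blocking_enis([inside, outside], *flow))
    inside.source_dest_check = outside.source_dest_check = False
    print(transit(inside, outside, *flow))
```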

Vladimir
Champion

Thank you. It's been a while since I've played with AWS so definitely nice to refresh the fundamentals. 

0 Kudos
PhoneBoy
Admin

The way I describe it is an Anti-Spoofing check for the instance itself.

0 Kudos
Vladimir
Champion

Nice. Is there any situation where it may not be recommended to apply this setting on one of the vSEC interfaces?

vlad@eversecgroup.com

+1.973.558.2738

0 Kudos
