Shay_Levin
Admin

AWS - Finally Allows You to Inspect Traffic Between Subnets in a VPC

Until today, AWS didn't allow adding a route to a routing table that is more specific than the default VPC local route.

For example, when the VPC range is 10.0.0/16 and a subnet is 10.0.1.0/24, a route to 10.0.1.0/24 is more specific than a route to 10.0.0/16.

Routing tables no longer have this restriction. A routing table can now contain routes more specific than the default local route. You can use such a more specific route to send all traffic to a dedicated virtual appliance to inspect, analyze, or filter all traffic flowing between two subnets (east-west traffic). The route target can be the network interface (ENI) attached to a CloudGuard Gateway, or an AWS Gateway Load Balancer (GWLB) endpoint that distributes traffic to multiple appliances for performance or high-availability reasons.

It also allows inserting a virtual appliance between a subnet and an AWS Transit Gateway.

Check out the simple use case below.

Traffic that is being sent between Subnet QA and Subnet Prod is now inspected by the CloudGuard Gateway.

This is the most basic use case; you can build on it in more complex use cases where you have multiple VPCs, TGWs, and Gateway Load Balancers.

Feel free to comment and ask any questions.

[Image: AWS Diagram-Copy of AWS DeepDive.drawio.png]
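As an added illustration of the routing behaviour described in the post (this is example code, not part of the original post and not Check Point or AWS code), the model below builds route tables for a constructed VPC 10.0.0.0/16 with subnets QA 10.0.1.0/24, Prod 10.0.2.0/24 and a security subnet 10.0.0.0/24 that holds the gateway's ENI. Each workload subnet gets a route to the other subnet that is more specific than the local route, targeting the ENI (the ENI id is a placeholder). A longest-prefix-match lookup then shows why the new route wins for QA-to-Prod traffic, while the gateway's own subnet keeps plain local routing so the inspected packet is delivered directly and does not loop back through the appliance. The validation rule in `add_route` is an assumption that models only what the post states: a destination inside the VPC CIDR must be more specific than the local route.

```python
"""Model of VPC route-table lookups with routes more specific than the local route.

Constructed example (not real infrastructure): VPC 10.0.0.0/16, subnets QA
10.0.1.0/24 and Prod 10.0.2.0/24, and a security subnet 10.0.0.0/24 holding
the CloudGuard Gateway ENI.
"""
import ipaddress
from typing import Dict, List, Tuple

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
QA_CIDR = ipaddress.ip_network("10.0.1.0/24")
PROD_CIDR = ipaddress.ip_network("10.0.2.0/24")
SECURITY_CIDR = ipaddress.ip_network("10.0.0.0/24")
GATEWAY_ENI = "eni-cloudguard-PLACEHOLDER"  # hypothetical ENI id, not a real resource

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, target)


def add_route(table: List[Route], destination: str, target: str) -> None:
    """Add a route, applying the rule the post describes (modelled as an
    assumption): a destination inside the VPC CIDR must be more specific
    than the local route, i.e. carry a longer prefix."""
    dest = ipaddress.ip_network(destination)
    if dest.subnet_of(VPC_CIDR) and dest.prefixlen <= VPC_CIDR.prefixlen:
        raise ValueError(f"{dest} is not more specific than local route {VPC_CIDR}")
    table.append((dest, target))


def route_rejected(destination: str) -> bool:
    """True if add_route refuses the destination (used to show the boundary)."""
    try:
        add_route([(VPC_CIDR, "local")], destination, GATEWAY_ENI)
        return False
    except ValueError:
        return True


def lookup(table: List[Route], dst_ip: str) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(dest.prefixlen, target) for dest, target in table if ip in dest]
    if not matches:
        return "no-route"
    return max(matches, key=lambda m: m[0])[1]


def build_tables() -> Dict[str, List[Route]]:
    """One route table per subnet. QA and Prod steer traffic for each other
    to the gateway ENI; the security subnet keeps only the local route so
    the gateway forwards the inspected packet straight to its destination."""
    local: Route = (VPC_CIDR, "local")
    qa: List[Route] = [local]
    add_route(qa, str(PROD_CIDR), GATEWAY_ENI)
    prod: List[Route] = [local]
    add_route(prod, str(QA_CIDR), GATEWAY_ENI)
    security: List[Route] = [local]
    return {"qa": qa, "prod": prod, "security": security}


def trace_path(tables: Dict[str, List[Route]], src_subnet: str, dst_ip: str) -> List[str]:
    """Hops a packet takes: first the source subnet's route decision, then,
    if it was sent to the gateway, the decision made from the gateway's subnet."""
    hops = [lookup(tables[src_subnet], dst_ip)]
    if hops[0] == GATEWAY_ENI:
        hops.append(lookup(tables["security"], dst_ip))
    return hops


if __name__ == "__main__":
    tables = build_tables()
    print("QA -> Prod:", trace_path(tables, "qa", "10.0.2.10"))    # via the gateway ENI, then local
    print("Prod -> QA:", trace_path(tables, "prod", "10.0.1.20"))  # via the gateway ENI, then local
    print("QA -> QA:  ", trace_path(tables, "qa", "10.0.1.5"))     # stays local, never inspected
    print("Rejected 10.0.0.0/16:", route_rejected("10.0.0.0/16"))  # same prefix as local: not allowed
```

The same lookup logic applies when the target is a GWLB endpoint instead of an ENI; only the target string changes. The point to check in a real deployment is the third case: traffic that stays inside one subnet never hits a route table, so intra-subnet flows are not inspected by this design.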

9 Replies
PhoneBoy
Admin

That’s actually great news!
I remember when we were first working with gateways in AWS and had to work around this limitation.
This should make for much simpler deployments.

Peter_Griekspoo
Employee

Hi Phoneboy,

It does help make deployments easier and more cost-effective, but it certainly seems the "worst" practice from the perspective of the Cloud Native Well-Architected Framework and our own Check Point Secure Blueprint.

Not sure why AWS would offer this other than getting rid of the many complaints about their inability to create static routes within the VPC CIDR.

Azure still offers IP forwarding on Peering and HA port Load Balancers, so I am curious when AWS will decide to "even" the score on that one as well, while offering TGW and GWLB on top.

Gaurav_Pandya
Advisor

Hi Levin,

Thanks for sharing this. I have one question; maybe this is off topic.

Does CloudGuard provide micro-segmentation protection independently, or does it require other components like NSX to achieve this?

_Val_
Admin

@Gaurav_Pandya, the author's name is Shay; Levin is a surname.

Please do not post the same comments from different accounts. I have removed your double-posted comments to avoid confusion.

Gaurav_Pandya
Advisor

Oh, OK.

Actually, I logged in to the User Center with that account, so it was picked automatically. After posting the comment, it was not displayed, so I finally replied again with my account.

Daniel_Westlund
Contributor

So you don't know the answer then?

_Val_
Admin

@Daniel_Westlund There is no need to get personal. My comment was about proper use of this forum. It is my duty as an admin to care about those things.

Dameon, a.k.a. @PhoneBoy, has already answered @Gaurav_Pandya's original question. Let me know if I can help you with anything else.

Gaurav_Pandya
Advisor

OK, thanks.

PhoneBoy
Admin

The underlying virtualization system has to provide a mechanism to allow for microsegmentation.
Without that, there isn't a lot we can do on our own.
VMware NSX obviously has this, and we integrate with that.