- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: AWS - Finally Allow You to Inspect Traffic Bet...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AWS - Finally Allow You to Inspect Traffic Between Subnets In a VPC
Until today, AWS didn't allow to add to a routing table a more specific route than the default VPC local route.
For example, when the VPC range is 10.0.0/16
and a subnet has 10.0.1.0/24
, a route to 10.0.1.0/24
is more specific than a route to 10.0.0/16
.
Routing tables no longer have this restriction. Routes in a routing table can have routes more specific than the default local route. You can use such a more specific route to send all traffic to a dedicated virtual appliance to inspect, analyze, or filter all traffic flowing between two subnets (east-west traffic). The route target can be the network interface (ENI) attached to a CloudGuard Gateway, an AWS Gateway Load Balancer (GWLB) endpoint to distribute traffic to multiple appliances for performance or high availability reasons.
It also allows inserting a virtual appliance between a subnet and an AWS Transit Gateway.
Check out the bellow simple use case
Traffic that is being sent between Subnet QA and Subnet Prod is now inspected by the CloudGuard Gateway.
This is the most basic use case, you can leverage it and use it in more complex use case where you have multiple VPC, TGW, and Gateway LoadBalnacer.
Feel free to comment and ask any question.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That’s actually great news!
I remember when we were first working with gateways in AWS and had to work around this limitation.
This should make for much simpler deployments.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Phoneboy,
It does help making deployments easier and cost effective, but it certainly seems the "worst" practice from the perspective of the Cloud Native Well-Architected Framework and our own Check Point Secure Blueprint.
Not sure why AWS would offer this other than getting rid of the many complaints about their inability to create static routes within the VPC CIDR.
Azure still offers IP forwarding on Peering and HA port Load Balancers, so I am curious when AWS will decide to "even" the score on that one as well, while offering TGW and GWLB on top.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Levin,
Thanks for sharing this. I have one question, may be this is off topic.
Cloudguard provides micro segmentation protection independently? or it requires other stuff like NSX to achieve this requirement
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Gaurav_Pandya, the author's name is Shay, Levin is a surname.
Please do post the same comments from different accounts. I have removed your double-posting comments, to avoid confusion.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh ok.
Actually I logged in to usercenter with that account so it took automatically. After posting comment, it was not displaying so finally I replied again with my account.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you don't know the answer then?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Daniel_Westlund Here is no need to get personal. My comment was about proper use of this forum. It is my duty as an admin to care about those things.
Dameon a.k.a. @PhoneBoy has already answered the original @Gaurav_Pandya's question. Let me know if I can help you with anything else.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The underlying virtualization system has to provide a mechanism to allow for microsegmentation.
Without that, there isn't a lot we can do on our own.
VMware NSX obviously has this, and we integrate with that.