AWS - Finally Allow You to Inspect Traffic Between Subnets In a VPC
Until today, AWS didn't allow you to add a more specific route than the default VPC local route to a routing table. For example, when the VPC range is 10.0.0.0/16 and a subnet has 10.0.1.0/24, a route to 10.0.1.0/24 is more specific than a route to 10.0.0.0/16.
Routing tables no longer have this restriction. Routes in a routing table can be more specific than the default local route. You can use such a more specific route to send all traffic to a dedicated virtual appliance to inspect, analyze, or filter all traffic flowing between two subnets (east-west traffic). The route target can be the network interface (ENI) attached to a CloudGuard Gateway, or an AWS Gateway Load Balancer (GWLB) endpoint to distribute traffic to multiple appliances for performance or high availability reasons.
It also allows inserting a virtual appliance between a subnet and an AWS Transit Gateway.
Check out the simple use case below:
Traffic that is being sent between Subnet QA and Subnet Prod is now inspected by the CloudGuard Gateway.
This is the most basic use case; you can leverage it in more complex use cases where you have multiple VPCs, TGWs, and Gateway Load Balancers.
Feel free to comment and ask any questions.
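As an added illustration (not part of the original post), here is a small Python model of how a VPC route table resolves a destination by longest-prefix match, using constructed CIDRs for the QA and Prod subnets and a hypothetical ENI id for the CloudGuard Gateway. It also checks that both directions of a QA-to-Prod flow go through the gateway, since a stateful gateway needs to see the return traffic as well.

```python
import ipaddress

# Constructed example VPC (values made up for this illustration):
# the VPC CIDR, a QA subnet, a Prod subnet, and the subnet holding the
# CloudGuard Gateway's ENI. The ENI id is a hypothetical placeholder.
VPC_CIDR = "10.0.0.0/16"
QA_CIDR, PROD_CIDR = "10.0.1.0/24", "10.0.2.0/24"
GW_ENI = "eni-0123456789abcdef0"  # hypothetical, not a real interface


def lookup(route_table, dst_ip):
    """Return the target of the longest-prefix match for dst_ip.

    route_table is a list of (cidr, target) pairs. This mirrors how a VPC
    route table resolves a destination: the most specific matching route
    wins, so a /24 route now beats the VPC's implicit /16 'local' route.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_table(*extra_routes):
    """A subnet route table: the implicit VPC 'local' route plus extra routes."""
    return [(VPC_CIDR, "local"), *extra_routes]


def inspected_both_ways(src_rt, dst_rt, src_ip, dst_ip, appliance):
    """True only if the forward and the return path both go via the appliance.

    A stateful gateway needs to see both directions of a flow, so the
    more-specific route must exist in the QA *and* the Prod route tables.
    """
    return (lookup(src_rt, dst_ip) == appliance
            and lookup(dst_rt, src_ip) == appliance)


# Before: only the implicit local route, so QA -> Prod bypasses the gateway.
QA_RT_BEFORE = route_table()
# After: each subnet's table sends the other subnet's CIDR to the gateway ENI.
QA_RT = route_table((PROD_CIDR, GW_ENI))
PROD_RT = route_table((QA_CIDR, GW_ENI))
# The gateway's own subnet keeps only the local route, so forwarded packets
# leave the ENI towards the real destination instead of looping back.
INSPECTION_RT = route_table()
```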
That’s actually great news!
I remember when we were first working with gateways in AWS and had to work around this limitation.
This should make for much simpler deployments.
Hi Phoneboy,
It does help make deployments easier and more cost effective, but it certainly seems the "worst" practice from the perspective of the Cloud Native Well-Architected Framework and our own Check Point Secure Blueprint.
Not sure why AWS would offer this other than getting rid of the many complaints about their inability to create static routes within the VPC CIDR.
Azure still offers IP forwarding on Peering and HA port Load Balancers, so I am curious when AWS will decide to "even" the score on that one as well, while offering TGW and GWLB on top.
Hi Levin,
Thanks for sharing this. I have one question; maybe this is off topic.
Does CloudGuard provide micro-segmentation protection independently, or does it require other stuff like NSX to achieve this requirement?
@Gaurav_Pandya, the author's name is Shay, Levin is a surname.
Please do not post the same comments from different accounts. I have removed your double-posted comments to avoid confusion.
Oh ok.
Actually, I logged in to UserCenter with that account, so it was used automatically. After posting the comment, it was not displaying, so finally I replied again with my account.
So you don't know the answer then?
@Daniel_Westlund There is no need to get personal. My comment was about the proper use of this forum. It is my duty as an admin to care about those things.
Dameon a.k.a. @PhoneBoy has already answered @Gaurav_Pandya's original question. Let me know if I can help you with anything else.
Ok, thanks.
The underlying virtualization system has to provide a mechanism to allow for microsegmentation.
Without that, there isn't a lot we can do on our own.
VMware NSX obviously has this, and we integrate with that.