I somewhat understand its necessity in case of the single interface vSEC deployment, but if we are using multiple interfaces, what is the reason for nuking the Source/Destination checks?
Not a vSec expert but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:
"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."
Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic, therefore it needs to be disabled.
Regarding the vSEC Gateway for Amazon Web Services - Getting Started Guide, this is required to let your Security Gateway route the traffic of your private subnets.
Routing Traffic through the Security Gateway
To let the Security Gateway route the traffic of your private subnets, make this change.
To route traffic through the Security Gateway:
1. Open the AWS Management Console.
2. Select Services > EC2 > Instances.
3. Right-click the vSEC Gateway instance.
4. Select Networking > Change Source/Destination Check.
5. Click Yes/Disable.
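Because disabling the check relaxes a per-instance anti-spoofing control, it is worth verifying that only the gateway's interfaces have it off. The following is an added example (not from the guide or the thread) that audits a saved `aws ec2 describe-network-interfaces` response; the instance and ENI IDs in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# All IDs are hypothetical placeholders, not values from the original thread.
SAMPLE_ENIS_JSON = """
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "SubnetId": "subnet-ext", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-vsec01"}},
  {"NetworkInterfaceId": "eni-0bbb", "SubnetId": "subnet-int", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-vsec01"}},
  {"NetworkInterfaceId": "eni-0fff", "SubnetId": "subnet-dmz", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-vsec01"}},
  {"NetworkInterfaceId": "eni-0ccc", "SubnetId": "subnet-int", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-app01"}},
  {"NetworkInterfaceId": "eni-0ddd", "SubnetId": "subnet-int", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-app02"}},
  {"NetworkInterfaceId": "eni-0eee", "SubnetId": "subnet-ext", "SourceDestCheck": false}
]}
"""


def audit_source_dest_check(enis_json, gateway_instance_ids):
    """Classify every ENI by its SourceDestCheck attribute.

    Returns a dict with three lists of ENI IDs:
      gateway_ok      - gateway ENIs with the check disabled (routing will work)
      gateway_missing - gateway ENIs still checked (forwarded traffic gets dropped)
      unexpected      - non-gateway or unattached ENIs with the check disabled
                        (anti-spoofing relaxed where it should not be)
    """
    data = json.loads(enis_json)
    result = {"gateway_ok": [], "gateway_missing": [], "unexpected": []}
    for eni in data.get("NetworkInterfaces", []):
        eni_id = eni["NetworkInterfaceId"]
        check_enabled = eni.get("SourceDestCheck", True)  # AWS default is enabled
        owner = eni.get("Attachment", {}).get("InstanceId")
        is_gateway = owner in gateway_instance_ids
        if is_gateway and not check_enabled:
            result["gateway_ok"].append(eni_id)
        elif is_gateway and check_enabled:
            result["gateway_missing"].append(eni_id)
        elif not check_enabled:
            result["unexpected"].append(eni_id)
    return result


if __name__ == "__main__":
    for state, enis in audit_source_dest_check(SAMPLE_ENIS_JSON, {"i-vsec01"}).items():
        print(f"{state}: {enis}")
```

The check is a per-ENI attribute, so a gateway with one interface per subnet needs it disabled on each interface, which is what the `gateway_missing` list surfaces.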
I know how to make this work, I am trying to figure out why it is necessary when vSEC is deployed with interfaces corresponding to each subnet in your CIDR.
Since AWS Route tables list your CIDR routing as "Local", it stands to reason that the VPCs router will get the traffic to any interface of vSEC in any subnet of that CIDR.
So what is disabling the Source/Destination check actually helping us achieve?
Thank you. It's been a while since I've played with AWS so definitely nice to refresh the fundamentals.
The way I describe it is an Anti-Spoofing check for the instance itself.
Nice. Is there any situation where it may not be recommended to apply this setting on one of the vSEC interfaces?