I have a Network Insight Analysis that runs daily. The analysis is fairly basic.
It runs a check between any two network interfaces on our network.
I have noticed that there is a finding that keeps appearing that we do not expect (note: I have replaced IDs with unique letters). The source of the finding is a network interface associated with a global accelerator we have. However, the network interface is in a subnet with CIDR 10.48.161.64/28, but the source header indicates it is sending from a different CIDR range, which allows it through security groups that should explicitly not allow traffic from that subnet.
Hypothetically, these resources have security groups blocking ingress from one into the other. However, since the apparent source is different, that does not seem to be the case. I have not been able to replicate this network traffic outside of the network analysis tools. My suspicion is that it has something to do with Global Accelerator being able to preserve the client IP or change headers?
Below is the first entry into the analysis.
{
  "SequenceNumber": 1,
  "Component": {
    "Id": "eni-BBB",
    "Arn": "arn:aws:ec2:us-west-1:yyy:network-interface/eni-BBB"
  },
  "OutboundHeader": {
    "DestinationAddresses": ["10.48.129.197/32"],
    "DestinationPortRanges": [{"From": 8334, "To": 8334}],
    "Protocol": "6",
    "SourceAddresses": ["10.32.129.192/27"],
    "SourcePortRanges": [{"From": 0, "To": 65535}]
  },
  "Subnet": {
    "Id": "subnet-AAA",
    "Arn": "arn:aws:ec2:us-west-1:xxx:subnet/subnet-AAA"
  },
  "Vpc": {
    "Id": "vpc-yyy",
    "Arn": "arn:aws:ec2:us-west-1:xxx:vpc/vpc-"
  }
}
I am aware that there are better ways to do what I am doing potentially.
Right now I am just trying to understand why this behavior occurs or maybe some places to look for answers. Alternatively, if this is a false positive for whatever reason, understand how I can update my configurations to handle it.
Also interesting to note: we have an identical setup in another region, and that does not trip these same rules.
If there is any more information I can provide, please let me know!
Network Analysis JSON below.
{
  "matchPaths": [
    {
      "source": {
        "packetHeaderStatement": {
          "sourceAddresses": [
            "0.0.0.0/0"
          ],
          "destinationAddresses": [
            "10.48.0.0/12",
            "172.16.0.0/13"
          ]
        },
        "resourceStatement": {
          "resourceTypes": [
            "AWS::EC2::NetworkInterface"
          ]
        }
      },
      "destination": {
        "packetHeaderStatement": {
          "sourceAddresses": [
            "0.0.0.0/0"
          ],
          "destinationAddresses": [
            "10.48.0.0/12",
            "172.16.0.0/13"
          ]
        },
        "resourceStatement": {
          "resourceTypes": [
            "AWS::EC2::NetworkInterface"
          ]
        }
      }
    }
  ]
}
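A check for isolating exactly the pattern described in the post, added here as an example (not code from the post or from AWS): it walks the first hop of each finding and reports header source CIDRs that do not fall inside the originating ENI's own subnet. The finding below is constructed from the component shown above, and the subnet-to-CIDR lookup is an assumption, since the analysis output does not carry the subnet CIDR itself.

```python
import ipaddress
import json

# Constructed sample, modelled on the first path component in the post.
# The subnet CIDR 10.48.161.64/28 is taken from the post's prose.
SAMPLE_FINDING = json.loads("""
{
  "PathComponents": [
    {
      "SequenceNumber": 1,
      "Component": {"Id": "eni-BBB"},
      "OutboundHeader": {
        "DestinationAddresses": ["10.48.129.197/32"],
        "Protocol": "6",
        "SourceAddresses": ["10.32.129.192/27"]
      },
      "Subnet": {"Id": "subnet-AAA"}
    }
  ]
}
""")

# Assumed lookup table (in practice built from describe-subnets output).
SUBNET_CIDRS = {"subnet-AAA": "10.48.161.64/28"}


def foreign_sources(component, subnet_cidrs):
    """Return header source CIDRs that do not sit inside the component's subnet.

    A non-empty result is the condition from the post: the hop is an ENI, but
    the packet it is modelled as emitting carries a source address from another
    range, so security-group rules keyed on the ENI's subnet never match it.
    """
    subnet_id = component.get("Subnet", {}).get("Id")
    header = component.get("OutboundHeader", {})
    if subnet_id not in subnet_cidrs or not header:
        return []
    subnet_net = ipaddress.ip_network(subnet_cidrs[subnet_id])
    mismatched = []
    for cidr in header.get("SourceAddresses", []):
        src = ipaddress.ip_network(cidr, strict=False)
        if not src.subnet_of(subnet_net):
            mismatched.append(cidr)
    return mismatched


def review_finding(finding, subnet_cidrs):
    """Map first-hop component Id -> foreign source CIDRs for one finding."""
    result = {}
    for comp in finding.get("PathComponents", []):
        if comp.get("SequenceNumber") != 1:
            continue
        bad = foreign_sources(comp, subnet_cidrs)
        if bad:
            result[comp["Component"]["Id"]] = bad
    return result
```

Running it over the real analysis output gives a list of ENIs whose modelled source address is outside their subnet, which is the set worth comparing against the Global Accelerator endpoint configuration in the region that trips the rule and the one that does not.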
Hello. The issue is that I did open a support request, but support has been pretty much unresponsive. Because it is a cross-account issue (within an organization), they cannot seem to actually help with this.
I am just trying to understand if global accelerator has some behavior where it can appear in unexpected places in a network insight analysis.