Your architecture is a good approach. Customers can enable fully meshed routing to the TGW, and then use the NACLs on the subnet where the ENI lives to limit what can access that VPC, assuming, as you say, dedicated subnets for the TGW ENI.
You can also use the other option of adding an intermediate security (also known as inspection or appliance) VPC to inspect traffic.
A third option might be to have a look at what Firewall Manager can do for you, to centrally configure security groups. The only hesitation I have there is that you then end up shifting all your SG configuration centrally, and that in turn may not suit development environments.
Certainly, your suggestion is definitely a manageable one, but I would encourage the customer to be clear about IP CIDR range allocation, and not make life hard for themselves. There are limits to entries in NACLs and you don't want to get to the point where you have to permit/deny many ranges. Ideally, if it's a bank, maybe they could align their ranges with either security level or business unit, and put the high-level control in that way!
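The two points the answer leans on, that NACL rules are evaluated in rule-number order with first match winning and an implicit deny at the end, and that the per-direction rule quota makes scattered CIDR allocations expensive, can be checked offline. The following is an added example, not code from the answer above or from AWS: it models the ingress NACL of a hypothetical dedicated TGW-attachment subnet, evaluates sample packets against it the way AWS does, and shows how tier-aligned CIDR allocation collapses into a single supernet while scattered allocation does not. All CIDRs, rule numbers and the `NaclRule` type are constructed for illustration; the default quota of 20 rules per direction is the AWS default and is adjustable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, collapse_addresses

# AWS default quota for rules per NACL, counted separately for inbound and outbound.
NACL_DEFAULT_RULE_QUOTA = 20


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order: lowest number first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str        # source CIDR for an ingress rule
    port_from: int   # port range; ignored when protocol is "-1"
    port_to: int


# Constructed ingress NACL for the TGW ENI subnet of a "high security" VPC.
# Tier allocation (constructed): high-security VPCs live in 10.8.0.0/14,
# shared services in 10.200.0.0/16, everything else in 10.0.0.0/8 is denied.
INGRESS_RULES = [
    NaclRule(100, "allow", "tcp", "10.8.0.0/14", 443, 443),
    NaclRule(110, "allow", "tcp", "10.200.0.0/16", 443, 443),
    NaclRule(120, "deny", "-1", "10.0.0.0/8", 0, 65535),
]

# NACLs are stateless: return traffic needs a matching egress rule on the
# ephemeral port range. Constructed egress list kept minimal for the example.
EGRESS_RULES = [
    NaclRule(100, "allow", "tcp", "10.8.0.0/14", 1024, 65535),
    NaclRule(110, "allow", "tcp", "10.200.0.0/16", 1024, 65535),
]


def evaluate(rules, peer_ip, protocol, port):
    """Return (action, rule_number) for the first matching rule, or ("deny", "*")
    for the implicit catch-all deny that every NACL ends with."""
    peer = ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if peer not in ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action, rule.number
    return "deny", "*"


def within_quota(rules, quota=NACL_DEFAULT_RULE_QUOTA):
    """Return (rule_count, quota, fits) so the caller can see headroom."""
    return len(rules), quota, len(rules) <= quota


def collapse_tier(cidrs):
    """Summarise a tier's VPC CIDRs into the fewest supernets; adjacent
    allocations collapse, scattered ones stay as individual NACL entries."""
    nets = [ip_network(c) for c in cidrs]
    return [str(n) for n in sorted(collapse_addresses(nets))]


if __name__ == "__main__":
    # Same-tier peer on 443: explicit allow by rule 100.
    print(evaluate(INGRESS_RULES, "10.9.1.5", "tcp", 443))
    # Same-tier peer on SSH: rule 100 port mismatch, falls through to deny 120.
    print(evaluate(INGRESS_RULES, "10.9.1.5", "tcp", 22))
    # Non-RFC1918 source: nothing matches, implicit "*" deny.
    print(evaluate(INGRESS_RULES, "192.168.1.1", "tcp", 443))
    print(within_quota(INGRESS_RULES))
    # Aligned allocation: four /16s become one entry.
    print(collapse_tier(["10.8.0.0/16", "10.9.0.0/16", "10.10.0.0/16", "10.11.0.0/16"]))
    # Scattered allocation: each VPC costs a rule of its own.
    print(collapse_tier(["10.3.0.0/16", "10.17.0.0/16", "10.42.0.0/16", "10.99.0.0/16"]))
```

The `collapse_tier` output is the practical argument for the CIDR discipline the answer recommends: a tier carved out of one contiguous block costs a single NACL entry per rule regardless of how many VPCs join it later, whereas VPCs allocated ad hoc each consume a slot out of the 20 per direction.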