AWS Workload Discovery Post Implementation


So far Workload Discovery is a really nifty tool; however, when I deployed it via CloudFormation I set off the infosec alarms because it created an Internet Gateway, NAT, and EIPs. I didn't see anything related to those topics in the implementation guide. The CloudFormation template created 4 subnets, 2 public and 2 private. The public subnets have two routes to the IGW and an S3 endpoint. The private subnet has routes to a NAT and the same S3 endpoint.

If this service needs public IPs/internet access, is it possible to pivot this traffic over to the existing IGW/NAT? In the eyes of infosec they see public IPs, so my goal is to try and implement this in our current network design pattern or articulate to them exactly what traffic is being generated from these resources.

1 Answer

Hello,

In regards to your query description, below are the points to be noted:

The discovery process runs in a private subnet but needs to make calls to ~13 AWS services using the AWS SDK. Not all of these services have PrivateLink, and even if they did, adding PrivateLink for each of these services would add ~$100 per month to the cost of running the solution. As such, this means we need to have NAT Gateways so processes running in the private subnet can access the internet. These NAT Gateways must run in public subnets.

You cannot currently deploy the solution to an existing VPC. This will be a feature of v2.1.0 that is currently in development (in fact, the feature has already been implemented) but as you can see from our GitHub milestone we are very far from finished development of this version.

In regards to the query: is it possible to pivot this traffic over to existing IGW/NAT?

Please understand that you could change the CloudFormation to use an existing VPC by hardcoding the subnet IDs into the template too, but then you'd have to maintain a custom version of the installation scripts.

You can refer to the below GitHub link for the same: https://github.com/aws-solutions/workload-discovery-on-aws/pull/383

Please note that if you have more concerns and queries regarding this, I would request you to raise a support case with the CloudFormation team, who are the best ones to answer such related queries.

Adding on to this, for your reference you can go through the below documents with respect to CloudFormation functionalities.

References:

Bringing existing resources into CloudFormation management: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html

Importing existing resources into a stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-existing-stack.html

Resources that support import and drift detection operations: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html


AWS
SUPPORT ENGINEER
answered a year ago
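To articulate to infosec exactly which subnets can reach the internet and through what, it helps to read the route tables the stack created rather than eyeballing the console. The function below is an added example, not part of this thread or of the Workload Discovery project; it consumes the shape of boto3's `ec2.describe_route_tables()` response (so it can be run on the `RouteTables` list from a live call), and the route tables embedded here are constructed sample data mirroring the topology in the question: two public subnets routing 0.0.0.0/0 to an IGW and two private subnets routing it to a NAT Gateway, all with an S3 gateway endpoint. All IDs are placeholders.

```python
"""Classify VPC subnets by their default-route egress path (added example)."""


def classify_subnets(route_tables):
    """Return {subnet_id: {"egress", "via", "endpoints"}} for every explicitly
    associated subnet. egress is "internet-gateway" (public), "nat-gateway"
    (private with NAT egress) or "none" (isolated); endpoints lists gateway VPC
    endpoints (prefix-list routes to vpce-*), i.e. traffic that stays on AWS."""
    result = {}
    for rt in route_tables:
        egress, via, endpoints = "none", None, []
        for route in rt.get("Routes", []):
            if route.get("State") != "active":
                continue  # blackhole routes carry no traffic
            gateway = route.get("GatewayId", "")
            if route.get("DestinationPrefixListId") and gateway.startswith("vpce-"):
                endpoints.append(gateway)
            elif route.get("DestinationCidrBlock") == "0.0.0.0/0":
                if gateway.startswith("igw-"):
                    egress, via = "internet-gateway", gateway
                elif route.get("NatGatewayId"):
                    egress, via = "nat-gateway", route["NatGatewayId"]
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet:  # skip the VPC's implicit "main" association
                result[subnet] = {"egress": egress, "via": via, "endpoints": endpoints}
    return result


# Constructed sample data: shape of describe_route_tables()["RouteTables"].
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-EXAMPLE",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
         {"DestinationPrefixListId": "pl-s3EXAMPLE", "GatewayId": "vpce-s3EXAMPLE", "State": "active"}]},
    {"RouteTableId": "rtb-private-EXAMPLE",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
         {"DestinationPrefixListId": "pl-s3EXAMPLE", "GatewayId": "vpce-s3EXAMPLE", "State": "active"}]},
]

if __name__ == "__main__":
    for subnet, info in sorted(classify_subnets(SAMPLE_ROUTE_TABLES).items()):
        print(f"{subnet}: egress={info['egress']} via={info['via']} endpoints={info['endpoints']}")
```

Against a live account, replace `SAMPLE_ROUTE_TABLES` with `boto3.client("ec2").describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]`; any subnet reported as `internet-gateway` is the one that needs the public-IP justification, and `nat-gateway` subnets are where the discovery process's SDK calls originate.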
