AWS Network Connectivity


In our current network architecture, incoming traffic from the internet enters our AWS accounts via Route 53 and the internet gateway. We now need to establish a new traffic flow from external third-party clouds into our AWS accounts. Specifically, we are developing APIs within our internal AWS accounts that will be accessed by resources hosted in third-party clouds such as GCP. For this new traffic pattern, is it possible to route traffic from external third-party clouds through Route 53, then AWS WAF, and finally the internet gateway, while ensuring that all other traffic continues to flow as usual through Route 53 and the internet gateway?

Existing traffic flow:
Internet --- Route 53 --- Internet gateway --- FortiGate firewall (Shared Transit VPC account)

New traffic flow, only for API gateway:
Internet --- Route 53 --- AWS WAF (only API gateway traffic) --- Internet gateway --- FortiGate firewall (Shared Transit VPC account)

Only traffic to the API gateway has to use the new traffic flow; all other traffic should keep the existing traffic flow.

If yes, how do we achieve this?

2 Answers

I'd note that traffic does not flow through Route 53. The DNS lookup process happens before traffic flows, and once the client has performed the DNS lookup (using Route 53), the traffic flows directly from the client to the IP address that was returned by Route 53. Route 53 is never in the traffic path.

With that said:

WAF can be attached to an Application Load Balancer or to a CloudFront distribution. So you could put an ALB in front of your firewall - the ALB would have a public IP address and you could then deliver the traffic to it; have it processed by WAF; then passed through the firewall to your workloads. This is described in some detail in this blog post. I'd note that there are a couple of different ways of doing this but in general the answer is "yes".

For traffic that is not going to the ALB you would have an Elastic IP on the firewall itself (as you probably do now) and the existing DNS lookups will return that IP address and clients will continue to connect to it. Note that it makes the diagrams on the blog post look a bit "messy" and there are considerations around route tables and how things are routed but it can be made to work.

There are also cases where this won't work depending on how your routing and firewall policies are configured. There might be situations where you will need separate firewalls for different ingress and egress patterns. There might also be situations where Gateway Load Balancer is useful - this is also covered in the blog post.

This is a fairly complex area - it may be worthwhile reaching out to your local AWS Solutions Architect to discuss your requirements.

Answered 2 months ago by an AWS expert; reviewed by AWS experts 2 months ago.
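To make the split ingress the answer describes concrete, here is an added CloudFormation sketch (not from the answer or the blog post it cites): an internet-facing ALB with a regional WAF web ACL bound to it, forwarding to the FortiGate, while DNS sends only the API hostname to the ALB and leaves every other name on the firewall's existing Elastic IP. The hostnames, the FortiGate interface addresses, the subnets, the certificate and the hosted zone are assumed placeholders passed in as parameters.

```yaml
# Added example; every parameter is a placeholder for a resource that already exists.
Parameters:
  HostedZoneId: { Type: AWS::Route53::HostedZone::Id }
  VpcId: { Type: AWS::EC2::VPC::Id }
  PublicSubnets: { Type: List<AWS::EC2::Subnet::Id> }
  CertificateArn: { Type: String }
  FirewallEip: { Type: String }        # EIP that already serves the existing flow
  FirewallPrivateIp: { Type: String }  # FortiGate interface the ALB forwards to
Resources:
  # Public ALB: the single entry point carrying the WAF-inspected API flow.
  ApiAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Scheme: internet-facing, Type: application, Subnets: !Ref PublicSubnets }
  FirewallTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: { VpcId: !Ref VpcId, Port: 443, Protocol: HTTPS, TargetType: ip, Targets: [ { Id: !Ref FirewallPrivateIp } ] }
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApiAlb
      Port: 443
      Protocol: HTTPS
      Certificates: [ { CertificateArn: !Ref CertificateArn } ]
      DefaultActions: [ { Type: forward, TargetGroupArn: !Ref FirewallTargets } ]
  # Regional web ACL bound to the ALB only, so non-API traffic is not inspected by WAF.
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: api-ingress-acl }
      Rules:
        - Name: aws-common
          Priority: 1
          OverrideAction: { None: {} }
          Statement: { ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet } }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: aws-common }
  AclToAlb:
    Type: AWS::WAFv2::WebACLAssociation
    Properties: { ResourceArn: !Ref ApiAlb, WebACLArn: !GetAtt ApiWebAcl.Arn }
  # DNS split: only the API name resolves to the ALB; every other name keeps the firewall's EIP.
  ApiRecord:
    Type: AWS::Route53::RecordSet
    Properties: { HostedZoneId: !Ref HostedZoneId, Name: api.example.com, Type: A, AliasTarget: { DNSName: !GetAtt ApiAlb.DNSName, HostedZoneId: !GetAtt ApiAlb.CanonicalHostedZoneID } }
  WwwRecord:
    Type: AWS::Route53::RecordSet
    Properties: { HostedZoneId: !Ref HostedZoneId, Name: www.example.com, Type: A, TTL: "300", ResourceRecords: [ !Ref FirewallEip ] }
```

Because the firewall's Elastic IP still terminates the existing flow, its policy should accept the API path only from the ALB's private side, not on the public interface; otherwise the WAF layer is optional rather than enforced. The FortiGate also needs a route back to the ALB's subnets so return traffic for the API flow follows the same path.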
