By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Use of AWS Network Firewall for East West Scanning when using AWS Privatelink

0

Hi, as the title says. AWS network firewall is in use for east west scanning between AWS accounts. Few services are being exposed from existing accounts to new AWS accounts using Privatelink endpoints. Question is, how to get east-west scanning working for accounts using Privatelink connection? Is it even possible.

Topics
Networking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon VPCAWS Network FirewallAWS PrivateLink
Language
English
rePost-User
asked 10 months ago387 views
1 Answer
0
Accepted Answer

Yes, this is possible. In a single VPC you would route traffic from the "source" subnet to a network Firewall endpoint (which would need to be in a second subnet) to the PrivateLink endpoint (in a third subnet). You need to ensure that the return routes follow the reverse path (PrivateLink->Network Firewall endpoint->original source subnet).

That said: What's the purpose for doing this? If the traffic is encrypted (which it should be as per best practice recommendations) then inspecting the traffic with Network Firewall isn't going to help much unless you're using the ingress inspection feature which assumes that you have the private keys (from the "far end" of the PrivateLink endpoint) - and if you have those then why use Network Firewall at all?

profile pictureAWS
EXPERT
Brettski-AWS
answered 10 months ago
profile picture
EXPERT
Gary Mclean
reviewed 10 months ago
  • rePost-User
    10 months ago

    thanks for answering the question and for the inputs, the question was part of a discussion for a very early stage proof of concept, your inputs have given me something to think about

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content