
AWS Cloud WAN east-west traffic inspection


My customer is implementing a multi-region security architecture using AWS Cloud WAN and needs to enforce strict security boundaries between different VPC segments while ensuring all east-west traffic undergoes security inspection. They have configured their network using the 'send-to' action for traffic inspection, but are experiencing unexpected cross-segment communication. Why are they experiencing this and how can this be addressed?

AWS
asked 9 months ago · 226 views
1 Answer
Accepted Answer

The key limitation of using 'send-to' for east-west traffic inspection is that it installs default routes (0/0, ::/0) in segment route tables, which effectively allows all segments to communicate with each other through the inspection VPC. This creates two main problems:

1. Loss of granular control: You cannot selectively choose which traffic between segments should be inspected
2. Security boundary issues: you cannot properly isolate segments from each other as intended

The recommended solution is to:

1. Use the 'send-via' action for east-west traffic inspection:
   a. Allows specific control over which segments can communicate
   b. Enables proper security boundaries
   c. Provides flexibility to inspect only selected traffic patterns
2. Reserve the 'send-to' action only for north-south traffic (internet/hybrid traffic)

AWS
answered 9 months ago
EXPERT
reviewed 9 months ago
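The two policy layouts the answer contrasts, as an added example that is not part of the original post and not an AWS artifact: the key names are those of the Cloud WAN core network policy document's segment actions and network function groups, while the segment name `prod`/`dev`/`shared`, the group name `InspectionVPCs`, and the simplified reachability model in `reachable_pairs` are assumptions.

```python
import itertools

GROUP = "InspectionVPCs"               # assumed network-function-group name
SEGMENTS = ["prod", "dev", "shared"]   # assumed segment names
INSPECT = {"network-function-groups": [GROUP]}

def base_policy():
    # Fragment only: a real policy also needs "core-network-configuration"
    # (ASN ranges, edge locations) and attachment policies that place the
    # inspection VPC attachments into the network function group.
    return {
        "version": "2021.12",
        "segments": [{"name": s, "isolate-attachments": True} for s in SEGMENTS],
        "network-function-groups": [{"name": GROUP, "require-attachment-acceptance": False}],
        "segment-actions": [],
    }

def send_to_everywhere():
    """The problematic layout from the question: 'send-to' on every segment."""
    p = base_policy()
    p["segment-actions"] = [{"action": "send-to", "segment": s, "via": INSPECT} for s in SEGMENTS]
    return p

def send_via_layout():
    """The corrected layout: 'send-via' only for the pairs that may talk,
    'send-to' kept only where north-south (internet/hybrid) egress is needed."""
    p = base_policy()
    p["segment-actions"] = [
        {"action": "send-via", "segment": "prod", "mode": "single-hop",
         "when-sent-to": {"segments": ["shared"]}, "via": INSPECT},
        {"action": "send-via", "segment": "dev", "mode": "single-hop",
         "when-sent-to": {"segments": ["shared"]}, "via": INSPECT},
        {"action": "send-to", "segment": "prod", "via": INSPECT},
    ]
    return p

def reachable_pairs(policy):
    """Unordered segment pairs that can talk through the inspection VPCs.
    Simplified model of the answer's explanation (an assumption, not the real
    Cloud WAN route computation): every 'send-to' segment holds a 0/0 route to
    the group, so those segments form a full mesh; 'send-via' joins only the
    named segment with the segments listed in 'when-sent-to'."""
    pairs = set()
    send_to = [a["segment"] for a in policy["segment-actions"] if a["action"] == "send-to"]
    pairs.update(frozenset(p) for p in itertools.combinations(send_to, 2))
    for a in policy["segment-actions"]:
        if a["action"] == "send-via":
            pairs.update(frozenset((a["segment"], peer)) for peer in a["when-sent-to"]["segments"])
    return pairs
```

Running `reachable_pairs` over both layouts shows the leak: the send-to layout yields all three segment pairs, while the send-via layout yields only prod/shared and dev/shared, leaving prod and dev isolated.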
