Network Firewall for region

0

Dear Team - we already have the us-east-2 region as our primary region and we are building us-west-1 as a backup or DR region. We already have transit gateway level peering for traffic routing. We are planning to inspect the traffic in the us-west-1 region. So traffic from the us-east-2 region will reach the TGW at us-west-1 and our Fortinet Firewall behind the gateway load balancer will inspect it. Similarly, traffic originating from us-west-1 will first be inspected by the Fortinet in the same DR region and then reach us-east-2. We don't want to inspect traffic in both regions, for cost saving. I saw some blog suggesting inspection in both regions for the asymmetric routing issue. However, in the above approach, I do not see that issue. Can anyone suggest?

1 Answer
0

Your approach of inspecting traffic only in the us-west-1 region (DR region) using Fortinet Firewall behind a Gateway Load Balancer is a valid strategy for cost savings. However, there are some important considerations to keep in mind:

  1. Asymmetric Routing: While you may not immediately see asymmetric routing issues, they can still occur in certain scenarios. Asymmetric routing happens when the request and response traffic don't follow the same path through the firewall. In your case, if traffic originating from us-east-2 is inspected in us-west-1, but the return traffic takes a different path, it could lead to issues with stateful inspection.

  2. Latency: Routing all traffic from us-east-2 to us-west-1 for inspection before reaching its destination may introduce additional latency, which could impact application performance.

  3. Transit Gateway Configuration: Ensure that your Transit Gateway peering and routing configurations are set up correctly to direct all traffic through the inspection point in us-west-1. This includes both inbound and outbound traffic for both regions.

  4. Failover Considerations: In case of a failure in the us-west-1 region or the Fortinet Firewall, you should have a failover plan. This might involve quickly redirecting traffic to bypass the inspection or having a backup inspection solution in us-east-2.

  5. Compliance and Security Requirements: Ensure that this single-region inspection meets your organization's compliance and security requirements.

To mitigate potential asymmetric routing issues:

  1. Use Transit Gateway's appliance mode feature, which helps maintain flow symmetry by ensuring that response traffic follows the same path as the request.

  2. Configure your Transit Gateway route tables carefully to ensure both forward and return traffic flows through your Fortinet Firewall in us-west-1.

  3. Monitor your traffic patterns closely and be prepared to adjust your routing if asymmetric issues do arise.

While inspecting traffic at both regions would indeed provide more robust protection against asymmetric routing issues, your proposed approach can work if implemented carefully. However, you should thoroughly test this setup to ensure it meets your performance, security, and reliability requirements before fully implementing it in production.
Sources
Avoiding asymmetric routing with AWS Network Firewall - AWS Network Firewall
AWS Transit Gateway traffic flow and asymmetric routing - AWS Prescriptive Guidance
Transit gateway peering attachments in Amazon VPC Transit Gateways - Amazon VPC

answered 17 days ago
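The answer's first and main mitigation point (Transit Gateway appliance mode keeping forward and return packets on the same firewall) is easier to reason about with a small model. The following is an added example, not code from the question, the answer, or AWS: it is a simplified simulation of how a transit gateway chooses the inspection ENI for a flow. The topology (two hypothetical Fortinet instances in a two-AZ inspection VPC), the ENI names and the selection rules are constructed for illustration; the rules capture the documented idea that without appliance mode the choice depends on the direction the packet travels, while with appliance mode a direction-independent flow hash pins the whole flow to one appliance.

```python
"""Simplified model of Transit Gateway appliance-mode flow symmetry.

Added example, not AWS code. Constructed topology: a two-AZ inspection VPC
in us-west-1 with one firewall ENI per AZ behind the GWLB endpoint.
"""
from dataclasses import dataclass
import hashlib

# Constructed: which firewall ENI serves each Availability Zone (hypothetical names).
FIREWALL_ENI_BY_AZ = {
    "us-west-1a": "eni-fw-az-a",
    "us-west-1b": "eni-fw-az-b",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    entry_az: str  # AZ context the packet has when it enters the inspection TGW


def flow_key(flow: Flow) -> tuple:
    """Direction-independent 5-tuple: a packet and its reply hash identically."""
    endpoints = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return tuple(endpoints) + (flow.proto,)


def select_firewall(flow: Flow, appliance_mode: bool) -> str:
    """Model of the TGW picking the inspection ENI for one packet.

    appliance_mode=True : one ENI per flow, chosen from a symmetric flow hash,
                          so both directions land on the same appliance.
    appliance_mode=False: simplified model where the choice follows the AZ
                          context of the packet's own direction, so forward and
                          return packets may be sent to different appliances.
    """
    azs = sorted(FIREWALL_ENI_BY_AZ)
    if appliance_mode:
        digest = hashlib.sha256(repr(flow_key(flow)).encode()).digest()
        az = azs[digest[0] % len(azs)]
    else:
        az = flow.entry_az
    return FIREWALL_ENI_BY_AZ[az]


def reply_of(flow: Flow, reply_entry_az: str) -> Flow:
    """The return packet: addresses and ports swapped, its own AZ context."""
    return Flow(flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port,
                flow.proto, reply_entry_az)


def is_symmetric(flow: Flow, reply_entry_az: str, appliance_mode: bool) -> bool:
    """True when request and response are inspected by the same firewall ENI."""
    fwd = select_firewall(flow, appliance_mode)
    ret = select_firewall(reply_of(flow, reply_entry_az), appliance_mode)
    return fwd == ret


if __name__ == "__main__":
    # Constructed flow: a workload reached via us-east-2 talking to a DR workload in us-west-1.
    request = Flow("10.1.0.10", "10.2.0.20", 40000, 443, "tcp", entry_az="us-west-1a")
    for mode in (False, True):
        ok = is_symmetric(request, "us-west-1b", appliance_mode=mode)
        print(f"appliance_mode={mode}: symmetric={ok}")
```

The point to take from the model: a stateful firewall only works when it sees both halves of a flow, and that only holds when the selection of the appliance does not depend on packet direction. In the real setup the corresponding control is the `ApplianceModeSupport` option on the inspection VPC attachment, and the route-table check the answer describes is making sure both regions' TGW route tables send the flow to that attachment in both directions.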
