Seeking Advice on AWS Direct Connect - Firewall Setup

0

Hello everyone, I need some advice on our current setup, which is based on a Hub & Spoke architecture in AWS. Our setup involves:

- Utilizing Direct Connect via a transit VIF in the central Network account.
- Sharing the DX connection with multiple spoke VPCs on different AWS accounts within our organization through a Transit Gateway.

We have a security requirement to inspect all the Direct Connect traffic by passing it through a firewall in AWS. Our main idea is to deploy an AWS firewall or a third-party solution like a Palo Alto VM in the Central network account to monitor all inbound and outbound traffic.

I would greatly appreciate your insights and guidance on whether this setup is the best approach. If you can provide any documentation links, best practices, or personal experiences related to this kind of setup, it would be incredibly helpful.

Thank you in advance for your assistance!

2 Answers
1
Accepted Answer

Funnily enough, I was reviewing that kind of setup today. Please take a look at https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

The deployment model "2) North-South: Centralized on-premises egress & ingress via Transit Gateway and Transit VIF/Direct Connect gateway/AWS Site-to-Site VPN" seems to be what you are looking for.

This way all traffic from on-prem via DX will use the TGW route table 0.0.0.0/0 to send all traffic via an inspection VPC. After passing through the AWS or 3rd-party firewall, the traffic is passed back to the TGW to route to the correct VPCs, etc.

Expert
answered 6 months ago
Expert
reviewed 2 days ago
AWS Expert
reviewed 6 months ago
  • Thank you for your response Gary! I will take a look at the link and get back to you in case of any questions. Thanks again.
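The route-table design described in the accepted answer is easy to get subtly wrong: a propagated route that is more specific than the 0.0.0.0/0 default wins the lookup and sends traffic around the firewall. The following is an added example (not code from the thread or from AWS): a small model of the three Transit Gateway route tables in the centralized inspection pattern, with a longest-prefix lookup and a check for routes that bypass the inspection VPC. All attachment ids, CIDRs and table names are constructed, and the route model is a simplified (cidr, target, origin) triple rather than real `describe-transit-gateway-route-tables` output.

```python
"""Added example (not from the thread): model of the TGW route tables behind
centralized inspection, plus a check for routes that skip the firewall.

Assumptions: attachment ids, CIDRs and table names are constructed; routes
are simplified (cidr, target attachment, origin) triples.
"""
from ipaddress import ip_address, ip_network

# Constructed identifiers
INSPECTION_ATTACHMENT = "tgw-attach-inspection"
POST_INSPECTION_TABLE = "rt-post-inspection"

ROUTE_TABLES = {
    # Associated with the Direct Connect gateway attachment: everything
    # arriving from on-prem is forced into the inspection VPC.
    "rt-dx-ingress": [
        ("0.0.0.0/0", INSPECTION_ATTACHMENT, "static"),
    ],
    # Associated with the spoke VPC attachments. The propagated route to
    # VPC B is more specific than the default and wins the lookup, so
    # spoke-to-spoke traffic would skip the firewall (constructed flaw).
    "rt-spokes": [
        ("0.0.0.0/0", INSPECTION_ATTACHMENT, "static"),
        ("10.20.0.0/16", "tgw-attach-vpc-b", "propagated"),
    ],
    # Associated with the inspection VPC attachment: after the firewall,
    # traffic is routed to its real destination.
    POST_INSPECTION_TABLE: [
        ("10.10.0.0/16", "tgw-attach-vpc-a", "propagated"),
        ("10.20.0.0/16", "tgw-attach-vpc-b", "propagated"),
        ("192.168.0.0/16", "tgw-attach-dxgw", "propagated"),
    ],
}


def next_hop(table_name, dst_ip, tables=ROUTE_TABLES):
    """Longest-prefix match, as a TGW route table performs it."""
    dst = ip_address(dst_ip)
    best = None
    for cidr, attachment, _origin in tables[table_name]:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return best[1] if best else None


def traffic_path(ingress_table, dst_ip, tables=ROUTE_TABLES):
    """Attachments a packet traverses: first hop from the table associated
    with its ingress attachment, then (if it went through inspection) the
    hop chosen by the post-inspection table."""
    hops = []
    hop = next_hop(ingress_table, dst_ip, tables)
    if hop is None:
        return hops
    hops.append(hop)
    if hop == INSPECTION_ATTACHMENT:
        after = next_hop(POST_INSPECTION_TABLE, dst_ip, tables)
        if after is not None:
            hops.append(after)
    return hops


def find_bypass_routes(tables=ROUTE_TABLES):
    """Any route in a pre-inspection table whose target is not the
    inspection attachment is a path around the firewall."""
    findings = []
    for name, routes in tables.items():
        if name == POST_INSPECTION_TABLE:
            continue
        for cidr, attachment, origin in routes:
            if attachment != INSPECTION_ATTACHMENT:
                findings.append((name, cidr, attachment, origin))
    return findings


if __name__ == "__main__":
    print("on-prem -> VPC A:", traffic_path("rt-dx-ingress", "10.10.5.5"))
    print("VPC A -> VPC B:  ", traffic_path("rt-spokes", "10.20.1.1"))
    for finding in find_bypass_routes():
        print("bypass route:", finding)
```

The same check applied to real data would iterate over the routes of every table associated with the DX gateway or spoke attachments and flag any target other than the inspection VPC attachment; propagation from spoke attachments into those tables is the usual source of such routes.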

0

Are you considering using Gateway Load Balancer in your architecture? This will simplify the architecture and routing design for your inspection VPC.

You can also check this blog which discusses Hybrid Inspection Architecture which can apply to both Gateway Load Balancer and AWS Firewall: https://aws.amazon.com/blogs/apn/centralized-traffic-inspection-with-gateway-load-balancer-on-aws/

If you are considering deploying gateway load balancer endpoints using Geneve protocol, you can review this Gateway Load Balancer Workshop which deploys Palo Alto in an inspection VPC: https://catalog.us-east-1.prod.workshops.aws/workshops/ae291640-10fe-4c0b-982f-9b9a61dbad26/en-US

AWS
AmerO
answered 6 months ago
  • Thank you for your response Amer! Yes, we are indeed considering using Gateway Load Balancer in our architecture to achieve high availability for the firewall. This approach seems promising in simplifying our routing design. I appreciate the links you provided. The Gateway Load Balancer Workshop deploying Palo Alto in an inspection VPC looks interesting. I'll definitely take a closer look at it to see how it aligns with our requirements. If you have any more insights or tips related to our setup, please feel free to share. Thanks again!
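The second answer mentions that Gateway Load Balancer hands traffic to the appliance using the Geneve protocol. What that means for the firewall side is shown in this added example (not code from the thread, the AWS blog or the workshop): a parser for the Geneve encapsulation (RFC 8926) a GWLB wraps around each packet, reading out the AWS-specific options (assumed to be option class 0x0108 with types 1 = endpoint id, 2 = attachment id, 3 = flow cookie, as documented for GWLB) and the untouched inner IPv4 packet. A builder is included only to produce a constructed test packet; every id, address and the VNI below are made up.

```python
"""Added example (not from the thread or AWS): parse the Geneve header that
a Gateway Load Balancer puts around packets sent to a firewall appliance.

Assumptions: AWS option class 0x0108 and option types 1/2/3 are as the GWLB
documentation describes; ids, addresses and the VNI are constructed.
"""
import struct

GENEVE_PORT = 6081                 # UDP port Geneve uses
AWS_OPTION_CLASS = 0x0108          # assumed AWS option class
OPT_GWLBE_ID, OPT_ATTACHMENT_ID, OPT_FLOW_COOKIE = 1, 2, 3
ETHERTYPE_IPV4 = 0x0800


def build_geneve(inner, vni=0, options=(), protocol=ETHERTYPE_IPV4):
    """Encapsulate `inner` in a Geneve header. `options` is a sequence of
    (class, type, data) tuples with data a multiple of 4 bytes."""
    opt_bytes = b""
    for cls, typ, data in options:
        if len(data) % 4:
            raise ValueError("option data must be 4-byte aligned")
        opt_bytes += struct.pack("!HBB", cls, typ, len(data) // 4) + data
    first = (0 << 6) | (len(opt_bytes) // 4)      # version 0, opt len in words
    header = struct.pack("!BBH", first, 0, protocol) + struct.pack("!I", vni << 8)
    return header + opt_bytes + inner


def parse_geneve(pkt):
    """Return header fields, a {(class, type): data} option map and the
    inner packet. Raises ValueError on truncated or unsupported input."""
    if len(pkt) < 8:
        raise ValueError("short Geneve header")
    first, _flags, protocol = struct.unpack_from("!BBH", pkt, 0)
    version = first >> 6
    if version != 0:
        raise ValueError(f"unsupported Geneve version {version}")
    opt_end = 8 + (first & 0x3F) * 4              # low 6 bits: option length in words
    if opt_end > len(pkt):
        raise ValueError("options run past end of packet")
    vni = struct.unpack_from("!I", pkt, 4)[0] >> 8  # 24-bit VNI, low byte reserved
    options = {}
    off = 8
    while off < opt_end:
        cls, typ, length = struct.unpack_from("!HBB", pkt, off)
        data_len = (length & 0x1F) * 4            # low 5 bits: data length in words
        if off + 4 + data_len > opt_end:
            raise ValueError("option overruns option area")
        options[(cls, typ)] = pkt[off + 4: off + 4 + data_len]
        off += 4 + data_len
    return {"protocol": protocol, "vni": vni, "options": options,
            "payload": pkt[opt_end:]}


def gwlb_metadata(parsed):
    """Pull the three AWS options out of a parsed packet as integers."""
    opts = parsed["options"]
    return {
        "gwlbe_id": int.from_bytes(opts[(AWS_OPTION_CLASS, OPT_GWLBE_ID)], "big"),
        "attachment_id": int.from_bytes(opts[(AWS_OPTION_CLASS, OPT_ATTACHMENT_ID)], "big"),
        "flow_cookie": int.from_bytes(opts[(AWS_OPTION_CLASS, OPT_FLOW_COOKIE)], "big"),
    }


def inner_ipv4_addresses(payload):
    """Source and destination of the original IPv4 packet, which the
    appliance sees unchanged inside the tunnel."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not IPv4")
    src, dst = struct.unpack_from("!4s4s", payload, 12)
    return ".".join(map(str, src)), ".".join(map(str, dst))


def sample_packet():
    """Constructed GWLB-style packet: a bare IPv4 header from an on-prem
    host to a spoke VPC host, wrapped with the three AWS options."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 6, 0,
                       bytes([192, 168, 1, 10]), bytes([10, 10, 5, 5]))
    options = [
        (AWS_OPTION_CLASS, OPT_GWLBE_ID, (0x1122334455667788).to_bytes(8, "big")),
        (AWS_OPTION_CLASS, OPT_ATTACHMENT_ID, (0x0102030405060708).to_bytes(8, "big")),
        (AWS_OPTION_CLASS, OPT_FLOW_COOKIE, (0xDEADBEEF).to_bytes(4, "big")),
    ]
    return build_geneve(ipv4, vni=0, options=options)


if __name__ == "__main__":
    parsed = parse_geneve(sample_packet())
    print(gwlb_metadata(parsed))
    print(inner_ipv4_addresses(parsed["payload"]))
```

The appliance inspects the inner packet and returns it to the GWLB with the Geneve header, options included, left intact; the flow cookie is what ties the returned packet back to its flow, which is why a parser like this should preserve the raw option bytes rather than rebuild them.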
