Amazon Web Services (AWS) has provided its customers with better options for Virtual Private Cloud (VPC) ingress routing. Customers will have to consider which works best for their needs.
Amazon’s VPC is a software-defined networking service that allows customers to build virtual data centers in the cloud, controlling traffic through a combination of virtual firewalls such as stateful security groups and stateless network access control lists (NACLs).
Security group and NACL rules are powerful forms of controlling traffic, but don’t provide packet inspection to analyze traffic or to detect or thwart attacks that fall within the defined routing rules. This is where ingress routing comes in.
VPC ingress routing allows customers to improve their security posture by routing all traffic within the VPC through a firewall appliance running on a virtual machine in the VPC. The firewall appliance can drop packets of any attacks it detects. Customers can choose their tool from the options on AWS marketplace or even design and build their own custom solution.
Prior to support for VPC ingress routing, many customers would route traffic from the VPC back to their on-premises firewall solutions that enforced their networking controls, leading to additional overhead and latency. Running firewall appliances as virtual machines within AWS’s datacenters is clearly a better approach.
What happens if a customer has multiple VPCs? They could run a firewall appliance within each VPC, but this would require additional costs and overhead. AWS’s recommended solution is to route traffic from private VPCs (VPCs with no routes to internet gateways) to an internet-connected VPC in which the customer runs their firewall appliances.
Customers can route this traffic using an AWS transit gateway, which is a fully managed router allowing for hub-and-spoke connectivity between VPCs in the same region, simplifying management and administration of networking across the customer’s cloud and on-premises infrastructure.
Source: AWS Online Tech Talks, YouTube, Feb. 26, 2020
For ingress routing for internet-destined traffic, customers configure the networking of each VPC to route through the transit gateway by means of a VPC attachment. Internet-destined traffic goes to the internet-facing VPC in which the customer runs their firewall appliances.
Customers have three options to run highly available firewalls for ingress routing: VPC attachments, VPN attachments, and forward proxies. Each has advantages and disadvantages.
In the VPC attachment model, the internet-facing VPC to which the others route contains an internet gateway and two firewall appliances, each in a different subnet. The transit gateway has an elastic network interface (ENI, virtual network card) and an IP in each of the two subnets, each of which is in a separate availability zone (AZ).
Traffic can arrive in either AZ, to either interface. The VPC routes all its traffic to the transit gateway, and the transit gateway sends internet traffic to the VPC containing the firewall appliances. There is a return path to the non-internet-facing VPCs in which the customer runs their workloads.
The main drawback to this architecture is that AWS users need to apply some customization to achieve automatic failover for high availability. If one of the firewalls goes down, this setup will black-hole the traffic because of how the route table is configured in the internet-facing VPC: the routes still point at the failed appliance. Customers must create a script for failover, which would usually work by automatically updating the route table if one of the firewalls goes down.
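The failover script the note says customers must write, as an added example that is not from the note or from AWS: given each firewall appliance's health, it repoints any route-table entry still targeting a failed appliance's ENI at a healthy one through boto3's `replace_route`. All route-table and ENI IDs and the health map are constructed placeholders, and the health probe that feeds the map is assumed to exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    route_table_id: str
    destination_cidr: str  # "0.0.0.0/0" for internet-bound, or a spoke VPC CIDR
    target_eni: str        # ENI of the firewall appliance currently in the path


def plan_failover(routes, healthy):
    """Return (route, replacement_eni) pairs for every route whose current
    target failed its health check. `healthy` maps firewall ENI id -> bool,
    as reported by whatever probe the customer runs against each appliance."""
    standby = [eni for eni, ok in healthy.items() if ok]
    changes = []
    for route in routes:
        if healthy.get(route.target_eni, False):
            continue  # still pointing at a live firewall, nothing to do
        if not standby:
            # No live appliance to fail over to: leave the route alone and alert
            # rather than point it at something that is also down.
            raise RuntimeError("no healthy firewall appliance; traffic would black-hole")
        changes.append((route, standby[0]))
    return changes


def apply_failover(ec2, routes, healthy):
    """Push the plan through a client exposing boto3's ec2.replace_route.
    Inject a fake client for dry runs; use boto3.client("ec2") in production."""
    changes = plan_failover(routes, healthy)
    for route, new_eni in changes:
        ec2.replace_route(RouteTableId=route.route_table_id,
                          DestinationCidrBlock=route.destination_cidr,
                          NetworkInterfaceId=new_eni)
    return [(r.route_table_id, r.destination_cidr, eni) for r, eni in changes]


class RecordingEc2:
    """Stand-in for the boto3 client: records the calls instead of making them."""
    def __init__(self):
        self.calls = []

    def replace_route(self, **kwargs):
        self.calls.append(kwargs)


# Constructed sample: the edge (ingress) route and the return route both
# traverse firewall A, and A then fails its health check. IDs are placeholders.
SAMPLE_ROUTES = [
    Route("rtb-igw-edge", "10.1.0.0/16", "eni-firewall-a"),
    Route("rtb-tgw-return", "0.0.0.0/0", "eni-firewall-a"),
]
SAMPLE_HEALTH = {"eni-firewall-a": False, "eni-firewall-b": True}

if __name__ == "__main__":
    print(apply_failover(RecordingEc2(), SAMPLE_ROUTES, SAMPLE_HEALTH))
```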
In the VPN attachment setup, instead of using a native VPC attachment to the transit gateway, users run site-to-site VPN from the transit gateway to each firewall appliance. The VPNs run a routing protocol, so this solution has the advantage of built-in automatic failover, unlike the VPC attachment setup.
The disadvantage of using VPN is that encryption may have a performance impact. Because of the overhead involved in encrypting the traffic, site-to-site VPN will likely not be able to handle as much traffic as the VPC attachment model.
In the forward proxy model, we set up proxies that we make highly available through the use of a network load balancer on the front end of an auto-scaling group of virtual machines. If one of the virtual machines fails its health check, the load balancer stops forwarding traffic to it. All our connections go to the proxy IP range, and we configure our instances to use the proxy when sending traffic to external sources.
The proxy terminates the connection and initiates another connection out to the internet from its own IP. Because the proxy terminates the client connection, this model makes it much easier to decrypt traffic, and so allows inspection of the encrypted traffic arriving at the proxies.
The main downside with this solution is that the proxy must be configured on all the clients. Every client instance that goes out to the internet must have the proxy configuration, so the forward proxy model requires more configuration to set up than the VPC attachment or VPN attachment architectures.
AWS’s transit gateway solution to provide hub-and-spoke connectivity between VPCs and connections back to on-prem provides a great networking solution for its customers. Prior to the transit gateway, customers had to rely on one-to-one peering between VPCs, with no support for transitive peering, and each VPC would require its own internet, VPN, or AWS Direct Connect connection back to the corporate data center (due to a lack of support for edge routing using VPC peering).
All the same, we can see that with three different options, all requiring different degrees of configuration and employing third-party solutions from AWS marketplace, this is clearly an evolving space in which AWS is focusing on releasing new features and services to address the needs of its customers.
Info-Tech expects that AWS will focus on expanding and changing support for this area of its cloud services. Customers should expect to see significant changes in the near-term future to available features and capabilities for ingress routing and for firewall appliances and networking across multiple VPCs and on prem environments.
AWS may work to develop its own firewall solution in the future based on open-source technology, in order to compete with the third-party firewall solutions currently available through AWS Marketplace.