https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-secure-dmz-and-internal-traffic-inside-aws-concept/m-p/333189#M835 <P>Hi all,</P><P>&nbsp;</P><P>First, I 'm pretty with AWS...</P><P>VPC is configured in the range 10.0.0.0/16.</P><P>I have a firewall (PA VM) deployed with 3 interfaces (Untrust, DMZ, Trust).</P><P>Untrust: 10.0.0.0/24, Internal : 10.0.1.0/24 (FW.1) , DMZ : 10.0.99.0/24 (FW.1).</P><P>I created 3 Routing tables for each zone and assign each subnet into the RT.</P><P>I changed the default route for routing table DMZ and Internal, pointing to the FW.</P><P>&nbsp;</P><P>Because each routing table (focusing on DMZ and Trust here) has a default entry (10.0.0.0/16) pointing to local that cannot be changed, it's possible to pass traffic from DMZ to Internal WITHOUT traversing the firewall.</P><P>I created two self referencing security group (SG-TRUST and SG-DMZ) and assign it to each ENI (FW ENI and host ENI).</P><P>Now traffic is blocked (so bypassing fw is not possible anymore) but routes needs to be added on each host to pass traffic from Trust to DMZ (and reverse)</P><P>&nbsp;</P><P>ON DMZ Host</P><P>10.0.1.0/24 gw 10.0.1.99.1 (FW)</P><P>&nbsp;</P><P>ON Internal Host</P><P>10.0.99.0/24 gw 10.0.1.1 (FW)</P><P>&nbsp;</P><P>Is it possible to avoid creating this static routes on the host and force traffic to traverse the firewall (configuration on the routing table) ?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>HA</P> Fri, 12 Jun 2020 14:32:08 GMT slp-security 2020-06-12T14:32:08Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-secure-dmz-and-internal-traffic-inside-aws-concept/m-p/333189#M835 <P>Hi all,</P><P>&nbsp;</P><P>First, I 'm pretty with AWS...</P><P>VPC is configured in the range 10.0.0.0/16.</P><P>I have a firewall (PA VM) deployed with 3 interfaces (Untrust, DMZ, Trust).</P><P>Untrust: 10.0.0.0/24, Internal : 10.0.1.0/24 (FW.1) , DMZ : 10.0.99.0/24 (FW.1).</P><P>I created 3 Routing tables for each zone and assign each subnet into the RT.</P><P>I changed the default route for routing table DMZ and Internal, pointing to the FW.</P><P>&nbsp;</P><P>Because each routing table (focusing on DMZ and Trust here) has a default entry (10.0.0.0/16) pointing to local that cannot be changed, it's possible to pass traffic from DMZ to Internal WITHOUT traversing the firewall.</P><P>I created two self referencing security group (SG-TRUST and SG-DMZ) and assign it to each ENI (FW ENI and host ENI).</P><P>Now traffic is blocked (so bypassing fw is not possible anymore) but routes needs to be added on each host to pass traffic from Trust to DMZ (and reverse)</P><P>&nbsp;</P><P>ON DMZ Host</P><P>10.0.1.0/24 gw 10.0.1.99.1 (FW)</P><P>&nbsp;</P><P>ON Internal Host</P><P>10.0.99.0/24 gw 10.0.1.1 (FW)</P><P>&nbsp;</P><P>Is it possible to avoid creating this static routes on the host and force traffic to traverse the firewall (configuration on the routing table) ?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>HA</P> Fri, 12 Jun 2020 14:32:08 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-secure-dmz-and-internal-traffic-inside-aws-concept/m-p/333189#M835 slp-security 2020-06-12T14:32:08Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-secure-dmz-and-internal-traffic-inside-aws-concept/m-p/333197#M836 <P>AWS does not allow of the addition of more specific routes in a VPC.&nbsp; Due to this, you would typically look at a multi-VPC model to achieve east-west inspection between instances.&nbsp; We have examples of these types of deployments in our AWS reference architecture.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/resources/reference-architectures/aws" target="_blank">https://www.paloaltonetworks.com/resources/reference-architectures/aws</A></P> Fri, 12 Jun 2020 15:05:14 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-secure-dmz-and-internal-traffic-inside-aws-concept/m-p/333197#M836 jmeurer 2020-06-12T15:05:14Z