AWS Routing and Security Groups

Created On 09/25/18 15:12 PM - Last Modified 05/31/23 20:47 PM


Resolution


Questions about AWS routing and security groups come up more and more, so let's dive into this a bit. When working with AWS, the following are some key points:

  • We are not deployed as a service
    • There is no such model in AWS today, so this is nothing like our integrations with OpenStack, ACI, or NSX
  • We do not have any control over the virtual infrastructure
    • For example, there is no promiscuous mode as there is with ESXi, so the VM-Series uses layer 3 interfaces only
  • We have only limited control over the routing in AWS
    • This is very limited; for example, we cannot delete the local route that every subnet route table carries by default
    • Every subnet deployed in an AWS VPC is attached to the VPC virtual router, and the default behavior is for that virtual router to handle all traffic

The end result is that we have to implement some workarounds to ensure traffic goes through our VM-Series in an AWS VPC.

So, given the above constraints, we need to use some combination of routing, VPNs, security groups, and NAT to make all this work. For the hybrid cloud use case (with no inbound traffic from the Internet), simply terminating IPsec tunnels between the on-prem firewalls in the private data center and the VM-Series firewall(s) in the AWS VPC greatly simplifies the problem. Here's an example hybrid topology:

[Figure: AWS demo hybrid logical topology]

For other use cases, such as a public-facing application with users coming from the Internet, we need to combine DNAT, static routes, and AWS security groups. The DNAT and static routes ensure that traffic goes through the VM-Series firewall, and the security groups in the AWS VPC prevent a compromised instance from being reconfigured to route around the firewall. If this is set up correctly, the firewall cannot be bypassed, even if a guest instance is compromised and its default route is altered. Here's a sample topology:

[Figure: Internet facing application use case]

 

The exact method of doing this is covered in the VM-Series for AWS Hybrid Cloud Deployment Guidelines white paper.
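The two controls described above (a default route that points at the firewall interface, and security groups whose only peer is the firewall's security group) can be audited mechanically. The script below is an added example written for this page; it is not code from the article or from the white paper it cites. It reads records in the JSON shape returned by the EC2 DescribeSecurityGroups and DescribeRouteTables APIs, so the output of those calls can be fed to it directly; here the records are constructed inline, and the firewall IDs FIREWALL_SG and FIREWALL_ENI are placeholders.

```python
"""Audit VPC security groups and route tables for paths that bypass the VM-Series.

Added example, not from the Palo Alto Networks article. It consumes the JSON
shapes returned by EC2 DescribeSecurityGroups and DescribeRouteTables; the
records below are constructed, and every ID is a placeholder.
"""
from __future__ import annotations

# Hypothetical IDs of the VM-Series trust-side security group and interface.
FIREWALL_SG = "sg-0fwtrust0000000000"
FIREWALL_ENI = "eni-0fwtrust000000000"


def security_group_findings(group: dict, firewall_sg: str) -> list[str]:
    """Flag any rule that lets an application instance talk past the firewall.

    The hardened pattern is: every ingress and egress rule names the firewall's
    security group as its peer, and no rule uses a CIDR. A CIDR rule (even a
    private one) lets a compromised guest reach, or be reached by, something
    other than the firewall interface, regardless of what its OS routing says.
    """
    findings: list[str] = []
    gid = group["GroupId"]
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            for rng in perm.get("IpRanges", []):
                findings.append(f"{gid}: {direction} rule allows CIDR {rng['CidrIp']} instead of the firewall SG")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{gid}: {direction} rule allows IPv6 CIDR {rng['CidrIpv6']} instead of the firewall SG")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != firewall_sg:
                    findings.append(f"{gid}: {direction} rule peers with {pair.get('GroupId')}, not the firewall SG")
    return findings


def route_table_findings(table: dict, firewall_eni: str) -> list[str]:
    """Flag a default route that does not point at the firewall's interface.

    The VPC 'local' route cannot be removed, so it is ignored. What matters is
    that 0.0.0.0/0 is a static route to the VM-Series ENI rather than to an
    internet gateway or NAT gateway that would carry traffic around the firewall.
    """
    findings: list[str] = []
    rtb = table["RouteTableId"]
    default_routes = [r for r in table.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default_routes:
        findings.append(f"{rtb}: no default route; instances have no path to the firewall for outbound traffic")
    for route in default_routes:
        target = (route.get("NetworkInterfaceId") or route.get("GatewayId")
                  or route.get("NatGatewayId") or route.get("InstanceId"))
        if target != firewall_eni:
            findings.append(f"{rtb}: default route targets {target}, not the firewall ENI {firewall_eni}")
    return findings


def audit(groups: list[dict], tables: list[dict]) -> list[str]:
    """Run both checks; an empty list means no bypass path was found."""
    out: list[str] = []
    for g in groups:
        out.extend(security_group_findings(g, FIREWALL_SG))
    for t in tables:
        out.extend(route_table_findings(t, FIREWALL_ENI))
    return out


# Constructed sample records in the shape of the EC2 API responses.
HARDENED_SG = {
    "GroupId": "sg-0app0000000000000a",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": FIREWALL_SG}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [],
                             "UserIdGroupPairs": [{"GroupId": FIREWALL_SG}]}],
}
WEAK_SG = {
    "GroupId": "sg-0app0000000000000b",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "UserIdGroupPairs": []}],
}
HARDENED_RT = {"RouteTableId": "rtb-0app000000000000a", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FIREWALL_ENI}]}
WEAK_RT = {"RouteTableId": "rtb-0app000000000000b", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0000000000"}]}

if __name__ == "__main__":
    for line in audit([HARDENED_SG, WEAK_SG], [HARDENED_RT, WEAK_RT]):
        print(line)
```

Against the constructed records, the hardened security group and route table produce no findings, while the weak pair produces three: an ingress rule open to 0.0.0.0/0, an egress rule open to 0.0.0.0/0, and a default route that targets an internet gateway instead of the firewall ENI. The security group check is the one that holds even when a guest's own default route has been tampered with, which is the point the article makes.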

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClD3CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail