Secure AWS Cloud WAN Traffic with Palo Alto Networks Cloud NGFW or VM-Series


This blog was written by Nidhi Pandey and Vijay Arumugam Kannan.

We are excited to announce that the Palo Alto Networks managed Cloud NGFW and the customer-managed VM-Series firewall now integrate with AWS Cloud WAN.

First, some context: Over the years, Palo Alto Networks customers have used VM-Series Next-Generation Virtual Firewalls (the virtual form factor of our firewalls) to protect their VPC traffic. These virtual firewalls provide best-in-class security with Layer 7 application controls, real-time signature and URL category updates, and ML-powered threat prevention. Customers enjoyed the convenience of using Palo Alto Networks VM-Series software on AWS by purchasing licenses and deploying the firewalls from the AWS Marketplace. Customers decide which instance types are best suited to their environment and how best to manage upgrades, scale-out, and failover.

These customers have always asked us whether we can make our best-in-class security as easy to consume as other AWS-native services. They were looking for a cloud-native experience for network security and wanted to avoid managing the security infrastructure and integrating it deeply with the AWS ecosystem. We listened and launched Cloud NGFW for AWS back in March 2022. Cloud NGFW for AWS is a Next-Generation Firewall resource (the cloud-native form factor) on the AWS platform managed by Palo Alto Networks. Cloud NGFW resources come with built-in scalability, resilience and life-cycle management. They also offer zero maintenance by transferring the operational responsibility from customers to Palo Alto Networks. Cloud NGFW natively integrates with your AWS workflows and streamlines policy management and security operations with Panorama, Cortex Data Lake, and more. These firewalls can now protect your AWS Cloud WAN traffic using the centralized deployment architectures described below.

AWS Cloud WAN is a managed wide-area networking (WAN) service from AWS that you can use to build, manage, and monitor a unified global network connecting resources that run across your cloud and on-premises environments. It provides a central dashboard from which you can connect on-premises branch offices, data centers, and Amazon Virtual Private Clouds (VPCs) across regions in the AWS global network via a variety of connectivity mechanisms, and share routes between them.

AWS Cloud WAN Deployment

Traditionally, customers had to peer transit gateways with each other to connect VPCs in different regions and support inter-region traffic flow. This peering and connectivity mechanism becomes complex as you add more regions. With AWS Cloud WAN, you now have a global centralized service that provides the peering and connectivity, and it also simplifies the routing.

You can map these VPCs to segments in the core network. These segments are connected using attachments such as VPC attachments or Transit Gateway route table attachments. The built-in segmentation helps you maintain network isolation across AWS and on-prem environments: each segment creates a dedicated routing domain, and you can create multiple network segments within your global network. Cloud WAN restricts AWS resources to communicating within their own segment unless routes are explicitly shared or created.

Cloud WAN & Cloud NGFW Deployment Architectures

In a nutshell, Cloud WAN is the interconnection of your VPCs and on-prem networks. Let's now dive deep into how to secure the traffic interconnected by Cloud WAN using Palo Alto Networks firewalls. In this blog, we use Cloud NGFW in the examples that follow. The same deployment architectures apply to VM-Series deployed behind a Gateway Load Balancer (GWLB) and GWLB endpoints.

Though Cloud WAN is a global construct, we recommend deploying Cloud NGFW in every AWS region it spans, to maintain security posture with low latency and optimized costs. You can deploy Cloud NGFW in a centralized security VPC in every region. The security VPC is connected directly to the Cloud WAN security segment via an attachment. The routing associated with the attachments and segments defines how traffic is routed towards the Cloud NGFW resource for threat prevention: traffic arriving from Cloud WAN attachments is redirected to the security VPC before being forwarded to its destination.

Cloud NGFW deployed within a region can now protect and secure:

  • East-West traffic, both inter-region and intra-region flows
  • Outbound traffic flows
  • Traffic from on-prem and branch environments


Traffic Flow (East-West)

Consider the deployment architecture in the figure below, where an on-prem environment is connected to the Cloud WAN service over the hybrid segment. The VPCs in the two regions are also attached to Cloud WAN, via VPC attachments, in their respective segments.

Fig 1: Secure AWS Cloud WAN traffic (East-West) with Cloud NGFW


In this deployment architecture the security VPC in region 1 hosts the Cloud NGFW. The VPCs in the two regions are attached to Cloud WAN in different segments. Let us consider two traffic flow examples:


1) Traffic originating from on-prem towards a workload hosted in the prod segment in region 1:

  • Cloud NGFW is deployed in the security VPC
  • Any traffic towards region 1 is sent to Cloud WAN
  • From the prod segment, traffic is sent to the security segment, which hosts the Cloud NGFW service, for inspection
  • The Cloud WAN attachment forwards the traffic to the Cloud NGFW endpoint
  • Once the traffic has been inspected and security checks applied, the Cloud NGFW endpoint route table routes the traffic back to Cloud WAN
  • The route table in Cloud WAN redirects the traffic to the prod VPC via its Cloud WAN attachment


2) Traffic originating from the prod segment in region 2 towards the prod segment in region 1:

  • Traffic originates in the prod segment in region 2, destined for the prod segment in region 1
  • Traffic reaches the Cloud WAN prod segment attachment
  • Based on the route, traffic is forwarded to the security VPC in region 1
  • After inspection, the traffic re-enters Cloud WAN in the security segment
  • Based on the security segment attachment, the traffic is forwarded towards the destination
  • The return traffic follows a similar path in reverse


Please refer here to learn more about securing Cloud WAN traffic between Amazon VPCs with next-generation firewalls such as Cloud NGFW and VM-Series, including the details of how to build both single-Region and multi-Region networks and how to configure the route tables for each.


Traffic Flow (Outbound)

In the deployment architecture below, the VPCs in the region are connected to the Cloud WAN segment via attachments. Any outbound traffic towards the internet is inspected by the Cloud NGFW within the security segment before being forwarded to its destination on the internet.

Fig 2: Secure AWS Cloud WAN traffic (outbound) with Cloud NGFW


  • Based on the default route of the prod segment, the traffic is forwarded to Cloud WAN
  • From the prod segment in Cloud WAN, the next hop is the security segment
  • The traffic is forwarded to the Cloud WAN attachment for the security segment
  • The attachment route table forwards the traffic to the Cloud NGFW endpoint
  • After the security checks, the traffic returns to the endpoint
  • The Cloud NGFW endpoint route table forwards the traffic to the NAT gateway
  • The NAT gateway forwards the traffic to the internet gateway (IGW) and on to the destination
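Both the East-West and the outbound flows above rest on one routing assumption in the Cloud WAN core-network policy: every workload segment's default route points at the security VPC attachment, and workload segments never share routes directly with each other. The following audit script is an added example, not code from the blog or from Palo Alto Networks; the policy document, the attachment id and the regions are constructed sample values, and the policy keys follow the Cloud WAN core-network policy format.

```python
import json

SECURITY_SEGMENT = "security"
SECURITY_ATTACHMENT = "attachment-0SECURITYVPC"  # constructed placeholder, not a real id

# Constructed core-network policy modelled on the blog's design: prod and hybrid default-route
# to the security VPC attachment, and the security segment shares routes back for return traffic.
SAMPLE_POLICY = json.loads("""{
  "version": "2021.12",
  "core-network-configuration": {"asn-ranges": ["64512-64555"],
    "edge-locations": [{"location": "us-east-1"}, {"location": "us-west-2"}]},
  "segments": [{"name": "prod", "isolate-attachments": true},
               {"name": "hybrid", "isolate-attachments": true}, {"name": "security"}],
  "segment-actions": [
    {"action": "create-route", "segment": "prod", "destination-cidr-blocks": ["0.0.0.0/0"],
     "destinations": ["attachment-0SECURITYVPC"]},
    {"action": "create-route", "segment": "hybrid", "destination-cidr-blocks": ["0.0.0.0/0"],
     "destinations": ["attachment-0SECURITYVPC"]},
    {"action": "share", "mode": "attachment-route", "segment": "security",
     "share-with": ["prod", "hybrid"]}]
}""")


def audit(policy: dict) -> list[str]:
    """Return findings for workload segments whose traffic could skip the NGFW."""
    findings = []
    actions = policy.get("segment-actions", [])
    for seg in (s["name"] for s in policy["segments"] if s["name"] != SECURITY_SEGMENT):
        defaults = [a for a in actions if a["action"] == "create-route"
                    and a["segment"] == seg and "0.0.0.0/0" in a["destination-cidr-blocks"]]
        if not defaults:
            findings.append(f"{seg}: no default route, traffic never reaches the NGFW")
        for route in defaults:
            stray = [d for d in route["destinations"] if d != SECURITY_ATTACHMENT]
            if stray:
                findings.append(f"{seg}: default route bypasses inspection via {stray}")
    for act in actions:
        # A share between two workload segments creates direct routes around the NGFW.
        if act["action"] == "share" and act["segment"] != SECURITY_SEGMENT:
            peers = [s for s in act.get("share-with", []) if s != SECURITY_SEGMENT]
            if peers:
                findings.append(f"{act['segment']}: shares routes directly with {peers}")
    return findings


def with_direct_share(policy: dict) -> dict:
    # Deep copy via JSON, then add a prod->hybrid share that sidesteps the security segment.
    tampered = json.loads(json.dumps(policy))
    tampered["segment-actions"].append({"action": "share", "mode": "attachment-route",
                                        "segment": "prod", "share-with": ["hybrid"]})
    return tampered
```

Run `audit()` against the policy exported from your core network before applying a change; a clean result means every workload segment still hairpins through the security segment.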

 

Please refer here to learn more about the centralized security aspects of Cloud WAN and securing egress traffic to the internet.


Benefits of Cloud NGFW with Cloud WAN

What’s more, by integrating Cloud NGFW with Cloud WAN, you can now protect your global networks’ traffic with these significant operational benefits:


  • Centralized architecture for security and global network - Cloud WAN provides a centralized architecture for a global AWS deployment. With Cloud NGFW security insertion, you can now have best-in-class security for inter-region, intra-region and on-prem traffic towards cloud workloads
  • Consistent hybrid cloud security - You can use Panorama to extend your policy constructs and deliver comprehensive security across multiple firewalls for a global AWS network that spans on-premises and cloud environments
  • Deployment flexibility - With Cloud WAN's simplified routing and management, customers experience improved network performance for their consolidated global network. Cloud NGFW deployed within the security segment provides advanced security capabilities and threat protection for egress, ingress and East-West traffic in this connected environment


This feature is now available in all AWS regions supported by VM-Series and Cloud NGFW, to help you realize these benefits in your AWS environment. You can also watch this brief demo video. To learn more, sign up for a 30-day free trial and visit the documentation and FAQ pages. As always, your feedback drives our feature roadmap and product development. Please contact us through your Palo Alto Networks support team if you have additional feedback or Cloud NGFW feature requests.