Simplify Security in AWS with Palo Alto Networks Software Firewalls and AWS Cloud WAN Service Insertion


 


 

 

Blog written by Meghna Muralinath, Matt Harms, and Kanthi Sarella

 

 

When deploying application workloads in AWS, adhering to the principles of zero trust is essential. Beyond monitoring ingress and egress traffic, it is crucial to inspect inter-VPC and inter-region traffic to stop the lateral spread of threats and to enforce security policy consistently.

 

Palo Alto Networks is excited to announce its integration with the new AWS Cloud WAN service insertion feature. This integration allows you to seamlessly insert Palo Alto Networks software firewalls (Cloud NGFW for AWS, managed by Palo Alto Networks, or self-managed VM-Series firewalls) to inspect inter-VPC and inter-region AWS Cloud WAN traffic.

 

Cloud WAN service insertion now streamlines the redirection of the following traffic flows to Palo Alto Networks software firewalls for inspection, whether the traffic originates in the same segment or in different segments:

 

  1. Inter-VPC traffic, within a region or across regions (inter-segment and intra-segment).
  2. Traffic between AWS infrastructure and the public internet.
  3. Traffic between AWS infrastructure and on-premises data centers, remote office/branch office (ROBO) sites, and other environments.

 

Security compliance for these traffic flows is now achieved by defining simple policies. These policies redirect traffic to Palo Alto Networks software firewalls that are grouped into a Network Function Group (NFG) for inspection.

 

Applications in a single region or across multiple regions need to communicate with each other to send, retrieve, and store data, or simply to stay in sync. Let's imagine our task is to secure the AWS environment shown below. Inspecting traffic to and from the applications at their different boundaries is one milestone of zero trust: in addition to ingress and egress traffic, all inter-VPC traffic, whether intra-region or inter-region, should be inspected by a firewall. For best-in-class security, use Palo Alto Networks software firewalls.

 

It is best practice to deploy Palo Alto Networks software firewalls (Cloud NGFW or VM-Series) in each region so that intra-region communication is inspected with minimum latency. Prior to the Cloud WAN service insertion feature, inter-region traffic required double inspection to maintain flow symmetry: once in the source region and again in the destination region. Service insertion now allows deterministic single-hop inspection of inter-region traffic.

 

Application VPCs are connected to the Cloud WAN core network using Cloud WAN attachments.

 

Applications are separated by placing them in the same or in different network segments. This allows different policies to be applied to inter-segment and intra-segment traffic, irrespective of the region in which an application runs.

 

VM-Series or Cloud NGFW firewalls are connected to the core network and placed in a Network Function Group (NFG). This is done by tagging the security VPC attachments and matching those tags with rules in the attachment policy.

 

Fig 1 (Simplify-Security-AWS_palo-alto-networks.png): the AWS environment to be secured, with application VPCs attached to the Cloud WAN core in their segments and the firewall VPCs in the inspection NFG.

 

If you haven't upgraded to a bigger screen after that picture, kudos on your screen-squinting stamina! Now let's zoom in on a small slice of this deployment and see how Cloud WAN service insertion works its magic and redirects traffic flows to the software firewall for inspection.

 

The table below summarizes the applications whose traffic flows we will secure and how they map to the Cloud WAN core.

 

Fig 3 (Simplify-Security-AWS_palo-alto-networks.png): table mapping the applications to the Cloud WAN core.

 

A NetSec admin's wishes come true: with service insertion, there is no need to set up or share routes to redirect traffic to the security VPC. Simply define service insertion policies like the example shown below and watch the magic.

 

Fig 4 (Simplify-Security-AWS_palo-alto-networks.png): example service insertion policies.
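To make the policy concrete, here is an added example (not from the original post and not Palo Alto Networks or AWS code) that builds a Cloud WAN core network policy document in Python and lints it before it is pushed with `put-core-network-policy`. It covers the three things the post relies on: the tag-driven attachment rule that places the firewall VPCs in the NFG, a single-hop `send-via` action for Prod-to-Dev traffic with an explicit region preference for the us-east-1/us-west-2 pair, and a `send-to` action that points Prod's internet-bound traffic at the NFG. The key names follow the AWS policy document format (version 2021.12) as this example's author understands it and should be verified against the current schema; the segment names, NFG name, ASN range and regions are assumptions for illustration.

```python
"""Added example, not from the post: build and sanity-check a Cloud WAN core
network policy that inserts a Palo Alto Networks NFG between Prod and Dev and
in front of internet egress. Key names follow the AWS policy document format
(version 2021.12) as this example's author understands it; verify against the
current schema. Segment names, ASN range and regions are assumptions."""
import json
from itertools import combinations

EDGES = ["us-east-1", "us-west-2"]   # assumed regions from the walkthrough
NFG = "InspectionNFG"                # assumed NFG name for the firewall VPCs


def build_policy():
    """Two segments, one NFG, a single-hop send-via for Prod->Dev, a send-to
    default route for egress, and attachment rules driven by tags."""
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": False,
            "asn-ranges": ["64512-64555"],
            "edge-locations": [{"location": e} for e in EDGES]},
        "segments": [{"name": "prod", "require-attachment-acceptance": False},
                     {"name": "dev", "require-attachment-acceptance": False}],
        "network-function-groups": [{"name": NFG, "require-attachment-acceptance": False}],
        "segment-actions": [
            # Prod->Dev is inspected once; for the us-east-1/us-west-2 pair the
            # us-east-1 firewalls are always chosen, giving deterministic symmetry.
            {"action": "send-via", "segment": "prod", "mode": "single-hop",
             "when-sent-to": {"segments": ["dev"]},
             "via": {"network-function-groups": [NFG],
                     "with-edge-overrides": [{"edge-sets": [["us-east-1", "us-west-2"]],
                                              "use-edge-location": "us-east-1"}]}},
            # Internet-bound Prod traffic: the default route points at the NFG.
            {"action": "send-to", "segment": "prod",
             "via": {"network-function-groups": [NFG]}}],
        "attachment-policies": [
            # Security VPC attachments tagged nfg=inspection join the NFG;
            # application VPCs join the segment named in their "segment" tag.
            {"rule-number": 100, "condition-logic": "or",
             "conditions": [{"type": "tag-value", "key": "nfg",
                             "operator": "equals", "value": "inspection"}],
             "action": {"add-to-network-function-group": NFG}},
            {"rule-number": 200, "condition-logic": "or",
             "conditions": [{"type": "tag-exists", "key": "segment"}],
             "action": {"association-method": "tag", "tag-value-of-key": "segment"}}]}


def lint(policy):
    """Findings as 'error: ...' / 'warn: ...'; empty means the insertion policy
    references only declared segments, NFGs and edges, and every single-hop
    send-via pins a firewall region for each region pair."""
    findings = []
    segments = {s["name"] for s in policy.get("segments", [])}
    nfgs = {n["name"] for n in policy.get("network-function-groups", [])}
    edges = {e["location"] for e in policy["core-network-configuration"]["edge-locations"]}
    for act in policy.get("segment-actions", []):
        label = f"{act['action']} from {act.get('segment')}"
        if act.get("segment") not in segments:
            findings.append(f"error: {label}: unknown source segment")
        via = act.get("via", {})
        for name in via.get("network-function-groups", []):
            if name not in nfgs:
                findings.append(f"error: {label}: unknown NFG {name}")
        if act["action"] != "send-via":
            continue
        for dst in act.get("when-sent-to", {}).get("segments", []):
            if dst not in segments:
                findings.append(f"error: {label}: unknown destination segment {dst}")
        covered = set()
        for override in via.get("with-edge-overrides", []):
            use = override["use-edge-location"]
            for edge_set in override["edge-sets"]:
                if use not in edge_set or not set(edge_set) <= edges:
                    findings.append(f"error: {label}: bad edge override {edge_set} -> {use}")
                covered.add(frozenset(edge_set))
        if act.get("mode") == "single-hop":
            # No explicit preference for a region pair means Cloud WAN's default
            # region priority decides; flag it so the choice is deliberate.
            for pair in combinations(sorted(edges), 2):
                if frozenset(pair) not in covered:
                    findings.append(f"warn: {label}: no edge override for {pair}, "
                                    "default region priority will apply")
    placed = {r["action"].get("add-to-network-function-group")
              for r in policy.get("attachment-policies", [])}
    for name in sorted(nfgs - placed):
        findings.append(f"warn: NFG {name} is never populated by an attachment policy")
    return findings


if __name__ == "__main__":
    doc = build_policy()
    print(json.dumps(doc, indent=2))   # body for networkmanager put-core-network-policy
    print("\n".join(lint(doc)) or "policy is consistent")
```

The linter is the check worth keeping: a `send-via` that names an NFG no attachment rule ever populates, or a single-hop action with no preferred region for a pair of edges, is still a valid document, but the first silently blackholes traffic and the second leaves the inspection region to the default priority rather than to a deliberate choice.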

 

Let's overlay different traffic flows on the deployment and policies discussed and see how they are redirected for inspection:

 

  1. Outbound traffic from the application: follow the packet path marked (A) to (K) for traffic from a client in Spoke 1 VPC to a server on the internet.

Fig 5 (Simplify-Security-AWS_palo-alto-networks.png): packet path (A) to (K) for outbound traffic from Spoke 1 VPC to the internet.

 

  1. The packet leaves the workload and the VPC route table sends it to the Core Network attachment of Spoke 1 VPC.
  2. The packet enters the core network in the segment of Spoke 1 (Prod). It matches the service insertion send-to (internet egress) policy and is forwarded to the inspection Network Function Group.
  3. The packet enters the region-local NFG VPC and is forwarded to the Availability Zone (AZ) local Gateway Load Balancer Endpoint (GWLBE).
  4. The packet is transmitted via PrivateLink to the Gateway Load Balancer (GWLB).
  5. The GWLB selects a healthy VM-Series instance and encapsulates the original packet in a GENEVE header that includes the identifier of the GWLBE that received it.
  6. The selected VM-Series instance receives the encapsulated packet and applies security policy to the inner packet. If allowed, the packet is returned to the GWLB in a GENEVE packet.
  7. The GWLB receives the packet and uses the GENEVE header to send it back to the GWLBE that originally received it.
  8. The packet leaves the GWLBE and the VPC route table sends it to the AZ-local NAT Gateway.
  9. The NAT Gateway applies source NAT with its private IP, and VPC routing sends the packet to the Internet Gateway (IGW).
  10. At the IGW, the NAT Gateway's private IP is translated to its public Elastic IP.
  11. The listener on the internet server receives the packet.

 

Highlight: the application segments remain strictly isolated, with the security NFG as the only bridge between them. This required no route sharing.

 

  2. Inter-region, inter-segment traffic: follow the packet path marked (A) to (K) for traffic from a client in Spoke 1 VPC (Prod) in us-east-1 to a server in Spoke 4 VPC (Dev) in us-west-2. Flow symmetry is established by appliance mode on the security VPC attachments and by deterministic selection of the regional inspection VPC, either through the default region priority or through an explicit preference for each regional pair in the service insertion policy.

 

Fig 6 (Simplify-Security-AWS_palo-alto-networks.png): packet path (A) to (K) for inter-region, inter-segment traffic from Spoke 1 VPC (Prod, us-east-1) to Spoke 4 VPC (Dev, us-west-2).

  1. The packet leaves the workload and the VPC route table sends it to the Core Network attachment of Spoke 1 VPC.
  2. The packet enters the core network in the segment of Spoke 1 (Prod). It matches the service insertion send-via policy for Prod-to-Dev traffic. A route lookup is performed in the Prod segment in the source region (us-east-1), and the packet is forwarded to the Security 1 VPC in us-east-1 based on region priority.
  3. The packet enters the region-local NFG security VPC in the AZ selected by the appliance mode configuration. The route table of the attachment subnet in that AZ routes the traffic to the AZ-local GWLBE.
  4. The packet is transmitted via PrivateLink to the Gateway Load Balancer (GWLB).
  5. The GWLB selects a healthy VM-Series instance and encapsulates the original packet in a GENEVE header that includes the identifier of the GWLBE that received it.
  6. The selected VM-Series instance receives the encapsulated packet and applies security policy to the inner packet. If allowed, the packet is returned to the GWLB in a GENEVE packet.
  7. The GWLB receives the packet and uses the GENEVE header to send it back to the GWLBE that originally received it.
  8. The packet leaves the GWLBE and the VPC route table sends it to the security VPC's attachment to the core network.
  9. The packet enters the core network in the inspection NFG. A route lookup is performed and the packet is sent to the Spoke 4 VPC attachment in us-west-2.
  10. On entering Spoke 4 VPC, the route table of the attachment subnet forwards the traffic to the server.
  11. The server receives the packet from the client.

 

Highlight: inter-region, inter-segment traffic is inspected once, by the VM-Series in the NFG, based on the single-hop send-via policy.
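Steps 4 to 7 are identical in both packet walks, and the detail that makes symmetry work is easy to miss: the appliance must hand the packet back inside the same GENEVE encapsulation, options included, because the GWLB uses the endpoint identifier in those options to return the flow to the GWLBE that received it. The following added example (illustrative Python, not VM-Series or AWS code) builds a constructed GWLB-style GENEVE packet, parses it, applies a small 5-tuple policy to the inner packet, and returns the allowed packet with the header echoed unchanged. The wire layout it assumes (protocol type 0x0800 for an inner IPv4 packet, AWS option class 0x0108, option type 1 carrying an 8-byte GWLB endpoint ID and type 3 a 4-byte flow cookie) is this example's reading of the public GWLB documentation and should be verified against it; the addresses, rule table and endpoint identifier are made up.

```python
"""Added example, not VM-Series code: what an appliance behind a Gateway Load
Balancer must do with the GENEVE encapsulation in steps 4-7 of both packet
walks. The layout used (protocol type 0x0800, AWS option class 0x0108, type 1 =
8-byte GWLB endpoint ID, type 3 = 4-byte flow cookie) is this example's reading
of the public GWLB documentation; verify it. Addresses and rules are made up."""
import struct
from ipaddress import ip_address, ip_network

AWS_OPT_CLASS = 0x0108
OPT_GWLBE_ID = 1      # identifier of the GWLBE that received the flow
OPT_FLOW_COOKIE = 3   # per-flow cookie
PROTO_IPV4 = 0x0800

# Constructed rule table: Spoke 1 (Prod, 10.1.0.0/16) may reach the internet on
# TCP/443 and Spoke 4 (Dev, 10.4.0.0/16) on TCP/5432; everything else is denied.
RULES = [(ip_network("10.1.0.0/16"), ip_network("0.0.0.0/0"), 6, 443),
         (ip_network("10.1.0.0/16"), ip_network("10.4.0.0/16"), 6, 5432)]


def build_ipv4_tcp(src, dst, sport, dport, payload=b"hello"):
    """Minimal IPv4+TCP SYN (checksums left zero; enough for 5-tuple policy)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, ip_address(src).packed, ip_address(dst).packed)
    return ip + tcp + payload


def build_geneve(inner, gwlbe_id, flow_cookie):
    """Encapsulate as the GWLB does in step 5: base header plus AWS options."""
    opts = (struct.pack("!HBB", AWS_OPT_CLASS, OPT_GWLBE_ID, 2) + gwlbe_id.to_bytes(8, "big")
            + struct.pack("!HBB", AWS_OPT_CLASS, OPT_FLOW_COOKIE, 1) + flow_cookie.to_bytes(4, "big"))
    # byte 0 = version (0) | option length in 4-byte words; flags and VNI unused here
    return struct.pack("!BBHI", len(opts) // 4, 0, PROTO_IPV4, 0) + opts + inner


def parse_geneve(pkt):
    """Split a GENEVE packet into header bytes, options and the inner packet."""
    ver_optlen, _flags, proto, _vni = struct.unpack("!BBHI", pkt[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end, off, options = 8 + (ver_optlen & 0x3F) * 4, 8, {}
    while off < end:
        opt_class, opt_type, length = struct.unpack("!HBB", pkt[off:off + 4])
        data_len = (length & 0x1F) * 4
        options[(opt_class, opt_type & 0x7F)] = pkt[off + 4:off + 4 + data_len]
        off += 4 + data_len
    return {"proto": proto, "options": options, "header": pkt[:end], "inner": pkt[end:]}


def five_tuple(ip):
    """(src, sport, dst, dport, proto) of an inner IPv4 packet."""
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    sport = dport = None
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return ip_address(ip[12:16]), sport, ip_address(ip[16:20]), dport, proto


def policy_allows(t):
    src, _sport, dst, dport, proto = t
    return any(src in s and dst in d and proto == p and dport == port
               for s, d, p, port in RULES)


def inspect(pkt):
    """Step 6: policy on the inner packet. On allow, hand the packet back with the
    GENEVE header (GWLBE ID, flow cookie) echoed unchanged so that in step 7 the
    GWLB can return it to the GWLBE that originally received it."""
    g = parse_geneve(pkt)
    if g["proto"] != PROTO_IPV4:
        raise ValueError("only IPv4 inner packets are handled in this example")
    gwlbe = g["options"].get((AWS_OPT_CLASS, OPT_GWLBE_ID))
    if gwlbe is None:
        raise ValueError("no GWLBE ID option: the flow could not be returned symmetrically")
    verdict = "allow" if policy_allows(five_tuple(g["inner"])) else "deny"
    return {"verdict": verdict, "gwlbe_id": int.from_bytes(gwlbe, "big"),
            "reply": g["header"] + g["inner"] if verdict == "allow" else None}


if __name__ == "__main__":
    pkt = build_geneve(build_ipv4_tcp("10.1.0.10", "203.0.113.10", 51000, 443),
                       gwlbe_id=0x1122334455667788, flow_cookie=0xDEADBEEF)
    print(inspect(pkt)["verdict"])
```

The point of `inspect` returning `g["header"] + g["inner"]` rather than re-encapsulating from scratch is the symmetry guarantee in step 7: if an appliance rewrote or dropped the endpoint ID option, the GWLB would have no way to send the packet to the GWLBE that originated the flow, and the return path would break even though the security policy allowed the traffic.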

 

Management of the software firewalls: customers can use a single management interface for all Palo Alto Networks firewalls deployed across their environments. Two management options are common to both Cloud NGFW for AWS and VM-Series: Strata Cloud Manager (SCM) and Panorama.

 

  1. Strata Cloud Manager is a SaaS management engine; management and policy definition are done in the customer's own tenant. Cloud NGFW for AWS and VM-Series instances communicate with SCM over the public internet.
  2. Panorama is a customer-operated management system that can be deployed on virtual or physical appliances. The virtual form factor can be deployed in public or private clouds.

Prior to service insertion, security inspection VPC attachments were members of a Cloud WAN segment and could be configured to share routes with other segments. With service insertion, the security VPC attachment is a member of the NFG instead, so that segment-level reachability is no longer available for managing and monitoring the VM-Series instances in the NFG VPCs. The challenge is most pronounced when the management interfaces of the VM-Series instances do not have public IP addresses and/or Panorama is privately addressed. It can be overcome by establishing an alternative path to the management ENIs of the VM-Series instances using the private network constructs available in AWS. These include:

 

  • Site-to-Site VPNs via a virtual private gateway (VPN gateway) associated with the Security VPC
  • VPC peering with the Security VPC
  • A VPC attachment to a Transit Gateway that carries Site-to-Site VPNs or Direct Connect circuits
  • Placing the management interface of the VM-Series EC2 instances in a management VPC that is independent of the Security VPC, using multi-VPC ENI attachment

 

If Cloud NGFW for AWS (CNGFW) is chosen for traffic inspection, the NFG is mapped to it during setup. The traffic flows are very similar to those described earlier in this post. The overall topology is shown below.

 

Fig 7 (Simplify-Security-AWS_palo-alto-networks.png): overall topology with Cloud NGFW for AWS as the inspection NFG.

 

With security at the forefront of everyone's concerns, this post has aimed to show how simple it is to redirect traffic for inspection by Palo Alto Networks software firewalls in AWS using Cloud WAN service insertion.

 

Experience the power of the partnership between AWS and Palo Alto Networks first-hand! Join us at AWS re:Inforce 2024 to see how we can help you simplify your AWS security needs.

 
