Blog written by Meghna Muralinath, Matt Harms, and Kanthi Sarella
When deploying application workloads in the AWS environment, adhering to the principles of zero trust is essential. Beyond monitoring ingress/egress traffic, it's crucial to inspect inter-VPC and inter-region traffic to stop the lateral spread of threats and align with security policies.
Palo Alto Networks is excited to announce the integration with the new AWS Cloud WAN service insertion feature. This integration allows you to seamlessly insert Palo Alto Networks software firewalls (Palo Alto Networks managed Cloud NGFW or self-managed VM-Series firewalls) to inspect inter-VPC and inter-region AWS Cloud WAN traffic.
Cloud WAN service insertion now streamlines the redirection of the following traffic flows to Palo Alto software firewalls for inspection, whether originating from the same or different segments:
Ensuring security compliance on different traffic flows is now achieved by defining simple policies. These policies redirect traffic to Palo Alto software firewalls configured as a Network Function Group (NFG) for inspection.
Applications in a single region or in multiple regions need to communicate with each other to send, retrieve, and store data, or just to stay in sync. Let's imagine our task is to secure the AWS environment shown below. Inspecting traffic to and from the applications at different boundaries is one milestone of zero trust. In addition to ingress and egress traffic, all inter-VPC traffic, be it inter-region or intra-region, should be inspected by a firewall. For best-in-class security, use Palo Alto's software firewalls.
It is best practice to have Palo Alto Networks software firewalls (Cloud NGFW or VM-Series) per region to inspect intra-region communication with minimum latency. Prior to the Cloud WAN service insertion feature, inter-region traffic required double inspection to maintain flow symmetry: once in the source region and again in the destination region. Now service insertion allows deterministic single-hop inspection for inter-region traffic.
Application VPCs are connected to the Cloud WAN core network with Cloud WAN attachments.
Separate applications by placing them in the same or different network segments. Apply different policies for inter-segment and intra-segment traffic irrespective of the region of the application.
VM-Series / CNGFW firewalls are connected to the core network and tagged to be in a Network Function Group (NFG). This can be done by using tags defined in the attachment policy.
If you haven't upgraded to a bigger screen after that picture, kudos on your screen-squinting stamina! Now, let's zoom in on a tiny slice of this deployment and see how Cloud WAN service insertion can work its magic and redirect traffic flows to the software firewall for inspection.
The table below summarizes the different applications whose traffic flows we will be securing and how they map to the Cloud WAN core.
A NetSec admin's wishes come true: with service insertion, there's no need to worry about setting up or sharing routes to redirect traffic to the security VPC. Simply define the service insertion policies like the example shown below and watch the magic.
Let's overlay different traffic flows to the deployment and policies discussed and see how they are redirected for inspection:
Highlight: The application segments are strictly isolated with the security NFG being the only bridge. This required no route sharing.
2. Inter-region, inter-segment traffic: Follow the packet path marked (A) to (K) for traffic from a client in Spoke 1 VPC (Prod) in us-east-1 to a server in Spoke 4 VPC (Dev) in us-west-2. Traffic symmetry is established by appliance mode on the Security VPC attachments and by deterministic selection of the regional security inspection VPC, either by the default region priority or by an explicit preference for regional pairs in the service insertion policy.
Highlight: The inter-region, inter-segment traffic is inspected once by VM-Series in the NFG segment based on the single hop ‘send-via’ policy.
Management of the software firewalls: Customers can have a single management interface for all Palo Alto Networks firewalls deployed in different environments. Two management options are common to both Cloud NGFW for AWS and VM-Series: Strata Cloud Manager (SCM) or Panorama.
Prior to service insertion, security inspection VPC attachments were members of a Cloud WAN segment and could be configured to allow communication with other segments. With service insertion they are instead members of an NFG, which affects management and monitoring of the VM-Series instances in those VPCs. This challenge is most pronounced if the management interfaces of the VM-Series instances do not have public IP addresses and/or Panorama is privately addressed. It can be overcome by establishing an alternative path to the management ENIs of the VM-Series instances through the private network constructs available in AWS. These include:
If Palo Alto Cloud NGFW (CNGFW) is chosen for traffic inspection, the NFG segment will be mapped to it during setup. The traffic flows will be very similar to the flows highlighted earlier in the blog.
(Figure: Overall topology)
With security at the forefront of everyone's concerns, we aim to show through this blog how simple it is to redirect traffic for inspection using Palo Alto Networks software firewalls in AWS with Cloud WAN Service Insertion.
Experience the power of the partnership between AWS and Palo Alto Networks first hand! Join us at AWS re:Inforce 2024 to see how we can help you simplify your AWS security needs.