01-29-2020 08:41 AM
I'm just wondering if anyone has set up a DMZ on Transit firewalls in a Transit VPC on AWS? Basically we need to have an outbound-to-inbound NAT rule with an elastic IP address. Came across this link but not sure if this is the proper way of doing it. We would like to achieve this through a dedicated VSYS but are open to different options.
01-29-2020 08:54 AM
We would typically recommend a different set of firewalls for inbound traffic outside of the Transit Firewalls. They would then either sit in the VPC with the application or connected to the VPCs via a peering link. This is to alleviate the fact that Transit VPC firewalls are active/passive in terms of routing load and an inbound design is active/active resulting in a possible overloaded firewall.
Knowing that this is not always feasible, you can use a public-facing ALB/NLB in front of the firewalls and then SNAT to an address that has been distributed via BGP to the spokes. This would either be one of the Ethernet addresses or a loopback. Do not SNAT to the tunnel address, as they are not fault-tolerant on a tunnel failure.
02-03-2020 07:41 AM
@jmeurer Do you happen to have the documentation or a link which could guide me on your proposed solution?
02-03-2020 07:57 AM
There is nothing public-facing that directly lines up. This is more of a blending of a couple of designs. It would be beneficial to engage with your account team to have a more tailored conversation to your specific needs.
02-05-2020 04:31 AM
@jmeurer On page 12 of the aws-transit-vpc-model-deployment-guide there is a way to create an inbound NAT on Transit firewalls. My question is how you can ensure that the same elastic IP address is failed over to the other firewall in case it loses connectivity to the subscriber VPC which is being used for destination NAT. We would like to leverage our existing Transit VPC setup to see if it fulfills our needs.