How to secure DMZ and Internal traffic inside AWS Concept


L2 Linker

Hi all,

First, I'm pretty with AWS...

VPC is configured in the range 10.0.0.0/16.

I have a firewall (PA VM) deployed with 3 interfaces (Untrust, DMZ, Trust).

Untrust: 10.0.0.0/24, Internal: 10.0.1.0/24 (FW .1), DMZ: 10.0.99.0/24 (FW .1).

I created 3 routing tables, one for each zone, and assigned each subnet to its RT.

I changed the default route for the DMZ and Internal routing tables, pointing it to the FW.

Because each routing table (focusing on DMZ and Trust here) has a default entry (10.0.0.0/16) pointing to local that cannot be changed, it's possible to pass traffic from DMZ to Internal WITHOUT traversing the firewall.

I created two self-referencing security groups (SG-TRUST and SG-DMZ) and assigned them to each ENI (FW ENI and host ENI).

Now traffic is blocked (so bypassing the FW is not possible anymore), but routes need to be added on each host to pass traffic from Trust to DMZ (and the reverse):

On DMZ host:

10.0.1.0/24 gw 10.0.99.1 (FW)

On Internal host:

10.0.99.0/24 gw 10.0.1.1 (FW)

Is it possible to avoid creating these static routes on the hosts and force traffic to traverse the firewall (by configuration on the routing table)?

Regards,

HA
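To make the routing behaviour described above concrete, here is an added example (not part of the original post) that models the poster's VPC: the immutable 10.0.0.0/16 local route wins the longest-prefix match over the 0.0.0.0/0 default, so DMZ-to-Internal traffic never reaches the firewall ENI; self-referencing security groups then drop it; a host static route to the firewall restores the inspected path. Host addresses (.10) and the assumption that firewall-forwarded traffic arrives from the firewall's own interface address are constructed for the model.

```python
import ipaddress

# Constructed model of the poster's VPC (10.0.0.0/16): Internal 10.0.1.0/24 and DMZ 10.0.99.0/24,
# firewall interface at .1 of each subnet, one constructed host (.10) per subnet.
FW_INTERNAL, FW_DMZ = "10.0.1.1", "10.0.99.1"
HOST_INTERNAL, HOST_DMZ = "10.0.1.10", "10.0.99.10"
SUBNET_INTERNAL, SUBNET_DMZ = ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.99.0/24")

# VPC route tables: AWS adds the immutable 10.0.0.0/16 -> local entry; the poster points 0.0.0.0/0 at the FW.
VPC_RT = {
    SUBNET_INTERNAL: [("10.0.0.0/16", "local"), ("0.0.0.0/0", "fw-internal-eni")],
    SUBNET_DMZ: [("10.0.0.0/16", "local"), ("0.0.0.0/0", "fw-dmz-eni")],
}

# Self-referencing security groups: an ENI in a group accepts traffic only from members' addresses.
SG_MEMBERS = {"SG-TRUST": {HOST_INTERNAL, FW_INTERNAL}, "SG-DMZ": {HOST_DMZ, FW_DMZ}}
ENI_SG = {HOST_INTERNAL: "SG-TRUST", FW_INTERNAL: "SG-TRUST", HOST_DMZ: "SG-DMZ", FW_DMZ: "SG-DMZ"}

def longest_prefix_match(table, dst):
    """Target of the most specific route covering dst, as the VPC router (or a host) selects it."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t) for p, t in table if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def subnet_of(ip):
    return next((s for s in VPC_RT if ipaddress.ip_address(ip) in s), None)

def sg_permits(src, dst, sg_enforced):
    """Security groups match on the packet's source address; without them everything is allowed."""
    return (not sg_enforced) or src in SG_MEMBERS[ENI_SG[dst]]

def trace(src, dst, host_routes=(), sg_enforced=True):
    """Classify one flow as 'inspected' (passed through the firewall), 'bypassed' (delivered by the
    local route without inspection) or 'blocked' (dropped by a security group).
    host_routes are static routes configured on the sending host: (prefix, gateway)."""
    gw = longest_prefix_match(list(host_routes), dst)
    if gw is None:
        # No host override: the VPC router decides, and for any in-VPC destination the
        # local /16 beats the /0 default, so the firewall ENI is never the next hop.
        if longest_prefix_match(VPC_RT[subnet_of(src)], dst) == "local":
            return "bypassed" if sg_permits(src, dst, sg_enforced) else "blocked"
        return "inspected"
    if not sg_permits(src, gw, sg_enforced):        # first hop is the firewall's same-zone ENI
        return "blocked"
    if subnet_of(dst) is None:                      # leaving the VPC: the firewall routes it out
        return "inspected"
    # Assumption: the firewall forwards out of its interface in the destination zone and the
    # packet reaches dst with that firewall address as source (e.g. after source NAT).
    fw_egress = FW_INTERNAL if subnet_of(dst) == SUBNET_INTERNAL else FW_DMZ
    return "inspected" if sg_permits(fw_egress, dst, sg_enforced) else "blocked"
```

Calling `trace(HOST_DMZ, HOST_INTERNAL, sg_enforced=False)` reproduces the bypass, `trace(HOST_DMZ, HOST_INTERNAL)` the block after the security groups are attached, and adding `host_routes=[("10.0.1.0/24", FW_DMZ)]` the inspected path the poster had to configure on each host.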

1 REPLY

L4 Transporter

AWS does not allow the addition of more specific routes in a VPC. Due to this, you would typically look at a multi-VPC model to achieve east-west inspection between instances. We have examples of these types of deployments in our AWS reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws
