First, I'm pretty with AWS...
VPC is configured in the range 10.0.0.0/16.
I have a firewall (PA VM) deployed with 3 interfaces (Untrust, DMZ, Trust).
Untrust: 10.0.0.0/24, Internal: 10.0.1.0/24 (FW .1), DMZ: 10.0.99.0/24 (FW .1).
I created 3 routing tables, one for each zone, and assigned each subnet to its RT.
I changed the default route of the DMZ and Internal routing tables to point to the FW.
Because each routing table (focusing on DMZ and Trust here) has a default entry (10.0.0.0/16) pointing to local that cannot be changed, it's possible to pass traffic from DMZ to Internal WITHOUT traversing the firewall.
I created two self-referencing security groups (SG-TRUST and SG-DMZ) and assigned them to each ENI (FW ENI and host ENI).
Now traffic is blocked (so bypassing the FW is not possible anymore), but routes need to be added on each host to pass traffic from Trust to DMZ (and the reverse):
ON DMZ Host
10.0.1.0/24 gw 10.0.1.99.1 (FW)
ON Internal Host
10.0.99.0/24 gw 10.0.1.1 (FW)
Is it possible to avoid creating these static routes on the hosts and force traffic to traverse the firewall (via configuration in the routing table)?
AWS does not allow the addition of more specific routes in a VPC. Due to this, you would typically look at a multi-VPC model to achieve east-west inspection between instances. We have examples of these types of deployments in our AWS reference architecture.
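To make concrete why the fixed local route wins over the default route, and what the host static route and the self-referencing security groups change, here is an added Python model of the setup in the question (example code, not from the original post or from Palo Alto Networks). The firewall interface addresses 10.0.1.1 and 10.0.99.1, the host addresses 10.0.1.10 and 10.0.99.10, and the security-group membership are assumptions; the DMZ host's gateway is taken as 10.0.99.1.

```python
import ipaddress

# Constructed model of the VPC in the post. A route table is a list of
# (prefix, target); the VPC selects the longest matching prefix, and the
# 10.0.0.0/16 "local" entry is always present and cannot be overridden.
FW_TRUST_IF = "10.0.1.1"   # assumed firewall interface in the Internal subnet
FW_DMZ_IF = "10.0.99.1"    # assumed firewall interface in the DMZ subnet

DMZ_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", FW_DMZ_IF)]
TRUST_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", FW_TRUST_IF)]


def lookup(routes, dst):
    """Longest-prefix match; returns the target of the winning route."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), t) for p, t in routes
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def first_hop(dst, vpc_rt, host_routes=()):
    """Address of the first ENI the packet is delivered to inside the VPC.
    host_routes: (prefix, gateway) entries installed on the host OS."""
    gw = lookup(list(host_routes) + [("0.0.0.0/0", "vpc-router")], dst)
    wire_dst = dst if gw == "vpc-router" else gw      # host picks next hop
    target = lookup(vpc_rt, wire_dst)                 # then the VPC does
    return wire_dst if target == "local" else target


# Self-referencing security groups: traffic is accepted only between ENIs
# that carry the same group (assumed membership for SG-DMZ / SG-TRUST).
SG = {"SG-DMZ": {"10.0.99.10", FW_DMZ_IF}, "SG-TRUST": {"10.0.1.10", FW_TRUST_IF}}


def sg_allows(src, dst):
    return any(src in g and dst in g for g in SG.values())


def trace(src, dst, vpc_rt, host_routes=()):
    """Returns (first hop, accepted by the SG, inspected by the firewall)."""
    hop = first_hop(dst, vpc_rt, host_routes)
    return hop, sg_allows(src, hop), hop in (FW_TRUST_IF, FW_DMZ_IF)


if __name__ == "__main__":
    # DMZ host to Internal host with only the VPC route table: the /16 local
    # route beats the /0 default, so the packet never reaches the firewall
    # and only the security group stops it.
    print(trace("10.0.99.10", "10.0.1.10", DMZ_RT))
    # With the static host route from the post, the first hop is the firewall.
    print(trace("10.0.99.10", "10.0.1.10", DMZ_RT, [("10.0.1.0/24", FW_DMZ_IF)]))
```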