AWS Transit Gateway: VPC-to-Internet and VPC-to-VPC(E-W) L4-L7 traffic control with Advanced Threat Prevention via Automated Deployment of CloudGuard IaaS with AWS TGW
I was recently tasked with a re-architecture of a two year old Transit VPC security environment at one of my client’s AWS Public Cloud infrastructure. This was right after AWS re:Invent 2018. Nick Matthews, Principal Architect for AWS Transit Gateway had a reference architecture session about this new technology AWS announced. You can watch here.
Well, AWS Transit Gateway serves as a central hub for all network connectivity for virtual private clouds(VPC) and on-premise networks, it also replaces the requirement for a previous Transit VPC solution in most cases, especially with recently announced Direct Connect.
Based on company security posture, risk and compliance requirements, we chose securing the Spoke VPC’s that attach to AWS Transit Gateway using CloudGuad IaaS Next-Gen Security Gateways from Check Point.
In this case, The new Transit Gateway is comprised of 3 elements:
- VPC spokes hosting client servers and applications
- AWS VPC Transit Gateway
- CloudGuard IaaS gateways, the AWS transit gateways through the ROUTE DOMAINS.
The first ROUTE DOMAIN is the Spoke Route Table, the Spoke Route Table is attached to each of the Spokes
It propagates its routes over to Check Point VPN.
What this means, is, the packets traveling from VPC Spokes reach the TGW and are routed through to the Check Point VPN tunnels.
The second ROUTE DOMAIN — SECURITY route domain — Check Point security route domain is attached to CP VPN tunnels, its associated to tunnels and it will propagate the routes to the VPC, that means when the packet travels from the CP CG IaaS reach of the TGW, and then distributed to different spoke via its CIDR address
VPC connections are propagated and VPN connections are associated with the Transit Gateway via a Transit Gateway Attachment, with this architecture, traffic from On-Premise networks can be directed to any other network attached to the Transit Gateway as long as route table entries are there.
Check Point CloudGuard for AWS easily extends comprehensive Threat Prevention security to the AWS cloud and protects assets in the cloud from attacks, and at the same time enables secure connectivity.
CloudGuard IaaS lets you enforce consistent Security Policies across your entire organization. It protects data between the corporate network and the Amazon VPC. CloudGuard IaaS inspects data that enters and leaves the private subnet in the Amazon VPC to prevent attacks and mitigate data loss or leakage. CloudGuard IaaS protects services in the public cloud from the most sophisticated threats, unauthorized access, and prevents application layer Denial of Service (DoS) attacks. Source: https://www.checkpoint.com/products/iaas-public-cloud-security/
Check Point CloudGuard for AWS meets organizational cloud security needs:
- Automatically deployed tags-based IPsec VPN between AWS Transit Gateway and the security VPC.
- Automatic configuration of AWS VPN Gateways on spoke VPCs. This includes planning of IP addresses to prevent subnet IP address conflicts.
- Next Gen Firewall with Application Control, Data Awareness, HTTPS Inspection, NAT, and logging.
- IPS and virtual patching of cloud resources.
- URL Filtering for Internet-bound traffic.
- Anti-Bot and Anti-Virus, and Zero-day Threat Emulation and Threat Extraction.
- Remote Access VPN to connect remote clients.
- IPsec VPN for VPC-to-VPC, and VPC-to-on-premises connections with optional Direct Connect support.
- High Availability deployment.
- Automated solution deployment with CloudFormation Template.
More documentation and step-by-step deployment document can be found here:
AWS Transit Gateway removes the need to configure peering connections between VPCs that need to communicate. Instead, each individual VPC is associated with the Transit Gateway using a Transit Gateway Attachment, as shown in Image 4. The Transit Gateway Routing Table (also shown in Image 4) contains a complete list of all VPCs and VPNs associated with the Transit Gateway and their respective Transit Gateway Attachments. Within the routing tables associated with a particular VPC subnet (example shown in Image 5), traffic destined for another VPC’s CIDR range is simply directed towards the source VPC’s Transit Gateway Attachment. Once traffic reaches the Transit Gateway via that attachment, the Transit Gateway Route Table is used to determine which attachment to use to send the traffic to its final destination. Although VPN traffic is limited to a 1.25 Gbps bandwidth per VPN tunnel, Transit Gateway includes Equal Path Multi-Cost (ECMP) routing support. Assuming the other end of the VPN connection supports ECMP, traffic can be equally distributed between any number of VPN connections to scale the effective bandwidth.
In addition to making it easier to interconnect VPCs, AWS Transit Gateway removes the cross availability-zone data charges that exist when utilizing VPC peering connections. Instead, AWS Transit Gateway charges a flat fee per Transit Gateway attachment and then per GB of data that flows through the Gateway, regardless of source and destination. Information on Transit Gateway pricing can be found here.
AWS actually published some tools to migrate from old Transit VPC to new Transit Gateway service(needs to be carefully prepared and designed).