DEV Community

Tung Nguyen Xuan

Deploy AWS Network Firewall on Multi-VPC environment with open source tools (P1)


Multi-account AWS environment

Each AWS account is a resource container for AWS Cloud services, an explicit security boundary, a container for cost tracking and billing, and a mechanism to enforce service quotas and API thresholds. An account acts as an identity and access management isolation boundary.

First, we begin by building resources in a single AWS account that represents a management boundary which segments permissions, costs, and services. However, as the customer’s organization grows, greater segmentation of services becomes necessary to monitor costs, control access, and provide easier environmental management. A multi-account solution solves these issues by providing specific accounts for specific services and users within an organization.

Separating your resources into separate AWS accounts helps you to support the following principles in your cloud environment:

  • Potential risks and security threats should be contained within an AWS account without affecting others
  • Centrally provision accounts and resources
  • Share resources and control access
  • Optimize cost: multiple accounts help separate items at a billing level across business units, functional teams, or individual users.
  • Secure and audit your environment for compliance. Different applications can have different security profiles, requiring different control policies and mechanisms around them
  • Separating workloads into different AWS accounts prevents them from consuming quotas for each other.

Use cases:

  • Innovate with exclusive resources for each team
  • Organize AWS accounts
  • Simplify billing
  • Tight security boundaries


Networking with Multi-VPC on AWS

Deploying resources and applications on a multi-account environment means that there will be multiple VPCs in the same or multiple accounts.

At first, we begin with a few VPCs to deploy our infrastructure. The number of VPCs is usually related to our number of accounts, users, and staged environments (production, development, test, and so on). As cloud usage grows, the number of users, business units, applications, and Regions that we interact with also grows, leading to the creation of new VPCs.

  • Below is the multi-account, multi-VPC network architecture with AWS Transit Gateway and Network Firewall.

Multi-account, multi-VPC architecture

An indispensable component to connect VPCs is the Transit Gateway. Transit Gateway is a Regional resource and can connect thousands of VPCs within the same AWS Region. You can create multiple Transit Gateway instances per Region, and you can connect to a maximum of three Transit Gateway instances over a single Direct Connect connection for hybrid connectivity. Typically, you can use just one Transit Gateway instance connecting all your VPC instances in a given Region, and use Transit Gateway routing tables to isolate them wherever needed.

How Transit Gateway works with Multi-VPC

  • A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks.


  • Transit gateway attachments, which describe the source and destination of packets, are created and attached to the Transit Gateway.


Hub & Spoke model

  • To allow the integration, a Transit Gateway will be deployed between these new VPCs and a Direct Connect connection will be created to connect on-premises to AWS. Proper rules have to be created to avoid connections across the environments; the only connections possible will be to the other environments listed here (i.e. Dev, Usertest, and Staging must not be able to connect to Production, but only to Corporate, on-prem or another cloud provider).


  • Connectivity between each VPC needs to be blocked. To do that, we use two Transit Gateway route tables, each acting as an isolation router: all attachments associated with an isolation router propagate to, and are associated with, its route table. Attachments associated with one isolation router can route packets to each other, but cannot route packets to, or receive packets from, the attachments of another isolation router. For example, packets from a VPC with a destination in a subnet of another VPC (say from 10.100.0.0/16 in Prod to 10.102.0.0/16) are routed through the transit gateway, where they are dropped because there is no route for them in the transit gateway route table. Traffic still passes through the two route tables.

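The isolation-router behaviour described above can be checked without an AWS account by modelling how a Transit Gateway picks a route table and does a longest-prefix match. The following is an added example written for this post, not code from the author or from AWS: attachment ids are placeholders, the Dev and corporate CIDRs (10.101.0.0/16, 192.168.0.0/16) are constructed, and Dev and Staging are assumed to share the non-prod isolation router. It also adds a third route table for the corporate attachment so that return traffic from on-prem can reach every VPC; that table is an assumption beyond the two route tables the post mentions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example topology; attachment ids are placeholders, not real AWS ids.
ATTACHMENTS = {
    "tgw-attach-prod": "10.100.0.0/16",      # Prod VPC (CIDR from the post)
    "tgw-attach-dev": "10.101.0.0/16",       # Dev VPC (constructed)
    "tgw-attach-staging": "10.102.0.0/16",   # Staging VPC (CIDR from the post)
    "tgw-attach-corp": "192.168.0.0/16",     # corporate / on-prem side of Direct Connect (constructed)
}


@dataclass
class RouteTable:
    """A Transit Gateway route table: associated attachments plus a prefix table."""
    name: str
    associations: set = field(default_factory=set)
    routes: dict = field(default_factory=dict)  # ip_network -> next-hop attachment id

    def propagate(self, attachment: str) -> None:
        # Route propagation copies the attachment's CIDR into this table.
        self.routes[ipaddress.ip_network(ATTACHMENTS[attachment])] = attachment

    def lookup(self, dst_ip: str):
        # Longest-prefix match; None means no route, so the packet is dropped.
        dst = ipaddress.ip_address(dst_ip)
        matches = [(net, att) for net, att in self.routes.items() if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_isolated_tgw() -> dict:
    """Two isolation routers (prod, non-prod) plus a table for the corporate attachment."""
    prod = RouteTable("rt-prod", {"tgw-attach-prod"})
    nonprod = RouteTable("rt-nonprod", {"tgw-attach-dev", "tgw-attach-staging"})
    corp = RouteTable("rt-corp", {"tgw-attach-corp"})  # assumption: needed for return traffic

    # Each isolation router only learns the attachments it contains, plus the corporate path.
    for att in prod.associations | {"tgw-attach-corp"}:
        prod.propagate(att)
    for att in nonprod.associations | {"tgw-attach-corp"}:
        nonprod.propagate(att)
    # The corporate table learns every VPC so replies from on-prem can get back.
    for att in ("tgw-attach-prod", "tgw-attach-dev", "tgw-attach-staging"):
        corp.propagate(att)
    return {rt.name: rt for rt in (prod, nonprod, corp)}


def forward(tables: dict, src_attachment: str, dst_ip: str):
    """Return the egress attachment for a packet entering the TGW, or None if it is dropped."""
    # The table consulted is the one the *source* attachment is associated with;
    # an attachment can be associated with exactly one route table.
    for rt in tables.values():
        if src_attachment in rt.associations:
            return rt.lookup(dst_ip)
    raise ValueError(f"{src_attachment} is not associated with any route table")


if __name__ == "__main__":
    tgw = build_isolated_tgw()
    print(forward(tgw, "tgw-attach-prod", "10.102.0.10"))   # None: Prod -> Staging has no route
    print(forward(tgw, "tgw-attach-dev", "10.102.0.10"))    # tgw-attach-staging: same isolation router
    print(forward(tgw, "tgw-attach-prod", "192.168.1.5"))   # tgw-attach-corp
    print(forward(tgw, "tgw-attach-corp", "10.100.0.7"))    # tgw-attach-prod
```

The point to notice is that the block is not a deny rule: Prod to Staging is dropped simply because the prod route table never received a propagation for 10.102.0.0/16. Adding a static route for that prefix (or propagating the Staging attachment into rt-prod) would silently reopen the path, so route-table associations and propagations are worth reviewing as part of any change to the Transit Gateway.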

Transit Gateway Route Table

  • Transit Gateway attachments (screenshot in the original post)

  • Associate with the route table (screenshots in the original post)

  • Propagation (screenshot in the original post)

  • Traffic flow (screenshots in the original post)

AWS Network Firewall

  • Stateful, managed network firewall and intrusion detection and prevention service.

  • Automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure.

  • Consistent policy management across VPCs and accounts.

  • Key features (screenshot in the original post)

  • Resource types (screenshot in the original post)

  • How AWS Network Firewall protects resources (screenshot in the original post)

  • Deployment models: distributed, centralized, combined.

to be continued...🐧
