Today Amazon Web Services (AWS) announced a new networking enhancement called Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing. Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.
In this blog, we highlight how taking an architectural approach for enterprise cloud networking and security allows network engineering teams to more rapidly take advantage of new features as soon as they are released by AWS or other providers – using simple orchestration and with full operational visibility. We also highlight in this blog a use case that takes direct advantage of the new Amazon VPC Ingress Routing to strengthen your cloud security posture.
First, let’s step back and understand the benefit of an architectural approach rather than rushing directly into cutting, hammering and covering everything with sheet rock. If you’ve ever done a remodel or built a house, you know the value of architecture. And, if you’ve ever covered a wall with sheet rock and painted it before the plumbing or the electrical wiring was accurately in place according to the plans, you have an even deeper appreciation for the value of architecture…not so different for enterprise cloud network architecture. But, the on-premises architecture that network infrastructure engineers have built out for decades must be re-invented for public cloud. The building materials have changed, the foundation has changed, the construction codes and methods have changed, you get the picture.
So, what’s all this have to do with Amazon VPC Ingress Routing?
As mentioned above, Amazon VPC Ingress Routing is a new enhancement from AWS; think of it as a new building material. It’s important to consider how new materials fit into your architecture. How does it interact with or strengthen your infrastructure design? Does it add complexity? Will it introduce manual processes that impact agility or speed, or can it be easily orchestrated and controlled? How easily can the new enhancement or construct be linked with other constructs and services to increase overall simplicity, security and operational visibility across your cloud infrastructure?
Aviatrix + Amazon VPC Ingress Routing – An Embrace and Extend Architecture for Enterprise Clouds
Aviatrix software helps organizations implement an architecture that includes an intelligent orchestration and control service that fully embraces native cloud constructs and enhancements such as the new Amazon VPC Ingress Routing feature. Amazon VPC Ingress Routing can be automated and programmatically launched via the Aviatrix Controller. Launching Amazon VPC Ingress Routing via Aviatrix makes the route table associated with the Internet Gateway an object under management of the Aviatrix Controller. This makes it possible for Aviatrix to update that route table and direct traffic to in-line services resident in the VPC for monitoring, inspection, filtering or other service processing. Keep reading to find out how Aviatrix goes beyond the intelligent orchestration and control for deployment and ongoing operations to empower real-world customer use cases.
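To make concrete what a controller has to program underneath the feature, here is an added example (written for this post, not Aviatrix’s controller code or its API) that plans the EC2 API calls for VPC Ingress Routing: associate a route table with the Internet Gateway, point the protected subnets’ CIDRs at the appliance’s network interface, and set the return path so flows stay symmetric. It then checks a route table as returned by describe_route_tables. All IDs and CIDRs are constructed placeholders, and the ec2 argument of apply_plan is assumed to be a boto3 EC2 client; nothing here contacts AWS unless you pass one in.

```python
"""Plan and verify the EC2 route-table changes behind VPC Ingress Routing.

Example code written for this post, not Aviatrix's controller code. All IDs
and CIDRs are constructed placeholders; ``ec2`` in apply_plan is assumed to be
a boto3 EC2 client with the permissions the listed calls need.
"""
import ipaddress

DEFAULT_ROUTE = "0.0.0.0/0"


def ingress_route_plan(vpc_cidr, igw_id, igw_rtb_id, appliance_eni_id,
                       appliance_rtb_id, protected):
    """Return the ordered EC2 API calls (method name, kwargs) that steer
    internet ingress for ``protected`` through the appliance.

    ``protected`` maps each protected subnet's own route table ID to that
    subnet's CIDR. ``igw_rtb_id`` is a route table already created in the
    VPC (create_route_table) that is not yet associated with anything.
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for cidr in protected.values():
        # A gateway route table may only carry destinations inside the VPC CIDR.
        if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
            raise ValueError(f"{cidr} is not inside VPC CIDR {vpc_cidr}")

    plan = [
        # The appliance forwards packets not addressed to itself, so EC2's
        # source/destination check must be off on its interface.
        ("modify_network_interface_attribute",
         {"NetworkInterfaceId": appliance_eni_id,
          "SourceDestCheck": {"Value": False}}),
        # Associating a route table with the IGW is what makes it an
        # ingress (gateway) route table.
        ("associate_route_table",
         {"RouteTableId": igw_rtb_id, "GatewayId": igw_id}),
    ]
    # Inbound: traffic from the internet to each protected subnet is handed
    # to the appliance ENI instead of being delivered directly.
    for cidr in protected.values():
        plan.append(("create_route",
                     {"RouteTableId": igw_rtb_id,
                      "DestinationCidrBlock": cidr,
                      "NetworkInterfaceId": appliance_eni_id}))
    # Return path: the protected subnets send internet-bound traffic back
    # through the same appliance so flows stay symmetric (use replace_route
    # instead if the table already has a default route).
    for rtb_id in protected:
        plan.append(("create_route",
                     {"RouteTableId": rtb_id,
                      "DestinationCidrBlock": DEFAULT_ROUTE,
                      "NetworkInterfaceId": appliance_eni_id}))
    # The appliance's own subnet reaches the internet via the IGW directly.
    plan.append(("create_route",
                 {"RouteTableId": appliance_rtb_id,
                  "DestinationCidrBlock": DEFAULT_ROUTE,
                  "GatewayId": igw_id}))
    return plan


def apply_plan(ec2, plan):
    """Execute the plan against a boto3 EC2 client; returns the responses."""
    return [getattr(ec2, method)(**kwargs) for method, kwargs in plan]


def check_gateway_table(route_table, igw_id, appliance_eni_id, protected_cidrs):
    """Check one RouteTable dict from describe_route_tables: it must be
    associated with the IGW and steer every protected CIDR to the appliance.
    Returns a list of problems; an empty list means the table is as intended."""
    problems = []
    associated = [
        a for a in route_table.get("Associations", [])
        if a.get("GatewayId") == igw_id
        and a.get("AssociationState", {}).get("State") == "associated"
    ]
    if not associated:
        problems.append(f"not associated with {igw_id}")
    routes = {r.get("DestinationCidrBlock"): r
              for r in route_table.get("Routes", [])}
    for cidr in protected_cidrs:
        route = routes.get(cidr)
        if route is None:
            problems.append(f"no route for {cidr}")
        elif route.get("NetworkInterfaceId") != appliance_eni_id:
            problems.append(f"{cidr} does not target {appliance_eni_id}")
        elif route.get("State") != "active":
            problems.append(f"route for {cidr} is {route.get('State')}")
    return problems


if __name__ == "__main__":
    # Constructed IDs: one protected web subnet behind a single appliance.
    for method, kwargs in ingress_route_plan(
            "10.0.0.0/16", "igw-0example", "rtb-0igwtable", "eni-0appliance",
            "rtb-0appliancesubnet", {"rtb-0web": "10.0.1.0/24"}):
        print(method, kwargs)
```

The plan is deliberately data, not side effects: you can diff it against what check_gateway_table reports from the live table before calling apply_plan, and a CIDR outside the VPC is rejected up front because a gateway route table will not accept it.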
Customer Use Case – Orchestrate advanced filtering based on Amazon GuardDuty continuous threat intelligence.
In this customer use case, Aviatrix takes full advantage of the Amazon VPC Ingress Routing enhancement, combining it with the Aviatrix Gateway’s advanced filtering capabilities and Amazon GuardDuty’s continuous threat intelligence. Leveraging programmatic access to Amazon GuardDuty’s identified and prioritized findings, the Aviatrix Controller programs an in-line, VPC-resident Aviatrix Gateway to filter traffic associated with findings that meet or exceed a customer-defined severity threshold.
GuardDuty detects unusual API calls, suspicious outbound communications to known malicious IP addresses, or possible data theft using DNS queries as the transport mechanism. GuardDuty itself only reports; it does not block. Aviatrix programmatically pulls this threat intelligence and uses it to build dynamic filtering rules to protect against account compromise, instance compromise, data exfiltration and malicious reconnaissance.
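The step from "findings above a severity threshold" to "rules on the in-line gateway" is where the design decisions live, so here is an added example of that logic (written for this post; it is not Aviatrix’s controller code and the rule dicts are a generic deny-list shape chosen here, not the Aviatrix rule format). The findings are constructed in the shape boto3’s guardduty.get_findings returns, with placeholder IDs and IPs; fetch_findings assumes a boto3 GuardDuty client is passed in and is the only part that would touch AWS. It shows two things the paragraph above leaves implicit: not every finding carries an IP you can block (DNS-based exfiltration findings carry a domain), and an unfiltered deny list can block your own address space.

```python
"""Turn GuardDuty findings at or above a severity threshold into deny rules
for an in-line gateway.

Example code written for this post, not Aviatrix's controller code or rule
format. SAMPLE_FINDINGS is constructed in the shape boto3's
guardduty.get_findings returns; ``guardduty`` in fetch_findings is assumed
to be a boto3 GuardDuty client.
"""
import ipaddress

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_LEVELS = {"low": 1.0, "medium": 4.0, "high": 7.0}

# Never emit a deny for these ranges, whatever the finding says: blocking
# your own VPC or on-prem space on the strength of a finding is an outage.
INTERNAL_CIDRS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")

# Constructed sample findings (IDs, IPs and domain are placeholders).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                            "NetworkConnectionAction": {"ConnectionDirection": "INBOUND",
                                                        "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}}},
    {"Id": "f-2", "Type": "Backdoor:EC2/C&CActivity.B", "Severity": 8.0,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                            "NetworkConnectionAction": {"ConnectionDirection": "OUTBOUND",
                                                        "RemoteIpDetails": {"IpAddressV4": "203.0.113.77"}}}}},
    {"Id": "f-3", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Service": {"Action": {"ActionType": "PORT_PROBE",
                            "PortProbeAction": {"PortProbeDetails": [
                                {"RemoteIpDetails": {"IpAddressV4": "192.0.2.9"}},
                                {"RemoteIpDetails": {"IpAddressV4": "192.0.2.10"}}]}}}},
    {"Id": "f-4", "Type": "Trojan:EC2/DNSDataExfiltration", "Severity": 8.0,
     "Service": {"Action": {"ActionType": "DNS_REQUEST",
                            "DnsRequestAction": {"Domain": "exfil.example"}}}},
    {"Id": "f-5", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                            "NetworkConnectionAction": {"ConnectionDirection": "OUTBOUND",
                                                        "RemoteIpDetails": {"IpAddressV4": "10.0.3.14"}}}}},
]


def _remote_ips(finding):
    """Yield (direction, ip) for the remote side of a finding, if it has one."""
    action = finding.get("Service", {}).get("Action", {})
    kind = action.get("ActionType")
    if kind == "NETWORK_CONNECTION":
        nca = action.get("NetworkConnectionAction", {})
        ip = nca.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            yield nca.get("ConnectionDirection", "UNKNOWN"), ip
    elif kind == "PORT_PROBE":
        for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
            ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
            if ip:
                yield "INBOUND", ip
    # DNS_REQUEST and AWS_API_CALL findings carry a domain or a principal,
    # not a remote address an L3/L4 filter can act on.


def build_filter_rules(findings, min_severity, internal=INTERNAL_CIDRS):
    """Return (rules, skipped): deny rules for findings at or above
    min_severity, and (finding id, reason) pairs for what was not used."""
    nets = [ipaddress.ip_network(c) for c in internal]
    rules, seen, skipped = [], set(), []
    for f in findings:
        if f.get("Severity", 0.0) < min_severity:
            skipped.append((f["Id"], "below threshold"))
            continue
        extracted = list(_remote_ips(f))
        if not extracted:
            skipped.append((f["Id"], "no remote IP in finding"))
            continue
        for direction, ip in extracted:
            if any(ipaddress.ip_address(ip) in n for n in nets):
                skipped.append((f["Id"], f"internal address {ip}"))
                continue
            if (direction, ip) in seen:      # one rule per (direction, address)
                continue
            seen.add((direction, ip))
            rules.append({"action": "deny", "direction": direction, "remote_ip": ip,
                          "finding": f["Id"], "type": f["Type"]})
    return rules, skipped


def fetch_findings(guardduty, detector_id, min_severity):
    """Pull findings at or above min_severity from a boto3 GuardDuty client."""
    criteria = {"Criterion": {"severity": {"GreaterThanOrEqual": int(min_severity)}}}
    ids = []
    for page in guardduty.get_paginator("list_findings").paginate(
            DetectorId=detector_id, FindingCriteria=criteria):
        ids.extend(page["FindingIds"])
    findings = []
    for i in range(0, len(ids), 50):          # get_findings takes at most 50 IDs
        findings.extend(guardduty.get_findings(
            DetectorId=detector_id, FindingIds=ids[i:i + 50])["Findings"])
    return findings


if __name__ == "__main__":
    rules, skipped = build_filter_rules(SAMPLE_FINDINGS, SEVERITY_LEVELS["medium"])
    for r in rules:
        print("deny", r["direction"], r["remote_ip"], "from", r["finding"], r["type"])
    for fid, why in skipped:
        print("skipped", fid, why)
```

With the medium threshold the constructed set yields two rules (inbound 198.51.100.23, outbound 203.0.113.77); the port probe is below threshold, the DNS exfiltration finding has nothing to block at L3, and the outbound scan toward 10.0.3.14 is refused because it sits in internal space. Lowering the threshold to low adds the two probe sources.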
This use case highlights how customers building on an Aviatrix MCN architecture can quickly embrace new AWS constructs, network enhancements and services, easily extend them with Aviatrix’s advanced networking and security services, and then combine them with other vital AWS native services.