How can I create Internet ingress and egress security patterns for AWS?
Customers grapple with VPC connectivity and security. Often, they start by searching for one solution that meets their security needs for both internet ingress and egress. In this write-up we list tried patterns for both use cases and then put them all together.
Internet Ingress Security
Incoming requests to a VPC from the internet are blocked by default. The route tables of the VPC and its subnets need explicit routes to the AWS Internet Gateway (IGW) to enable ingress or egress. Beyond this, for ingress to work, EC2 instances need to be assigned a public IP address to receive any traffic.
Cloud architects need internet ingress for two main use cases:
- Provide end-users (customers) access to cloud hosted applications and services. These services are primarily exposed via HTTP and HTTPS ports.
- Provide developers (employees and partners) access to compute and storage resources for software configuration and maintenance. This kind of access needs much broader permissions to allow communication over SSH, SFTP, RDP etc.
In most cases, customers host most compute instances in private subnets (with no route to an IGW). They complement this with a few public subnets (with route to the IGW) that expose necessary services to the internet.
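The two conditions above (a route to the IGW and a public IP) can be audited from EC2 API output. The sketch below is an added example, not code from this write-up or from AWS: the sample data is constructed in the shape of `aws ec2 describe-route-tables` and `describe-instances` output, and the function names and result labels are assumptions. It checks the routing path only; security groups and network ACLs still apply on top.

```python
# Constructed sample data, shaped like EC2 describe-route-tables /
# describe-instances JSON. All IDs and addresses are made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-pub"}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "VpcId": "vpc-1", "SubnetId": "subnet-pub",
     "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-nopub", "VpcId": "vpc-1", "SubnetId": "subnet-pub"},
    {"InstanceId": "i-app", "VpcId": "vpc-1", "SubnetId": "subnet-priv"},
    {"InstanceId": "i-odd", "VpcId": "vpc-1", "SubnetId": "subnet-priv",
     "PublicIpAddress": "203.0.113.11"},
]

def has_igw_route(table):
    """True if any route in the table targets an Internet Gateway."""
    return any((r.get("GatewayId") or "").startswith("igw-")
               for r in table["Routes"])

def effective_table(subnet_id, vpc_id, tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for t in tables:
        if t["VpcId"] != vpc_id:
            continue
        for a in t.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return t
            if a.get("Main"):
                main = t
    return main

def classify(instances, tables):
    """Map instance id -> routing exposure label (labels are this example's own)."""
    result = {}
    for inst in instances:
        table = effective_table(inst["SubnetId"], inst["VpcId"], tables)
        routed = table is not None and has_igw_route(table)
        has_ip = bool(inst.get("PublicIpAddress"))
        result[inst["InstanceId"]] = (
            "internet-reachable" if routed and has_ip
            else "igw-route-no-public-ip" if routed
            else "no-igw-route")
    return result
```

Anything reported as internet-reachable that is not a deliberately exposed service is a candidate for moving into a private subnet.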
Let’s look at how AWS recommends providing ingress security for end-users accessing your applications. AWS offers the Web Application Firewall (WAF) that protects web applications from common exploits. It even enables you to enforce custom web security rules. This WAF service is deployed with an application load balancer (ALB) that front-ends the compute instances residing in a secure private subnet.
This architecture allows you to deploy customer facing web applications that are secured and load balanced:
There are many exciting features of the AWS WAF. More information on the service can be found here: https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/considerations.html
Now, let us see how you could provide secure access to your AWS instances for your developers, SREs and SysAdmins. The traditional approach has been to install a Linux or Windows jump host in the VPC’s public subnet. This approach has many security risks and issues like having to share certificate files.
The better alternative calls for a cloud native User VPN solution. Key considerations are:
- Profile-based user authorization.
- Multi-factor authentication (support for SAML, LDAP, OKTA etc.)
- Ease of use
- Logging for auditability (who accessed what and when?)
Internet Egress Security
When talking about egressing to the internet, most of the traffic is generated by cloud instances making API calls or patch downloads. This makes the traffic destinations deterministic, meaning there is a finite number of domain names and IP addresses that need to be allowed to egress. This gives us the opportunity to handle egress at the VPC level and handle egress filtering in a distributed fashion close to the source of the data.
Aviatrix egress security is an AWS recommended solution that makes Domain Name (FQDN) based filtering very easy. Aviatrix also handles non-http/https calls. That means you can easily block ftp/sftp traffic in addition to other ports and protocols. This architecture is represented in the diagram below. The Aviatrix NAT gateways in each VPC provide the egress filtering.
There are other design patterns that allow you to service chain with traditional firewalls running in AWS or other clouds. To learn more about these options, please visit: https://docs.aviatrix.com/HowTos/transitvpc_designs.html
Further discussion on egress filtering is available on the AWS answers page as well: https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/
Putting it all together
Internet ingress and internet egress requirements are different, and their design considerations need to be handled separately as well. Putting a general purpose firewall to handle both will not work in terms of functionality or scale.
Let’s take the above patterns and put them together to see what a basic Cloud internet security framework looks like:
If you have any comments or questions, please send an email to: email@example.com