AWS: Enabling Internet Access from Your VPC (Part 2)
This is a continuation of my previous post, which gives 3 additional examples of connecting a VPC to the internet. Make sure to check it out as well.
Option 4 – Utilizing a Security-Appliance as a Gateway
While the other options discussed so far provide quick and easy access to the internet, they don’t provide the security measures likely required in an enterprise environment. As a matter of fact, with the previous examples you’re basically limited to L2-L4: IP addresses (or ranges) and a port number for each rule. This approach, however, can enable security policies up through L7 and can be much more ‘in tune’ with what you typically see within an on-premises deployment behind a traditional L7 firewall (Palo Alto, Sophos, Cisco, etc.). These appliance instances are typically found and launched from the AWS Marketplace, where the listing clearly defines details about the software, instance type, and costs.
One of the benefits of using an appliance from the AWS Marketplace, or from a vendor of your choice, is the ability to utilize familiar user interfaces and configuration tools (you don’t have to learn something completely new). You also get real-time logging of the traffic traversing the appliance – this is key for maintaining compliance with things like PCI, SOX, etc. This is particularly important considering that AWS doesn’t let you view traffic logs without a support ticket.
While this approach provides these benefits, there are a few quick points that need to be taken into consideration:
- While this option is more flexible, it generally requires more ‘advanced’ networking, including routes, NAT, and managing multiple EIPs (public) and ENIs (private).
- It should be noted that appliances generally have their own costs (software costs) in addition to the costs associated with running the actual instance within EC2. Many appliances have minimum instance requirements which can prevent you from running the cheaper instance types.
- EC2 instances are bound to a single subnet, which is bound to a single Availability Zone, which is a single datacenter. To deploy a redundant solution, make sure to deploy multiple appliances in separate Availability Zones.
- If clustering isn’t supported by the appliance (which it probably won’t be), you’ll need to use advanced monitoring (use CloudWatch) to kick off route changes (use Lambda) in the event the primary appliance goes down.
This use case is very similar to the NAT instance; however, the security appliance runs in place of the NAT instance.
- Assign Internet Gateway to your VPC
- From the AWS Marketplace, launch an appropriately sized instance.
- Disable Source/Destination Check by selecting the instance, then choosing Actions, Networking, Change Source/Destination Check
  - The instance will not show up as a route target unless this is disabled.
- Configure routing table used for instances with a default route (0.0.0.0/0) pointing to the Appliance (note that some may have an internal & external interface – choose wisely)
- Configure routing table used for Appliance with a default route (0.0.0.0/0) pointing to the Internet Gateway (listed as igw-xxxx)
- Configure the Appliance for NAT and apply proper security rules within the Appliance.
- Ensure security groups allow outbound traffic over desired ports to the Appliance
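The failover point raised above (CloudWatch alarm kicking off a route change via Lambda) and the default-route step from this list can be tied together in a small handler. The following is an added example, not code from the original post: when the alarm on the primary appliance enters ALARM, the function repoints the workload route table's 0.0.0.0/0 route from the primary appliance's ENI to the standby appliance's ENI. The route-table and ENI IDs, the environment variable names and the SNS-delivered alarm shape are assumptions; the EC2 client is passed in so the logic can be exercised without AWS access.

```python
"""Default-route failover for an appliance-as-gateway VPC.
Added example (not from the original post). IDs are placeholders."""
import json
import os

DEFAULT_ROUTE = "0.0.0.0/0"


def current_default_target(ec2, route_table_id):
    """Return the ENI ID currently carrying the 0.0.0.0/0 route, or None."""
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for route in resp["RouteTables"][0]["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NetworkInterfaceId")
    return None


def failover_default_route(ec2, route_table_id, primary_eni, standby_eni):
    """Repoint the default route from primary_eni to standby_eni.

    Skips the replace when the route already points at the standby (repeated
    alarms are idempotent) or at something other than the primary (someone
    changed it by hand; do not fight them). Returns what was done.
    """
    target = current_default_target(ec2, route_table_id)
    if target == standby_eni:
        return {"action": "noop", "reason": "already on standby"}
    if target != primary_eni:
        return {"action": "noop", "reason": f"unexpected target {target}"}
    ec2.replace_route(RouteTableId=route_table_id,
                      DestinationCidrBlock=DEFAULT_ROUTE,
                      NetworkInterfaceId=standby_eni)
    return {"action": "replaced", "from": primary_eni, "to": standby_eni}


def lambda_handler(event, context):
    """Entry point for CloudWatch alarm -> SNS -> Lambda. Acts only on ALARM."""
    import boto3  # imported lazily so the helpers above run offline in tests
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    if message.get("NewStateValue") != "ALARM":
        return {"action": "noop", "reason": "alarm not in ALARM state"}
    return failover_default_route(
        boto3.client("ec2"),
        os.environ["ROUTE_TABLE_ID"],   # rtb-... of the workload subnets (assumed)
        os.environ["PRIMARY_ENI_ID"],   # internal ENI of the primary appliance
        os.environ["STANDBY_ENI_ID"],   # internal ENI of the standby appliance
    )
```

Pair it with a second alarm and handler in the other direction (or a manual step) to fail back once the primary is healthy, and keep the standby in a different Availability Zone, as noted above.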
Option 5 – Routing Back Through On-Premises
In some cases, the easiest way to gain internet access is to simply route all internet-bound traffic back to your on-premises infrastructure rather than utilizing an EIP or NAT Gateway. In many cases, especially for administrators who aren’t necessarily comfortable with advanced networking or VPCs yet, this may be the simplest option for quick access to external resources. There are many reasons one might want to use this option, including:
- You already have a substantial investment in physical security appliances and you don’t want to invest in cloud-based solutions (or your requirements can’t be met by existing solutions)
- You are only using AWS for workloads with short lifecycles which don’t make sense to put on-premises
- Required external services are secured by an IP whitelist from your on-premises datacenter(s)
Steps to Configure Option 5:
- Configure the routing table used by your resources with a default route (0.0.0.0/0) pointing to your VPN Gateway (vgw-xxxx) or Direct Connect
- Ensure security groups assigned to resources allow the required ports outbound (the default is to allow all outbound traffic)