Centralized inbound inspection with third-party appliances - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Centralized inbound inspection with third-party appliances

In this architectural design pattern, you deploy third-party firewall appliances on Amazon EC2 across multiple Availability Zones behind an Elastic Load Balancer (ELB), either an Application Load Balancer (ALB) or a Network Load Balancer (NLB), in a separate Inspection VPC.

The Inspection VPC and the Spoke VPCs are connected to a Transit Gateway as VPC attachments. The applications in the Spoke VPCs are fronted by an internal ELB, which can be either an ALB or an NLB depending on the application type. Clients on the internet connect to the DNS name of the external ELB in the Inspection VPC, which routes the traffic to one of the firewall appliances. The firewall inspects the traffic and then forwards it to the Spoke VPC through the Transit Gateway, addressing the DNS name of the internal ELB, as shown in the following figure. For more information about inbound security inspection with third-party appliances, refer to the How to integrate third-party firewall appliances into an AWS environment blog post.


Centralized ingress traffic inspection using third-party appliances and ELB

Advantages

  • This architecture supports inspection of any application type, together with the advanced inspection capabilities offered by third-party firewall appliances.

  • This pattern supports DNS-based routing from the firewall appliances to the Spoke VPCs, which allows the applications in the Spoke VPCs to scale independently behind their own ELB.

  • You can use Auto Scaling with the ELB to scale the firewall appliances in the Inspection VPC.

Key considerations

  • You need to deploy multiple firewall appliances across Availability Zones for high availability.

  • The firewall must be configured to perform Source NAT in order to maintain flow symmetry (return traffic comes back to the same appliance that inspected the request), which means the client IP address won’t be visible to the application.

  • Consider deploying Transit Gateway and Inspection VPC in the Network Services account.

  • Additional third-party vendor firewall licensing and support costs apply. Amazon EC2 charges depend on the instance type.
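The first consideration above (firewall appliances in more than one Availability Zone) is worth verifying continuously, because a target group that lists instances in two AZs may still have healthy capacity in only one. The following is an added example, not part of the whitepaper or any AWS tooling; it evaluates the response shapes returned by the boto3 calls `elbv2.describe_target_health()` and `ec2.describe_instances()` using constructed sample data, so it runs offline (the instance IDs and AZ names are made up).

```python
"""Check that the firewall fleet behind the Inspection VPC ELB has healthy
capacity in at least two Availability Zones (added example, not AWS code)."""
from collections import Counter

# Constructed sample shaped like elbv2.describe_target_health() output.
SAMPLE_TARGET_HEALTH = {
    "TargetHealthDescriptions": [
        {"Target": {"Id": "i-0aaa", "Port": 443}, "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "i-0bbb", "Port": 443}, "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "i-0ccc", "Port": 443},
         "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}},
    ]
}
# Constructed sample shaped like ec2.describe_instances() output.
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "Placement": {"AvailabilityZone": "us-east-1a"}},
        {"InstanceId": "i-0bbb", "Placement": {"AvailabilityZone": "us-east-1a"}},
        {"InstanceId": "i-0ccc", "Placement": {"AvailabilityZone": "us-east-1b"}},
    ]}]
}

def az_by_instance(describe_instances_resp):
    """Map instance ID -> Availability Zone from a describe_instances response."""
    return {i["InstanceId"]: i["Placement"]["AvailabilityZone"]
            for r in describe_instances_resp["Reservations"] for i in r["Instances"]}

def healthy_per_az(target_health_resp, az_map):
    """Count only healthy firewall targets per AZ; unmapped IDs go under 'unknown'."""
    counts = Counter()
    for d in target_health_resp["TargetHealthDescriptions"]:
        if d["TargetHealth"]["State"] == "healthy":
            counts[az_map.get(d["Target"]["Id"], "unknown")] += 1
    return dict(counts)

def ha_findings(target_health_resp, describe_instances_resp, min_azs=2):
    """Return findings as strings; an empty list means the HA expectation is met."""
    per_az = healthy_per_az(target_health_resp, az_by_instance(describe_instances_resp))
    findings = []
    if len(per_az) < min_azs:
        findings.append(f"healthy firewalls in only {len(per_az)} AZ(s): {per_az}")
    unhealthy = [d["Target"]["Id"] for d in target_health_resp["TargetHealthDescriptions"]
                 if d["TargetHealth"]["State"] != "healthy"]
    if unhealthy:
        findings.append(f"unhealthy firewall targets: {unhealthy}")
    return findings

if __name__ == "__main__":
    for finding in ha_findings(SAMPLE_TARGET_HEALTH, SAMPLE_INSTANCES):
        print("FINDING:", finding)
```

In the sample, the fleet spans two AZs on paper, but the only appliance in us-east-1b is failing health checks, so the check reports a single-AZ condition rather than trusting the instance placement alone.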