AWS Transitive Peering – Deep Packet Inspection w/ Palo Alto Firewalls
AWS Transitive Peering
The term transitive peering describes a hub-and-spoke network built in the cloud in which a central transit VPC interconnects multiple virtual private clouds (VPCs) and, optionally, on-premises networks. AWS documents this pattern as a transit VPC; the name matters because native VPC peering is not transitive, so a hub built from peering connections alone cannot forward traffic between spokes.
Why use a transitive network?
This option is best suited for deployments with the following use cases or requirements:
- AWS resources in spoke VPCs need access to a wide variety of on-premises infrastructure
- The required on-premises resources are extremely difficult to replicate or proxy (e.g., proprietary mainframe protocols)
- The organization is implementing a hybrid architecture with complex network-routing requirements
- The organization's security or compliance program requires additional network-based monitoring or filtering between AWS and on-premises resources (e.g., network intrusion detection systems or next-generation firewalls)
This design pattern creates dynamically routed VPN connections between spoke VPC virtual private gateways (VGWs) and VPN appliances in the transit VPC, and again between these appliances and on-premises network equipment. Note that in the reference architecture diagram, all communication with the VPN appliances (including the VPN connection between the corporate data center and the transit VPC) uses the transit VPC Internet Gateway and Elastic IP addresses; because every tunnel terminates on a public address, the appliances' security groups should admit only IKE and IPsec (UDP 500, UDP 4500 and ESP) from the expected spoke and data-center peers. This design uses VPN connections, rather than VPC peering, to connect to the transit VPC because VPC peering does not support transitive routing. The best practice for making this transit network highly available and scalable is to use dynamically routed (BGP) VPN connections, so that failover between tunnels and appliances happens without manual route changes. Additionally, AWS highly recommends the use of Auto Recovery for EC2 or Auto Scaling for automatic recovery of failed EC2-based VPN instances.
In addition to providing direct network routing between VPCs and on-premises networks, this design also allows the transit VPC to implement more complex routing rules, such as network address translation between overlapping network ranges, or to add additional network-level packet filtering or inspection.
Palo Alto Transitive Peering – Compliance & Threat Management
In order to meet industry compliance standards in financial, government, and other regulated industries, a central point for threat management and intrusion detection is required. Palo Alto firewalls provide next-generation capabilities that include threat management tools, a FIPS-compliant mode (Federal Information Processing Standards), IDS/IPS (intrusion detection/prevention), application-signature-based control lists, exploit protection, and detailed logging.
For entities that require additional boundary inspection and compliance, such as the DoD, a transit network with deep packet inspection is required. For example, the DISA CAP (Cloud Access Point), which is required for Impact Level 4/5 (IL4/IL5) workloads, is best accessed by a transit VPC that contains Palo Alto firewalls with routing configured to peer with the DISA/AWS peering points. Redundancy can be created by deploying firewalls in multiple Availability Zones that reach back to the spoke VPCs over IPsec VPN tunnels.
All external and internal VPC traffic must be routed through the IPsec VPN tunnels so that the Palo Alto firewalls see every flow. Any route in a spoke VPC that points directly at an Internet Gateway, NAT Gateway, or VPC peering connection bypasses inspection and breaks the compliance case for the design.
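Whether a spoke actually honours that requirement is visible in its route tables. The following script is an added example, not code from the original page, AWS, or Palo Alto Networks. It audits route tables in the dict shape returned by boto3's `ec2.describe_route_tables()` and flags anything that bypasses the transit VPC design described above: a route whose target is an Internet Gateway, NAT Gateway, or VPC peering connection, a missing default route via the VGW, or VGW route propagation left disabled (without propagation, the prefixes the firewalls advertise over BGP never reach the spoke). The route-table ids, gateway ids, and CIDRs are constructed sample data, so the script runs offline.

```python
"""Audit spoke VPC route tables for paths that bypass a transit VPC firewall.

Added example (not code from the original page, AWS or Palo Alto Networks).
It consumes the dict shape that boto3's ec2.describe_route_tables() returns,
so it can run against a real account, but the route tables below are
constructed sample data so the script runs offline.
"""
from __future__ import annotations

# Constructed sample data in the describe_route_tables() response shape:
# spoke A follows the transit VPC design, spoke B has two bypass routes.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-spoke-a",
        "VpcId": "vpc-spoke-a",
        "PropagatingVgws": [{"GatewayId": "vgw-0a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local",
             "Origin": "CreateRouteTable", "State": "active"},
            # on-prem and other-spoke prefixes learned over BGP via the VGW
            {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-0a",
             "Origin": "EnableVgwRoutePropagation", "State": "active"},
            # static default route: all Internet egress goes through the firewalls
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0a",
             "Origin": "CreateRoute", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-spoke-b",
        "VpcId": "vpc-spoke-b",
        "PropagatingVgws": [],
        "Routes": [
            {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local",
             "Origin": "CreateRouteTable", "State": "active"},
            # direct Internet egress that never touches the firewalls
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b",
             "Origin": "CreateRoute", "State": "active"},
            # direct peering to spoke A: spoke-to-spoke traffic skips inspection
            {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-ab",
             "Origin": "CreateRoute", "State": "active"},
        ],
    },
]

# Target fields a route may carry; AWS populates exactly one of them per route.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def route_target(route: dict) -> str:
    """Return the route's next-hop identifier, whichever field holds it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "unknown"


def audit_route_table(rtb: dict) -> list[str]:
    """Return human-readable findings; an empty list means the table conforms."""
    findings: list[str] = []
    if not rtb.get("PropagatingVgws"):
        findings.append("VGW route propagation is off: BGP-learned on-prem and "
                        "spoke prefixes from the transit VPC will not be installed")
    default_via_vgw = False
    for route in rtb.get("Routes", []):
        dst = route.get("DestinationCidrBlock", route.get("DestinationIpv6CidrBlock"))
        target = route_target(route)
        if target == "local":
            continue  # intra-VPC traffic never leaves the VPC
        if route.get("State") != "active":
            findings.append(f"{dst} -> {target}: route is {route.get('State')}")
            continue
        if target.startswith(("igw-", "nat-")):
            findings.append(f"{dst} -> {target}: direct Internet path bypasses the firewalls")
        elif target.startswith("pcx-"):
            findings.append(f"{dst} -> {target}: VPC peering bypasses inspection")
        elif target.startswith("vgw-") and dst == "0.0.0.0/0":
            default_via_vgw = True
    if not default_via_vgw:
        findings.append("no 0.0.0.0/0 route via the VGW: Internet-bound traffic is "
                        "not forced through the transit VPC")
    return findings


def audit(route_tables: list[dict]) -> dict[str, list[str]]:
    """Map each route table id to its list of findings."""
    return {rtb["RouteTableId"]: audit_route_table(rtb) for rtb in route_tables}


if __name__ == "__main__":
    for rtb_id, findings in audit(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb_id}: {'OK' if not findings else 'BYPASS'}")
        for finding in findings:
            print(f"  - {finding}")
```

Against a real account, replace `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from `boto3.client("ec2").describe_route_tables()` (paginating if the account is large) and run the audit for every spoke VPC; an empty findings list for a table means all of its non-local traffic can only leave through the VGW tunnels to the firewalls. NAT Gateways are flagged alongside Internet Gateways because either gives a subnet an egress path that the transit VPC never sees.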
Transitive Peering Network Architecture
This diagram shows a single firewall controlling traffic for all VPCs in an AWS network.
A virtual port for each VPC allows an individual VPN connection to be established and managed for routing, traffic rules, and threat management. This design does not include a redundant firewall, but it shows a second zone for future expansion to support high availability; until that second firewall is deployed, the single instance is a single point of failure for every spoke. The number of VPCs that can connect to one Palo Alto firewall depends on the VM-Series model and instance deployed from the AWS Marketplace; the VM-100 series firewalls referenced here support up to 8 virtual ports for interconnecting VPCs. Expansion simply requires additional firewall instances.
Contact us for more information on how using Palo Alto firewalls in cloud deployments will help you meet compliance requirements.