December 03, 2019 By BlueAlly
By Jonathan Maresky, Product Marketing Manager, CloudGuard IaaS, published Dec 3, 2019
One of the most impressive things about Amazon Web Services (AWS) is the customer-obsessed gene it inherited from its parent company. I learned this in person a few times in my earlier collaborations with AWS.
On one occasion, I asked a general manager to explain their strategy and plans for one of the development areas and was told “wait and see. We announce our plans on stage at AWS re:Invent or at AWS Summits, in front of our customers, and generally with a launch customer on stage together with us”.
On another occasion, I requested an enhancement to a particular feature that would be of great benefit to my company at the time, an AWS Partner Network (APN) member. The response was “find real AWS customers that need this enhancement and then ask me again. We make changes based on real customer needs. A partner request is not sufficient justification”.
Amazon Virtual Private Cloud (VPC) Ingress Routing, an enhancement to Amazon VPC announced at AWS re:Invent 2019 this week, is a perfect example of this customer focus.
Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances into their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) that redirect ingress traffic to third-party appliances before it reaches its final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.
Before this enhancement, route tables could be associated with subnets inside a VPC but not with traffic entering that VPC. As a result, manipulations and workarounds were required to redirect traffic coming into the VPC, especially when deploying network security, traffic inspection and advanced threat prevention.
Larger customers with bigger deployments normally use AWS Transit Gateway for routing this inbound traffic. But AWS Transit Gateway can be too much for smaller customers with fewer VPCs.
And this is where Amazon VPC Ingress Routing will be beneficial: the enhancement provides an easier, more natural, more elegant and flexible way to control and redirect traffic coming into the VPC, generally for the purpose of network security and advanced threat prevention.
Check Point CloudGuard IaaS is an integration partner for this new capability.
In order to test the integration, Check Point’s R&D team successfully deployed the following architecture using the Amazon VPC Ingress Routing enhancement:
Figure: The architecture used to test the integration between Amazon VPC Ingress Routing and CloudGuard IaaS
The CloudGuard IaaS (CGI) security gateway is deployed in a separate subnet, with secondary ENIs in each protected subnet.
The Internet Gateway forwards all traffic destined for the protected subnets to the CGI primary ENI, using the ingress routing rules defined at the IGW.
Using CloudGuard Controller, the CGI can import all AWS objects, e.g. subnets and instances, and create a security policy accordingly.
The CGI security policy can define different security rules for each AWS object, or for a group of objects that share a common AWS tag.
For example, the CGI security policy can:
- Perform extended IPS inspection on traffic going to SN-1
- Perform Source NAT on traffic going out to the internet from SN-2
- Block all traffic coming from the internet to instances with the tag “external: block”
And so on.
After the traffic is inspected by the CGI, it is forwarded to the desired instance in the protected subnet via the CGI secondary ENI in that subnet.
When the instance replies, the response is sent back to the CGI secondary ENI in the same subnet, and the CGI then forwards it to the Internet Gateway via its primary ENI. Both directions of the flow therefore pass through the same gateway.
And everything functions as expected. Watch the short demo video here.
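The two routing invariants that make this design work are that every protected subnet's inbound traffic is steered to the CGI primary ENI at the IGW, and that each protected subnet's replies leave via the CGI ENI in that subnet rather than straight to the IGW. The following added example (not Check Point's or AWS's code) audits route tables for exactly those properties; its input is shaped like the "RouteTables" list returned by boto3's ec2.describe_route_tables(), and the sample at the bottom is constructed, with placeholder IDs, rather than taken from a live account.

```python
# Added example (not Check Point's or AWS's code): audits an Ingress Routing design
# like the one above. Input mirrors the "RouteTables" list from boto3's
# ec2.describe_route_tables(); the sample at the bottom is constructed, not live.
def _table_with_association(route_tables, key, value):
    """Return the route table having an association entry where key == value."""
    for rt in route_tables:
        if any(a.get(key) == value for a in rt.get("Associations", [])):
            return rt
    return None

def audit_ingress_routing(route_tables, igw_id, primary_eni, protected):
    """protected maps subnet id -> (CIDR, CGI secondary ENI in that subnet).
    Returns findings; empty means: (1) the IGW-associated table sends each
    protected CIDR to the CGI primary ENI, (2) each protected subnet's default
    route returns via the CGI ENI in that subnet, (3) no protected subnet has a
    direct route to the IGW that would bypass inspection."""
    findings = []
    edge = _table_with_association(route_tables, "GatewayId", igw_id)
    if edge is None:
        return [f"no route table is edge-associated with {igw_id}"]
    ingress = {r.get("DestinationCidrBlock"): r for r in edge.get("Routes", [])}
    for subnet_id, (cidr, secondary_eni) in protected.items():
        r = ingress.get(cidr)
        if r is None or r.get("NetworkInterfaceId") != primary_eni:
            findings.append(f"ingress table: {cidr} is not routed via {primary_eni}")
        rt = _table_with_association(route_tables, "SubnetId", subnet_id)
        routes = rt.get("Routes", []) if rt else []
        if any(x.get("GatewayId") == igw_id for x in routes):
            findings.append(f"{subnet_id}: direct route to {igw_id} bypasses inspection")
        default = next((x for x in routes if x.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None or default.get("NetworkInterfaceId") != secondary_eni:
            findings.append(f"{subnet_id}: default route does not return via {secondary_eni}")
    return findings

# Constructed sample with placeholder IDs: SN-1 is wired correctly; SN-2 sends
# its replies straight to the IGW, so inbound and return paths are asymmetric.
IGW, PRIMARY = "igw-0example", "eni-0cgiprimary"
PROTECTED = {"subnet-sn1": ("10.0.1.0/24", "eni-0cgisn1"),
             "subnet-sn2": ("10.0.2.0/24", "eni-0cgisn2")}
SAMPLE = [
    {"RouteTableId": "rtb-ingress", "Associations": [{"GatewayId": IGW}],
     "Routes": [{"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": PRIMARY},
                {"DestinationCidrBlock": "10.0.2.0/24", "NetworkInterfaceId": PRIMARY}]},
    {"RouteTableId": "rtb-sn1", "Associations": [{"SubnetId": "subnet-sn1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0cgisn1"}]},
    {"RouteTableId": "rtb-sn2", "Associations": [{"SubnetId": "subnet-sn2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]},
]

if __name__ == "__main__":
    for finding in audit_ingress_routing(SAMPLE, IGW, PRIMARY, PROTECTED):
        print(finding)
```

Running it against the sample reports the two SN-2 problems (a direct IGW route and a default route that skips the CGI ENI), which is the configuration drift that would silently take the return path out of inspection.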
Check Point management was equally impressed by the integration:
“Our enterprise customers generally use AWS Transit Gateway for deploying Check Point CloudGuard advanced threat prevention, but we needed a solution that is more suitable for small and medium customers with a limited number of VPCs”, said Zohar Alon, Head of Cloud Products at Check Point Software. “Amazon VPC Ingress Routing provides customers with smaller deployments with an easier, more efficient and more natural way to redirect traffic flowing into a VPC for advanced security”.