Published September 12, 2021

AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic



East-west traffic, or traffic between VPCs, flows through the NGFW in the security VPC. 


This series covers the architecture in five parts:

1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief

2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic

5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic



All Topology_v20211003 (the link opens 5 web pages; allow about 30 seconds for them to load)



DOCUMENT CONVENTIONS:

Acronyms:

Source IP: SIP

Source Port: SP

Destination IP: DIP

Destination Port: DP

AWS Elastic IP: EIP

Gateway: GW



==========East-to-West Traffic Flow==========

1. In the WEB VPC, WEB_EC2-1 sends traffic to a service in the APP VPC.

The request is sent to the APP_ALB DNS name. The DNS lookup returns one IP address for each of the load balancer's enabled availability zones.

The WEB_EC2-1 OS picks one of those IP addresses and sends the traffic.

The route table (RT_WEB_EC2-1a) applied to the EC2 instance's subnet directs the traffic to the TGW attachment (ATT_VPC_WEB) in its availability zone.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


2. This TGW attachment (ATT_VPC_WEB) is associated with the TGW route table RT_TGW_Spoke.

So RT_TGW_Spoke determines the next hop for the traffic.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


3. In the RT_TGW_Spoke route table, the static default route (0.0.0.0/0) forwards the traffic to VPC_SEC.

So the next hop is ATT_VPC_SEC.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


4. When the traffic reaches ATT_VPC_SEC, this VPC attachment connects it to VPC_SEC.

Two subnets are associated with ATT_VPC_SEC: SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28).

Because the traffic originates in AZ-1a, it enters the SEC_Landing-1a (10.1.255.0/28) subnet.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


5. When the traffic enters the SEC_Landing-1a subnet (10.1.255.0/28), the route table RT_SEC_Landing-1a determines the next hop.

The destination matches 0.0.0.0/0, whose next hop is eni-NGFW-1-Eth1/2, so the traffic is sent to the NGFW-1 Eth1/2 interface.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


6. When NGFW-1 receives the traffic on interface Eth1/2, the firewall applies its security profile filtering.

After filtering, NGFW-1 performs Source NAT (SNAT).

Without SNAT, the return traffic could take an asymmetric path through a different NGFW, and the NGFWs drop such asymmetric flows.

The source IP is translated to the NGFW-1 Trust interface IP address (Eth1/2: 10.1.3.x/24).

In the NGFW-1 route table (RT_NGFW-1), the DIP (APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28)) matches the route 10.0.0.0/8, whose next hop is the GW IP (10.1.3.1/24) of the Trust subnet (SEC_NGFW-1_Trust-1a).

So the traffic is sent to the GW of the SEC_NGFW-1_Trust-1a subnet, which is 10.1.3.1.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


7. When the traffic enters the SEC_NGFW-1_Trust-1a subnet (10.1.3.0/24), the route table RT_SEC_NGFW-1_Trust-1a determines the next hop.

The DIP (APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28)) matches 0.0.0.0/0, whose next hop is the TGW.

VPC_SEC has the VPC attachment ATT_VPC_SEC, so the traffic enters the TGW through ATT_VPC_SEC.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


8. This TGW VPC attachment (ATT_VPC_SEC) is associated with the TGW route table RT_TGW_SEC.

So the next hop is looked up in RT_TGW_SEC.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


9. The RT_TGW_SEC route table holds three propagated routes.

VPC_WEB, VPC_APP and the on-premises attachment propagate 10.2.0.0/16, 10.3.0.0/16 and 172.16.0.0/16 into RT_TGW_SEC.

The DIP matches the route 10.3.0.0/16, so the next hop is ATT_VPC_APP.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


10. When the traffic reaches ATT_VPC_APP, this VPC attachment connects it to VPC_APP.

Two subnets are associated with ATT_VPC_APP: APP_Landing-1a (10.3.255.0/28) and APP_Landing-1b (10.3.255.16/28).

Because the traffic originates in AZ-1a, it enters the APP_Landing-1a (10.3.255.0/28) subnet.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


11. When the traffic enters the APP_Landing-1a subnet (10.3.255.0/28), the route table RT_APP_Landing-1a determines the next hop.

The DIP matches the route 10.3.0.0/16, whose next hop is local, so the traffic is delivered directly to APP_ALB.

(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: APP_ALB DNS(10.3.10.0/28 or 10.3.10.16/28), DP: 8443)


12. When the traffic reaches APP_ALB, APP_ALB checks target health. APP_EC2-1 is healthy, so the traffic is sent to APP_EC2-1.

When the ALB target group is configured by IP address with TCP or TLS:

The ALB rewrites the SIP to the ALB network interface IP.

The ALB rewrites the DIP to the target group IP.

The ALB rewrites the DP to the target group port.

APP_ALB translates the DIP to the target group instance (APP_EC2-1: 10.3.1.x/24).

(SIP: APP_ALB network interface 10.3.10.x/28, DIP: APP_EC2-1 10.3.1.x/24, DP: 8443)


13. After APP_ALB rewrites the SIP and DIP, the next hop is looked up in the route table RT_APP_ALB-1a.

The DIP matches 10.3.0.0/16 local, so the traffic is sent directly to APP_EC2-1.

(SIP: APP_ALB network interface 10.3.10.x/28, DIP: APP_EC2-1 10.3.1.x/24, DP: 8443)




==========Return Traffic Flow==========

1. In the APP VPC, the instance (APP_EC2-1) sends the return traffic back to APP_ALB.

In the route table RT_APP_EC2-1a, the destination matches 10.3.0.0/16, whose next hop is local.

So the traffic is sent to APP_ALB.

(SIP: APP_EC2-1 10.3.1.x/24, SP: 8443, DIP: APP_ALB network interface 10.3.10.x/28)


2. When APP_ALB receives the return traffic, APP_ALB reverses the source and destination translation.

The source IP is changed back to the APP_ALB network interface (10.3.10.0/28).

The destination IP is changed back to NGFW-1_Eth1/2 (10.1.3.x/24).

The route table matches 0.0.0.0/0, whose next hop is the TGW, so the traffic is sent to the TGW attachment ATT_VPC_APP.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)


3. This TGW attachment (ATT_VPC_APP) is associated with the TGW route table RT_TGW_Spoke.

So the next hop is looked up in RT_TGW_Spoke.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)


4. The RT_TGW_Spoke route table contains only one static default route (0.0.0.0/0), pointing to ATT_VPC_SEC.

So the next hop is ATT_VPC_SEC.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)


5. When the traffic reaches ATT_VPC_SEC, this VPC attachment connects it to VPC_SEC.

Two subnets are associated with ATT_VPC_SEC: SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28).

Because the traffic comes from AZ-1a, it enters the SEC_Landing-1a (10.1.255.0/28) subnet.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)


6. When the traffic enters the SEC_Landing-1a subnet (10.1.255.0/28), the route table RT_SEC_Landing-1a determines the next hop.

The destination matches 10.1.0.0/16 local, so the traffic is delivered to the NGFW-1 Eth1/2 interface.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)


7. When NGFW-1 receives the traffic on interface Eth1/2, it matches the session ID and recognizes the packet as return traffic.

NGFW-1 performs Destination NAT (DNAT).

The destination IP is translated back to the WEB_EC2-1 IP (10.2.1.x/24).

In the NGFW-1 route table (RT_NGFW-1), the destination IP matches the route 10.0.0.0/8, whose next hop is the GW IP (10.1.3.1/24) of the Trust subnet (SEC_NGFW-1_Trust-1a).

So the traffic is sent to the SEC_NGFW-1_Trust-1a subnet.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)


8. When the traffic enters the SEC_NGFW-1_Trust-1a subnet (10.1.3.0/24), the route table RT_SEC_NGFW-1_Trust-1a determines the next hop.

The DIP (WEB_EC2-1 10.2.1.x/24) matches 0.0.0.0/0, whose next hop is the TGW.

VPC_SEC has the VPC attachment ATT_VPC_SEC, so the traffic enters the TGW through ATT_VPC_SEC.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)


9. This TGW VPC attachment (ATT_VPC_SEC) is associated with the TGW route table RT_TGW_SEC.

So the next hop is looked up in RT_TGW_SEC.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)


10. The RT_TGW_SEC route table holds three propagated routes.

VPC_WEB, VPC_APP and the on-premises attachment propagate 10.2.0.0/16, 10.3.0.0/16 and 172.16.0.0/16 into RT_TGW_SEC.

The DIP matches the route 10.2.0.0/16, so the next hop is ATT_VPC_WEB.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)


11. When the traffic reaches ATT_VPC_WEB, this VPC attachment connects it to VPC_WEB.

Two subnets are associated with ATT_VPC_WEB: WEB_Landing-1a (10.2.255.0/28) and WEB_Landing-1b (10.2.255.16/28).

Because the traffic comes from AZ-1a, it enters the WEB_Landing-1a (10.2.255.0/28) subnet.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)


12. When the traffic enters the WEB_Landing-1a subnet (10.2.255.0/28), the route table RT_WEB_Landing-1a determines the next hop.

The DIP matches the route 10.2.0.0/16, whose next hop is local, so the traffic is delivered directly to WEB_EC2-1.

(SIP: APP_ALB network interface 10.3.10.x/28, SP: 8443, DIP: WEB_EC2-1 10.2.1.x/24)
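The two flows above are a chain of longest-prefix-match lookups across VPC route tables and TGW route tables, with NGFW-1 inserting itself by SNAT at step 6 of the forward flow. The following Python simulation is an added example, not code from the original post: it encodes the route tables named in the post, traces the forward flow hop by hop, and then replays the return flow with and without SNAT to show why step 6 matters. The post only walks the AZ-1a path, so RT_SEC_Landing-1b, a second firewall NGFW-2, the NGFW Eth1/2 addresses (10.1.3.10, 10.1.4.10), the on-premises attachment name ATT_ONPREM and the host addresses used for WEB_EC2-1 and APP_ALB are all assumptions made here for illustration.

```python
from ipaddress import ip_address, ip_network

# Route tables from the post as (prefix, next hop) lists.
# RT_SEC_Landing-1b and NGFW-2 are assumed mirrors of the AZ-1a objects.
VPC_RT = {
    "RT_WEB_EC2-1a":          [("10.2.0.0/16", "local"), ("0.0.0.0/0", "ATT_VPC_WEB")],
    "RT_SEC_Landing-1a":      [("10.1.0.0/16", "local"), ("0.0.0.0/0", "eni-NGFW-1-Eth1/2")],
    "RT_SEC_Landing-1b":      [("10.1.0.0/16", "local"), ("0.0.0.0/0", "eni-NGFW-2-Eth1/2")],
    "RT_SEC_NGFW-1_Trust-1a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "ATT_VPC_SEC")],
    "RT_APP_Landing-1a":      [("10.3.0.0/16", "local"), ("0.0.0.0/0", "ATT_VPC_APP")],
}
TGW_RT = {
    "RT_TGW_Spoke": [("0.0.0.0/0", "ATT_VPC_SEC")],
    "RT_TGW_SEC":   [("10.2.0.0/16", "ATT_VPC_WEB"), ("10.3.0.0/16", "ATT_VPC_APP"),
                     ("172.16.0.0/16", "ATT_ONPREM")],   # ATT_ONPREM is an assumed name
}
RT_NGFW_1 = [("10.0.0.0/8", "10.1.3.1")]

WEB_EC2 = "10.2.1.10"      # constructed host in WEB_EC2-1's 10.2.1.0/24
APP_ALB = "10.3.10.5"      # constructed APP_ALB node in 10.3.10.0/28
NGFW_IP = {"NGFW-1": "10.1.3.10", "NGFW-2": "10.1.4.10"}   # assumed Eth1/2 addresses
ENI_OWNER = {"eni-NGFW-1-Eth1/2": "NGFW-1", "eni-NGFW-2-Eth1/2": "NGFW-2"}
LANDING_RT = {"1a": "RT_SEC_Landing-1a", "1b": "RT_SEC_Landing-1b"}


def lookup(table, dip):
    """Longest-prefix match, the way a VPC or TGW route table picks a next hop."""
    dst = ip_address(dip)
    matches = [(ip_network(p), nh) for p, nh in table if dst in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def forward_flow(snat=True):
    """Walk WEB_EC2-1 -> TGW -> NGFW-1 -> TGW -> APP_ALB.

    Returns the list of (route table, next hop) decisions and the session
    NGFW-1 installs, keyed by the client IP as the APP side will see it."""
    sip, dip = WEB_EC2, APP_ALB
    hops = [("RT_WEB_EC2-1a", lookup(VPC_RT["RT_WEB_EC2-1a"], dip)),
            ("RT_TGW_Spoke", lookup(TGW_RT["RT_TGW_Spoke"], dip))]
    # The TGW hands the packet to the ATT_VPC_SEC subnet in the source's AZ (1a).
    eni = lookup(VPC_RT["RT_SEC_Landing-1a"], dip)
    hops.append(("RT_SEC_Landing-1a", eni))
    fw = ENI_OWNER[eni]
    if snat:                           # step 6: SNAT to NGFW-1's Eth1/2 address
        sip = NGFW_IP[fw]
    hops += [("RT_NGFW-1", lookup(RT_NGFW_1, dip)),
             ("RT_SEC_NGFW-1_Trust-1a", lookup(VPC_RT["RT_SEC_NGFW-1_Trust-1a"], dip)),
             ("RT_TGW_SEC", lookup(TGW_RT["RT_TGW_SEC"], dip)),
             ("RT_APP_Landing-1a", lookup(VPC_RT["RT_APP_Landing-1a"], dip))]
    return hops, {fw: {(sip, dip)}}    # only NGFW-1 knows this session


def return_flow(session, app_az, snat=True):
    """Return packet APP_ALB -> client.

    app_az is the AZ in which the TGW enters VPC_SEC (it follows the AZ the
    traffic comes from, so an APP instance in AZ-1b lands in SEC_Landing-1b).
    Returns (firewall that received the packet, 'forwarded' or 'dropped')."""
    dip = NGFW_IP["NGFW-1"] if snat else WEB_EC2
    assert lookup(TGW_RT["RT_TGW_Spoke"], dip) == "ATT_VPC_SEC"
    rt = LANDING_RT[app_az]
    nh = lookup(VPC_RT[rt], dip)
    # A 'local' hit means the packet is addressed to NGFW-1's own Eth1/2 IP, so
    # the VPC delivers it to that ENI whichever landing subnet it entered.
    fw = "NGFW-1" if nh == "local" else ENI_OWNER[nh]
    has_session = (dip, APP_ALB) in session.get(fw, set())
    return fw, "forwarded" if has_session else "dropped"


if __name__ == "__main__":
    for snat in (True, False):
        hops, sess = forward_flow(snat)
        print(f"--- forward flow, SNAT={snat} ---")
        for rt, nh in hops:
            print(f"{rt:24s} -> {nh}")
        for az in ("1a", "1b"):
            print(f"return via AZ-{az}: {return_flow(sess, az, snat)}")
```

With SNAT the return packet is addressed to NGFW-1's own Trust IP, so the 10.1.0.0/16 local route delivers it to NGFW-1 whichever landing subnet the TGW chose; without SNAT the AZ-1b landing subnet's default route hands it to NGFW-2, which holds no session and drops it. Transit Gateway appliance mode, which keeps both directions of a flow in one AZ, is the AWS-side alternative; this design relies on SNAT instead.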




Reference:

1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief

2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic

5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic



First published / Last updated: 2021.09.12 / 2021.10.03
