AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic ~ 快快樂樂的Peter (Happy Peter)

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

This design uses overlay routing for outbound security on the NGFW.

Outbound traffic from EC2 in the WEB VPCs traverses the TGW and egresses the AWS environment through the NGFW.

The architecture will share 5 topics:

1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief

2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic

5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic

All Topology_v20211003(Need to wait for 30 sec to open the 5 web pages)

DOCUMENT CONVENTIONS:

Acronym:

Source IP: SIP

Source Port: SP

Destination IP: DIP

Destination Port: DP

AWS Elastic IP: EIP

GW: Gateway

==========Outbound Traffic Flow==========

1. In the WEB VPC, the WEB_EC2-1 sends traffic to a service on the internet.

The route table (RT_WEB_EC2-1a) applied to the EC2’s subnet directs traffic to the TGW attachment (ATT_VPC_WEB) in its availability zone.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)

2.This TGW attachment (ATT_VPC_WEB) associates with a TGW route table (RT_TGW_Spoke).

So RT_TGW_Spoke will check the next hop of traffic.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)

3. In this RT_TGW_Spoke route table, it uses the static route (0.0.0.0/0) in the that route table to forward the traffic to the VPC_SEC.

So traffic will know the next hop is the ATT_VPC_SEC.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)

4. When traffic reach the ATT_VPC_SEC, this attachment uses VPC attachment connect to VPC_SEC.

There are two subnets associate with this ATT_VPC_SEC. SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28)

Due to the traffic is coming from AZ-1a, so traffic will go to SEC_Landing-1a (10.1.255.0/28) subnet.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)

5. When traffic reach subnet (SEC_Landing-1a (10.1.255.0/28)), the route table (RT_SEC_Landing-1a) will check next hop.

The destination is use 0.0.0.0/0, next hop is the eni-NGFW-1-Eth1/2. So traffic will send to NGFW-1 Eth1/2 interface.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)

6. When NGFW-1 get the traffic from interface Eth1/2, FW will do security profile filtering.

After filtering, NGFW-1 will do Source NAT (SNAT).

Without no SNAT, it is possible to have asymmetric traffic flowing through different NGFWs, which the NGFWs drop.

Source IP will be translate to NGFW-1 Untrust interface IP address (Eth1/1: 10.1.1.x/24)

In the NGFW-1 route table (RT_NGFW-1), destination IP match the route 0.0.0.0/0 and next hop is the GW IP (10.1.1.1/24) of Untrust subnet (SEC_NGFW-1_Untrust-1a).

So, traffic will send to the GW of the subnet (SEC_NGFW-1_Untrust-1a) which is 10.1.1.1.

(SIP: NGFW-1_Eth1/1 10.1.1.x/24, DIP: 1.1.1.1, DP: 443)

7. When traffic into subnet (SEC_NGFW-1_Untrust-1a (10.1.1.0/24)), the route table (RT_SEC_NGFW-1_Untrust-1a) will check next hop.

The DIP match 0.0.0.0/0. So next hop is the SEC_IGW. The traffic will direct send to SEC_IGW.

(SIP: NGFW-1_Eth1/1 10.1.1.x/24, DIP: 1.1.1.1, DP: 443)

8. The SEC_IGW translates the source IP of the outbound traffic (NGFW-1_Eth1/1 10.1.1.x/24) to the EIP(52.52.52.52) associated with the NGFW-1 Untrust interface and forwards the traffic to the internet.

(SIP: NGFW-1-Eth1/1 EIP 52.52.52.52, DIP: 1.1.1.1, DP: 443)

==========Return Traffic Flow==========

1. In the Internet, client (1.1.1.1) sends return traffic to the EIP (52.52.52.52) associated with the NGFW-1 Untrust interface.

(SIP: 1.1.1.1, SP: 443, DIP: NGFW-1-Eth1/1 EIP: 52.52.52.52)

2. In the VPC_SEC, the IGW receives the return traffic.

and then translates the DIP (52.52.52.52) of the return traffic to the NGFW-1 public interface’s IP address (NGFW-1-Eth1/1).

Send traffic to NGFW-1-Eth1/1 directly.

(SIP: 1.1.1.1, SP: 443, DIP: NGFW-1_Eth1/1 10.1.1.x/24)

3. When NGFW-1 receives the traffic from interface Eth1/1.

According to the session ID, NGFW-1 will know this is a return traffic.

NGFW-1 will do destination NAT(DNAT).

Destination IP will be translate back to WEB_EC2-1 IP (10.2.1.x/24).

In the NGFW-1 route table (RT_NGFW-1), destination IP match the route 10.0.0.0/8, the next hop is the GW IP (10.1.3.1/24) of Trust subnet (SEC_NGFW-1_Trust-1a).

So, traffic will send to the subnet (SEC_NGFW-1_Trust-1a).