Published September 04, 2021 with 0 comments

AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic


3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

This design uses overlay routing for outbound security on the NGFW. 

Outbound traffic from EC2 in the WEB VPCs traverses the TGW and egresses the AWS environment through the NGFW.


This architecture series is split into 5 topics:

1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief

2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic

5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic



All Topology_v20211003 (the 5 web pages take about 30 seconds to open)



DOCUMENT CONVENTIONS:

Acronyms:

Source IP: SIP

Source Port: SP

Destination IP: DIP

Destination Port: DP

AWS Elastic IP: EIP

Gateway: GW



==========Outbound Traffic Flow==========

1. In the WEB VPC, the WEB_EC2-1 sends traffic to a service on the internet. 

The route table (RT_WEB_EC2-1a) applied to the EC2’s subnet directs traffic to the TGW attachment (ATT_VPC_WEB) in its availability zone.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)


2. This TGW attachment (ATT_VPC_WEB) is associated with a TGW route table (RT_TGW_Spoke).

So RT_TGW_Spoke decides the next hop for the traffic.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)


3. RT_TGW_Spoke contains a static default route (0.0.0.0/0) that forwards the traffic to VPC_SEC.

So the next hop is the ATT_VPC_SEC attachment.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)


4. When the traffic reaches ATT_VPC_SEC, this VPC attachment connects to VPC_SEC.

Two subnets are associated with ATT_VPC_SEC: SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28).

Because the traffic comes from AZ-1a, it goes to the SEC_Landing-1a (10.1.255.0/28) subnet.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)


5. When the traffic reaches the SEC_Landing-1a (10.1.255.0/28) subnet, its route table (RT_SEC_Landing-1a) checks the next hop.

The destination matches 0.0.0.0/0, whose next hop is eni-NGFW-1-Eth1/2, so the traffic is sent to the NGFW-1 Eth1/2 interface.

(SIP: WEB_EC2-1 10.2.1.x/24, DIP: 1.1.1.1, DP: 443)


6. When NGFW-1 receives the traffic on interface Eth1/2, the firewall applies its security profile filtering.

After filtering, NGFW-1 performs Source NAT (SNAT).

Without SNAT, the two directions of a flow could traverse different NGFWs (asymmetric traffic), and the NGFWs drop such traffic.

The source IP is translated to the NGFW-1 Untrust interface IP address (Eth1/1: 10.1.1.x/24).

In the NGFW-1 route table (RT_NGFW-1), the destination IP matches the route 0.0.0.0/0, whose next hop is the GW IP (10.1.1.1/24) of the Untrust subnet (SEC_NGFW-1_Untrust-1a).

So the traffic is sent to the gateway of the subnet (SEC_NGFW-1_Untrust-1a), which is 10.1.1.1.

(SIP: NGFW-1_Eth1/1 10.1.1.x/24, DIP: 1.1.1.1, DP: 443)


7. When the traffic enters the subnet SEC_NGFW-1_Untrust-1a (10.1.1.0/24), its route table (RT_SEC_NGFW-1_Untrust-1a) checks the next hop.

The DIP matches 0.0.0.0/0, whose next hop is SEC_IGW, so the traffic is sent directly to SEC_IGW.

(SIP: NGFW-1_Eth1/1 10.1.1.x/24, DIP: 1.1.1.1, DP: 443)


8. The SEC_IGW translates the source IP of the outbound traffic (NGFW-1_Eth1/1 10.1.1.x/24) to the EIP (52.52.52.52) associated with the NGFW-1 Untrust interface and forwards the traffic to the internet.

(SIP: NGFW-1-Eth1/1 EIP 52.52.52.52, DIP: 1.1.1.1, DP: 443)




==========Return Traffic Flow==========

1. On the Internet, the client (1.1.1.1) sends return traffic to the EIP (52.52.52.52) associated with the NGFW-1 Untrust interface.

(SIP: 1.1.1.1, SP: 443, DIP: NGFW-1-Eth1/1 EIP: 52.52.52.52)


2. In VPC_SEC, the IGW receives the return traffic.

It then translates the DIP (52.52.52.52) of the return traffic to the IP address of the NGFW-1 public interface (NGFW-1-Eth1/1).

The traffic is sent directly to NGFW-1-Eth1/1.

(SIP: 1.1.1.1, SP: 443, DIP: NGFW-1_Eth1/1 10.1.1.x/24)


3. NGFW-1 receives the traffic on interface Eth1/1.

From the session ID, NGFW-1 knows this is return traffic.

NGFW-1 performs Destination NAT (DNAT).

The destination IP is translated back to the WEB_EC2-1 IP (10.2.1.x/24).

In the NGFW-1 route table (RT_NGFW-1), the destination IP matches the route 10.0.0.0/8, whose next hop is the GW IP (10.1.3.1/24) of the Trust subnet (SEC_NGFW-1_Trust-1a).

So the traffic is sent to the subnet SEC_NGFW-1_Trust-1a.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)


4. When the traffic enters the subnet SEC_NGFW-1_Trust-1a (10.1.3.0/24), its route table (RT_SEC_NGFW-1_Trust-1a) checks the next hop.

The DIP (WEB_EC2-1 10.2.1.x/24) matches 0.0.0.0/0, whose next hop is the TGW.

VPC_SEC has a VPC attachment (ATT_VPC_SEC), and the traffic enters the TGW through it.

The traffic is sent directly to ATT_VPC_SEC.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)


5. This TGW VPC attachment (ATT_VPC_SEC) is associated with a TGW route table (RT_TGW_SEC).

So the next hop is looked up in RT_TGW_SEC.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)


6. Three routes are propagated into the RT_TGW_SEC route table.

VPC_WEB, VPC_APP and the on-premises attachment propagate 10.2.0.0/16, 10.3.0.0/16 and 172.16.0.0/16 respectively into RT_TGW_SEC.

The DIP matches the route 10.2.0.0/16, so the next hop is ATT_VPC_WEB.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)


7. When the traffic reaches ATT_VPC_WEB, this VPC attachment connects to VPC_WEB.

Two subnets are associated with ATT_VPC_WEB: WEB_Landing-1a (10.2.255.0/28) and WEB_Landing-1b (10.2.255.16/28).

Because the traffic comes from AZ-1a, it goes to the WEB_Landing-1a (10.2.255.0/28) subnet.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)


8. When the traffic enters the WEB_Landing-1a (10.2.255.0/28) subnet, its route table (RT_WEB_Landing-1a) checks the next hop.

The DIP matches the route 10.2.0.0/16, whose next hop is local, so the traffic is delivered directly to WEB_EC2-1.

(SIP: 1.1.1.1, SP: 443, DIP: WEB_EC2-1 10.2.1.x/24)
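The two flows above can be checked as a single hop-by-hop trace. The following script is an added example and is not code from the original post: it models the route tables named in the post as longest-prefix-match tables and NGFW-1 as a stateful firewall that SNATs outbound sessions and reverses the translation on return traffic, then walks the outbound packet and its reply through the same chain of steps. The VPC_SEC CIDR 10.1.0.0/16, the on-premises attachment name ATT_ONPREM, the host addresses 10.2.1.10 and 10.1.1.10 (the "x" in the post's 10.2.1.x and 10.1.1.x) and the NAT port range are assumptions made for the example; the EIP 52.52.52.52 and all route table names and prefixes are the post's own.

```python
"""Hop-by-hop trace of the outbound and return flows through TGW and NGFW-1.

Added example, not code from the original post. Route tables are the ones
the post names, modelled as longest-prefix-match tables. Assumptions:
VPC_SEC CIDR 10.1.0.0/16, on-premises attachment name ATT_ONPREM, host
addresses 10.2.1.10 / 10.1.1.10, and the SNAT port range starting at 20000.
"""
from ipaddress import ip_address, ip_network

EIP = "52.52.52.52"             # from the post: EIP on NGFW-1 Eth1/1
NGFW1_UNTRUST_IP = "10.1.1.10"  # constructed host address inside 10.1.1.0/24

# Each table maps prefix -> next hop. "local" delivers inside the VPC.
ROUTE_TABLES = {
    "RT_WEB_EC2-1a":            {"10.2.0.0/16": "local", "0.0.0.0/0": "ATT_VPC_WEB"},
    "RT_TGW_Spoke":             {"0.0.0.0/0": "ATT_VPC_SEC"},           # static default
    "RT_SEC_Landing-1a":        {"10.1.0.0/16": "local", "0.0.0.0/0": "eni-NGFW-1-Eth1/2"},
    "RT_NGFW-1":                {"0.0.0.0/0": "10.1.1.1", "10.0.0.0/8": "10.1.3.1"},
    "RT_SEC_NGFW-1_Untrust-1a": {"10.1.0.0/16": "local", "0.0.0.0/0": "SEC_IGW"},
    "RT_SEC_NGFW-1_Trust-1a":   {"10.1.0.0/16": "local", "0.0.0.0/0": "ATT_VPC_SEC"},
    "RT_TGW_SEC":               {"10.2.0.0/16": "ATT_VPC_WEB",          # propagated routes
                                 "10.3.0.0/16": "ATT_VPC_APP",
                                 "172.16.0.0/16": "ATT_ONPREM"},        # assumed name
    "RT_WEB_Landing-1a":        {"10.2.0.0/16": "local"},
}


def lookup(table_name, dst):
    """Longest-prefix match of dst in the named table; returns the next hop."""
    table = ROUTE_TABLES[table_name]
    matches = [ip_network(p) for p in table if ip_address(dst) in ip_network(p)]
    if not matches:
        return "blackhole"
    return table[str(max(matches, key=lambda n: n.prefixlen))]


class Ngfw:
    """Minimal stateful firewall: SNAT on egress, session lookup on return."""

    def __init__(self, untrust_ip, first_port=20000):
        self.untrust_ip = untrust_ip
        self.next_port = first_port
        self.sessions = {}  # (translated sip, sport) -> (original sip, sport)

    def snat(self, sip, sport):
        key = (self.untrust_ip, self.next_port)
        self.next_port += 1
        self.sessions[key] = (sip, sport)
        return key

    def match_return(self, dip, dport):
        # A reply is addressed to the translated source we handed out earlier.
        return self.sessions.get((dip, dport))


def trace_outbound(fw, sip, sport, dip, dport):
    hops = [lookup("RT_WEB_EC2-1a", dip),                 # step 1: subnet RT -> TGW attachment
            lookup("RT_TGW_Spoke", dip),                  # steps 2-3: TGW RT -> ATT_VPC_SEC
            "SEC_Landing-1a",                             # step 4: same-AZ landing subnet
            lookup("RT_SEC_Landing-1a", dip)]             # step 5: -> NGFW-1 Eth1/2
    sip, sport = fw.snat(sip, sport)                      # step 6: SNAT to the Eth1/1 address
    hops.append(lookup("RT_NGFW-1", dip))                 #         -> Untrust subnet GW
    hops.append(lookup("RT_SEC_NGFW-1_Untrust-1a", dip))  # step 7: -> SEC_IGW
    if hops[-1] == "SEC_IGW":
        sip = EIP                                         # step 8: IGW maps private IP to EIP
    return hops, (sip, sport, dip, dport)


def trace_return(fw, sip, sport, dip, dport):
    hops = ["SEC_IGW"]                                    # steps 1-2: reply reaches the IGW
    if dip != EIP:
        return hops + ["dropped: no EIP mapping"], None
    dip = fw.untrust_ip                                   # IGW: EIP -> NGFW-1 Eth1/1
    session = fw.match_return(dip, dport)                 # step 3: session lookup
    if session is None:
        return hops + ["dropped: no session"], None       # unsolicited packet, no state
    dip, dport = session                                  # reverse translation (DNAT)
    hops += [lookup("RT_NGFW-1", dip),                    #         -> Trust subnet GW
             lookup("RT_SEC_NGFW-1_Trust-1a", dip),       # step 4: -> ATT_VPC_SEC
             lookup("RT_TGW_SEC", dip),                   # steps 5-6: propagated 10.2.0.0/16
             "WEB_Landing-1a",                            # step 7: same-AZ landing subnet
             lookup("RT_WEB_Landing-1a", dip)]            # step 8: local delivery
    return hops, (sip, sport, dip, dport)


if __name__ == "__main__":
    fw = Ngfw(NGFW1_UNTRUST_IP)
    out_hops, pkt = trace_outbound(fw, "10.2.1.10", 40000, "1.1.1.1", 443)
    print("outbound:", out_hops, pkt)
    back_hops, rpkt = trace_return(fw, pkt[2], pkt[3], pkt[0], pkt[1])
    print("return:  ", back_hops, rpkt)
```

Running it prints the outbound hop list ending at SEC_IGW with the source rewritten to the EIP, and the return hop list ending at local delivery to WEB_EC2-1 with the original source address and port restored. A packet aimed at the EIP with a port that has no session entry stops at the NGFW with "dropped: no session", which is the stateful behaviour that makes the SNAT in step 6 necessary: only the firewall that created the session can translate the reply back.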



References:

1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief

2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic

3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic

4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic

5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic



First published / Last updated: 2021.09.04 / 2021.10.03
