In MNCs, we have separate Network and Security teams, which is good, by the way. They have the proper tools to block incoming or outgoing traffic. For this, they set up a firewall on their side, which helps them establish a Network Control Centre.
But managing this firewall is neither easy nor cheap: you have to purchase a license, and to maintain it you need SMEs for that particular firewall. To overcome all these issues we now have a managed service, the AWS Firewall.
So what were the requirements that made me deep-dive into this?
We need to block some public URLs for our egress traffic.
We want to do so with a managed service.
It should be quite easy to implement.
No hassle should be required for setting up and maintaining the firewall.
It should be a centralized service with control over your multiple accounts, e.g. it would act as a single control network for multiple accounts.
So, to fulfill all these requirements, the first fully managed service that came to my mind was the AWS Firewall.
Basic Requirements:
AWS Account
Basic knowledge of creating a VPC, subnets, EC2 instances and a Transit Gateway
Please read the first blog, Transit Gateway Setup on AWS.
The Diagram has some basic terms:
Hub VPC: the VPC in which your transit gateway is residing
Spoke VPC: your VPC that has to be exposed to the firewall
Availability Zones: the isolated location in which you have created your VPC
VPC: a Virtual Private Cloud is like your own data center
Public/Private subnet: public subnets are exposed to the Internet, private subnets are not
NAT/Internet gateway: they act like routers that connect you to the outside world
We will do the implementation in 4 steps:
First, we will set up the Transit Gateway:
Click on Create Transit Gateway: enter a Name > enter a Description > Create Transit Gateway
Now create two route tables:
FIREWALL-ROUTE-TABLE
SPOKE-ROUTE-TABLE
Now create a TGW attachment for the VPC which you want to peer.
If you want to peer a VPC in a different account, you just need to share that Transit Gateway with that particular account and create a new attachment from that account. For more information refer to this blog: transit gateway.
You can find more info here: AWS Firewall.
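The same first step (the Transit Gateway, the FIREWALL-ROUTE-TABLE and SPOKE-ROUTE-TABLE, a spoke VPC attachment, and sharing the gateway with a second account) written as Terraform, as an added example that is not part of the original post. The spoke VPC ID, its subnet IDs and the second account ID are placeholders supplied through the variables at the top; the provider configuration is assumed to exist. The default association and propagation tables are disabled on purpose so that a new attachment only reaches what you explicitly route it to; the routes that send spoke traffic through the firewall attachment belong to the later steps of the series and are not shown here.

```hcl
# Added example, not the original post's code: Transit Gateway hub, the two
# route tables, one spoke attachment and the cross-account RAM share.
# Assumptions: an AWS provider is already configured; the values below are
# placeholders for your own spoke VPC, subnets and second account.

variable "spoke_vpc_id"     { type = string }        # assumed: spoke VPC to attach
variable "spoke_subnet_ids" { type = list(string) }  # assumed: one subnet per AZ
variable "spoke_account_id" { type = string }        # assumed: second AWS account

resource "aws_ec2_transit_gateway" "hub" {
  description = "Hub TGW for centralized egress inspection"

  # Never drop attachments into a default route table automatically:
  # each attachment is associated with a table deliberately below, so a
  # freshly attached spoke does not get full-mesh reachability by accident.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"

  # Attachments requested from the shared account are accepted without a
  # manual approval step; set to "disable" if the hub account should approve.
  auto_accept_shared_attachments = "enable"

  tags = { Name = "hub-tgw" }
}

resource "aws_ec2_transit_gateway_route_table" "firewall" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "FIREWALL-ROUTE-TABLE" }
}

resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "SPOKE-ROUTE-TABLE" }
}

# Attachment for the spoke VPC; association/propagation into the default
# table is switched off here as well, matching the gateway settings above.
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.spoke_vpc_id
  subnet_ids         = var.spoke_subnet_ids

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = { Name = "spoke-vpc-attachment" }
}

# Explicitly place the spoke attachment in SPOKE-ROUTE-TABLE.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# Share the gateway with the second account through AWS RAM, so that
# account can create its own attachment to this hub.
resource "aws_ram_resource_share" "tgw" {
  name = "hub-tgw-share"
  # Only needed when the second account is outside your AWS Organization.
  allow_external_principals = true
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "spoke_account" {
  principal          = var.spoke_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
```

After `terraform apply`, the second account sees the shared gateway in its own console and creates its attachment from there, exactly as the post describes; because auto-association is disabled, that attachment stays isolated until you associate it with one of the two route tables in the hub account.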