
Network segmentation in an AWS VPC

What's new?

AWS just announced a new VPC routing enhancement. With this capability customers can now inspect all traffic flowing between subnets in a VPC using BIG-IP security services. We partnered with the AWS team to validate a BIG-IP based solution leveraging the new capability.

More about the new capability

The AWS VPC routing enhancement allows customers to route East-West traffic flowing between two subnets in a VPC through a third-party appliance. Prior to this enhancement, a route table associated with a subnet could not contain a route more specific than the VPC's local route (the VPC CIDR), so traffic between two subnets always went directly from one to the other and could not be steered through an appliance inside the VPC.

More information can be found here:

https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/


BIG-IP security services for inter-subnet traffic

F5's BIG-IP platform offers a range of security services to mitigate network and application threats. Customers can now apply BIG-IP security services like Advanced Firewall, Advanced WAF, Zero Trust policies with APM and more to East-West traffic using different deployment patterns, effectively creating network segmentation inside a VPC with advanced security controls.

These are the two deployment patterns I have tested, with the key properties of each:

  1. BIG-IP HA using F5's Cloud Failover Extension (CFE)
     - Traditional Active-Standby deployment
     - BIG-IPs must be deployed in the same VPC as the workloads
     - Supports all virtual server types and proxy configurations
  2. BIG-IP behind a GWLB
     - Allows for horizontal scale of the BIG-IPs
     - BIG-IPs deployed in a separate VPC
     - Does not support changing the source or destination IP

Deployment patterns details

BIG-IP HA using F5’s Cloud Failover Extension (CFE)

In this deployment pattern an Active-Standby pair of BIG-IPs is deployed in a dedicated subnet inside the VPC. The route tables of the workload subnets are configured with more-specific routes that send inter-subnet traffic to the ENI of the active device (that ENI needs its EC2 source/destination check disabled, since it forwards packets addressed to other hosts). High availability is achieved using CFE: when the BIG-IP pair fails over, CFE calls the AWS API to repoint those routes at the ENI of the newly active device, so failover completes in a few seconds. More info on this deployment and a CFT template can be found here - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg


BIG-IP behind a GWLB

In this deployment the BIG-IP instances are deployed behind a Gateway Load Balancer (GWLB). The main benefits are horizontal scale of the BIG-IPs and administrative domain separation: the BIG-IP devices are deployed in their own VPC and reached from the workload VPC through a GWLB endpoint.

Some extra info regarding this deployment option:

  1. GWLB has an extra cost
  2. Changing the source/destination IP is not supported: GWLB tracks each flow by its original addresses and expects packets back unmodified, so the BIG-IP must act as a transparent (bump-in-the-wire) inspection device rather than a proxy that translates addresses
  3. More details on BIG-IP and GWLB can be found here - https://devcentral.f5.com/s/articles/BIGIP-integration-with-AWS-Gateway-Load-Balancer-Overview
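The routing that both patterns rely on, as an added example that is not taken from this page or from F5's own templates: a small Python script that plans the more-specific routes for each workload subnet (an ENI target for the CFE pattern, a GWLB endpoint target for the GWLB pattern), shows the route update CFE performs on failover, and audits that both directions of every subnet pair traverse the BIG-IP. The VPC CIDR, route table IDs, ENI IDs and endpoint ID are constructed placeholders. The boto3 calls used (create_route, replace_route, modify_network_interface_attribute) are real EC2 API calls, but they are only reached through apply_routes and disable_source_dest_check, which the dry run below does not invoke.

```python
"""Plan the VPC more-specific routes that hairpin inter-subnet traffic
through a BIG-IP, for both patterns on this page (ENI target with CFE,
GWLB endpoint target), plus the checks a deployment should pass.
Added example; all identifiers below are constructed, not from a real account."""
import ipaddress
import json

VPC_CIDR = "10.0.0.0/16"
WORKLOAD_SUBNETS = {           # route table id -> CIDR of the subnet it serves
    "rtb-web": "10.0.1.0/24",
    "rtb-app": "10.0.2.0/24",
    "rtb-db":  "10.0.3.0/24",
}
BIGIP_RTB = "rtb-bigip"        # route table of the BIG-IP's own subnet (hypothetical)
ACTIVE_ENI = "eni-active"      # hypothetical ENI ids of the HA pair
STANDBY_ENI = "eni-standby"
GWLB_ENDPOINT = "vpce-gwlb"    # hypothetical Gateway Load Balancer endpoint id


def plan_routes(vpc_cidr, workload_subnets, appliance_rtb, target_key, target_id):
    """Return the create_route arguments for every workload route table.

    Each table gets one route per *other* workload subnet, pointed at the
    inspection target: target_key is "NetworkInterfaceId" for the CFE
    pattern or "VpcEndpointId" for the GWLB pattern. A subnet's own CIDR
    is never routed to the appliance (the VPC local route covers it), and
    the BIG-IP subnet's table must not carry these routes at all, or the
    packets the BIG-IP forwards would loop straight back into it.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if appliance_rtb in workload_subnets:
        raise ValueError(f"{appliance_rtb} must keep only the VPC local route")
    for cidr in workload_subnets.values():
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            raise ValueError(f"{cidr} is not inside {vpc_cidr}")
    routes = []
    for rtb, own_cidr in workload_subnets.items():
        for other_cidr in workload_subnets.values():
            if other_cidr != own_cidr:
                routes.append({"RouteTableId": rtb,
                               "DestinationCidrBlock": other_cidr,
                               target_key: target_id})
    return routes


def failover_routes(routes, new_eni):
    """What CFE does on failover: same destinations, repointed at the ENI
    of the newly active device (applied with ec2.replace_route).
    GWLB-endpoint routes have no ENI and are left alone."""
    return [{**r, "NetworkInterfaceId": new_eni}
            for r in routes if "NetworkInterfaceId" in r]


def missing_reverse_routes(routes, workload_subnets):
    """Audit check: stateful inspection needs BOTH directions of a flow to
    traverse the BIG-IP. Returns (route table, CIDR) pairs whose reverse
    route is absent, e.g. after someone edited one table by hand."""
    cidr_to_rtb = {c: r for r, c in workload_subnets.items()}
    present = {(r["RouteTableId"], r["DestinationCidrBlock"]) for r in routes}
    missing = set()
    for rtb, dest in present:
        reverse = (cidr_to_rtb[dest], workload_subnets[rtb])
        if reverse not in present:
            missing.add(reverse)
    return sorted(missing)


def apply_routes(ec2, routes, replace=False):
    """Push a plan with a boto3 EC2 client (real API calls; not run here)."""
    call = ec2.replace_route if replace else ec2.create_route
    for r in routes:
        call(**r)


def disable_source_dest_check(ec2, eni_id):
    """CFE pattern only: the BIG-IP ENI forwards packets addressed to other
    hosts, which EC2 drops unless the source/destination check is off."""
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})


if __name__ == "__main__":
    # Dry run: print both plans instead of calling AWS.
    cfe = plan_routes(VPC_CIDR, WORKLOAD_SUBNETS, BIGIP_RTB,
                      "NetworkInterfaceId", ACTIVE_ENI)
    gwlb = plan_routes(VPC_CIDR, WORKLOAD_SUBNETS, BIGIP_RTB,
                       "VpcEndpointId", GWLB_ENDPOINT)
    print(json.dumps({"cfe": cfe,
                      "cfe_after_failover": failover_routes(cfe, STANDBY_ENI),
                      "gwlb": gwlb}, indent=1))
```

With three workload subnets the plan is six routes (each table routes the two other subnets to the appliance), and the audit reports any table where only one direction was configured, which is the usual reason an AFM or AWAF policy "sees" half a connection. To apply the plan, create a boto3 EC2 client and pass it with the plan to apply_routes, after running disable_source_dest_check on both BIG-IP ENIs for the CFE pattern.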


Try it today

F5 supports this new VPC capability with the BIG-IP platform. Here are two ways to test it yourself:

  1. Deploy our supported CFT template into your own environment - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg
  2. Deploy a fully automated demo using terraform from here: https://github.com/f5devcentral/f5-digital-customer-engagement-center/tree/msr/solutions/security/aws-inter-subnet-fw-gwlb


Published Aug 31, 2021
Version 1.0