Network segmentation in an AWS VPC
What's new?
AWS just announced a new VPC routing enhancement. With this capability, customers can now inspect all traffic flowing between subnets in a VPC using BIG-IP security services. We partnered with the AWS team to validate a BIG-IP based solution leveraging the new capability.
More about the new capability
The AWS VPC routing enhancement allows customers to route East-West traffic flowing between two subnets in a VPC through a third-party appliance. Prior to this enhancement, route tables associated with subnets could not have routes more specific than the local VPC CIDR, so inter-subnet traffic always followed the implicit local route and could not be steered through an appliance.
More information can be found here:
BIG-IP security services for inter-subnets traffic
F5’s BIG-IP platform offers a range of security services to mitigate network and application threats. Customers can now apply BIG-IP security services such as Advanced Firewall, Advanced WAF, zero trust policies with APM and more to East-West traffic using different deployment patterns, effectively creating network segmentation inside a VPC with advanced security controls.
These are the two deployment patterns I have tested:
- BIG-IP HA using F5’s Cloud Failover Extension (CFE)
  - Traditional Active-Standby deployment
  - BIG-IPs must be deployed in the same VPC as the workloads
  - Supports all virtual server types and proxy configurations
- BIG-IP behind a GWLB
  - Allows for horizontal scale of the BIG-IPs
  - BIG-IPs deployed in a separate VPC
  - Does not support changing the source or destination IP
Deployment patterns details
BIG-IP HA using F5’s Cloud Failover Extension (CFE)
In the following deployment pattern an Active-Standby pair of BIG-IPs is deployed in a dedicated subnet inside the VPC. The VPC route tables are configured to send inter-subnet traffic to the ENI of the active device. High availability is achieved using CFE: in the event of a BIG-IP failover, CFE immediately updates the AWS route table with the ENI of the new active device (failover time is a few seconds). More info on this deployment and a CFT template can be found here - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg
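The following Terraform fragment is an added illustration of the route-table layout the CFE pattern relies on; it is not taken from the article or from F5's own CFT template. Two workload subnets (app and db) each get a route for the other subnet's /24 that points at the active BIG-IP's data-plane ENI. That /24 is more specific than the VPC's implicit local route, which is exactly what the routing enhancement now permits. The region, CIDRs and resource names are constructed assumptions.

```hcl
# Added example: minimal Terraform layout of the BIG-IP HA (CFE) pattern.
# Region, CIDRs and names are assumptions, not values from the article.

provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Workload subnets whose mutual traffic must pass through BIG-IP.
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_subnet" "db" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}

# Dedicated subnet for the BIG-IP Active-Standby pair. It keeps the VPC's
# default route table (local route only) so BIG-IP delivers directly and
# does not loop traffic back into itself.
resource "aws_subnet" "bigip" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.10.0/24"
}

# Data-plane ENI of the currently active BIG-IP. Source/destination checking
# must be disabled on any ENI that forwards packets it did not originate;
# with the check enabled, EC2 drops the inter-subnet traffic silently.
resource "aws_network_interface" "bigip_active" {
  subnet_id         = aws_subnet.bigip.id
  source_dest_check = false
}

# App subnet route table: db-bound traffic goes to the BIG-IP ENI. The
# implicit local route for 10.0.0.0/16 still exists, but the /24 below wins
# by longest-prefix match.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "app_to_db" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = aws_subnet.db.cidr_block
  network_interface_id   = aws_network_interface.bigip_active.id

  # CFE rewrites the target ENI on failover; tell Terraform not to revert it.
  lifecycle {
    ignore_changes = [network_interface_id]
  }
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# Mirror route table for the db subnet so the return path is inspected too.
resource "aws_route_table" "db" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "db_to_app" {
  route_table_id         = aws_route_table.db.id
  destination_cidr_block = aws_subnet.app.cidr_block
  network_interface_id   = aws_network_interface.bigip_active.id

  lifecycle {
    ignore_changes = [network_interface_id]
  }
}

resource "aws_route_table_association" "db" {
  subnet_id      = aws_subnet.db.id
  route_table_id = aws_route_table.db.id
}
```

Two points worth checking in a real deployment: the route must exist in both directions, otherwise only one half of each flow is inspected and stateful BIG-IP policies see asymmetric traffic; and since CFE owns the `network_interface_id` of these routes after failover, the `ignore_changes` block keeps a later `terraform apply` from flipping the route back to the now-standby device.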
BIG-IP behind a GWLB
In this deployment the BIG-IP instances are deployed behind a Gateway Load Balancer. The main benefits of this deployment are horizontal scale of the BIG-IPs and admin domain separation: the BIG-IP devices are deployed in their own VPC.
Some extra info regarding this deployment option:
- GWLB has an extra cost
- Changing of the source/destination IP is not supported
- More details on BIG-IP and GWLB can be found here - https://devcentral.f5.com/s/articles/BIGIP-integration-with-AWS-Gateway-Load-Balancer-Overview
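As an added example of the workload-VPC side of the GWLB pattern (not code from the article or from F5's demo), the fragment below routes inter-subnet traffic to a Gateway Load Balancer endpoint instead of an ENI. The GWLB and its endpoint service are assumed to already exist in the separate security VPC (the linked DevCentral article covers that side), so its service name is passed in as a variable. Region, CIDRs and names are constructed assumptions.

```hcl
# Added example: workload-VPC routing for the BIG-IP behind GWLB pattern.
# Assumes the security team already exposes the GWLB as a VPC endpoint
# service; its name is supplied here rather than created.

variable "bigip_gwlb_service_name" {
  description = "Endpoint service name of the GWLB in the security VPC (assumption)"
  type        = string
}

provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_vpc" "workload" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.workload.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_subnet" "db" {
  vpc_id     = aws_vpc.workload.id
  cidr_block = "10.0.2.0/24"
}

# Dedicated subnet for the GWLB endpoint. Its route table must stay local-only
# so traffic returning from BIG-IP is not sent back into the endpoint.
resource "aws_subnet" "gwlbe" {
  vpc_id     = aws_vpc.workload.id
  cidr_block = "10.0.20.0/24"
}

# The endpoint hands packets to the GWLB in the security VPC over GENEVE and
# returns them unchanged; that is why source/destination IP rewriting on the
# BIG-IP is not supported in this pattern.
resource "aws_vpc_endpoint" "bigip" {
  vpc_id            = aws_vpc.workload.id
  service_name      = var.bigip_gwlb_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.gwlbe.id]
}

# App subnet: db-bound traffic goes to the GWLB endpoint (more specific than
# the implicit local route, so it wins by longest-prefix match).
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.workload.id
}

resource "aws_route" "app_to_db" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = aws_subnet.db.cidr_block
  vpc_endpoint_id        = aws_vpc_endpoint.bigip.id
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# Db subnet mirror so the return direction is inspected as well.
resource "aws_route_table" "db" {
  vpc_id = aws_vpc.workload.id
}

resource "aws_route" "db_to_app" {
  route_table_id         = aws_route_table.db.id
  destination_cidr_block = aws_subnet.app.cidr_block
  vpc_endpoint_id        = aws_vpc_endpoint.bigip.id
}

resource "aws_route_table_association" "db" {
  subnet_id      = aws_subnet.db.id
  route_table_id = aws_route_table.db.id
}
```

Unlike the CFE pattern, nothing in the workload VPC changes when a BIG-IP instance fails: the GWLB simply stops sending flows to an unhealthy target, so there is no route to rewrite and no `ignore_changes` needed. The trade-off is the one the article lists: every packet is returned to the endpoint with its original addresses, so BIG-IP can only allow, drop or inspect, not NAT.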
Try it today
F5 supports this new VPC capability with the BIG-IP platform. Here are two ways to test it yourself:
- Deploy our supported CFT template into your own environment - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg
- Deploy a fully automated demo using terraform from here: https://github.com/f5devcentral/f5-digital-customer-engagement-center/tree/msr/solutions/security/aws-inter-subnet-fw-gwlb
MichaelOLeary (Employee):
nice article Yossi, thanks!