Today we were fortunate to be a launch partner of AWS for their newly announced Transit Gateway feature, known as TGW.
We've had the opportunity to get our hands on TGW while it's been in private beta, and as a networking vendor up in AWS, we're just as excited about the functionality as AWS (if not more!). TGW will give customers more flexibility and more control in their cloud routing. This means more opportunity to take advantage of the unique functionality that your F5 devices provide up in AWS.
Working with the AWS team here at F5, we had a pretty enlightening brainstorming session focused on what use cases TGW could provide for our customers. Centralized routing will open a lot of doors for our customers, especially when it comes to security.
F5 and TGW Use Cases
One use case that seems to make obvious sense to us is using TGW to enforce complete traffic sanitization through a dedicated security VPC. In the example below, our fictitious enterprise built and populated a VPC with a series of our Advanced WAF VMs in a scale set. We then configured global route rules within our TGW to route all inbound traffic through this VPC, ensuring that this traffic would flow through the AWAF farm before making it on to its final destination, regardless of which AWS region/VPC the VM resided in.
Another use case for our fictitious enterprise would be to use TGW to force outbound traffic to flow through a forward proxy, such as F5's Secure Web Gateway, before leaving the AWS cloud. By connecting the on-premises datacenters, headquarters, and branch offices to AWS via Direct Connect or VPN, you now have a truly dynamically scalable outbound security filter for both your cloud and on-premises workloads.
In the next section of this post, I will walk you through setting up a POC environment utilizing an AWS transit gateway and the F5 Advanced WAF to act as a centralized security enforcement engine as described in the first use case above.
Deploying the POC Environment
Prerequisites for POC
Active AWS Account credentials with sufficient permissions to deploy and manage AWS resources
AWS Role with sufficient permissions to deploy and manage AWS resources
To facilitate a quick and relatively painless process, we created a deployment CFT that will make quick work of the heavy lifting. Along with ancillary services (i.e. route tables, security groups, etc.), the template will deploy the following POC environment into the US-East-2 region. The POC, (as shown below) consists of:
One, (1) Transit Gateway, (TGW) – Application and Security VPCs are attached
One, (1) Internet Gateway, (IGW) – Associated to Security VPC
The deployment process consists of three simple steps:
Deploy the CFT, (via AWS console)
Create VPC-2-TGW attachments, (via AWS CLI)
Add route entries to VPCs, (via AWS CLI)
IMPORTANT: The provided template is unsupported and offered entirely “as is” and is by no means intended for production use. In addition to AWS services this template will deploy three, (3) virtual machines. Refer to the above links for licensing terms & conditions. To successfully deploy the CFT, you may first be required to accept the aforementioned terms & conditions. For ease of use the template deploys a statically configured environment with limited options. Feel free to clone and modify as desired.
Deploy the CFT
Copy/clone the POC deployment template from GitHub
Using the AWS console, navigate to the ‘US-East-2, (Ohio)’ region and create a new CloudFormation stack by uploading the template; select ‘Next’ to continue
Provide a stack name and select the previously created sshKey; select ‘Next’ to continue
Select ‘Next’ on the next screen to continue
Acknowledge and accept terms; select ‘Create’ to deploy the template
Once completed, (approximately 7-10 minutes) you can view the various resources created
VM Instances ( 3 total)
VPCs and Subnets ( 3 total)
Route Tables, ( 2 total)
Complete the Deployment - The Outputs Section
To finish setting up the POC environment, you will need to attach the VPCs to the TGW as well as add the appropriate routes to the newly created VPC route tables. As of this post, these last two steps must be completed via the AWS CLI*. Not to worry, the ‘Outputs’ section of the newly deployed CFT, (see below) contains the required commands.
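For readers who want to see what those two CLI steps amount to, here is an added example script (not the post's CFT output, and not F5's or AWS's code) that attaches each VPC to the TGW and then adds the VPC routes that force application traffic through the SecurityVpc. All IDs and CIDRs in it are constructed placeholders; by default it only prints the commands, and it waits for each attachment to become available before adding routes, since a route pointing at a still-pending attachment is rejected.

```shell
#!/bin/sh
# Added example, not from the original post or its CloudFormation template.
# Step 2: one TGW VPC attachment per VPC. Step 3: VPC routes whose target is the TGW.
# DRY_RUN=1 (default) prints the aws commands; DRY_RUN=0 executes them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Constructed placeholder IDs; take the real ones from your stack's Outputs section.
TGW_ID="tgw-0123456789abcdef0"
APP_CIDRS="10.1.0.0/16 10.2.0.0/16"   # ApplicationVpc and Application2Vpc (constructed)

run() {   # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# attach_vpc TGW_ID VPC_ID SUBNET_ID
attach_vpc() {
  run aws ec2 create-transit-gateway-vpc-attachment \
      --transit-gateway-id "$1" --vpc-id "$2" --subnet-ids "$3"
}

# wait_for_attachment VPC_ID TGW_ID: poll until the attachment state is "available"
wait_for_attachment() {
  if [ "$DRY_RUN" = "1" ]; then return 0; fi
  while :; do
    state=$(aws ec2 describe-transit-gateway-vpc-attachments \
              --filters "Name=vpc-id,Values=$1" "Name=transit-gateway-id,Values=$2" \
              --query 'TransitGatewayVpcAttachments[0].State' --output text)
    if [ "$state" = "available" ]; then return 0; fi
    sleep 10
  done
}

# add_tgw_route ROUTE_TABLE_ID CIDR TGW_ID: VPC route table entry targeting the TGW
add_tgw_route() {
  run aws ec2 create-route --route-table-id "$1" \
      --destination-cidr-block "$2" --transit-gateway-id "$3"
}

configure_poc() {
  # SecurityVpc, ApplicationVpc, Application2Vpc as VPC_ID:SUBNET_ID (constructed)
  for spec in vpc-sec00001:subnet-sec00001 vpc-app00001:subnet-app00001 vpc-app00002:subnet-app00002; do
    attach_vpc "$TGW_ID" "${spec%%:*}" "${spec##*:}"
    wait_for_attachment "${spec%%:*}" "$TGW_ID"
  done
  # Application VPCs: default route to the TGW, so every flow crosses the SecurityVpc
  add_tgw_route rtb-app00001 0.0.0.0/0 "$TGW_ID"
  add_tgw_route rtb-app00002 0.0.0.0/0 "$TGW_ID"
  # SecurityVpc: only the application CIDRs go to the TGW; its default route stays on the IGW
  for cidr in $APP_CIDRS; do add_tgw_route rtb-sec00001 "$cidr" "$TGW_ID"; done
}
configure_poc
```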
Now that you have the environment stood up and access to the F5 configured, let’s take a look at the Advanced WAF.
Log in to the F5 WAF using the aforementioned URL
From the main page, navigate to ‘Local Traffic’ –> ‘Pools’. If the attachments and routes were added successfully the existing web pool should have a green status.
Select the pool from the middle pane and click on ‘Members’. Both member servers, (located in ‘ApplicationVpc’ and ‘Application2Vpc’ respectively) should have a green status. This signifies that the BIG-IP, (located in the ‘SecurityVpc’) is able to communicate and pass traffic across the TGW and back to the web pool members.