Today we were fortunate to be a launch partner of AWS for their newly announced Transit Gateway feature, known as TGW.
We've had the opportunity to get our hands on TGW while it's been in private beta, and as a networking vendor up in AWS, we're just as excited about the functionality as AWS (if not more!). TGW will give customers more flexibility, and more control in their cloud routing. This means more opportunity to take advantage of the unique functionality that your F5 devices provides up in AWS.
Working with the AWS team here at f5, we had a pretty enlightening brain storming session focused on what use cases TGW could provide for our customers. Centralized routing will open a lot of doors for our customers, especially when it comes to security.
One use case that seems to make obvious sense to us is using TGW to enforce complete traffic sanitization through a dedicated security VPC. In the example below, our fictitious enterprise built and populated a VPC with a series of our Advanced WAF VMs in a scale set. We then configured global route rules within our TGW to route all inbound traffic through this VPC, ensuring that this traffic would flow through the AWAF farm before making it on to its final destination, regardless of which AWS region/VPC the VM resided in.
Another use case for our fictitious enterprise would be to use TGW to enforce outbound traffic to flow through a forward proxy, such as F5's Secure Web Gateway, before leaving the AWS cloud. By connecting the on-premises datacenters, headquarters, and branch offices to AWS via Direct Connect or VPN, you now have a truly dynamically scalable outbound security filter for your cloud and on-premises based workloads.
In the next section of this post, I will walk you through setting up a POC environment utilizing an AWS transit gateway and the F5 Advanced WAF to act as a centralized security enforcement engine as described in the first use case above.
To facilitate a quick and relatively painless process, we created a deployment CFT that will make quick work of the heavy lifting. Along with ancillary services, ( i.e. route tables, security groups, etc.), the template will deploy the following POC environment into US-East-2 region. The POC, (as shown below) consists of:
The Deployment process consists of three simple steps
IMPORTANT: The provided template is unsupported and offered entirely “as is” and is by no means intended for production use. In addition to AWS services this template will deploy three, (3) virtual machines. Refer to the above links for licensing terms & conditions. To successfully deploy the CFT, you may first be required to accept the aforementioned terms & conditions. For ease of use the template deploys a statically configured environment with limited options. Feel free to clone and modify as desired.
Once completed, (approximately 7-10 minutes) you can view the various resources created
To finish setting up the POC environment, you will need to attach the VPCs to the TGW as well as add the appropriate routes to the newly created VPC route tables. As of this post, these last two steps must be completed via AW CLI*. Not to worry, the ‘Outputs’ section of the newly deployed CFT, (see below) contains the required commands.
* Refer to https://docs.aws.amazon.com/cli/latest/userguide/installing.html for guidance on connecting to your AWS account.
attachVpcCommandString – The AWS command attaches VPC endpoints to Transit Gateway, (TGW) enabling traffic flow. The command takes the form – (Ex: aws --region us-east-2 ec2 create-transit-gateway-vpc-attachment --transit-gateway-id tgw-0bab161c1aae789b5 --vpc-id vpc-0e7d482064b26f759 --subnet-ids subnet-088cbda4b806bceac)
VpcRouteAddCommandString – The AWS command adds route entries to VPCs directing appropriate traffic thru the TGW. The command takes the form – (Ex: aws --region us-east-2 ec2 create-route --destination-cidr-block 192.168.0.0/16 --route-table-id rtb-00e0c121b67c9493d --transit-gateway-id tgw-0bab161c1aae789b5)
Bigip1SSh – To access and work with the F5 Advanced WAF, you will first need to connect to the management interface via SSH, (Ex: ssh -i "glc-key-east2" email@example.com). Once connected you will need to create a password for the admin user account.
Bigip1MgmtUrl – The management GUI URL, (Ex: https://126.96.36.199:8443)
Now that you have the environment stood up and access to the F5 configured, let’s take a look at the Advanced WAF.
Now that the environment has been deployed and functionality validated, I can continue with publishing and securing my two webservers with the F5 Advanced WAF. For more information regarding configuring the BIG-IP Web Application Firewall, refer to https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-13-1-0.html.