cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Yossi_Rosenboi1
F5 Employee
F5 Employee

Introduction​​​

The previous article in this series reviewed the BIG-IP and AWS Gateway Load Balancer (GWLB) integration,

in this article we will focus on a deployment pattern that is used to inspect traffic in and out of a VPC using BIG-IP security services and GWLB.


0151T0000040jBFQAY.png


Baseline: 

In this scenario we will focus on a single existing VPC with EC2 instances and no BIG-IP security services


0151T0000040j9sQAA.png



Goal:

Inspect traffic in and out of the VPC, scale the BIG-IP deployment as needed


Deployment pattern:

Considering the requirements and tools available, the deployment pattern will use the following attributes:

  • Separate the security devices (BIG-IP's) from the workloads they are protecting. The BIG-IP's will be deployed in their own VPC – the Security VPC. We will reference the workload VPC as the 'Consumer' VPC as it consumes security services.
  • Use Routing tables in the 'consumer' VPC to send all traffic to the security VPC for inspection.
  • Leverage transparent security services on the BIG-IP for inspection (BIG-IP security features configuration is out of scope for this article)


We can dive into each of the individual tasks:

  • The Security VPC
  • Provisioning the 'consumer' VPC network to send traffic through the security VPC


Security VPC:

Here, we are deploying the BIG-IP fleet and exposing it using GWLB. Some of the considerations when creating this VPC:

  • Deploy in the same region as the 'consumer' VPC
  • Design based on your availability requirements,
  • Number of availability zones(AZ)
  • How many BIG-IP's in each AZ


These are the actions we need to take in the provider VPC to inspect all ingress/egress traffic:

  1. Deploy a group of BIG-IP's
  2. Create a GWLB target group and associate the BIG-IP's to it
  3. Create a GWLB and assign the previously created target group to the listener
  4. Create a GWLB endpoint service and associate it with the GWLB
  5. Configure the BIG-IP's to receive traffic over the tunnel and inspect according to the desired policy


Diagram: The security VPC - BIG-IP fleet behind a GWLB, exposed using GWLB service



0151T0000040jBPQAY.png



Consumer VPC:

In the consumer VPC, the BIG-IP group is abstracted by the GWLB and consumes the security services from the provider VPC via a new component: GWLB endpoint. This endpoint acts as bridge between the consumer VPC and the provider VPC. It essentially creates an ENI in one of the consumer's VPC subnet. Please note that a single endpoint belongs to a single availability zone and design accordingly.

Inspecting all ingress traffic requires the use of 'Ingress routing' – an AWS feature that allows sending all ingress traffic from the internet gateway to an ENI or to a GWLB endpoint.

Here are the actions we need to take in the consumer VPC to inspect all ingress/egress traffic:

  1. Create GWLB endpoints in each relevant availability zone that are attached to the 'GWLB endpoint service' from the provider VPC
  2. Change the ingress routing table so that all traffic in each AZ will get routed to the respective GWLB endpoint.
  3. Change the subnets routing tables so that all traffic in each AZ will get routed to the respective GWLB endpoint.


Diagram: Inspecting all ingress/egress in the Security provider VPC


0151T0000040jBZQAY.png



Traffic flow

Ingress traffic flow between an external user and an EC2 instance in the consumer VPC:


0151T0000040jBjQAI.png


Egress traffic flow between an EC2 instance in the consumer VPC and an external user:


0151T0000040jBoQAI.png


Summary:

With this deployment you can protect your AWS VPC using the robust security services offered by the BIG-IP platform and get the following benefits:

  1. Scalability - Deploy as many BIG-IP instances as you need based on performance and availability requirements
  2. Transparent inspection - Inspecting the traffic without any address translation
  3. Optimized compute - all BIG-IP devices are active and processing traffic


Next steps:

Test the deployment yourself - Check out our self-service lab that you can deploy in your own AWS account (Fully automated deployment using Terraform):

https://github.com/f5devcentral/f5-digital-customer-engagement-center/tree/main/solutions/security/i...



Version history
Last update:
‎03-Aug-2021 08:09
Updated by:
Contributors