on 03-Aug-2021 08:09
The previous article in this series reviewed the BIG-IP and AWS Gateway Load Balancer (GWLB) integration. In this article we focus on a deployment pattern that uses BIG-IP security services and GWLB to inspect traffic in and out of a VPC.
In this scenario we focus on a single existing VPC with EC2 instances and no BIG-IP security services. The requirements are to inspect traffic in and out of the VPC and to scale the BIG-IP deployment as needed.
Considering the requirements and tools available, the deployment pattern will use the following attributes:
We can dive into each of the individual tasks:
Here, we are deploying the BIG-IP fleet and exposing it using GWLB. Some of the considerations when creating this VPC:
These are the actions we need to take in the provider VPC to inspect all ingress/egress traffic:
Diagram: The security VPC - BIG-IP fleet behind a GWLB, exposed using GWLB service
In the consumer VPC, the BIG-IP group is abstracted by the GWLB, and the consumer VPC consumes the security services from the provider VPC via a new component: the GWLB endpoint. This endpoint acts as a bridge between the consumer VPC and the provider VPC; it essentially creates an ENI in one of the consumer VPC's subnets. Note that a single endpoint belongs to a single availability zone, so design accordingly.
Inspecting all ingress traffic requires the use of 'Ingress routing' – an AWS feature that allows sending all ingress traffic from the internet gateway to an ENI or to a GWLB endpoint.
Here are the actions we need to take in the consumer VPC to inspect all ingress/egress traffic:
Diagram: Inspecting all ingress/egress in the Security provider VPC
Ingress traffic flow between an external user and an EC2 instance in the consumer VPC:
Egress traffic flow between an EC2 instance in the consumer VPC and an external user:
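The consumer-VPC wiring described above (the GWLB endpoint, ingress routing from the internet gateway, and the egress default route), as an added Terraform example that is not code from this article or from the F5 lab; the variable names, resource names, and CIDR are assumptions, and the endpoint service name must come from the security (provider) VPC.

```hcl
# Added example (not the article's or the F5 lab's code); every id and name is a placeholder.
variable "gwlb_service_name" {} # exported by the provider VPC (com.amazonaws.vpce.<region>.vpce-svc-<placeholder>)
variable "consumer_vpc_id" {}
variable "igw_id" {}             # internet gateway attached to the consumer VPC
variable "endpoint_subnet_id" {} # dedicated subnet for the endpoint, same AZ as the app subnet
variable "app_subnet_id" {}
variable "app_subnet_cidr" {}    # constructed example value: 10.0.1.0/24
# The GWLB endpoint bridges into the security VPC; one endpoint serves exactly one AZ.
resource "aws_vpc_endpoint" "gwlbe" {
  vpc_id            = var.consumer_vpc_id
  service_name      = var.gwlb_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.endpoint_subnet_id]
}
# Ingress routing: a route table edge-associated with the IGW steers traffic for the app subnet to the endpoint.
resource "aws_route_table" "igw_edge" {
  vpc_id = var.consumer_vpc_id
  route {
    cidr_block      = var.app_subnet_cidr
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_edge.id
}
# Egress: the app subnet's default route targets the endpoint instead of the IGW.
resource "aws_route_table" "app" {
  vpc_id = var.consumer_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}
resource "aws_route_table_association" "app" {
  subnet_id      = var.app_subnet_id
  route_table_id = aws_route_table.app.id
}
# Return path: inspected traffic re-enters through the endpoint subnet, whose default route must point at the IGW.
resource "aws_route_table" "gwlbe_subnet" {
  vpc_id = var.consumer_vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}
resource "aws_route_table_association" "gwlbe_subnet" {
  subnet_id      = var.endpoint_subnet_id
  route_table_id = aws_route_table.gwlbe_subnet.id
}
```

Without the last route table, egress traffic returning from the BIG-IP fleet would have no path to the internet gateway and would be dropped after inspection. Because each endpoint is tied to one availability zone, a multi-AZ consumer VPC repeats this pattern per zone with a per-zone endpoint subnet.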
With this deployment you can protect your AWS VPC using the robust security services offered by the BIG-IP platform and get the following benefits:
Test the deployment yourself: check out our self-service lab, which you can deploy in your own AWS account (fully automated deployment using Terraform):