on 03-Aug-2021 08:09
The previous article in this series reviewed the BIG-IP and AWS Gateway Load Balancer (GWLB) integration. In this article we focus on a deployment pattern that uses BIG-IP security services and GWLB to inspect traffic in and out of a VPC.
In this scenario we focus on a single existing VPC with EC2 instances and no BIG-IP security services in place.
The requirements: inspect traffic in and out of the VPC, and scale the BIG-IP deployment as needed.
Considering the requirements and the tools available, the deployment pattern uses the following attributes:
We can dive into each of the individual tasks:
Here we deploy the BIG-IP fleet in the security provider VPC and expose it through the GWLB. Some of the considerations when creating this VPC:
These are the actions we need to take in the provider VPC to inspect all ingress/egress traffic:
Diagram: The security VPC - BIG-IP fleet behind a GWLB, exposed using GWLB service
In the consumer VPC, the BIG-IP group is abstracted by the GWLB; the consumer VPC consumes the security services from the provider VPC via a new component, the GWLB endpoint. This endpoint acts as a bridge between the consumer VPC and the provider VPC: it essentially creates an ENI in one of the consumer VPC's subnets. Note that a single endpoint belongs to a single Availability Zone, so deploy one endpoint per AZ that carries workloads and design your route tables accordingly.
Inspecting all ingress traffic requires 'ingress routing', an AWS feature that lets you associate a route table with the internet gateway so that all ingress traffic is sent to an ENI or to a GWLB endpoint before it reaches the instances.
Here are the actions we need to take in the consumer VPC to inspect all ingress/egress traffic:
Diagram: Inspecting all ingress/egress in the Security provider VPC
Ingress traffic flow between an external user and an EC2 instance in the consumer VPC:
Egress traffic flow between an EC2 instance in the consumer VPC and an external user:
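As an added example (not code from the article or from F5's lab), here is the full wiring of the pattern in Terraform: in the provider VPC, the BIG-IP fleet behind a GWLB published as an endpoint service; in the consumer VPC, the GWLB endpoint, the ingress route table associated with the internet gateway, and the app-subnet and endpoint-subnet route tables that carry both directions of traffic through the endpoint. All variable values (VPC, subnet, IGW and instance IDs, the app subnet CIDR) and the TCP/443 health check are assumptions for your own environment.

```terraform
# Added example, not the article's lab code: the provider-side GWLB plus the
# consumer-side endpoint and ingress routing for the pattern described above.
# Every variable below is an assumed placeholder for your own environment.
variable "security_vpc_id"    { type = string }
variable "gwlb_subnet_ids"    { type = list(string) } # one subnet per AZ, security VPC
variable "bigip_instance_ids" { type = list(string) } # BIG-IP 16.1+ (AWS GENEVE support)
variable "app_vpc_id"         { type = string }
variable "app_igw_id"         { type = string }
variable "app_subnet_id"      { type = string }       # EC2 workload subnet
variable "app_subnet_cidr"    { type = string }       # e.g. 10.1.1.0/24 (assumed)
variable "gwlbe_subnet_id"    { type = string }       # endpoint subnet, SAME AZ as app_subnet_id

### Provider (security) VPC: BIG-IP fleet behind a Gateway Load Balancer
resource "aws_lb" "gwlb" {
  name               = "bigip-gwlb"
  load_balancer_type = "gateway"
  subnets            = var.gwlb_subnet_ids
}

# GWLB delivers traffic to targets as GENEVE on UDP/6081; the health check is a TCP probe.
resource "aws_lb_target_group" "bigip" {
  name        = "bigip-geneve"
  port        = 6081
  protocol    = "GENEVE"
  vpc_id      = var.security_vpc_id
  target_type = "instance"
  health_check {
    protocol = "TCP"
    port     = "443" # assumed: a virtual server listening on the BIG-IP data-plane NIC
  }
}

resource "aws_lb_target_group_attachment" "bigip" {
  for_each         = toset(var.bigip_instance_ids)
  target_group_arn = aws_lb_target_group.bigip.arn
  target_id        = each.value
}

# A gateway listener has no port or protocol: every packet goes to the target group.
resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.bigip.arn
  }
}

# Publish the GWLB as an endpoint service that consumer VPCs can attach to.
resource "aws_vpc_endpoint_service" "bigip" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

### Consumer (application) VPC: GWLB endpoint and ingress routing
# The endpoint is an ENI in one subnet, hence one AZ; repeat per AZ you protect.
resource "aws_vpc_endpoint" "gwlbe" {
  vpc_id            = var.app_vpc_id
  service_name      = aws_vpc_endpoint_service.bigip.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.gwlbe_subnet_id]
}

# Ingress routing: a route table associated with the IGW steers inbound traffic
# for the app subnet into the endpoint before any instance sees it.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.app_vpc_id
}
resource "aws_route" "igw_to_gwlbe" {
  route_table_id         = aws_route_table.igw_ingress.id
  destination_cidr_block = var.app_subnet_cidr
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe.id
}
resource "aws_route_table_association" "igw" {
  gateway_id     = var.app_igw_id
  route_table_id = aws_route_table.igw_ingress.id
}

# Egress: the app subnet's default route targets the endpoint, not the IGW ...
resource "aws_route_table" "app" {
  vpc_id = var.app_vpc_id
}
resource "aws_route" "app_to_gwlbe" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe.id
}
resource "aws_route_table_association" "app" {
  subnet_id      = var.app_subnet_id
  route_table_id = aws_route_table.app.id
}

# ... and the endpoint subnet's default route targets the IGW, so traffic the
# BIG-IP fleet returns through the endpoint is forwarded to the internet.
resource "aws_route_table" "gwlbe" {
  vpc_id = var.app_vpc_id
}
resource "aws_route" "gwlbe_to_igw" {
  route_table_id         = aws_route_table.gwlbe.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = var.app_igw_id
}
resource "aws_route_table_association" "gwlbe" {
  subnet_id      = var.gwlbe_subnet_id
  route_table_id = aws_route_table.gwlbe.id
}
```

The endpoint subnet and the workload subnet must sit in the same Availability Zone as the endpoint. To protect a second AZ, add a second endpoint in that AZ, repeat the app-subnet and endpoint-subnet route tables there, and add a route for that AZ's app subnet CIDR to the ingress route table. If either default route is left pointing at the IGW, one direction of each flow bypasses the endpoint and the BIG-IP fleet sees only half of the conversation.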
With this deployment you can protect your AWS VPC using the robust security services offered by the BIG-IP platform and get the following benefits:
Test the deployment yourself - check out our self-service lab, which you can deploy in your own AWS account (fully automated deployment using Terraform):
Hi Yossi, I thought it worth noting that BIG-IP started supporting AWS GWLB in version 16.1. If you think it's appropriate, you could update this article to remind folks of this.
(Before version 16.1 you can still set up Geneve tunnels in BIG-IP, but the AWS GWLB will not work because of AWS's implementation of Geneve, which we support from v16.1 and up. I just spent some time troubleshooting because I forgot to check the version of BIG-IP with a customer.)