on 31-Aug-2021 08:31
AWS just announced a new VPC routing enhancement. With this capability, customers can now inspect all traffic flowing between subnets in a VPC using BIG-IP security services. We partnered with the AWS team to validate a BIG-IP based solution leveraging the new capability.
More about the new capability
The AWS VPC routing enhancement allows customers to route East-West traffic flowing between two subnets in a VPC through a third-party appliance. Prior to this enhancement, route tables associated with subnets could not contain routes more specific than the local VPC CIDR.
More information can be found here:
F5’s BIG-IP platform offers a range of security services to mitigate network and application threats. Customers can now apply BIG-IP security services such as Advanced Firewall, Advanced WAF, Zero Trust policies with APM and more to East-West traffic using different deployment patterns, effectively creating network segmentation inside a VPC with advanced security controls.
These are the two deployment patterns I have tested:
In the following deployment pattern an Active-Standby pair of BIG-IPs is deployed in a dedicated subnet inside the VPC. The VPC route tables are configured to send inter-subnet traffic to the ENI of the active device. High availability is achieved using CFE: in the event of a BIG-IP failover, CFE immediately updates the AWS route tables with the ENI of the new active device (failover time is a few seconds). More info on this deployment and a CFT template can be found here - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/...
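To make the failover step concrete, here is an added, simplified illustration (my own example, not CFE's or F5's code) of what a route-table update on failover has to do: find every more-specific intra-VPC route that points at the old active ENI and repoint it at the new one, while leaving the local and default routes alone. The `FakeEC2` class, the route table IDs, CIDRs and ENI IDs are constructed stand-ins so the example runs offline; against real AWS you would pass a `boto3.client("ec2")` instead, whose `describe_route_tables` and `replace_route` calls have the same shape.

```python
import ipaddress
from typing import Any, Dict, List, Tuple


def is_more_specific_route(vpc_cidr: str, dest_cidr: str) -> bool:
    """True if dest_cidr is inside the VPC CIDR and strictly more specific than it,
    i.e. the kind of inter-subnet route the VPC routing enhancement newly permits."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    dest = ipaddress.ip_network(dest_cidr, strict=False)
    return dest.subnet_of(vpc) and dest.prefixlen > vpc.prefixlen


def failover_routes(ec2: Any, vpc_cidr: str, route_table_ids: List[str],
                    old_eni: str, new_eni: str) -> List[Tuple[str, str]]:
    """Repoint inter-subnet routes targeting old_eni at new_eni.
    Returns the (route_table_id, destination) pairs that were replaced."""
    replaced = []
    resp = ec2.describe_route_tables(RouteTableIds=route_table_ids)
    for table in resp["RouteTables"]:
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock")
            if not dest or route.get("NetworkInterfaceId") != old_eni:
                continue  # local route, IGW route, or already on another ENI
            if not is_more_specific_route(vpc_cidr, dest):
                continue  # only touch routes inside the VPC (not 0.0.0.0/0)
            ec2.replace_route(RouteTableId=table["RouteTableId"],
                              DestinationCidrBlock=dest, NetworkInterfaceId=new_eni)
            replaced.append((table["RouteTableId"], dest))
    return replaced


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client (offline only)."""
    def __init__(self, tables: List[Dict[str, Any]]):
        self.tables = tables

    def describe_route_tables(self, RouteTableIds: List[str]) -> Dict[str, Any]:
        return {"RouteTables": [t for t in self.tables if t["RouteTableId"] in RouteTableIds]}

    def replace_route(self, RouteTableId: str, DestinationCidrBlock: str, NetworkInterfaceId: str) -> None:
        for t in self.tables:
            if t["RouteTableId"] == RouteTableId:
                for r in t["Routes"]:
                    if r.get("DestinationCidrBlock") == DestinationCidrBlock:
                        r["NetworkInterfaceId"] = NetworkInterfaceId


def sample_tables() -> List[Dict[str, Any]]:
    """Constructed: two subnet route tables in VPC 10.0.0.0/16 sending each other's
    traffic through the active BIG-IP ENI, plus untouched local and IGW routes."""
    return [
        {"RouteTableId": "rtb-a", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.0.2.0/24", "NetworkInterfaceId": "eni-active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0"}]},
        {"RouteTableId": "rtb-b", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": "eni-active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0"}]},
    ]
```

Running `failover_routes(FakeEC2(sample_tables()), "10.0.0.0/16", ["rtb-a", "rtb-b"], "eni-active", "eni-standby")` repoints exactly the two inter-subnet routes; a failover tool should also be checked against the BIG-IP subnet's own route table so traffic is never routed back to the inspecting ENI.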
In this deployment the BIG-IP instances are deployed behind a Gateway Load Balancer. The main benefits of this deployment are horizontal scaling of the BIG-IPs and administrative domain separation, since the BIG-IP devices are deployed in their own VPC.
Some extra info regarding this deployment option:
F5 supports this new VPC capability with the BIG-IP platform, here are two ways to test it yourself: