Integrating Next-Gen Firewalls with VMware Cloud on AWS
By Aarthi Raju, Principal Solutions Architect at AWS
By Nicolas Vibert, Lead Systems Engineer at VMware
As customers start to build their hybrid network architectures, they often ask us how they can leverage next-generation firewalls to protect their data in VMware Cloud on AWS, similar to what they do in their native Amazon Web Services (AWS) environment or on-premises.
Some of these customers already leverage AWS Partner Network (APN) solutions like Check Point, Palo Alto Networks, or other firewall vendors and want to leverage the same partner solutions in their VMware Cloud on AWS environments.
This post covers the design required to leverage a next-generation firewall with VMware Cloud on AWS. A next-gen firewall performs deep packet inspection, moving beyond port/protocol matching and blocking to add application-level inspection.
Network Architecture for VMware Cloud on AWS
VMware Cloud on AWS, the hybrid cloud solution jointly developed by AWS and VMware, already includes two edge firewalls—the Management Gateway, and the Compute Gateway.
The Management Domain is protected by a Management Gateway (MGW), which is an NSX Edge Security gateway that provides north-south network connectivity for the vCenter Server and NSX Manager running in the Software-Defined Data Center (SDDC).
The Compute Domain, which includes compute workloads created by the customer, is protected by a Compute Gateway (CGW). This provides north-south network connectivity for virtual machines (VMs) running in the SDDC.
By north-south, we mean traffic coming to and from the internet to the VMware Cloud on AWS SDDC. This post will not cover east-west firewalling, which refers to traffic within the SDDC.
Figure 1 – Management and Compute Gateways.
Both MGW and CGW provide firewall capabilities. Today, however, they only offer Layer 4 (L4) firewalling, meaning they inspect traffic only up to Layer 4 of the OSI model: they can match on source and destination IP addresses and TCP/UDP ports, and filter traffic based on those criteria alone.
AWS Security Groups are similar to L4 virtual firewalls and behave the same way.
For internet-facing applications or internet-bound traffic, you might want to leverage an L7 firewall. That is a firewall capable of inspecting the packet payload and URL, and dropping traffic if its content or URL destination does not adhere to the company’s security policy.
Figure 2 – Differences between L4 and L7 firewalls.
L7 firewalls are sometimes referred to as IPS/IDS, context-aware firewalls, next-gen firewalls, or application firewalls. Popular L7 firewall vendors include Palo Alto Networks, Check Point, and Cisco.
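To make the L4/L7 distinction from Figure 2 concrete, here is an added example (not code from the original post or from any firewall vendor) that evaluates constructed sample flows first against an L4 rule that only sees the 5-tuple, then against an L7 policy that also sees the URL and payload. The rule values, addresses and URLs are all made up for illustration, and the L7 check assumes the firewall can see the decrypted HTTP request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Constructed sample flow: what an L4 device sees (5-tuple) plus what
# only an L7 inspector can see (URL and payload). Values are made up.
@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    url: str = ""        # visible only after the request is decrypted
    payload: bytes = b""


# Constructed L4 rule in the style of the CGW firewall or a Security Group:
# allow anything on the internet to reach the web segment on tcp/443.
L4_RULES = [
    {"src": "0.0.0.0/0", "dst": "10.10.5.0/24", "proto": "tcp",
     "dport": 443, "action": "allow"},
]


def l4_decision(flow, rules=L4_RULES):
    """First matching 5-tuple rule wins; no match means implicit deny."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r["src"])
                and ip_address(flow.dst) in ip_network(r["dst"])
                and flow.proto == r["proto"] and flow.dport == r["dport"]):
            return r["action"]
    return "deny"


# Constructed company policy for the L7 inspector: a URL allow list and a
# payload signature list. An L7 device can only further restrict L4 allows.
ALLOWED_URL_PREFIXES = ("https://app.example.com/",)
BLOCKED_PAYLOAD_PATTERNS = (b"<script>",)


def l7_decision(flow):
    """L4 verdict first, then URL and payload checks on the same flow."""
    if l4_decision(flow) != "allow":
        return "deny"
    if flow.url and not flow.url.startswith(ALLOWED_URL_PREFIXES):
        return "deny"
    if any(p in flow.payload for p in BLOCKED_PAYLOAD_PATTERNS):
        return "deny"
    return "allow"
```

A flow that the L4 rule allows on tcp/443 is still dropped by the L7 policy when its URL or payload violates the policy, which is exactly the gap the post describes.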
Integrating a Next-Gen Firewall with VMware Cloud on AWS
Let’s walk through the potential options for integrating a next-gen firewall with VMware Cloud on AWS.
Option 1: Inspect VMware Cloud on AWS traffic via the on-premises next-gen firewall
If you use VMware Cloud on AWS as an extension of your data center and maintain an on-premises presence, you may want the traffic to be inspected by an on-premises web proxy and internet L7 firewall.
In that case, it’s pretty straightforward—advertise the default route over the virtual private network (VPN) or AWS Direct Connect, and all the internet-bound traffic from the VMware Cloud on AWS VMs will go via the on-premises L7 appliance.
Figure 3 – Outbound internet traffic inspected by on-premises L7 firewall.
If you want to expose web-facing applications on VMware Cloud on AWS, you can advertise the public IPs of these VMs from your internet-facing router and NAT these public IPs to the private IP of the VMware Cloud on AWS VM (VMC-VM).
Inbound traffic from an external user will go through the on-premises internet firewall, where the destination IP is NAT’ed to the private IP of the VMC-VM, and is then forwarded across Direct Connect (DX) or the VPN to the VMC-VM.
Figure 4 – Inbound internet traffic inspected by on-premises L7 firewall.
Option 2: Next-gen firewall deployed within a transit VPC in native AWS
Alternatively, we can leverage the concept of a transit VPC, which is a common strategy for connecting multiple, geographically dispersed VPCs and remote networks in order to create a global network transit center.
Transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.
Figure 5 – Transit VPC on AWS.
The transit VPC is a “hub VPC” that connects to “spoke VPCs” via VPN. A next-gen firewall is then deployed within the transit VPC as an Amazon Elastic Compute Cloud (Amazon EC2) instance. All of the traffic leaving the spoke VPCs travels to the hub/transit VPC and is inspected by the next-gen firewall.
So how does it work with VMware Cloud on AWS? The VMware Cloud on AWS SDDC would just be another “spoke VPC.”
Remember, the “ENI-Connected VPC” is the one we connected to via the Elastic Network Interface (ENI) when we deployed the SDDC. This is typically used for services such as Active Directory, Amazon FSx, or backups using Amazon S3. The ENI-Connected VPC would not be connected to the transit VPC; instead, it remains reachable from the VMware Cloud on AWS SDDC via the ENI.
Figure 6 – Transit VPC with VMware Cloud on AWS.
For our testing purposes, we used a Palo Alto Networks appliance in our transit VPC. This is the ideal option for customers already using a transit VPC, as VMware Cloud on AWS would just be another spoke.
All of the traffic from VMware Cloud on AWS to either spoke VPCs or the internet would transit through the secure transit VPC.
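Both Option 1 and Option 2 rely on the same routing decision at the SDDC Compute Gateway: a default route advertised over VPN or Direct Connect pulls internet-bound traffic through the L7 firewall, while more specific routes (the SDDC segment, the ENI-connected VPC) are still reached directly. The following added example (not code from the original post or from VMware or AWS) models that decision as a longest-prefix-match route lookup plus the inbound NAT mapping from Option 1; the route table, prefixes and NAT entry are constructed for illustration.

```python
import ipaddress

# Constructed, simplified view of the SDDC Compute Gateway (CGW) route table.
# Next hops: "local" (SDDC compute segment), "eni" (ENI-connected VPC), and
# "vpn" (the on-prem L7 firewall in Option 1 or the transit VPC firewall in
# Option 2). All prefixes below are made up for illustration.
CGW_ROUTES = [
    ("10.10.0.0/16", "local"),   # SDDC compute segment
    ("172.31.0.0/16", "eni"),    # ENI-connected VPC (AD, FSx, S3 backups)
    ("192.168.0.0/16", "vpn"),   # on-prem prefixes learned over VPN/DX
    ("0.0.0.0/0", "vpn"),        # advertised default route: internet egress
]

# Constructed Option 1 inbound mapping: public IP -> private IP of the VMC-VM.
INBOUND_NAT = {"203.0.113.10": "10.10.5.25"}


def next_hop(dst, routes=CGW_ROUTES):
    """Longest-prefix match over the route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def egress_inspected(dst, routes=CGW_ROUTES):
    """True when traffic to dst crosses the L7 firewall behind the VPN/DX hop."""
    return next_hop(dst, routes) == "vpn"


def inbound_target(public_ip, nat=INBOUND_NAT):
    """Private VMC-VM address the on-prem edge NATs a public IP to, or None."""
    return nat.get(public_ip)


def without_default_route(routes=CGW_ROUTES):
    """Same table minus the advertised default route, i.e. Option 1 not applied:
    internet destinations no longer resolve to the inspected VPN/DX path."""
    return [r for r in routes if r[0] != "0.0.0.0/0"]


if __name__ == "__main__":
    for dst in ("198.51.100.7", "172.31.20.4", "10.10.1.9", "192.168.3.3"):
        print(dst, "->", next_hop(dst), "inspected:", egress_inspected(dst))
    print("without default route:", next_hop("198.51.100.7", without_default_route()))
```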
Figure 7 – Transit VPC, next-gen firewall, and VMware Cloud on AWS architecture.
Option 3: Leverage NSX Service Insertion to insert a next-gen firewall
This third model is not available yet, but it’s something on our roadmap which you can review here. We are actively working on a feature to insert a virtual next-gen firewall through our NSX-T Partner Service Insertion platform. This is nothing new if you’ve followed NSX: it has been available for years on NSX-V and for a few months on NSX-T.
When completed, this model provides the following benefits:
- L7 inspection of both outbound and inbound traffic.
- Inspection of traffic to both compute VMs and management VMs.
- Faster performance and reduced latency.
Customers who are looking to leverage APN Partner solutions within VMware Cloud on AWS can utilize one of the above-mentioned options to achieve this architecture.
This enables customers to perform deep packet inspection for applications running both in VMware Cloud on AWS and on native AWS services.
- VMware Cloud on AWS website
- Getting Started guide for VMware Cloud on AWS
- Getting started with Amazon VPC
- AWS Transit VPC
VMware – APN Partner Spotlight
VMware is an APN Advanced Technology Partner. Its software spans compute, cloud, networking, security, digital workspace, and streamlines the journey for organizations to become digital businesses.