: VM-Series Integration with AWS Cloud WAN
Focus
Focus

VM-Series Integration with AWS Cloud WAN

Table of Contents

VM-Series Integration with AWS Cloud WAN

Integrate VM-Series Firewall with AWS Cloud WAN.
AWS Cloud WAN is a managed wide area networking (WAN) service that enables you to build a unified network that interconnects cloud and on-premises environments. It provides a centralized dashboard to connect on-premises, branch offices, data centers, and Amazon VPCs across the AWS global network and even other cloud providers.
Deploying a Cloud WAN lets you employ next-generation firewalls (NGFW) and intrusion prevention systems (IPS) to inspect network traffic as part of a defense-in-depth strategy. This is often done using a separate and centralized security VPC where security appliances are set up, and traffic is routed in and out using Cloud WAN. Having a separate security VPC provides a simplified and centralized way to manage security inspection.
Cloud WAN helps with connectivity within AWS through AWS Network Manager, an interface which centrally manages your global network. A global network is a single private network that acts as the root-level container for your network objects and can contain both transit gateways and a Core Network. The core network consists of network policies, attachments such as VPCs, and transit gateway route tables.
Cloud WAN allows mapping of VPCs to segments and the regional connection point for your attachments as defined in the policy. Policies can be defined for traffic redirection between same or different segments to be inspected by a firewall.
You can use Cloud WAN services to:
  • Deploy a security VPC behind GWLB in a security segment and redirect traffic arriving from cloud attachments to VPC, before forwarding to the destination.
  • Collect logs and manage activities such as autoscaling, TAG collection, and so on, in Panorama managed firewalls.
  • Filter and inspect traffic to/from the internet using north-south traffic.
  • Inspect traffic for inter VPC communications.
AWS Cloud WAN can be deployed using two methods:
  • Federating Transit Gateways with Cloud WAN – In this method you replace statically created transit gateway peering connections with Cloud WAN. While federating transit gateways with Cloud WAN, you will need to register the transit gateways using the AWS Network Manager and create peering between the transit gateways and create attachments to the transit gateways and then apply the Cloud WAN configuration.
  • Cloud WAN only – In this method Cloud WAN is used for all connectivity and transit gateways are removed.
Considerations before deploying the AWS Cloud WAN:
  • Peering between transit gateways and Cloud WAN is supported in the same region, and not across regions.
  • Cloud WAN does not support native integration with AWS Direct Connect.
  • For use cases that require AWS site-to-site VPN connections over Direct Connect using private IP addresses, ensure that you connect Cloud WAN with a transit gateway.
  • While deploying Cloud WAN along with transit gateways, ensure that the transit gateway ASN is different from the ASN used for Cloud WAN’s core network edges.
  • While creating the core network, ensure that you add all the regions your VPCs are configured to, in the edge locations section under core network policy settings. You will also need to create segments and add the type of segment (Dev, Prod, Management or Security) that these regions belong to, under segment name.
Use Cases
You can use Cloud WAN to route traffic between:
  • VPCs in the same segment and in the same region (isolated attachments).
  • VPCs in different segments of the same region.
  • VPCs in the same segment across different regions (isolated attachments).
  • VPCs in different segments across different regions.

Deploy the AWS Cloud WAN

Let us consider a use case where VPCs are in the same segment and in the same region (isolated attachments). To configure this setup, deploy the VM-Series firewall behind a GWLB similar to VM-Series integration with an AWS Gateway Load Balancer. You can deploy VM-Series firewall behind the GWLB in a security VPC which is directly connected to a Cloud WAN, or through a transit gateway with a Cloud WAN attachment.
To migrate completely off the transit gateway, you must connect your VPCs directly to Cloud WAN.
Egress traffic from the Production VPC is routed to the Cloud WAN, which is then routed to the security VPC for inspection and sent out through NAT gateway and internal gateway. In the reverse direction, traffic from the security VPC reaches the security segment and then based on the routing configuration, is sent to the VPC attachment.
To inspect traffic between VPCs in the same segment and same region with AWS Cloud WAN(only) deployment, execute the following tasks:
  1. Login to AWS Network Manager and Create global network.
  2. Create a core network and core network policy.
    Use the AWS Cloud WAN console to create a core network policy version following these tasks:
    • Configure the network settings.
      • To edit a policy version, click Policy versions select the required policy and click Edit. Make necessary changes and click Create Policy.
      • After the change set state of the policy version changes to Ready to execute, execute the policy by clicking View or apply change set. Alternatively, click Compare policy version to view the JSON document.
  3. Create an attachment.
    • Use VPC or transit gateway route table as attachment type while creating an attachment.
    • To ensure that the VM-Series firewall can inspect traffic that is routed between VPC attachments, you must enable appliance mode on the VPC attachment for the security VPC containing the VM-Series firewall.
  4. Update VPC Route tables.
    Now that the necessary Cloud WAN constructs are in place, the VPCs need to be configured to facilitate packet forwarding towards the core network. The application and firewall instances or the respective VPCs need to be tagged similar to that of the segment. Add specific tags to the attachment to match one created in step 2.3.
To enable communication between attachment VPCs and the Core Network, VPC Route tables need to be updated from the existing target transit gateway route to the corresponding Core Network ARN as shown below.

Packet Walkthrough

The following steps describe the packet walkthrough when EC2 instance in Application VPC 1 communicates with EC2 instance in Application VPC 2:
  • When a client in APP VPC 1(10.1.0.0/16) starts a connection to a server in APP VPC 2 (10.2.0.0/16), it does a VPC (App Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target and the packet gets routed to the Core Network.
  • When the packet arrives at the Core Network, it does a Prod Segment Route Table lookup, because APP VPC 1 is associated with the Prod Segment. The packet matches the default entry with Security attachment as the target and the packet gets routed to Security VPC.
  • When the packet arrives at the Security VPC(100.64.0.0/16) attachment, it does a VPC (CWAN Subnet) route table lookup. The packet matches the default route with Firewall Endpoint 1 as the target and the packet gets routed to a firewall, through the firewall’s endpoint, for inspection.
  • The firewall inspects the traffic, compares it to its security policy, and allows it through. The firewall routes the packet back to the firewall’s endpoint, where it does a VPC (Firewall Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target, and the packet gets routed to the Core Network.
  • When the packet arrives at the core network, it does a Shared Security Route Table lookup because Security VPC is associated with the Security Segment. The packet matches the APP VPC 2 CIDR(10.2.0.0/16) entry with APP VPC 2 Attachment as the target and the packet gets routed to APP VPC 2.
  • When the packet arrives at APP VPC 2, it does a VPC (CWAN Subnet) route table lookup. The packet matches the VPC CIDR entry with local as the target and the packet gets routed to Instance.
Return traffic traces the same path in the opposite direction.