Network segmentation in an AWS VPC

What's new?

AWS just announced a new VPC routing enhancement. With this capability, customers can now inspect all traffic flowing between subnets in a VPC using BIG-IP security services. We partnered with the AWS team to validate a BIG-IP based solution that leverages the new capability.

More about the new capability

The AWS VPC routing enhancement allows customers to route East-West traffic flowing between two subnets in a VPC through a third-party appliance. Prior to this enhancement, route tables associated with subnets could not contain routes more specific than the local VPC CIDR, so inter-subnet traffic always followed the VPC's local route and could not be redirected to an appliance.

More information can be found here:

https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/


BIG-IP security services for inter-subnet traffic

F5's BIG-IP platform offers a range of security services to mitigate network and application threats. Customers can now apply BIG-IP security services such as Advanced Firewall, Advanced WAF, Zero Trust policies with APM and more to East-West traffic using different deployment patterns, effectively creating network segmentation inside a VPC with advanced security controls.

These are the two deployment patterns I have tested:

  1. BIG-IP HA using F5's Cloud Failover Extension (CFE)
     - Traditional Active-Standby deployment
     - The BIG-IPs must be deployed in the same VPC as the workloads
     - Supports all virtual server types and proxy configurations
  2. BIG-IP behind a GWLB
     - Allows for horizontal scaling of the BIG-IPs
     - The BIG-IPs are deployed in a separate VPC
     - Does not support changing the source or destination IP

Deployment patterns details

BIG-IP HA using F5's Cloud Failover Extension (CFE)

In the following deployment pattern an Active-Standby pair of BIG-IPs is deployed in a dedicated subnet inside the VPC. The VPC route tables are configured to send inter-subnet traffic to the ENI of the active device. High availability is achieved using CFE: in the event of a BIG-IP failover, CFE immediately updates the AWS route table with the ENI of the new active device (failover time is a few seconds). More info on this deployment and a CFT template can be found here - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg
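The segmentation only holds if every subnet's route table carries a more-specific route for each peer subnet that targets the inspection appliance; a subnet whose table still has only the VPC-local route sends its East-West traffic straight to the peer, bypassing the BIG-IP. The check below is an added example, not code from the article or from F5, and runs over constructed data in the shape of `aws ec2 describe-route-tables` output; the ENI ID, subnet IDs and CIDRs are made up, and the route-target keys it reads are an assumption for the CFE (ENI) pattern.

```python
"""Flag subnet pairs whose East-West traffic bypasses the inspection appliance.

Input mirrors `aws ec2 describe-route-tables` JSON. All IDs and CIDRs are
constructed sample values for this example, not taken from a real account.
"""
import ipaddress

# Constructed sample: VPC 10.0.0.0/16 with an app subnet and a db subnet.
# The app table steers db-bound traffic to the active BIG-IP ENI; the db
# table was left with only the VPC-local route (the gap this check catches).
INSPECTION_TARGETS = {"eni-0bigipactive00001"}  # assumed: active BIG-IP ENI

ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.2.0/24",
                 "NetworkInterfaceId": "eni-0bigipactive00001"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNET_CIDRS = {"subnet-app": "10.0.1.0/24", "subnet-db": "10.0.2.0/24"}


def route_target(route):
    # Assumed key layout: ENI targets use NetworkInterfaceId, the VPC-local
    # route uses GatewayId="local"; a GWLB endpoint target would differ.
    return route.get("NetworkInterfaceId") or route.get("GatewayId")


def effective_route(routes, dst_cidr):
    """Longest-prefix match: the route that carries traffic for all of dst_cidr."""
    dst = ipaddress.ip_network(dst_cidr)
    covering = [r for r in routes
                if dst.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    return max(covering, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)


def uninspected_pairs(route_tables, subnet_cidrs, targets):
    """Return (src_subnet, dst_subnet, target) for every pair not steered to an inspection target."""
    table_by_subnet = {a["SubnetId"]: t for t in route_tables
                       for a in t.get("Associations", []) if "SubnetId" in a}
    gaps = []
    for src, table in table_by_subnet.items():
        for dst, dst_cidr in subnet_cidrs.items():
            if src == dst:
                continue
            route = effective_route(table["Routes"], dst_cidr)
            target = route_target(route) if route else None
            if target not in targets:
                gaps.append((src, dst, target))
    return gaps


if __name__ == "__main__":
    for src, dst, via in uninspected_pairs(ROUTE_TABLES, SUBNET_CIDRS, INSPECTION_TARGETS):
        print(f"{src} -> {dst} bypasses inspection (routed via {via})")
```

Run it against the real output of `aws ec2 describe-route-tables` (plus the subnet CIDRs from `describe-subnets`) to confirm both directions of every protected pair are steered through the active ENI, including right after a CFE failover.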


BIG-IP behind a GWLB

In this deployment the BIG-IP instances are deployed behind a Gateway Load Balancer. The main benefits of this deployment are horizontal scaling of the BIG-IPs and admin domain separation, since the BIG-IP devices are deployed in their own VPC.

Some extra info regarding this deployment option:

  1. GWLB has an extra cost
  2. Changing the source/destination IP is not supported
  3. More details on BIG-IP and GWLB can be found here - https://devcentral.f5.com/s/articles/BIGIP-integration-with-AWS-Gateway-Load-Balancer-Overview


Try it today

F5 supports this new VPC capability with the BIG-IP platform. Here are two ways to test it yourself:

  1. Deploy our supported CFT template into your own environment - https://github.com/F5Networks/f5-aws-cloudformation/tree/main/supported/failover/across-net/via-api/2nic/existing-stack/payg
  2. Deploy a fully automated demo using Terraform from here: https://github.com/f5devcentral/f5-digital-customer-engagement-center/tree/msr/solutions/security/aws-inter-subnet-fw-gwlb


Published Aug 31, 2021
Version 1.0
