AWS Hub Spoke

From Dave-Wiki
Revision as of 00:57, 3 February 2025 by Tlyle

Hub-Spoke Inspection VPC with Transit Gateway and Palo Alto Firewall

Introduction

A Hub-Spoke Inspection VPC architecture is a scalable design for securing network traffic between workload VPCs, on-premises networks, and the internet. This model utilizes AWS Transit Gateway (TGW) for routing, Gateway Load Balancer (GWLB) for traffic inspection, and Palo Alto firewalls for security enforcement.

Architecture Overview

The architecture consists of the following key components:

  • **Transit Gateway (TGW):** Acts as a central routing hub connecting workload VPCs, the inspection VPC, and on-premises networks.
  • **Inspection VPC:** Contains Palo Alto firewalls behind Gateway Load Balancer (GWLB) endpoints for deep packet inspection.
  • **Direct Connect (DX):** Establishes a dedicated private link between on-premises networks and AWS.
  • **Workload VPCs:** Contain applications and services requiring secure connectivity.
  • **Gateway Load Balancer (GWLB) & Endpoints:** Distribute traffic to firewalls in the inspection VPC for security enforcement.

Traffic Flow

East-West Traffic (Workload VPC to Workload VPC)

1. Workload VPC routes traffic to TGW.
2. TGW routes traffic through the Inspection VPC via GWLB endpoints.
3. GWLB forwards traffic to Palo Alto firewalls for inspection.
4. Firewalls evaluate traffic policies and forward packets back through GWLB.
5. TGW routes the inspected traffic to the destination workload VPC.

North-South Traffic (On-Premises to AWS via Direct Connect)

1. On-premises traffic enters AWS through Direct Connect.
2. DX routes traffic to the TGW attachment in the Inspection VPC.
3. TGW forwards traffic to GWLB endpoints for Palo Alto firewall inspection.
4. Post-inspection, TGW routes traffic to the appropriate workload VPC.

Inbound Internet Traffic

1. External traffic enters AWS through an Application Load Balancer (ALB) in a shared services VPC.
2. ALB forwards traffic to Gateway Load Balancer (GWLB) endpoints.
3. GWLB tunnels traffic to Palo Alto firewalls for security inspection.
4. The firewalls forward traffic back to GWLB, which then directs it to the appropriate workload VPC.

Outbound Internet Traffic

1. Workload VPCs route outbound traffic to TGW.
2. TGW routes the traffic to the Inspection VPC.
3. GWLB forwards traffic to Palo Alto firewalls for outbound inspection.
4. Firewalls apply security policies and forward approved traffic to a NAT Gateway or egress internet gateway.
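The flows above all depend on one routing invariant: every spoke and DX attachment is associated with a TGW route table whose only route is a default to the inspection VPC attachment, while the inspection VPC's own TGW route table and subnet route table know the real destinations. The following is an added example (not from this page, and not Palo Alto or AWS code) that models those route tables with constructed attachment names and CIDRs, traces the east-west, north-south and outbound paths as the steps describe them, and audits for any path that skips the firewall; the last function shows the effect of a spoke prefix being propagated into the spoke route table, which is the usual way such a bypass appears.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (example values, not from the page). Spoke attachments carry
# workload VPCs, the DX attachment carries on-premises prefixes, and one attachment
# leads to the inspection VPC holding the GWLB endpoints and firewalls.
SPOKES = {"tgw-attach-app1": "10.1.0.0/16", "tgw-attach-app2": "10.2.0.0/16"}
DX_ATTACHMENT, DX_CIDR = "tgw-attach-dx", "192.168.0.0/16"
INSPECTION = "tgw-attach-inspection"
INTERNET_PROBE = "203.0.113.10"   # documentation-range address standing in for "the internet"

# TGW route tables: name -> list of (cidr, target attachment). Spokes and DX share a
# table whose only route is a default to the inspection VPC, so nothing they send can
# reach another spoke directly; the inspection table knows the real destinations.
TGW_ROUTE_TABLES = {
    "tgw-rtb-spoke": [("0.0.0.0/0", INSPECTION)],
    "tgw-rtb-inspection": [(cidr, att) for att, cidr in SPOKES.items()]
                          + [(DX_CIDR, DX_ATTACHMENT)],
}
ASSOCIATIONS = {att: "tgw-rtb-spoke" for att in list(SPOKES) + [DX_ATTACHMENT]}
ASSOCIATIONS[INSPECTION] = "tgw-rtb-inspection"

# Inspection VPC subnet route table consulted after the firewall hands the packet back:
# internal prefixes return to the TGW, everything else leaves via the NAT gateway.
INSPECTION_VPC_ROUTES = [(cidr, "tgw") for cidr in list(SPOKES.values()) + [DX_CIDR]] \
                        + [("0.0.0.0/0", "nat-gateway")]


def lookup(routes, dst):
    """Longest-prefix match over a list of (cidr, target), like a real route table."""
    addr, best = ip_address(dst), None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_attachment, dst, tgw_tables=TGW_ROUTE_TABLES):
    """Return the ordered hops a packet from src_attachment takes toward dst."""
    hops = [src_attachment]
    target = lookup(tgw_tables[ASSOCIATIONS[src_attachment]], dst)
    if target is None:
        return hops + ["blackhole"]
    hops.append(target)
    if target != INSPECTION:
        return hops                      # delivered without ever seeing the firewall
    hops += ["gwlb-endpoint", "palo-alto-firewall"]
    if lookup(INSPECTION_VPC_ROUTES, dst) == "nat-gateway":
        return hops + ["nat-gateway", "internet"]   # outbound internet flow
    target = lookup(tgw_tables[ASSOCIATIONS[INSPECTION]], dst)
    return hops + [target or "blackhole"]


def is_inspected(hops):
    return "palo-alto-firewall" in hops


def audit_bypasses(tgw_tables=TGW_ROUTE_TABLES):
    """List (source attachment, destination) pairs whose path skips the firewall.

    Probes one host in every spoke and DX prefix plus an internet address, so
    east-west, north-south and outbound flows are all checked.
    """
    prefixes = dict(SPOKES, **{DX_ATTACHMENT: DX_CIDR})
    probes = {att: str(next(ip_network(cidr).hosts())) for att, cidr in prefixes.items()}
    findings = []
    for src in prefixes:
        for dst_att, dst_ip in list(probes.items()) + [("internet", INTERNET_PROBE)]:
            if dst_att != src and not is_inspected(trace(src, dst_ip, tgw_tables)):
                findings.append((src, dst_ip))
    return findings


def with_propagated_route(tgw_tables):
    """Copy of the tables where app2's prefix was propagated into the spoke table:
    a common mistake (attachment propagation left enabled) that creates a bypass."""
    bad = {name: list(routes) for name, routes in tgw_tables.items()}
    bad["tgw-rtb-spoke"].append((SPOKES["tgw-attach-app2"], "tgw-attach-app2"))
    return bad


if __name__ == "__main__":
    print(trace("tgw-attach-app1", "10.2.0.5"))
    print("good config findings:", audit_bypasses())
    print("bad config findings:", audit_bypasses(with_propagated_route(TGW_ROUTE_TABLES)))
```

The same audit can be run against real tables by filling `TGW_ROUTE_TABLES` and `ASSOCIATIONS` from the Transit Gateway console or API output; the check that matters is that `audit_bypasses` returns an empty list, since a single propagated or static spoke route in the spoke table silently removes the firewall from that path.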

Key Benefits of This Architecture

  • **Centralized Security:** Palo Alto firewalls in the Inspection VPC provide a single enforcement point.
  • **Scalability:** TGW efficiently routes traffic across multiple VPCs.
  • **High Availability:** GWLB automatically distributes traffic across firewall instances.
  • **Reduced Complexity:** TGW simplifies network connectivity by eliminating complex peering configurations.

Conclusion

The Hub-Spoke Inspection VPC model with TGW, DX, and Palo Alto firewalls ensures secure and scalable traffic routing in AWS. This approach centralizes security inspection while optimizing network performance across hybrid cloud environments.