Securing Applications in the Cloud Using Palo Alto and Terraform
A global wealth management and investment banking company has chosen to utilize the AWS Cloud for current and future workloads. As a financial organization, security is paramount across their entire infrastructure. Recently, the Customer was facing network operational and scalability issues with an AWS legacy architecture. The Customer wanted to move to a more modern network deployment while also improving their security posture. The end goal was a scalable solution that would allow them to deploy applications securely, with improved visibility for their operations teams and an improved end-user experience.
At this point, the Customer engaged WWT to collaborate with their cloud team and work toward realizing their networking and security goals. WWT has worked with the customer in prior engagements and understood their adoption of DevOps principles and doing everything possible as Infrastructure as Code (IaC).
One of the customer's main concerns around deploying applications to the cloud was maintaining visibility with the applications. In addition, how were they going to prevent exploits, provide threat protection for the applications or provide segregation for their workloads?
The existing architecture consisted of a traditional Transit VPC with 10+ VPCs connected to it via IPsec using a virtual private gateway; a separate IPsec VPN connected the Transit VPC to the on-prem environment.
The transit VPC design required the Customer to manage and monitor each of the VPN components, which does not scale as the network grows and limited their routing designs. The Customer also made heavy use of Palo Alto firewalls, but lacked centralized management of the Palo Alto firewalls deployed in AWS.
For this project, WWT and the Customer wanted to achieve:
- Modernize the existing Transit VPC architecture so that it is more scalable and easier to manage
- Centralize management of the Palo Alto NGFWs deployed in AWS
- Improve the security posture of all applications
- Utilize Infrastructure-as-code for the entire project, specifically Hashicorp Terraform
- Visualize network traffic
WWT proposed a more modern routing design based on a reference architecture developed by Palo Alto and incorporating more modern AWS constructs, such as Transit Gateway. The new architecture provides a secure solution that enables segmentation between different VPCs, improves network visibility, incorporates real-time threat protection, and allows the organization to meet its business requirements.
Improved Network Architecture
The new design calls for three security VPCs, Inbound, Outbound and East-West, each built to sustain a dual-firewall implementation. The Outbound and East-West firewalls are connected to the Transit Gateway via a VPC attachment for management and a VPN attachment for data-plane communications. The VPN runs BGP, and this attachment allows dynamic route manipulation with the Transit Gateway. A VPC attachment does not support route manipulation such as Equal Cost Multipath (ECMP) and only supports static routing. The Ingress VPC is connected to the Transit Gateway via a VPC attachment.
Each of the security VPCs has two VM-Series Palo Alto firewalls that can be configured to handle both internal and external threats, managed via a Panorama device hosted either on-premises or in the cloud. The VMs in the cloud have the same capabilities that are available on hardware-based Palo Alto firewalls.
All traffic, internal or external, is processed by a firewall, which offers full visibility into the transmissions within an organization's cloud environment and therefore meets the requirement for application visibility.
VPC to VPC communications – For lateral communication, such as VPC1 communicating with VPC2, all traffic goes through the Transit Gateway and is pushed to the East-West firewall. The firewall either allows or denies the traffic based on the rules provided. If the traffic is allowed, the firewall forwards it back to the Transit Gateway, which routes it to its destination, VPC2.
VPC to Egress communication – The Egress firewall advertises a default route to the Transit Gateway, which sends internet-bound traffic leaving VPC1 to the Egress firewalls. Based on allow or deny rules, traffic is forwarded out the untrust interface. Return traffic comes back to the Egress firewall, is routed to the Transit Gateway, and then back to the originating VPC1.
External communications, Ingress – Traffic trying to reach a web server running in VPC1 enters the Ingress firewall, is NAT'd, and is sent via the Transit Gateway to the web server in VPC1. The return traffic hits the Transit Gateway, then the Ingress firewall, where the NAT is reversed and the traffic is returned to the client.
The introduction of the Transit Gateway (TGW) in the design is where things get interesting. The TGW is a managed AWS construct and a more elegant solution. It allows for up to 5000 VPC attachments, with increased throughput of up to 50 Gbps between the Transit Gateway and a VPC. It also supports VPN attachments; however, those are still limited to 1.25 Gbps. More importantly, the TGW allows you to create route tables that effectively separate environments into functional domains, giving you control over where traffic is sent and a central place to manage connectivity.
The Palo Alto services give the new environment a tightly coupled application and infrastructure deployment strategy, providing control, visibility and protection for applications, along with the ability to perform deep packet inspection on traffic streams for security and policy enforcement. The design also improves application onboarding, since less work is needed within the PAs to onboard a new application. Coupled with the Transit Gateway, the Palo Alto design brings a level of security for applications and control for the infrastructure that comes close to a zero-trust model in the cloud.
As mentioned previously, this particular customer has adopted DevOps heavily as part of their cloud journey. One of the requirements was complete automation of the solution, using infrastructure-as-code and custom-developed code to build out and provision all parts of the architecture.
Panorama will be used to provide a centralized location to manage their cloud provisioned PAs. Having a central location for configuration rulesets, network configuration, policy enforcement and metrics, provides an added benefit to the design. Since this solution can be deployed to multiple regions, having a central location to monitor the environments is critical to the operations of the business.
The Customer's IaC tool of choice was Terraform. WWT architects and engineers built the Terraform code that lays out the underlying AWS infrastructure, customized to the Customer's requirements: the VPCs, subnets, route tables, security groups, site-to-site VPNs, the Transit Gateway, and the VPC and VPN attachments.
The ISV automation required more development, resulting in custom-built Terraform modules that bootstrap the PA firewalls and interact with the Panorama instance to auto-configure the launched firewalls.
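The route-table separation described in the architecture section (spoke VPCs that can only reach the firewall, firewalls that reach every spoke, and a BGP VPN attachment so the firewall pair can advertise routes and share load over ECMP) is the part of the Terraform build that does the security work. The block below is an added example written for this article; it is not WWT's or the Customer's code. It collapses the design to one inspection VPC with two firewalls, assumes the spoke and security VPCs, their subnets and the firewalls' public (untrust) addresses already exist and are passed in as variables, and uses the standard `aws` provider resources for Transit Gateway, attachments, route tables and VPN connections.

```hcl
# Added example, not the engagement's code. Inputs are assumed to be supplied
# from existing VPC/firewall resources (IDs and addresses below are placeholders).
variable "region"               { default = "us-east-1" }
variable "spoke_vpc_ids"        { type = map(string) }        # { vpc1 = "vpc-...", vpc2 = "vpc-..." }
variable "spoke_subnet_ids"     { type = map(list(string)) }  # one subnet per AZ per spoke
variable "security_vpc_id"      { type = string }
variable "security_subnet_ids"  { type = list(string) }
variable "firewall_untrust_ips" { type = map(string) }        # { fw1 = "203.0.113.10", fw2 = "203.0.113.11" }
variable "firewall_bgp_asn"     { default = 65001 }

provider "aws" { region = var.region }

resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512
  default_route_table_association = "disable" # every attachment is placed explicitly
  default_route_table_propagation = "disable" # no implicit spoke-to-spoke reachability
  vpn_ecmp_support                = "enable"  # both firewall tunnels carry traffic
  tags = { Name = "tgw-hub" }
}

# Two functional domains: spokes see only what the firewall advertises;
# the security domain sees every spoke CIDR.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags = { Name = "rt-spoke" }
}
resource "aws_ec2_transit_gateway_route_table" "security" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags = { Name = "rt-security" }
}

# Spoke VPC attachments (static routing only, as noted in the design).
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spoke_vpc_ids
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value
  subnet_ids         = var.spoke_subnet_ids[each.key]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags = { Name = "att-${each.key}" }
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
# Spoke CIDRs propagate only into the security table, never into the spoke
# table, so VPC1 -> VPC2 has no direct path and must traverse the firewall.
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_security" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}

# Management-plane attachment for the security VPC.
resource "aws_ec2_transit_gateway_vpc_attachment" "security_mgmt" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.security_vpc_id
  subnet_ids         = var.security_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags = { Name = "att-security-mgmt" }
}
resource "aws_ec2_transit_gateway_route_table_association" "security_mgmt" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security_mgmt.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}

# Data-plane: one BGP VPN attachment per firewall. The firewalls advertise
# 0.0.0.0/0 over BGP; propagating those attachments into the spoke table gives
# every spoke a firewall-only default route with ECMP across both firewalls.
resource "aws_customer_gateway" "firewall" {
  for_each   = var.firewall_untrust_ips
  bgp_asn    = var.firewall_bgp_asn
  ip_address = each.value
  type       = "ipsec.1"
  tags = { Name = "cgw-${each.key}" }
}
resource "aws_vpn_connection" "firewall" {
  for_each            = aws_customer_gateway.firewall
  customer_gateway_id = each.value.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
  static_routes_only  = false # dynamic (BGP) routing, as the design requires
}
resource "aws_ec2_transit_gateway_route_table_association" "firewall_vpn" {
  for_each                       = aws_vpn_connection.firewall
  transit_gateway_attachment_id  = each.value.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "firewall_to_spoke" {
  for_each                       = aws_vpn_connection.firewall
  transit_gateway_attachment_id  = each.value.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
```

The check worth running after `terraform apply` is on the route tables themselves: the spoke table should contain only routes learned from the two VPN attachments (the firewalls' default route), and no spoke CIDR, while the security table should contain every spoke CIDR. If a spoke CIDR ever appears in the spoke table, an attachment has been propagated into the wrong domain and East-West traffic will bypass inspection.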
The Customer realized the following benefits as a result of this successful engagement with WWT:
With the network redesign and security domains deployed, the customer now has the ability to detect advanced threats and centrally manage all components of the security environment.
The automation using Terraform allows the Customer to deploy future applications with more confidence, since they now have greater visibility into the applications and how they interact with the environment, from both a security and a networking standpoint.
Reliability and Performance Efficiency
Adoption of DevOps principles along with heavily utilizing automation and IaC, allows the Customer to expand into other regions rapidly and efficiently as their business grows and they introduce new applications and features to their end-users.
With the modernization of their core network infrastructure and the move away from the legacy Transit VPC architecture, the Customer attained improved performance, less complexity, and a large reduction in cost from deploying fewer firewalls.
AWS is an ever-evolving platform. New technologies are introduced at a very rapid pace, focused on new products or improving efficiencies for customers. Such a rapid pace of change should lead to regular introspection by organizations to evolve along with AWS. WWT is here to help our customers get a handle on all the rapid changes and how to best incorporate them into their environment to maximize the benefits of being in the AWS Cloud.