PaloAltoNetworks / aws-elb-autoscaling

Auto Scaling VM-Series firewalls in AWS
http://live.paloaltonetworks.com/cloudtemplate

Question about traffic initiated from the web server #17

Open vincentcabosart opened 6 years ago

vincentcabosart commented 6 years ago

Hello,

In the routing table of the VPC created by the application template (pan_aws_nlb_vpc-2.0.template) the routing table shows a default route pointing to the IGW of the VPC. It means that traffic initiated from the web server in the VPC will not go through the autoscaling cluster of firewalls deployed by the firewall-v2.0.template. Is this correct? If yes, it means that outgoing traffic is not protected (data exfiltration or connections to known malicious URLs etc)?

Thank you.

narayan-iyengar commented 6 years ago

Yes. That is by design. The solution's primary use case is inbound protection. For outbound and inter-VPC traffic we recommend using the Transit VPC.

Mainly 'cause scaling requirements for inbound and outbound are different and we don't want to inundate the inbound firewalls with outbound or inter-VPC traffic.

-- Thanks, /narayan

originalwarby commented 6 years ago

Our Transit VPC solution (for inter VPC and outbound security) is published here: https://github.com/PaloAltoNetworks/aws-transit-vpc

Light board video if you're interested is here: https://www.paloaltonetworks.com/resources/videos/firewall-services-vpc-integration

HTH

vincentcabosart commented 6 years ago

Thank you, this is clear. I'm indeed trying to "merge" the autoscaling VPC design (made of an autoscaling firewall VPC and a web application VPC) and the transit VPC design (made of a transit VPC and a subscriber VPC), so that the web application VPC also becomes a subscriber VPC and you have 3 VPCs in total: the autoscaling VPC northbound, the application VPC = subscriber VPC, and the transit VPC southbound. So, if I want to protect the traffic initiated from the web server in the VPC created by the application template (pan_aws_nlb_vpc-2.0.template), it means that I need to change the default route and make it point to a transit VPC (and this VPC, pan_aws_nlb_vpc-2.0.template, in fact becomes a subscriber VPC) instead of pointing to the IGW. But when the default route of the route table containing the web server does not point to the IGW (and points to the transit VPC instead), traffic initiated from outside to reach the web server via the autoscaling firewalls is blackholed. How can I avoid this?
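An added audit check (not code from this repository or thread) for the routing point discussed above: it parses the JSON shape returned by `aws ec2 describe-route-tables` and reports, per subnet, whether the active default route hands traffic straight to an internet gateway (uninspected, as in the application template) or to a VGW/TGW path toward a transit VPC. The route-table data, subnet and gateway IDs below are constructed for the example.

```python
import json
# Constructed sample in the shape of `aws ec2 describe-route-tables` output; IDs are not real.
SAMPLE = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-web-constructed",   # application VPC: default route -> IGW
     "Associations": [{"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-web-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0constructed", "State": "active"}]},
    {"RouteTableId": "rtb-sub-constructed",   # subscriber VPC: default route -> VGW toward transit VPC
     "Associations": [{"SubnetId": "subnet-sub-a"}],
     "Routes": [
         {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0constructed", "State": "active"}]},
    {"RouteTableId": "rtb-iso-constructed",   # isolated subnet: no default route at all
     "Associations": [{"SubnetId": "subnet-iso-a"}],
     "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"}]},
]})

def classify_egress(route_table):
    """Return how this route table's active default route leaves the VPC."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        gw = r.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "direct-igw"   # bypasses the firewalls: outbound is uninspected
        if gw.startswith("vgw-") or r.get("TransitGatewayId"):
            return "transit"      # handed to a VGW/TGW path, e.g. toward a transit VPC
        if r.get("NatGatewayId"):
            return "nat"          # still internet-bound; audit the NAT subnet's own table
        return "other"            # ENI, peering connection, etc.
    return "none"                 # no default route: no internet egress from here

def audit(describe_json):
    """Map each subnet associated with a route table to its egress class."""
    result = {}
    for rt in json.loads(describe_json)["RouteTables"]:
        cls = classify_egress(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = cls
    return result

def uninspected_subnets(describe_json):
    """Subnets whose outbound traffic never touches an inspection path (the finding)."""
    return sorted(s for s, c in audit(describe_json).items() if c == "direct-igw")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Feed it real output from `aws ec2 describe-route-tables --output json` to list the subnets whose egress still bypasses the transit VPC after the default route change.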

originalwarby commented 6 years ago

It won't be black-holed. Have a look at my response to you in the transit-vpc repo.