PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License
14 stars 11 forks

Put subnets in order of traffic flow from transit gateway out to IGW and use a real world subnetting example and not a stupid /16 for 2 firewalls. #91

Open jollymahn opened 21 hours ago

jollymahn commented 21 hours ago

Is your feature request related to a problem?

It is a simplification of the networking and follows a logical path. It simplifies the understanding of the network traffic flow and lends itself to a simpler explanation. It keeps the networks consistent across AZ paths. Additionally, it lends itself to search-and-replace of the networks and of the firewall security policy for the health probes and management access.

*** also adds all AZs for GWLB interfaces

Describe the solution you'd like

Traffic flow through the security vpc

TGW >>> Subnet 0 TGW-ATTACH -> Endpoint subnet (Subnet 1 or 2) -> Subnet 3 GWLB -> Subnet 4 Firewall -> Subnet 5 MGMT -> Subnet 6 Public Subnet -> (and/or) Subnet 7 NATGW

vpcs = {
  security_vpc = {
    name = "security-vpc"
    cidr = "10.253.0.0/22"
    subnets = {
      # Value of nacl must match key of objects stored in nacls
      # Subnet 0 TGW-ATTACH
      "10.253.0.0/28" = { az = "us-west-2a", subnet_group = "tgw_attach" }
      "10.253.1.0/28" = { az = "us-west-2b", subnet_group = "tgw_attach" }
      "10.253.2.0/28" = { az = "us-west-2c", subnet_group = "tgw_attach" }
      # Subnet 1 OUTBOUND (GWLB endpoints)
      "10.253.0.16/28" = { az = "us-west-2a", subnet_group = "gwlbe_outbound" }
      "10.253.1.16/28" = { az = "us-west-2b", subnet_group = "gwlbe_outbound" }
      "10.253.2.16/28" = { az = "us-west-2c", subnet_group = "gwlbe_outbound" }
      # Subnet 2 EAST-WEST (GWLB endpoints)
      "10.253.0.32/28" = { az = "us-west-2a", subnet_group = "gwlbe_eastwest" }
      "10.253.1.32/28" = { az = "us-west-2b", subnet_group = "gwlbe_eastwest" }
      "10.253.2.32/28" = { az = "us-west-2c", subnet_group = "gwlbe_eastwest" }
      # Subnet 3 GWLB (all four AZs, so the GWLB has an interface in every AZ)
      "10.253.0.48/28" = { az = "us-west-2a", subnet_group = "gwlb" }
      "10.253.1.48/28" = { az = "us-west-2b", subnet_group = "gwlb" }
      "10.253.2.48/28" = { az = "us-west-2c", subnet_group = "gwlb" }
      "10.253.3.48/28" = { az = "us-west-2d", subnet_group = "gwlb" }
      # Subnet 4 DATA-PLANE-TRUST-PRIVATE
      "10.253.0.64/28" = { az = "us-west-2a", subnet_group = "private", nacl = "trusted_path_monitoring" }
      "10.253.1.64/28" = { az = "us-west-2b", subnet_group = "private", nacl = "trusted_path_monitoring" }
      "10.253.2.64/28" = { az = "us-west-2c", subnet_group = "private", nacl = "trusted_path_monitoring" }
      # Subnet 5 MANAGEMENT
      "10.253.0.80/28" = { az = "us-west-2a", subnet_group = "mgmt" }
      "10.253.1.80/28" = { az = "us-west-2b", subnet_group = "mgmt" }
      "10.253.2.80/28" = { az = "us-west-2c", subnet_group = "mgmt" }
      # Subnet 6 PUBLIC-UNTRUST
      "10.253.0.96/28" = { az = "us-west-2a", subnet_group = "public" }
      "10.253.1.96/28" = { az = "us-west-2b", subnet_group = "public" }
      "10.253.2.96/28" = { az = "us-west-2c", subnet_group = "public" }
    }
  }
}

Updated security groups also.

security_groups = {
  vmseries_private = {
    name = "vmseries_private"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      geneve = {
        description = "Permit GENEVE to GWLB subnets"
        type = "ingress", from_port = "6081", to_port = "6081", protocol = "udp"
        cidr_blocks = ["10.253.0.48/28", "10.253.1.48/28", "10.253.2.48/28", "10.253.3.48/28"]
      }
      health_probe = {
        description = "Permit Port 80 Health Probe to GWLB subnets"
        type = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
        cidr_blocks = ["10.253.0.48/28", "10.253.1.48/28", "10.253.2.48/28", "10.253.3.48/28"]
      }
    }
  }
  vmseries_mgmt = {
    name = "vmseries_mgmt"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      https = {
        description = "Permit HTTPS"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      ssh = {
        description = "Permit SSH"
        type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      panorama_mgt = {
        description = "Permit Panorama mgt"
        type = "ingress", from_port = "3978", to_port = "3978", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"]
      }
    }
  }
  vmseries_public = {
    name = "vmseries_public"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      ssh = {
        description = "Permit SSH"
        type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      https = {
        description = "Permit HTTPS"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      http = {
        description = "Permit HTTP"
        type = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
    }
  }
}

Describe alternatives you've considered.

This is the way.

Additional context

The public facing documentation using a /16 for 2 firewalls is a ridiculous example of exactly what NOT to do. We can do better. Provide a straightforward, real-world example that can be immediately applied, adhering to networking best practices that are easy to follow and understand.
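The addressing scheme proposed in this issue (one /24 slice of the /22 per AZ, every subnet group at the same /28 offset in each slice, offsets in traffic-flow order) can be generated and checked mechanically rather than typed by hand. The following is an added Python example written for this page; it is not code from the issue author or from the terraform-aws-swfw-modules project. It assumes the `subnet_group` names and the `nacl = "trusted_path_monitoring"` tag used above, and that the 4th AZ is only needed for the `gwlb` group. It renders the `subnets = { ... }` body for the module's `vpcs` variable, returns the GWLB CIDRs for the GENEVE and health-probe security-group rules, and flags subnets that fall outside the VPC, overlap, or break the per-AZ offset consistency that makes search-and-replace of the scheme safe:

```python
"""Generate and sanity-check a /28-per-subnet plan for a security VPC.

Added example, not code from the issue or from terraform-aws-swfw-modules.
Assumptions: each AZ gets one /24 slice of the VPC /22, and every subnet group
sits at the same /28 offset inside each AZ slice, in traffic-flow order.
subnet_group names and the nacl tag on "private" are the ones used in the issue.
"""
import ipaddress

# Subnet groups in traffic-flow order (TGW attach -> GWLB endpoints -> GWLB ->
# firewall data plane -> management -> public). List position == /28 offset in the AZ slice.
FLOW_ORDER = [
    ("tgw_attach",     {}),
    ("gwlbe_outbound", {}),
    ("gwlbe_eastwest", {}),
    ("gwlb",           {}),
    ("private",        {"nacl": "trusted_path_monitoring"}),
    ("mgmt",           {}),
    ("public",         {}),
]


def plan_subnets(vpc_cidr, azs, default_az_count=None, group_az_count=None,
                 az_prefix=24, subnet_prefix=28):
    """Return {cidr: {"az": ..., "subnet_group": ..., ...}} for the VPC.

    azs: ordered AZ list; AZ i gets the i-th /az_prefix slice of the VPC.
    default_az_count: how many AZs most groups use (e.g. 3 of the 4 listed).
    group_az_count: per-group override, e.g. {"gwlb": 4} to add a 4th AZ for the GWLB.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    default_az_count = len(azs) if default_az_count is None else default_az_count
    group_az_count = group_az_count or {}
    az_slices = list(vpc.subnets(new_prefix=az_prefix))
    if len(az_slices) < len(azs):
        raise ValueError(f"{vpc} only holds {len(az_slices)} /{az_prefix} AZ slices")
    plan = {}
    for offset, (group, attrs) in enumerate(FLOW_ORDER):
        for j in range(group_az_count.get(group, default_az_count)):
            blocks = list(az_slices[j].subnets(new_prefix=subnet_prefix))
            plan[str(blocks[offset])] = {"az": azs[j], "subnet_group": group, **attrs}
    return plan


def validate_plan(plan, vpc_cidr, az_prefix=24):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {c: ipaddress.ip_network(c) for c in plan}
    problems, cidrs = [], list(nets)
    for i, a in enumerate(cidrs):
        if not nets[a].subnet_of(vpc):
            problems.append(f"{a} is outside {vpc}")
        for b in cidrs[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    # A group must sit at the same offset in every AZ slice, with one subnet per (group, AZ).
    offsets, seen = {}, set()
    for c, attrs in plan.items():
        az_slice = ipaddress.ip_network(f"{nets[c].network_address}/{az_prefix}", strict=False)
        offsets.setdefault(attrs["subnet_group"], set()).add(
            int(nets[c].network_address) - int(az_slice.network_address))
        key = (attrs["subnet_group"], attrs["az"])
        if key in seen:
            problems.append(f"duplicate subnet for {key}")
        seen.add(key)
    for group, offs in offsets.items():
        if len(offs) > 1:
            problems.append(f"{group} uses different offsets across AZs: {sorted(offs)}")
    return problems


def group_cidrs(plan, group):
    """Sorted CIDRs of one subnet_group, e.g. the GWLB subnets for the GENEVE / health-probe rules."""
    return [str(n) for n in sorted(ipaddress.ip_network(c) for c, a in plan.items()
                                   if a["subnet_group"] == group)]


def to_hcl(plan, indent="      "):
    """Render the plan as the `subnets = { ... }` body of the module's vpcs variable."""
    lines = []
    for group, _ in FLOW_ORDER:
        lines.append(f"{indent}# {group}")
        for c in group_cidrs(plan, group):
            body = ", ".join(f'{k} = "{v}"' for k, v in plan[c].items())
            lines.append(f'{indent}"{c}" = {{ {body} }}')
    return "\n".join(lines)


if __name__ == "__main__":
    azs = ["us-west-2a", "us-west-2b", "us-west-2c", "us-west-2d"]
    plan = plan_subnets("10.253.0.0/22", azs, default_az_count=3, group_az_count={"gwlb": 4})
    print(to_hcl(plan))
    print("problems:", validate_plan(plan, "10.253.0.0/22") or "none")
    print("geneve/health-probe cidr_blocks =", group_cidrs(plan, "gwlb"))
```

Running it with the /22 and AZs from the issue reproduces the 22 subnets listed above (7 groups in three AZs plus the 4th-AZ GWLB subnet); feeding it a different /22 or a 4-AZ default regenerates both the subnet map and the GWLB `cidr_blocks` list together, which is the search-and-replace property the issue asks for.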

seanyoungberg commented 3 hours ago

Agreed it would be nice to have sane defaults of /22 for security VPC and /28 for subnets. And some logic on the IP scheme to match the flow of traffic makes sense to me also