Protection of on-premises sites with traffic only routed through TGW VPN -> Network Virtual Appliance -> Internet

1

We want to implement an architecture in which we connect different physical sites (10 on-premises locations) to the internet through a transit gateway, with inspection by a network virtual appliance (Sophos). This will also allow the physical locations to communicate with one another.

The idea is to have routers on premises that only send/receive traffic through the VPN connection, all other traffic is denied.

I want to know if this setup is secure in general. Though all traffic flows this way, will it be protected from, for example, DDoS attacks on premises? The AWS side of things can be protected by the firewall as well as maybe Shield Advanced, but what about the on-premises networks?

Is there a need to protect them as well, or is a MikroTik router with free updates, for example, enough, given that they are connected to the internet through public IPs?
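The question describes on-prem routers that exchange traffic only through the VPN and deny everything else. As an added illustration (not code from the question or either answer), the following Python model expresses that policy as a decision function the router would apply on its public, LAN and tunnel sides; the tunnel endpoint addresses and the router's public IP are constructed placeholders, and the interface names are an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholders, not values from the question: the outside IPs AWS
# assigns to the two tunnels of a Site-to-Site VPN, and the router's public IP.
AWS_TUNNEL_PEERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
ROUTER_WAN_IP = ip_address("198.51.100.7")
UDP, ESP = 17, 50
IPSEC_UDP_PORTS = {500, 4500}  # IKE and NAT-T; ESP is IP protocol 50

@dataclass(frozen=True)
class Packet:
    in_iface: str   # "wan", "lan", or "ipsec" (traffic decrypted from the tunnel)
    out_iface: str  # "local" (the router itself), "wan", "lan", or "ipsec"
    src: str
    dst: str
    proto: int
    dport: int = 0  # 0 for protocols without ports, such as ESP

def decide(pkt: Packet) -> str:
    """Return 'allow' or 'drop' for one packet seen by the on-prem router."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.in_iface == "wan":
        # Public side is default-deny: the router accepts only IPsec from the
        # two AWS tunnel endpoints and never forwards WAN traffic into the LAN.
        if pkt.out_iface != "local" or dst != ROUTER_WAN_IP or src not in AWS_TUNNEL_PEERS:
            return "drop"
        is_ike = pkt.proto == UDP and pkt.dport in IPSEC_UDP_PORTS
        return "allow" if pkt.proto == ESP or is_ike else "drop"
    if pkt.in_iface == "lan":
        # LAN hosts reach everything, the internet included, only via the tunnel,
        # so the appliance behind the TGW inspects every flow.
        return "allow" if pkt.out_iface == "ipsec" else "drop"
    if pkt.in_iface == "ipsec":
        # Return traffic and other sites' traffic arrive already inspected.
        return "allow" if pkt.out_iface == "lan" else "drop"
    return "drop"

def summarize(packets) -> dict:
    """Tally decisions. Dropped packets still consumed WAN bandwidth, so a
    volumetric flood at the router's public IP hurts even with nothing allowed."""
    counts = {"allow": 0, "drop": 0}
    for p in packets:
        counts[decide(p)] += 1
    return counts

if __name__ == "__main__":
    probe = Packet("wan", "local", "192.0.2.50", "198.51.100.7", 6, 22)  # internet SSH probe
    ike = Packet("wan", "local", "203.0.113.10", "198.51.100.7", UDP, 500)
    print(summarize([probe, ike]))  # {'allow': 1, 'drop': 1}
```

The `summarize` docstring carries the practical caveat: a strict policy keeps unsolicited traffic off the LAN, but the public IP of the router still receives whatever the internet sends it.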

2 Answers
0

As you said, on-premises traffic will come through the AWS VPN tunnel to AWS, then the TGW, then the Sophos filtering appliance, out to a NAT Gateway (you need it, or do NAT on Sophos itself), then out to the internet through the IGW.

On-prem host ---> On-prem router ---> VPN ---> TGW ---> Sophos appliance ---> NAT on Sophos or NAT Gateway ---> IGW ---> internet.com

In this scenario, the external-facing IP towards the internet will be either the Sophos EIP or the NAT Gateway EIP, which is an AWS IP and will be protected from DDoS attacks in general.

Also, VPN tunnels will be built between your on-prem device's public IP and the TGW VPN endpoints, so it will be protected with the Shield DDoS service as well.

In this traffic flow, there is no way an external party can DDoS on-prem. An external party only sees the AWS outgoing Elastic IP, and that's the only thing someone can attack.

Hope this helps.

answered a year ago
0

Hello re:Post-user-1802561, I have reviewed your query and have provided you with some important key points along with links to the AWS Documentation Site which is a provided resource for our customers to Deep Dive and obtain accurate data with explanations below.

  1. When it comes to VPN connections it is possible to configure security groups and Network Access Control Lists (NACLs) which will:

    a. Protect against DDoS attacks by adding AWS Shield and/or GuardDuty
    b. Specify allowed incoming/outgoing traffic

  2. By configuring subnets and route tables you will be able to permit public access to data that needs to be accessed publicly without accessibility to the private resources

  3. Upon reviewing the AWS shared responsibility model, I would recommend following the requirements of the organization in reference to the necessity of securing on-prem routers.

================== AWS Documentation Links ================

SITE-TO-SITE VPN: https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html#cgrequirements

TRANSIT GATEWAY: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html

SHIELD: https://aws.amazon.com/shield/?p=ft&c=sc&z=3

VPC SUBNETS + ROUTE TABLES: https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html

SHARED RESPONSIBILITY MODEL: https://aws.amazon.com/compliance/shared-responsibility-model/

AWS
answered 9 months ago
