Tuesday, May 26, 2026

Building a Scalable Security Architecture on AWS with Cisco Secure Firewall and AWS Transit Gateway


Comprehensive cloud support is essential when agile and efficient security at scale is required. With Cisco Secure Firewall Threat Defense 7.1, we have added support for the AWS Gateway Load Balancer (GWLB) to deliver simple, agile, and efficient security in the cloud. This integration simplifies insertion of Cisco Secure Firewall in AWS by using Geneve protocol (RFC 8926) encapsulation. It makes architectures more scalable, in part by removing the need for source network address translation (SNAT) in the traffic path: with classic load-balancer insertion, SNAT is what forces return traffic back through the same firewall, whereas the GWLB keeps a flow pinned to one appliance and identifies the originating endpoint in the encapsulation header itself. Let's consider a few common use cases where this new capability makes a difference.

Use-case: Ingress and Egress traffic inspection

Figure 1 below shows a scalable architecture for protecting ingress traffic using Cisco Secure Firewall and AWS Gateway Load Balancer. This architecture recommends creating an appliance VPC with an AWS Gateway Load Balancer and Cisco Secure Firewall virtual appliances in the backend pool (target group) of the gateway load balancer. The gateway load balancer talks to these firewalls using Geneve encapsulation, which eliminates the need for SNAT: the original IP packet is carried unchanged inside the tunnel, and each Geneve header carries the virtual network identifier (VNI) together with GWLB metadata identifying the originating endpoint and flow, so the firewall returns the inspected packet as-is and the GWLB delivers it back through the correct endpoint without any address rewriting.

An Internet user sends traffic destined for the elastic IP address of a workload. The traffic hits the Internet gateway and is then redirected to the AWS Gateway Load Balancer Endpoint (GWLBe) by the route table associated with the Internet gateway. The GWLBe sends the traffic to the GWLB, and then to the firewall for inspection. Following inspection, the packet is forwarded to the destination workload via the GWLBe.

  • Ingress Traffic Flow:
    User -> IGW -> GWLBe -> GWLB -> Secure Firewall -> GWLB -> GWLBe -> Workload
Figure 1: Centralized AWS Gateway Load Balancer deployment (ingress traffic flow)
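To make the "no SNAT" point concrete, here is a small Python model of the Geneve exchange between the GWLB and a single-arm firewall. It is an added example written for this page, not code from the original post or from Cisco or AWS. It builds a Geneve packet (RFC 8926 header plus TLV options) around a constructed IPv4/TCP packet, has the firewall decapsulate it, apply a policy on the inner 5-tuple, and re-encapsulate the untouched inner packet under the original Geneve header. The AWS option class (0x0108) and option types (1 endpoint ID, 2 attachment ID, 3 flow cookie) follow the AWS GWLB documentation but are an assumption to verify against the current docs; the addresses, IDs and the VNI value are constructed samples.

```python
import ipaddress
import struct

GENEVE_UDP_PORT = 6081   # Geneve transport port (RFC 8926); informational here
ETHERTYPE_IPV4 = 0x0800  # inner payload is a raw IPv4 packet
# AWS GWLB TLV option class/types (assumption: check the current AWS docs).
AWS_OPT_CLASS = 0x0108
OPT_GWLBE_ENI_ID = 1     # 8 bytes: which GWLB endpoint the packet entered through
OPT_ATTACHMENT_ID = 2    # 8 bytes: customer-visible attachment ID
OPT_FLOW_COOKIE = 3      # 4 bytes: flow identifier used for symmetric return


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport):
    """Constructed IPv4 + TCP SYN (TCP checksum left zero; enough for a demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def five_tuple(ip_pkt):
    """(src, dst, proto, sport, dport) of an IPv4 packet carrying TCP/UDP."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(ip_pkt[12:16]))
    dst = str(ipaddress.IPv4Address(ip_pkt[16:20]))
    sport, dport = struct.unpack("!HH", ip_pkt[ihl:ihl + 4])
    return (src, dst, ip_pkt[9], sport, dport)


def geneve_option(opt_class, opt_type, data):
    """Geneve TLV option: class(16) | type(8) | rsvd(3)+length(5) in 4-byte words."""
    if len(data) % 4:
        raise ValueError("option data must be a multiple of 4 bytes")
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def build_geneve(vni, options, inner):
    """Geneve header: ver(2)|optlen(6), O|C|rsvd(6), proto(16), VNI(24), rsvd(8)."""
    opts = b"".join(options)
    first = (0 << 6) | (len(opts) // 4)
    hdr = struct.pack("!BBH", first, 0x00, ETHERTYPE_IPV4) + struct.pack("!I", vni << 8)
    return hdr + opts + inner


def parse_geneve(pkt):
    first, flags, proto = struct.unpack("!BBH", pkt[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    opt_len = (first & 0x3F) * 4
    vni = struct.unpack("!I", pkt[4:8])[0] >> 8
    options, pos, end = {}, 8, 8 + opt_len
    while pos < end:
        cls, typ, ln = struct.unpack("!HBB", pkt[pos:pos + 4])
        ln = (ln & 0x1F) * 4
        options[(cls, typ & 0x7F)] = pkt[pos + 4:pos + 4 + ln]  # top bit of type = critical flag
        pos += 4 + ln
    return {"vni": vni, "proto": proto, "header": pkt[:end],
            "options": options, "inner": pkt[end:]}


def firewall_inspect(pkt, allow):
    """Single-arm appliance: decapsulate, decide on the inner 5-tuple, and send the
    packet back under the ORIGINAL Geneve header (VNI + AWS options) with the
    inner packet untouched. The GWLB uses the endpoint ID / flow cookie to hand
    it to the right endpoint, so the firewall never needs to SNAT."""
    parsed = parse_geneve(pkt)
    if parsed["proto"] != ETHERTYPE_IPV4 or not allow(five_tuple(parsed["inner"])):
        return None  # policy drop (or unsupported inner protocol)
    return parsed["header"] + parsed["inner"]


def allow_https_only(t):
    return t[2] == 6 and t[4] == 443


def demo():
    """Constructed sample: Internet client 198.51.100.7 -> workload 10.81.100.10:443."""
    options = [
        geneve_option(AWS_OPT_CLASS, OPT_GWLBE_ENI_ID, bytes.fromhex("0000000000abcdef")),
        geneve_option(AWS_OPT_CLASS, OPT_ATTACHMENT_ID, bytes.fromhex("00000000deadbeef")),
        geneve_option(AWS_OPT_CLASS, OPT_FLOW_COOKIE, bytes.fromhex("0a0b0c0d")),
    ]
    https = build_geneve(42, options, build_ipv4_tcp("198.51.100.7", "10.81.100.10", 51514, 443))
    ssh = build_geneve(42, options, build_ipv4_tcp("198.51.100.7", "10.81.100.10", 4000, 22))
    before, after = parse_geneve(https), parse_geneve(firewall_inspect(https, allow_https_only))
    return {
        "vni": after["vni"],
        "same_header": before["header"] == after["header"],
        "same_five_tuple": five_tuple(before["inner"]) == five_tuple(after["inner"]),
        "endpoint_id": after["options"][(AWS_OPT_CLASS, OPT_GWLBE_ENI_ID)].hex(),
        "ssh_dropped": firewall_inspect(ssh, allow_https_only) is None,
    }
```

The point of `firewall_inspect` is that the returned packet is byte-identical to what arrived, minus the drop decision: the firewall's own VTEP address never appears in the inner packet, which is exactly why the SNAT rule that a classic insertion needs disappears.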

 

Figure 2 shows a scalable architecture for protecting outbound traffic using Cisco Secure Firewall and AWS Gateway Load Balancer. In this Cisco Validated Design, we recommend creating an appliance VPC with a Gateway Load Balancer and Cisco Secure Firewalls in the backend pool of the gateway load balancer. The gateway load balancer talks to these firewalls using Geneve encapsulation.

The workload sends traffic to the Internet. Based on the route table of the workload subnet, the traffic is routed to the GWLBe. Once the traffic reaches the gateway load balancer endpoint, it is forwarded to the gateway load balancer in the appliance VPC. The gateway load balancer then forwards the traffic to Cisco Secure Firewall. Once inspection is complete, the firewall forwards the traffic back to the GWLB, which sends it back to the GWLBe; the route table of the GWLBe subnet then directs the traffic to the Internet gateway and on to the Internet.

  • Egress Traffic Flow:
    Workload -> GWLBe -> GWLB -> Secure Firewall -> GWLB -> GWLBe -> IGW -> Internet
Figure 2: Centralized AWS Gateway Load Balancer deployment (egress traffic flow)

 

IGW1-RT: This route table is associated with the Internet Gateway (IGW1) as an edge association, and contains a route for the application subnet (10.81.100.0/24) pointing to the gateway load balancer endpoint (GWLBEP1). Without this route, inbound traffic would go from the Internet gateway straight to the workload and never reach the firewall.

GWLBEPsubnet1-RT: This route table is associated with GWLBEPsubnet1 and has a default route pointing to the Internet Gateway (IGW1). Traffic for destinations inside the VPC follows the implicit local route, which is how inspected ingress traffic reaches the workload.

AppSubnet1-RT: This route table is associated with AppSubnet1 and has a default route pointing to the gateway load balancer endpoint (GWLBEP1).
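These three route tables are what make the insertion work, and getting any one of them wrong silently bypasses the firewall in one direction. The following Python model is an added example for this page, not part of the original post and not Cisco or AWS tooling. It encodes the tables as described above (the VPC CIDR 10.81.0.0/16, the workload address 10.81.100.10 and the Internet address 203.0.113.5 are assumptions and constructed samples), resolves each hop by longest-prefix match the way AWS routing does, and audits that both directions of a flow traverse the firewall. It also shows the most common mistake, an Internet gateway with no edge route table, and an application subnet whose default route points straight at the IGW.

```python
import ipaddress

# Assumptions for the model (not stated on the page): VPC CIDR and sample hosts.
VPC_CIDR = "10.81.0.0/16"
APP_SUBNET = "10.81.100.0/24"          # application subnet from the design

# Route tables as described in the design. VPC route tables carry an implicit
# "local" route for the VPC CIDR; the IGW edge route table does not.
DESIGN = {
    "IGW1-RT": [(APP_SUBNET, "GWLBEP1")],
    "GWLBEPsubnet1-RT": [(VPC_CIDR, "local"), ("0.0.0.0/0", "IGW1")],
    "AppSubnet1-RT": [(VPC_CIDR, "local"), ("0.0.0.0/0", "GWLBEP1")],
}

# Misconfiguration 1: nobody created the edge association on the IGW.
NO_EDGE_ROUTE = dict(DESIGN, **{"IGW1-RT": []})
# Misconfiguration 2: the app subnet's default route points at the IGW directly.
APP_DEFAULT_TO_IGW = dict(DESIGN, **{"AppSubnet1-RT": [(VPC_CIDR, "local"), ("0.0.0.0/0", "IGW1")]})

# Which route table each forwarding point consults.
ROUTE_TABLE_OF = {"IGW1": "IGW1-RT", "GWLBEP1": "GWLBEPsubnet1-RT", "Workload": "AppSubnet1-RT"}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, target) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables, origin, dst, max_hops=16):
    """Follow a packet hop by hop. origin is "Internet" (ingress) or "Workload" (egress)."""
    vpc = ipaddress.ip_network(VPC_CIDR)
    path = [origin]
    if origin == "Internet":
        path.append("IGW1")                  # inbound packets arrive at the Internet gateway
    node, came_from = path[-1], None
    while len(path) < max_hops:
        if node == "IGW1" and came_from is not None:
            path.append("Internet")          # outbound: the IGW hands the packet to the Internet
            return path
        target = lookup(tables[ROUTE_TABLE_OF[node]], dst)
        if target is None or target == "local":
            # No edge route, or local delivery: straight to the destination host.
            path.append("Workload" if ipaddress.ip_address(dst) in vpc else "Internet")
            return path
        if target == "GWLBEP1":
            # Endpoint -> GWLB -> firewall -> GWLB -> endpoint; the endpoint
            # subnet's route table then decides the next hop.
            path += ["GWLBEP1", "GWLB", "Secure Firewall", "GWLB", "GWLBEP1"]
            node, came_from = "GWLBEP1", "GWLB"
            continue
        path.append(target)
        node, came_from = target, node
    raise RuntimeError("no terminal hop within %d hops: %s" % (max_hops, path))


def inspected(path):
    return "Secure Firewall" in path


def audit(tables, workload_ip="10.81.100.10", internet_ip="203.0.113.5"):
    """Check that both directions of a flow traverse the firewall (sample addresses)."""
    ingress = trace(tables, "Internet", workload_ip)
    egress = trace(tables, "Workload", internet_ip)
    return {"ingress": ingress, "egress": egress,
            "ingress_inspected": inspected(ingress), "egress_inspected": inspected(egress)}


if __name__ == "__main__":
    for name, tables in (("design", DESIGN), ("no edge route", NO_EDGE_ROUTE),
                         ("app default to IGW", APP_DEFAULT_TO_IGW)):
        r = audit(tables)
        print(name, "ingress:", " -> ".join(r["ingress"]), "| inspected:", r["ingress_inspected"])
        print(name, "egress: ", " -> ".join(r["egress"]), "| inspected:", r["egress_inspected"])
```

Run `audit` against the real tables (for example, dumped with `aws ec2 describe-route-tables` and fed in as (prefix, target) pairs) as a pre-change check: a path that does not contain the firewall in both directions is an insertion bypass, not just an asymmetry.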

Firewall Configuration:

  • Enable the firewall interface
  • Associate a security zone with the firewall interface

VNI Interface configuration:

  • Enable the VNI interface and give it a name
  • Create a security zone and associate it with the VNI interface
  • Enable AWS proxy (single-arm proxy) on the VNI interface, so the inspected packet is sent back out the same interface toward the GWLB
  • Enable the VTEP interface (the tunnel endpoint that terminates the Geneve encapsulation coming from the GWLB)

 

Use-case: Centralized deployment with AWS Transit Gateway (East/West traffic flow)

Figure 3 shows a centralized security deployment architecture. In this design, AWS Transit Gateway connects the application VPCs to the appliance VPC. The transit gateway receives traffic from an application VPC and forwards it to the GWLBe (endpoint) in the appliance VPC. The GWLBe sends the traffic to the GWLB, and the GWLB sends it to Cisco Secure Firewall. After firewall inspection, the traffic is forwarded back to the GWLB and then to the destination VPC via the transit gateway. Because the firewall is stateful, the appliance VPC's transit gateway attachment should have appliance mode enabled so that both directions of a flow are sent to the same availability zone and therefore reach the same firewall.

 

Figure 3: Centralized deployment with AWS Transit Gateway (east/west traffic flow)

 

Use-case: Centralized deployment with AWS Transit Gateway (east/west traffic flow from the data center)

Figure 4 shows the east/west traffic flow between the customer's data center and the appliance VPC.

Figure 4: Centralized deployment with AWS Transit Gateway (east/west traffic flow)

 

My next blog will be a deep dive on the architecture for a centralized deployment model with AWS Transit Gateway and Cisco Secure Firewall in AWS (Figure 3 and Figure 4). Stay tuned!

Additionally, Cisco announced that it will be supporting Secure Firewall as a Service on AWS. These enhancements are all part of our commitment to simplify security across hybrid and multicloud environments, harmonizing network, workload, and application security.

Additional resources

Cisco Secure Firewall for Public Cloud

Cisco Secure Firewall on AWS Marketplace

At-a-Glance: Cisco Secure Firewall

Blog Announcement: Cisco Secure Firewall as a Service on AWS


