Cloud NGFW Integration with AWS Cloud WAN

Table of Contents

Cloud NGFW for AWS Distributed Deployments

Cloud NGFW Integration with AWS Cloud WAN

Integrate Cloud NGFW with AWS Cloud WAN.

Where Can I Use This?	What Do I Need?
Cloud NGFW for AWS	Cloud NGFW subscription Palo Alto Networks Customer Support Account (CSP) AWS Marketplace account User role (either tenant or administrator)

AWS Cloud WAN is a managed wide area networking (WAN) service that enables you to build a unified network that interconnects cloud and on-premises environments. It provides a centralized dashboard to connect on-premises, branch offices, data centers, and Amazon Virtual Private Clouds (VPCs) across the AWS global network and even other cloud providers.

Cloud WAN helps with connectivity within AWS through the AWS Network Manager, an interface which centrally manages your global network. A global network is a single private network that acts as the root-level container for your network objects and can contain both transit gateways and a core network. The core network consists of network policies, attachments such as VPCs, and transit gateway route tables.

You can map these VPCs to segments in the core network. These segments are connected using attachments such as VPC attachment or transit gateway route table attachments. The built-in segmentation helps you to maintain network isolation across AWS and on-premises environments. Each segment creates a dedicated routing domain. You can create multiple network segments within your global network. Cloud WAN restricts AWS resources to communicate within the segment. In nutshell, Cloud WAN allows you to route traffic between:

VPCs in the same segment and in the same region (isolated attachments).
VPCs in different segments of the same region.
VPCs in the same segment across different regions (isolated attachments).
VPCs in different segments across different regions.

Considerations before deploying the AWS Cloud WAN:

Peering between transit gateways and Cloud WAN is supported in the same region, and not across regions.
For use cases that require AWS site-to-site VPN connections over Direct Connect using private IP addresses, ensure that you connect Cloud WAN with a transit gateway.
While deploying Cloud WAN along with transit gateways, ensure that the transit gateway ASN is different from the ASN used for Cloud WAN’s core network edges.
While creating the core network, ensure that you add all the regions your VPCs are configured to, in the edge locations section under core network policy settings. You also need to create segments and add the type of segment (dev, prod, management, or security) that these regions belong to, under the segment name.

AWS Cloud WAN can be deployed using two methods:

Federating transit gateways with Cloud WAN – In this method you replace statically created transit gateway peering connections with Cloud WAN. While federating transit gateways with Cloud WAN, you will need to register the transit gateways using the AWS Network Manager and create peering between the transit gateways and create attachments to the transit gateways, and then apply the Cloud WAN configuration.
Cloud WAN only – In this method Cloud WAN is used for all connectivity and transit gateways are removed.

Deploy the AWS Cloud WAN

Cloud WAN is the interconnection of VPCs and on-premises networks. Lets now dive deep on how to secure traffic interconnected with Cloud WAN using Palo Alto Networks Cloud NGFWs. Though Cloud WAN is a global construct, Palo Alto Networks recommends deploying Cloud NGFW in every AWS region it spans, to maintain a security posture with low latency, and optimized costs.

Cloud NGFW can be deployed in a centralized security VPC in every region. The security VPC can be directly connected to the cloud WAN security segment via attachment. The routing associated with the attachments and segments define how the traffic gets routed toward the Cloud NGFW resource for threat prevention. You can redirect traffic arriving from cloud attachments to security VPC, before forwarding to the destination. Cloud NGFW deployed within a region can now protect and secure.

East-West traffic with inter-region flows and intra-region flows
Inspect and secure outbound traffic flow
Inspect and secure traffic from on-premises and branch environment

Let us consider a use case where VPCs are in the same region (isolated attachments). To configure this setup, deploy the Cloud NGFW firewall within the security VPC. You can deploy the Cloud NGFW firewall in a security VPC, which is directly connected to a Cloud WAN or through a transit gateway with a Cloud WAN attachment.

To migrate completely off the transit gateway, you must connect your VPCs directly to the Cloud WAN.

Egress traffic from the production VPC is routed to the Cloud WAN, which is then routed to the security VPC for inspection and sent out through NAT gateway and internal gateway. In the reverse direction, traffic from the security VPC reaches the security segment and then based on the routing configuration, is sent to the VPC attachment.

To inspect traffic between VPCs in the same segment and the same region with AWS Cloud WAN(only) deployment, execute the following tasks:

Login to AWS Network Manager and Create global network.
Create a core network and core network policy.
Use the AWS Cloud WAN console to create a core network policy version following these tasks:
- Configure the network settings.
  - To edit a policy version, click Policy versions, select the required policy and click Edit. Make necessary changes and click Create Policy.
  - After the change set the state of the policy version changes to Ready to execute, execute the policy by clicking View or apply change set. Alternatively, click Compare policy version to view the JSON document.
- - Create network policy segments within your core network.
    While configuring policy versions, ensure that you add the applications – APP VPC 1 (10.1.0.0/16) and APP VPC 2(10.2.0.0/16) in the prod segment and the firewall, and security VPC (100.64.0.0/16) in the security segment.
  - Create segment sharing and segment route actions.
  - Create policy attachments.
    
    You choose to add tags such as the prod segment (value) to the segment (key). These tags are reflected only after you add the segments in the Cloud WAN.
Create an attachment.
- Use VPC or transit gateway route table as attachment type while creating an attachment.
- To ensure that the Cloud NGFW firewall can inspect traffic that is routed between VPC attachments, you must enable appliance mode on the VPC attachment for the security VPC containing the Cloud NGFW firewall.
Update VPC Route tables.
Now that the necessary Cloud WAN constructs are in place, the VPCs need to be adjusted to facilitate packet forwarding toward the core network. The application and firewall instances or the respective VPCs need to be tagged similar to that of the segment. Add specific tags to the attachment to match the attachment created during Create policy attachments. of step 2.

To enable communication between attachment VPCs and the Core network, VPC route tables need to be updated from the existing target transit gateway route to corresponding Core Network ARN as shown below.

Packet Walkthrough

The following steps describe a packet walkthrough when an EC2 instance in Application VPC 1 communicates with an EC2 instance in Application VPC 2:

When a client in APP VPC 1(10.1.0.0/16) starts a connection to a server in APP VPC 2 (10.2.0.0/16), it does a VPC (App Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target and the packet gets routed to the core network.
When the packet arrives at the core network, it does a prod segment route table lookup because APP VPC 1 is associated with the prod segment. The packet matches the default entry with security attachment as the target and the packet gets routed to security VPC.
When the packet arrives at the security VPC(100.64.0.0/16) attachment, it does a VPC (CWAN Subnet) route table lookup. The packet matches the default route with firewall endpoint 1 as the target and the packet gets routed to a firewall, through the firewall’s endpoint, for inspection.
The firewall inspects the traffic, compares it to its security policy, and allows it through. The firewall routes the packet back to the firewall’s endpoint, where it does a VPC (Firewall Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target, and the packet gets routed to the Core Network.
When the packet arrives at the core network, it does a shared security route table lookup because the security VPC is associated with the security segment. The packet matches the APP VPC 2 CIDR(10.2.0.0/16) entry with APP VPC 2 attachment as the target and the packet gets routed to APP VPC 2.
When the packet arrives at APP VPC 2, it does a VPC (CWAN Subnet) route table lookup. The packet matches the VPC CIDR entry with local as the target and the packet gets routed to Instance.