Amazon Transit VPC with Traffic Sanitization
A significant proportion of organisations using the cloud face the task of implementing security controls between their users, both internal and external, and their cloud and on-premises workloads. These controls are primarily driven by security policies derived from state or industry regulatory requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and many others.
In some cases, one of the Amazon Web Services (AWS) network traffic controls, such as network access control lists (NACLs) or security groups, is sufficient. In other cases, a deeper level of control and regular auditing are required.
Although in constant and rapid evolution, the IT world often builds on proven traditional solutions and upgrades or refactors them with new tools, giving them a new edge. If you worked in the pre-cloud era, you have surely encountered the construct of a demilitarized zone (DMZ) controlled by firewalls. Our solution builds on that construct. In our case, however, the architecture is redesigned to apply to multi-cloud hybrid environments, and it is highly modular and flexible.
As shown in the solution overview diagram below, the focal point of our architecture is the transit Amazon Virtual Private Cloud (VPC) in the AWS Cloud. Our strategy is to implement a hub-and-spoke network topology that routes all traffic through the transit Amazon VPC, where the whole traffic sanitisation process takes place, as seen in the Transit Amazon VPC internals diagram.
Solution overview
The transit Amazon VPC can be connected via various connection technologies (AWS Direct Connect, AWS Site-to-Site Virtual Private Network (VPN), AWS Transit Gateway, etc.) to all major cloud providers' environments and to on-premises environments.
Transit VPC internals
Depending on the organisational needs, there is a wide scope of security features that can be implemented. The list below is composed of some of them:
In addition to the security features, seamless failover across Availability Zones, automated scaling, Infrastructure as Code (IaC) deployments with AWS CloudFormation or Terraform, and IPv4/IPv6 dual-stack capabilities make this system a long-term answer to many security headaches for most organisations.
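To make the hub-and-spoke routing and the IaC deployment concrete, the Terraform configuration below is an added example and not the author's or Alite's own code. It assumes the AWS Transit Gateway variant of the connectivity options named above: a hub Transit Gateway with an inspection (transit) VPC attachment and one attachment per spoke VPC. Spokes are placed in a route table whose only route sends everything to the inspection VPC, while the inspection route table learns the spoke prefixes by propagation so sanitised traffic can be returned. The region, the variable names (`inspection_vpc_id`, `spoke_vpcs`, `firewall_eni_id`, and so on) and every CIDR are constructed placeholders.

```hcl
# Added example, not from the original post: hub-and-spoke transit VPC built on
# AWS Transit Gateway. All names, variables and CIDRs are constructed placeholders.

provider "aws" {
  region = "eu-west-1" # assumption
}

variable "inspection_vpc_id" {}                  # assumed input: the transit/inspection VPC
variable "inspection_tgw_subnets" { type = list(string) }  # one TGW-attachment subnet per AZ
variable "inspection_tgw_route_table_id" {}      # route table of the TGW-attachment subnets
variable "inspection_firewall_route_table_id" {} # route table of the firewall subnets
variable "firewall_eni_id" {}                    # ENI of the firewall appliance (assumed)
variable "spoke_vpcs" {                          # name => { vpc_id, subnet_ids, route_table_id, cidr }
  type = map(object({
    vpc_id         = string
    subnet_ids     = list(string)
    route_table_id = string
    cidr           = string
  }))
}

# The hub. Default association/propagation are disabled so every attachment is
# placed in an explicit route table; spokes cannot reach each other directly.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "transit-vpc-hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Inspection VPC attachment. Appliance mode keeps both directions of a flow in
# the same AZ, so the stateful firewall sees the whole connection.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = var.inspection_vpc_id
  subnet_ids             = var.inspection_tgw_subnets
  appliance_mode_support = "enable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spoke_vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
}

# Route table for spokes: the only route points at the inspection VPC.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# Route table for the inspection VPC: learns spoke prefixes by propagation,
# so sanitised traffic can be returned to the right spoke.
resource "aws_ec2_transit_gateway_route_table" "inspection" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_to_inspection" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# Inside each spoke VPC: default route towards the Transit Gateway.
resource "aws_route" "spoke_to_tgw" {
  for_each               = var.spoke_vpcs
  route_table_id         = each.value.route_table_id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}

# Inside the inspection VPC: TGW-attachment subnets hand everything to the
# firewall ENI; firewall subnets send spoke prefixes back to the Transit Gateway.
resource "aws_route" "tgw_subnet_to_firewall" {
  route_table_id         = var.inspection_tgw_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = var.firewall_eni_id
}

resource "aws_route" "firewall_subnet_to_tgw" {
  for_each               = var.spoke_vpcs
  route_table_id         = var.inspection_firewall_route_table_id
  destination_cidr_block = each.value.cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
```

The check a practitioner wants after applying this is that the spoke route table contains only the default route to the inspection attachment and no propagated spoke prefixes: if a spoke prefix ever appears there, spoke-to-spoke traffic bypasses the firewall. Disabling the default association and propagation on the Transit Gateway is what makes that bypass impossible by accident rather than by policy.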
If you have any questions, feel free to send me an email on goce.stefkov@alite-international.com.
Copyright 2020 Alite International. All Rights Reserved