Citrix has worked with Amazon Web Services (AWS) for nearly a decade, and we constantly see customers unlocking additional value from hybrid-cloud flexibility. Together, our focus is to help our joint customers on their hybrid-cloud journey, and today Citrix is pleased to share a new solution, validated together with AWS, that enhances firewall load balancing and intrusion detection services and leverages the new Amazon Virtual Private Cloud (Amazon VPC) ingress routing feature.
The Amazon VPC ingress routing enhancement is a new feature of Amazon VPC that will enable customers to redirect North-South traffic flowing in and out of a VPC through the internet gateway and virtual private gateway to third-party appliances.
As our customers move from on-premises deployments to cloud, they face new challenges. For example, infrastructure scaling for business apps becomes essential. However, traditional challenges remain, such as the need for common firewall security for traffic initiated both on-prem and in the cloud. This is usually accompanied by security requirements that lay out strict compliance rules like:
- Clients and servers are both on-prem and in the cloud.
- All traffic between locations must go through the firewall or inspection service.
- Network address translation (NAT) is not allowed for internal traffic to preserve access control list (ACL) policies within sites and between services. SMTP(S), (S)FTP must be supported internally.
- SNAT on the firewalls is required for internet traffic to servers in the services VPC for the servers to maintain affinity with the specific firewall instance handling the connection.
Before, each VPC needed to house individual banks of firewalls and load balancers. This solution makes it possible to consolidate firewalls and load balancers into a single service VPC for more efficient scalability and reduced complexity.
The guide below details how to create a basic firewall and inspection service infrastructure to provide security that is in line with on-prem deployments while maintaining the flexibility and scalability associated with a hybrid-cloud environment.
Because this solution matches the inspections required and provides the correct routing for traffic between on-prem data centers, AWS and the internet, customers can accelerate their journey to the cloud with confidence that their security compliance requirements are met.
Create a Basic Firewall and Inspection Service Infrastructure
This solution uses the MAC-mode vserver feature of Citrix ADC to load balance the firewalls. All firewalls and servers must be in the same availability zone as the VPX. This provides high scale (>1.5gbps) external and local connectivity to a bank of firewalls and servers running in the services VPC and supports the use of AWS Auto Scaling groups for both.
Another component to this solution is the new Amazon VPC ingress routing feature, which extends access to internet users for servers inside the service VPC.
The third, critical component of this solution is the two transit gateways and one Citrix ADC.
Each VPC has two subnets: subnet0 for egress and subnet1 for ingress.
To access servers in the service VPC, the firewalls must SNAT those connections. This ensures symmetry for traffic destined to servers in the VPC. The firewalls don’t otherwise SNAT passthrough connections (those not destined to servers in the Service VPC); this solution maintains firewall affinity for passthrough connections by asymmetrically routing traffic through the transit gateways.
The Source/Destination check needs to be disabled on all the ENIs of all the entities in the services VPC.
Transit Gateway (TGW1)
The Transit Gateway is an exceptionally fast, low-latency router service that connects VPCs and Direct Connect gateways from external locations. In this solution, the Transit Gateway (TGW1) routes traffic egress from the Direct Connect gateway or the Spoke VPCs to the Services VPC. TGW attachments should be made to one subnet per VPC or Direct Connect gateway.
Transit Gateway (TGW2)
This Transit Gateway (TGW2) routes traffic that has been secured/inspected by the Services VPC to the Direct Connect gateway or other Spoke VPCs. The attachments from TGW2 should be made to one subnet in each Spoke-VPC or Direct Connect gateway, with a corresponding static route to each CIDR block.
Route Table on VPC Ingress in Services VPC
The route table for VPC ingress traffic (from the internet) should have a route entry for 10.3.1.0/24 (subnet1) with the target ENI of the Northbound interface of the Citrix ADC.
Route Table on subnet0 in Services VPC
A unique route table for traffic coming to the Services VPC should be assigned to the subnet connecting TGW1 to subnet0 in the Services VPC. The route table for subnet0 should have one route entry for 0.0.0.0/0 with the target as the ENI of Citrix ADC VPX.
Route Table on subnet1 in Services VPC
A unique route table on subnet1 should have a route entry for 0.0.0.0/0 with the target as the ENI of the southbound interface of the Citrix ADC.
Route Table on subnet2 in Services VPC
A second and unique route table assigned exclusively to subnet2 should have a single route entry for 0.0.0.0/0 with the target TGW2. This ensures that all traffic egress from the FWs is routed to TGW2, which is responsible for returning traffic to individual VPCs or Direct Connect gateways.
Route Table on subnet0 of Spoke VPCs and Direct Connect Gateways’s
The route table on subnet0 of the Spoke VPCs and Direct Connect gateways should have a route entry for 0.0.0.0/0 with the gateway as TGW1.
Route Table on subnet0 of Spoke VPCs
The route table on subnet0 of the Spoke VPCs should have a route entry for 0.0.0.0/0 with the gateway as TGW1
Citrix ADC (NS1)
The Citrix ADC should be provisioned with multiple interfaces. (one each in subnet0 and subnet1). It should also have IPs added to each of the above ENIs, and these IPs should be added to the ADC as SNIPs.
A wildcard MAC-mode vserver needs to be configured on the ADC to pick up all traffic. This LB vserver should be bound to services pointing to all the firewalls.
enable ns mode L3
add service sfw1 <FW1> ANY * -usip YES -useproxyport NO
add service sfw2 <FW2> ANY * -usip YES -useproxyport NO
add lb vserver vs1 ANY * * -persistenceType NONE -lbMethod SRCIPDESTIPHASH -Listenpolicy "CLIENT.INTERFACE.ID.EQ(\"1/1\")" -Listenpriority 10 -m MAC -sessionless ENABLED -cltTimeout 120
bind lb vserver vs1 sfw1
bind lb vserver vs1 sfw2
Firewalls
The firewalls should be provisioned with multiple interfaces (one each in subnet1 & subnet2). This is not required though and can work on a single interface. The default route must be to the subnet1 VPC gateway. It must also be configured to support asymmetric traffic flows, as all internal traffic (that is both TCP SYN and TCP SYN ACK) enter on the subnet1 interface. The firewalls must also SNAT traffic to all servers running in the Services VPC.
Example Linux Firewall policy:
sysctl -w net.ipv4.conf.all.rp_filter = 0
sysctl -w net.ipv4.conf.all.forwarding = 1
iptables -t nat -I POSTROUTING -s 0.0.0.0/0 -d 10.3.1.0/24 -j MASQUERADE
# Generated by iptables-save v1.6.1 on Fri Nov 1 21:55:41 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Nov 1 21:55:41 2019
# Generated by iptables-save v1.6.1 on Fri Nov 1 21:55:41 2019
*nat
:PREROUTING ACCEPT [247:8750]
:INPUT ACCEPT [203:6248]
:OUTPUT ACCEPT [9:1086]
:POSTROUTING ACCEPT [8:763]
-A POSTROUTING -d 10.3.1.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Nov 1 21:55:41 2019
Servers
Servers in the Services VPC do not require any configuration changes.
This new solution from Citrix takes full advantage of the Amazon VPC ingress features that enable you to control your traffic routing more easily and steer it through your security inspection devices of choice. The creation of a single Services VPC with Citrix ADC is an excellent way to control your security and, at the same time, take advantage of the scalability and flexibility of hybrid cloud.
Learn more about Amazon VPC Ingress and Citrix ADC.