AWS VPC subnet routes to central firewall

0

We have a small VPC with three subnets (WAN (public), LAN (private), DMZ (private)). I'm tasked with setting up a central firewall in the WAN subnet that monitors all traffic both to the outside world as well as the traffic between subnets.

My problem is monitoring the traffic between LAN and DMZ. I've associated each subnet with a routing table, directing all outbound traffic to the firewall, and this works fine. Unfortunately, AWS prevents me from adding routes for the traffic between the subnets. Adding routing rules 'inside' the VMs would only partially solve the problem, since LAN contains appliances that don't allow this kind of configuration. Also I feel this might cause more problems in the long run ... I think making WAN, LAN and DMZ each a VPC instead of a subnet might lead to a solution, but that seems to me a horrible misuse of VPCs.

What's the canonical AWS solution to this problem?

Edit 1: I'm trying to set up the classic 'three zones plus central firewall' network. The firewall is supposed to monitor and secure the traffic between the subnets and the individual instances and also from the outside. This includes:

  • Watch for unusual connections and report them. (i.e. the wiki has no business to access the hornetq server and any such connection could indicate that the wiki VM has been compromised)
  • Rate limit network traffic. (i.e. the database server is allowed to send reporting emails, but if it starts sending hundreds of emails per second, I'd like to get an alert)
  • Detect DDoS.
  • ... more security stuff ...

I'm not sure all of this can be done with AWS native methods, and the central firewall concept just feels more natural to me.

Edit 2: Crude and simplified diagram of the network setup

Network Security Groups and ACLs allow me to properly separate the subnets and control the connections between the instances. But I don't see the possibility to do advanced stuff (i.e. rate limiting, ...). My idea is to completely cut traffic between LAN/DMZ subnets and use a classic network configuration: Route all traffic over the firewall and let it decide what happens to it. Unfortunately the routing tables of a VPC don't allow me to route all traffic within the VPC (or a subnet thereof) to a central firewall. So the question is, how can I leverage AWS to get the traffic from my subnets to my firewall, so it can do its thing.

briconaut

Posted 2017-08-28T15:48:57.117

Reputation: 1

What are you trying to achieve? Monitoring is a solution, but we don't know the problem you're trying to solve. – Tim – 2017-08-29T20:32:27.537

I've edited my post to address your questions. – briconaut – 2017-08-30T08:22:08.397

I think a diagram would explain this better. From what I can tell, which isn't much, you're trying to intercept traffic between two networks that you're not part of. I think you may need to think in terms of layers, rather than centralization. – Tim – 2017-08-30T09:09:05.170

Second edit to address your questions, including a simple diagram. – briconaut – 2017-08-30T09:53:44.633

If the wiki can access the hornetq server now, then you already have a problem. Security groups allow very granular access control, better in many ways than a separate firewall. Additionally, it is impossible to forge, spoof, or sniff traffic from inside a compromised EC2 instance -- the network infrastructure is automatically smarter than that. Also, VPC traffic flow logs can identify unexpected traffic. VPC is not a LAN, and I would suggest that trying to treat it as one is an exercise in futility, and prone to introducing bottlenecks and single points of failure. – Michael - sqlbot – 2017-08-30T20:26:09.677

I'll have to check the traffic flow logs feature, it looks quite promising. – briconaut – 2017-09-01T08:04:22.473

I also agree with most of the rest of your assessment, but preventing an intrusion is just the first step. I'm tasked with making sure that after that happens (not /if/ that happens), the rest of the VPC is protected as well as possible. But most likely, as you indicate, applying this 'classical' architecture to a VPC is simply the wrong approach. In the end, selling a different design to management will be the real challenge. – briconaut – 2017-09-01T08:14:51.397
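The flow-log approach suggested in the comments above, worked through as an added example (not code from the thread or from AWS): it parses VPC Flow Log version-2 records, reports ACCEPTed flows that fall outside an expected-connections allow-list (the wiki-to-hornetq case), and raises a rate alert when one source opens too many SMTP connections in a capture window (the database-sending-hundreds-of-emails case). The private addresses, role names, ports and thresholds are constructed assumptions.

```python
"""Flag unexpected and high-rate flows in AWS VPC Flow Log version-2 records.
Added example, not code from the thread; hosts, roles and the allow-list are
constructed assumptions standing in for the wiki/hornetq/db setup described."""
from collections import Counter

# Default version-2 flow log field order (space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# Assumed private addresses for the roles mentioned in the question.
ROLES = {"10.0.2.10": "wiki", "10.0.1.20": "hornetq",
         "10.0.1.30": "db", "10.0.0.25": "smtp-relay"}
# Expected (source role, destination role, destination port) triples;
# an ACCEPTed flow outside this set is reported as unusual.
ALLOWED = {("wiki", "db", 5432), ("db", "smtp-relay", 25)}
SMTP_FLOWS_PER_WINDOW = 100  # assumed alert threshold per source per capture window


def parse_record(line):
    """Return a dict for one version-2 record, or None for malformed/NODATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records carry '-' fields
        return None
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines):
    """Return (list of unexpected flows, dict of SMTP rate alerts)."""
    unexpected, smtp = [], Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src, dst = ROLES.get(rec["srcaddr"]), ROLES.get(rec["dstaddr"])
        if src is None or dst is None:
            continue  # flows involving hosts outside the role map: out of scope here
        if (src, dst, rec["dstport"]) not in ALLOWED:
            unexpected.append((src, dst, rec["dstport"]))
        if rec["dstport"] == 25:
            smtp[(src, rec["start"])] += 1  # one record per 5-tuple => one SMTP connection
    return unexpected, {k: n for k, n in smtp.items() if n > SMTP_FLOWS_PER_WINDOW}


def sample_lines():
    """Constructed records: one wiki->db query, one wiki->hornetq probe, a NODATA
    record, and a burst of 120 db->relay SMTP connections in one 60 s window."""
    t = "1504000000 1504000060"
    lines = ["2 123456789012 eni-aaaa 10.0.2.10 10.0.1.30 44000 5432 6 10 1200 %s ACCEPT OK" % t,
             "2 123456789012 eni-aaaa 10.0.2.10 10.0.1.20 44001 5445 6 3 180 %s ACCEPT OK" % t,
             "2 123456789012 eni-bbbb - - - - - - - %s - NODATA" % t]
    return lines + ["2 123456789012 eni-cccc 10.0.1.30 10.0.0.25 %d 25 6 8 900 %s ACCEPT OK"
                    % (50000 + i, t) for i in range(120)]
```

Running `analyze(sample_lines())` reports the wiki-to-hornetq flow as unexpected and the database's 120 SMTP connections as a rate alert; on real data the lines would come from the CloudWatch Logs or S3 destination of the flow log.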

Answers

1

I'm not sure if it's possible in AWS. It's not how it'd typically be done.

I think you need to give up the idea of "central", that's what's holding you back. Think layers. I've done a very basic diagram below, it's pretty rough sorry.

A couple of other ways:

[image: diagram]

Tim

Posted 2017-08-28T15:48:57.117

Reputation: 529

The more I think about this, the more I tend to agree with your assessment. It'll be difficult to sell this to management and may even be a deal breaker w.r.t. AWS. – briconaut – 2017-08-31T06:44:02.713

Then your role here is probably to educate and influence, rather than to dictate or judge. There are a lot of great re:invent videos that give a lot of great information, I watched about 50 of them preparing for architect pro. This one might be suitable. If they still want a centralized firewall and monitoring device, you can likely find a way to do it in AWS, Azure, or Google, but it's an old pattern for an old type of deployment.

– Tim – 2017-08-31T08:10:09.453

0

AWS doesn't have an advanced firewall similar to a Palo Alto, etc. Instead they have implemented basic filtering via security groups that can control inbound and outbound traffic. Here you can set up filtering based on protocol, IP, etc. Additionally you can create a Network ACL which can be layered on top of security groups for finer-grained control of your data flows between subnets.

Google: AWS security groups vs network ACL

It sounds like you are looking for a more advanced firewall setup allowing for throttling of data flows, packet inspection, etc. In this case you'll need to set up a firewall server. At a minimum you'll need a firewall that sits on your three subnets (WAN, LAN, DMZ). The following provides a detailed example of what you are looking for.

https://campus.barracuda.com/product/nextgenfirewallf/article/NGF70/AWSRouteTableMutliNIC/

However I would highly recommend designing a highly available solution that uses multiple availability zones and load balancers. There are many solutions out there that provide resilient architectures.

Alexander Theodore

Posted 2017-08-28T15:48:57.117

Reputation: 1

Thank you, but this is the exact configuration I'm using right now. This is not enough for my superiors because traffic inside the subnets is not routed through the firewall. The concern here is that a compromised host in the DMZ might cause damage from the inside, without a firewall protecting the LAN. Since it's not possible to route traffic inside the VPC, I'm considering putting the firewall, the LAN and the DMZ each into a separate VPC. I think this way I can get the routing to work in the desired manner. An ugly solution, therefore I'm looking for a better way. – briconaut – 2017-08-30T12:12:54.527