Network Inspection Design Patterns That Scale (NIS302)

Title: AWS re:Inforce 2024 - Network inspection design patterns that scale (NIS302)

Insights:

  • Introduction to Network Inspection Architectures: The session introduces advanced network inspection architectures and a significant customer case study involving AWS Network Firewall handling 10 terabits per second and hundreds of billions of daily connections.
  • Layered Security Approach: Emphasis on using a layered approach to security within AWS, starting from VPC security groups and network access control lists (NACLs) to more advanced services like AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall, and AWS Web Application Firewall.
  • Security Groups and NACLs: Security groups are stateful, so the return traffic of a connection they allow is permitted automatically; NACLs are stateless and therefore need explicit rules for both inbound and outbound traffic.
  • Scaling Beyond Security Groups and NACLs: For larger scale and deeper inspection needs, AWS Network Firewall and other advanced constructs are recommended.
  • AWS Network Firewall: A managed service that scales automatically with network traffic, integrates with AWS Firewall Manager, and supports logging to various destinations.
  • Gateway Load Balancer: Essential for deploying, scaling, and managing network virtual appliances, maintaining traffic transparency, and providing horizontal scaling and fault tolerance.
  • Third-Party Firewalls vs. AWS Network Firewall: AWS Network Firewall offers managed infrastructure, while third-party firewalls require customer management of the inspection VPC and scaling.
  • Design Patterns for Network Inspection: Various patterns for inspecting traffic within a VPC, between VPCs in the same region, across regions, and between VPCs and on-premises infrastructure.
  • Centralized vs. Distributed Deployment Models: Centralized models are recommended for east-west traffic inspection, while distributed models are suitable for ingress and egress inspection.
  • Egress Inspection: Options for placing AWS Network Firewall between EC2 instances and the internet gateway, considering routing configurations and maintaining original source IP visibility.
  • AWS Use Case: AWS itself uses Network Firewall to handle over 250 billion daily connections and 10 terabits per second of traffic, demonstrating the scalability and reliability of the service.
  • Orchestration and Observability: AWS Firewall Manager for centralized control; VPC Flow Logs, Transit Gateway Flow Logs, and VPC Traffic Mirroring for detailed traffic analysis; and VPC Reachability Analyzer for connectivity troubleshooting.
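The stateful-versus-stateless distinction in the Security Groups and NACLs insight, and the "absence of allow rules means implicit deny" point, are easiest to see on a concrete packet pair. The following is an added illustration written for this summary; it is not code from the talk or from AWS. It models a stateless filter (NACL-like) and a stateful filter (security-group-like) and runs the request and reply of one outbound HTTPS connection through each. All addresses, ports and rules are constructed sample values.

```python
"""Stateless (NACL-style) vs stateful (security-group-style) filtering.

Added illustration, not AWS code: shows why a stateless filter needs an
explicit inbound rule for return traffic while a stateful filter does not,
and that no matching allow rule means implicit deny in both models.
All IPs, ports and rules below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "inbound" or "outbound", relative to the protected host


@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int
    action: str  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return self.direction == pkt.direction and self.port_lo <= pkt.dst_port <= self.port_hi


class StatelessFilter:
    """NACL-style: each packet is judged on its own, first matching rule wins,
    no match means implicit deny. Nothing remembers the outbound request."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter:
    """Security-group-style: only allow rules exist, absence of an allow rule is
    implicit deny, and the reply to an allowed connection is admitted by the
    connection table rather than by a second rule."""

    def __init__(self, allow_rules: List[Rule]) -> None:
        self.rules = allow_rules
        self.connections: Set[Tuple[str, str, int, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        # A reply carries the original connection's 4-tuple mirrored.
        if (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port) in self.connections:
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                self.connections.add((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port))
                return "allow"
        return "deny"


def https_round_trip() -> Tuple[Packet, Packet]:
    """Constructed sample: host 10.0.1.10 opens HTTPS to 203.0.113.5 and gets a reply."""
    request = Packet("10.0.1.10", "203.0.113.5", 49152, 443, "outbound")
    reply = Packet("203.0.113.5", "10.0.1.10", 443, 49152, "inbound")
    return request, reply


def compare_filters() -> Dict[str, Tuple[str, str]]:
    """Run the same request/reply through four configurations and return
    (request verdict, reply verdict) for each."""
    request, reply = https_round_trip()
    allow_https_out = Rule("outbound", 443, 443, "allow")
    allow_ephemeral_in = Rule("inbound", 1024, 65535, "allow")

    results: Dict[str, Tuple[str, str]] = {}
    # 1. Stateless, outbound rule only: the reply has no rule to match and is dropped.
    f = StatelessFilter([allow_https_out])
    results["stateless_outbound_only"] = (f.evaluate(request), f.evaluate(reply))
    # 2. Stateless with an explicit inbound return-traffic rule: both halves pass.
    f = StatelessFilter([allow_https_out, allow_ephemeral_in])
    results["stateless_with_return_rule"] = (f.evaluate(request), f.evaluate(reply))
    # 3. Stateful, outbound rule only: the connection table admits the reply.
    g = StatefulFilter([allow_https_out])
    results["stateful_outbound_only"] = (g.evaluate(request), g.evaluate(reply))
    # 4. Stateful with no rules: implicit deny, so no connection state is ever created.
    g = StatefulFilter([])
    results["stateful_no_rules"] = (g.evaluate(request), g.evaluate(reply))
    return results


if __name__ == "__main__":
    for name, (req, rep) in compare_filters().items():
        print(f"{name:28s} request={req:5s} reply={rep}")
```

The second configuration is the reason NACLs in practice carry a broad inbound ephemeral-port allow: without it the stateless filter silently drops every reply, which is a common troubleshooting dead end when a security group on the same instance already permits the connection.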

Quotes:

  • "We'll also talk about a really cool customer case study where we're pushing 10 terabits per second and hundreds of billions of daily connections through AWS Network Firewall."
  • "Security, when you're dealing with security, it should be a layered approach."
  • "If you don't configure any allow rules, absence of allow rules means implicit deny."
  • "When it comes to network firewall, everything on the left-hand side, the spoke VPC where you want to inspect the traffic remains the same. It's the inspection VPC that we take over."
  • "We recommend this model for East-West traffic inspection, so VPC to VPC, between the region, within the region, or VPC to on-premises."
  • "With AWS network firewall, we can place AWS network firewall between the EC2 instance and the internet gateway."
  • "We were able to migrate more than 250 billion daily connections and over 10 terabits per second sustained traffic to AWS network firewall."
  • "AWS Firewall Manager allows you to control all of your firewall configurations through your AWS organization."
  • "VPC flow logs are enabled per VPC or per ENI and you can see metadata about the traffic traversing your VPC."
  • "With VPC traffic mirroring, you can actually replicate each and every packet that goes to that ENI and target another elastic network interface."
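The egress inspection insight above, and the quote about placing AWS Network Firewall between the EC2 instance and the internet gateway, hinge on routing: the protected subnet sends its default route to the firewall endpoint, the firewall subnet sends it on to the internet gateway, and the internet gateway's own route table must steer return traffic for the protected subnet back through the firewall endpoint, or the reply bypasses inspection. The following is an added illustration written for this summary, not AWS code: a longest-prefix-match lookup run over constructed route tables for a single-zone layout. The CIDRs and the next-hop names (`vpce-fw`, `igw`, `local`) are constructed placeholders.

```python
"""Egress inspection routing check for a firewall placed between a subnet
and the internet gateway.

Added illustration, not AWS code: longest-prefix-match route lookup over
constructed route tables, showing that the internet gateway route table
needs a route for the protected subnet's CIDR back to the firewall endpoint
so that both directions of a flow are inspected. All CIDRs and next-hop
names (vpce-fw, igw, local) are constructed placeholders.
"""
import ipaddress
from typing import Dict, List

RouteTable = Dict[str, str]  # destination CIDR -> next hop


def next_hop(table: RouteTable, dst_ip: str) -> str:
    """Pick the most specific matching route, as VPC route tables do."""
    addr = ipaddress.ip_address(dst_ip)
    best_len, best_hop = -1, "drop"
    for cidr, hop in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def build_tables(igw_ingress_route: bool) -> Dict[str, RouteTable]:
    """Constructed single-zone layout: protected subnet 10.0.1.0/24, firewall
    subnet 10.0.2.0/24, VPC 10.0.0.0/16. The flag toggles the internet gateway
    route that sends return traffic for the protected subnet to the firewall."""
    vpc_cidr = "10.0.0.0/16"
    tables: Dict[str, RouteTable] = {
        "protected_subnet": {vpc_cidr: "local", "0.0.0.0/0": "vpce-fw"},
        "firewall_subnet": {vpc_cidr: "local", "0.0.0.0/0": "igw"},
        "igw_ingress": {vpc_cidr: "local"},
    }
    if igw_ingress_route:
        tables["igw_ingress"]["10.0.1.0/24"] = "vpce-fw"
    return tables


def trace(tables: Dict[str, RouteTable], start_table: str, dst_ip: str) -> List[str]:
    """Follow next hops from start_table until the packet leaves via the
    internet gateway, is delivered locally, or is dropped. The firewall
    endpoint re-injects traffic into the firewall subnet, so a vpce-fw hop
    continues with that subnet's route table."""
    path: List[str] = []
    table = start_table
    while True:
        hop = next_hop(tables[table], dst_ip)
        path.append(hop)
        if hop == "vpce-fw":
            table = "firewall_subnet"
            continue
        return path


def is_symmetric(tables: Dict[str, RouteTable]) -> bool:
    """True when both the outbound request and the inbound reply pass the firewall."""
    outbound = trace(tables, "protected_subnet", "203.0.113.5")  # to the internet
    inbound = trace(tables, "igw_ingress", "10.0.1.10")  # reply to the instance
    return "vpce-fw" in outbound and "vpce-fw" in inbound


if __name__ == "__main__":
    for flag in (True, False):
        t = build_tables(flag)
        print(f"igw ingress route={flag!s:5s} outbound={trace(t, 'protected_subnet', '203.0.113.5')} "
              f"inbound={trace(t, 'igw_ingress', '10.0.1.10')} symmetric={is_symmetric(t)}")
```

Without the internet gateway route, the reply matches only the VPC-wide `local` route and is delivered straight to the instance, so the firewall sees one half of every connection and its stateful rules cannot evaluate the session. Because the firewall endpoint forwards packets without translating them, the internet gateway still sees the instance's original source address on the outbound path, which is the source IP visibility the insight refers to.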