©2025 Discover
The opinions expressed in this presentation are those of the presenter, in
their individual capacity, and not necessarily those of Discover.
Automated VPC migration into centralized inspection architecture with AWS Gateway Load Balancer
Ioannis Koustoudis, Pr. Infrastructure Engineer at DFS
Hrishikesh Ghodke, Infrastructure Engineer at DFS
Ronak Trivedi, Cybersecurity Engineer at DFS
Agenda
• Moving into centralized inspection architecture with AWS GWLB
• Helping our internal customers to understand their AWS VPC networking patterns
• Automation to migrate all the AWS VPCs into inspection
• Building firewall policy based on VPC network patterns
• Building tools:
‒ To automate the creation of policies
‒ To detect in real time packet drops from firewall appliances
Moving into centralized inspection architecture with AWS GWLB
• All traffic between VPCs in the same region is inspected by virtual firewall appliances, with the help of AWS GWLB inside the “Inspection” VPC.
• Traffic from the source VPC is steered to the “Inspection” VPC and, if the firewalls allow it, is forwarded to the destination VPC.
• The response coming back also passes through the “Inspection” VPC before reaching its final destination.
• Firewall policies inside the appliances, based on src/dst addresses and ports, decide whether to “allow” or “drop” the traffic.
• AWS CloudWatch Insights is used to share VPC flow logs.
Automation to migrate all the AWS VPCs into inspection
• We built a pipeline to automate the migration of VPCs into inspection. The operator selects:
‒ Which VPC to migrate into inspection.
‒ Which TGW route tables to update in parallel.
‒ Whether or not to change the TGW route table association.
Packet Drop Monitor
Packet drop monitor is a homegrown deep packet observability solution that analyzes network traffic logs to generate real-time notifications for our internal customers.
Real-time Notifications
This monitoring solution sends real-time notifications to the internal AWS customer for any network traffic/packet drops from their AWS Virtual Private Cloud (VPC) at 3rd party firewalls within AWS.
AWS Native & Highly Available
The solution uses AWS-native services, which are proven to be highly available and scalable.
Cost Efficient
The cost-aware design saves the company money by utilizing the secure/efficient AWS backbone network instead of sending data over Transit Gateways.
[Architecture diagram: packet-drop-monitor in the Shared Services Account, AFS1 Region, with steps numbered 1 to 8]
Components shown in the diagram:
• 3rd party Firewalls in the Security VPC (private subnet, security group)
• AWS Vector
• CloudWatch Logs, with a subscription to Kinesis
• packet-drop-monitor Kinesis Data Stream
• packet-drop-lambda: Lambda function with Kinesis trigger
• packet-drop-metadata DynamoDB table (Read/Write)
• Public Cloud API (Read)
• sqs-send-email queue
• Send Email Lambda function
Sample firewall log record flowing through the pipeline:
begin_time           src_ip     src_port  dest_ip    dest_port  action  device_name
2024/06/19 08:56:51  10.10.x.x  54948     10.20.x.x  443        drop    fw-prod-af-south-1-01
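The following is an added illustration of the packet-drop-lambda stage of the pipeline above; it is not Discover's code. It assumes the firewall lines reach Kinesis through a CloudWatch Logs subscription (gzip + base64 JSON with a logEvents array) and stands in for the packet-drop-metadata table with a constructed CIDR-to-owner dictionary; all addresses and owners are made up.

```python
import base64
import gzip
import ipaddress
import json

# Constructed firewall log lines in the slide's column layout:
# begin_time src_ip src_port dest_ip dest_port action device_name (addresses made up)
FW_ROWS = [
    "2024/06/19 08:56:51 10.10.4.21 54948 10.20.7.9 443 drop fw-prod-af-south-1-01",
    "2024/06/19 08:56:52 10.10.4.21 54949 10.20.7.9 443 allow fw-prod-af-south-1-01",
    "2024/06/19 08:56:53 192.0.2.7 40000 10.20.7.9 22 drop fw-prod-af-south-1-01",
]

# Constructed stand-in for the packet-drop-metadata DynamoDB table: VPC CIDR -> owner
VPC_OWNERS = {"10.10.0.0/16": "team-a@example.invalid", "10.20.0.0/16": "team-b@example.invalid"}

def make_kinesis_event(rows):
    # Wrap lines the way a CloudWatch Logs subscription delivers them to Kinesis
    payload = {"messageType": "DATA_MESSAGE", "logEvents": [{"message": r} for r in rows]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"Records": [{"kinesis": {"data": data}}]}

def parse_fw_line(line):
    date, time, src_ip, src_port, dst_ip, dst_port, action, device = line.split()
    return {"begin_time": f"{date} {time}", "src_ip": src_ip, "src_port": int(src_port),
            "dest_ip": dst_ip, "dest_port": int(dst_port), "action": action, "device_name": device}

def owner_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, owner in VPC_OWNERS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None  # not one of our VPCs, so nobody to notify

def handler(event, context=None):
    # Decode each Kinesis record, keep only drops with a known VPC owner, and build
    # one message per drop for the sqs-send-email queue (returned here, not sent)
    messages = []
    for record in event["Records"]:
        raw = gzip.decompress(base64.b64decode(record["kinesis"]["data"]))
        for ev in json.loads(raw)["logEvents"]:
            rec = parse_fw_line(ev["message"])
            if rec["action"] != "drop":
                continue
            owner = owner_of(rec["src_ip"])
            if owner is None:
                continue
            messages.append({"to": owner, "device": rec["device_name"], "begin_time": rec["begin_time"],
                             "flow": f"{rec['src_ip']}:{rec['src_port']} -> {rec['dest_ip']}:{rec['dest_port']}"})
    return messages
```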
Building firewall policy based on VPC network patterns
Access Map Objects
objects:
  address_group1:
    - 10.10.10.1
  address_group2:
    - 10.10.10.2
  service_group1:
    - port: 443        # one service entry: port and protocol belong to the same list item
      protocol: tcp
Why Access Maps?
• Shift-left ownership
• Visibility of owned access
• JSON data structures (Security-as-Code)
• Automation capabilities
Access Map Policies
policies:
  policy_rule1:
    source:
      - address_group1
    destination:
      - address_group2
    service:
      - service_group1
Firewall Policy Automation
• Automated comparison between VPC flow logs and firewall access maps
• Automated staging and implementation of firewall policy
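An added example of the flow-log-to-access-map comparison described above (not Discover's code): the access map is held in the same objects/policies structure shown on the previous slide, and each constructed VPC flow log line (default flow log format, addresses and account id made up) is checked for a covering policy; accepted flows with no covering policy are the gaps an owner must decide on before the policy is staged.

```python
import ipaddress

# Access map in the deck's objects/policies structure (addresses constructed)
ACCESS_MAP = {
    "objects": {
        "address_group1": ["10.10.10.1"],
        "address_group2": ["10.10.10.2", "10.20.0.0/24"],
        "service_group1": [{"port": 443, "protocol": "tcp"}],
    },
    "policies": {
        "policy_rule1": {"source": ["address_group1"], "destination": ["address_group2"],
                         "service": ["service_group1"]},
    },
}

# Constructed VPC flow log lines, default format: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.10.10.1 10.10.10.2 54948 443 6 10 840 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.10.1 10.20.0.9 41000 443 6 3 180 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.10.1 10.10.10.2 41001 22 6 3 180 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.10.5 10.10.10.2 41002 443 6 3 180 1718787411 1718787471 REJECT OK",
]
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

def parse_flow(line):
    f = line.split()
    return {"src": f[3], "dst": f[4], "dport": int(f[6]),
            "proto": PROTO_NAMES.get(f[7], f[7]), "action": f[12]}

def in_group(objects, names, ip):
    # Address group members may be single hosts or CIDRs
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for n in names for m in objects[n])

def in_service(objects, names, flow):
    return any(s["port"] == flow["dport"] and s["protocol"] == flow["proto"]
               for n in names for s in objects[n])

def covering_policy(access_map, flow):
    objs = access_map["objects"]
    for name, pol in access_map["policies"].items():
        if (in_group(objs, pol["source"], flow["src"]) and in_group(objs, pol["destination"], flow["dst"])
                and in_service(objs, pol["service"], flow)):
            return name
    return None

def uncovered_flows(access_map, lines):
    # Accepted flows the VPC actually carried that no access-map policy covers
    gaps = {(fl["src"], fl["dst"], fl["proto"], fl["dport"]) for fl in map(parse_flow, lines)
            if fl["action"] == "ACCEPT" and covering_policy(access_map, fl) is None}
    return sorted(gaps)
```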
Thank you!