In this example, I will deploy a software router between the Internet Gateway and a workload EC2 instance. All traffic will be routed through the software router. With this setup, I gain visibility into the network traffic, and I can also control it with iptables, for example by rate-limiting certain types of network requests.
The setup consists of a dedicated firewall subnet, 10.2.16.0/24, sitting between the IGW and a workload subnet. A software router is installed in the firewall subnet, and an EC2 instance in the workload subnet, 10.2.18.0/24.
To tell the IGW to route traffic through the router/firewall at 10.2.16.60, create a route table and associate it with the IGW. For the return route, create another route table, set its default route to the firewall, and associate it with the subnet 10.2.18.0/24.
I am using Rocky Linux 8 as the firewall. It can be anything with out-of-the-box routing capability. If you prefer a firewall with a web UI, pfSense is a good choice.
Turn off the source/destination check on the firewall EC2 instance, and enable ip_forward in the OS. At this point, the workload instance is accessible: I can connect to the public IP 126.96.36.199 and see the network requests being routed through the software firewall.
Now that traffic is passing through the software, what next?
There is a myriad of things one can do now, such as logging all traffic, setting up rate limits, or inspecting captured packets.
To inspect traffic flowing through the firewall, install ntopng. For demonstration purposes, I started nginx on the workload instance so that it responds to HTTP requests. Run httping from any remote machine and the flow immediately shows up on the Flows tab.
To control the traffic, I can use iptables to allow, drop, or rate-limit packets going to 10.2.18.129. To keep it simple, I'm allowing all traffic in iptables:
[root@ip-10-2-16-60 ~]# iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1259 65576 ACCEPT all -- * * 0.0.0.0/0 10.2.18.129
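As an added example (my own script, not code from the original post), the steps above are scripted end to end: the two route tables and the source/destination check with the AWS CLI, then ip_forward and, in place of the allow-all rule, a per-source rate limit on new HTTP connections to 10.2.18.129. Every resource ID and the admin CIDR are placeholders to replace; the rules live in the FORWARD chain because that is the chain routed packets traverse (OUTPUT only sees packets the firewall itself originates).

```shell
#!/bin/sh
# Added example (not from the original post): scripts the ingress-routing
# topology with the AWS CLI, then installs a FORWARD-chain ruleset on the
# firewall host that rate-limits new HTTP connections to the workload.
# Resource IDs are placeholders; DRY_RUN=1 prints each command instead.
set -eu

WORKLOAD_CIDR=10.2.18.0/24
WORKLOAD_IP=10.2.18.129
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # placeholder: where SSH may come from

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# VPC side: an edge route table on the IGW sends inbound traffic for the
# workload subnet to the firewall ENI, the workload subnet's default route
# points back at that ENI, and the firewall keeps packets not addressed to it.
aws_ingress_routing() {
  igw=$1; igw_rtb=$2; wl_rtb=$3; wl_subnet=$4; fw_eni=$5; fw_instance=$6
  run aws ec2 associate-route-table --route-table-id "$igw_rtb" --gateway-id "$igw"
  run aws ec2 create-route --route-table-id "$igw_rtb" \
    --destination-cidr-block "$WORKLOAD_CIDR" --network-interface-id "$fw_eni"
  run aws ec2 create-route --route-table-id "$wl_rtb" \
    --destination-cidr-block 0.0.0.0/0 --network-interface-id "$fw_eni"
  run aws ec2 associate-route-table --route-table-id "$wl_rtb" --subnet-id "$wl_subnet"
  run aws ec2 modify-instance-attribute --instance-id "$fw_instance" --no-source-dest-check
}

# Firewall host (as root): routed packets traverse FORWARD, not OUTPUT, so the
# policy goes there. Default deny, then allow only what the workload needs.
firewall_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -d "$WORKLOAD_IP" -p tcp --dport 22 -s "$ADMIN_CIDR" -j ACCEPT
  # New HTTP connections: up to 20/s (burst 40) per source IP are accepted...
  run iptables -A FORWARD -d "$WORKLOAD_IP" -p tcp --dport 80 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-name http_in --hashlimit-mode srcip \
    --hashlimit-upto 20/sec --hashlimit-burst 40 -j ACCEPT
  # ...the excess is logged (the LOG rule is itself rate-limited) and dropped,
  # so `iptables -vnL FORWARD` shows how much was shed.
  run iptables -A FORWARD -d "$WORKLOAD_IP" -p tcp --dport 80 -m conntrack --ctstate NEW \
    -m limit --limit 10/min -j LOG --log-prefix "FW-HTTP-RATELIMIT "
  run iptables -A FORWARD -d "$WORKLOAD_IP" -p tcp --dport 80 -j DROP
  run iptables -A FORWARD -s "$WORKLOAD_CIDR" -j ACCEPT   # workload-initiated egress
}

case "${1:-}" in
  routes) shift; aws_ingress_routing "$@" ;;   # run from an admin workstation
  rules)  firewall_rules ;;                    # run on the firewall host
esac
```

Run `sh fw.sh routes <igw> <igw-rtb> <workload-rtb> <workload-subnet> <fw-eni> <fw-instance>` from a machine with AWS credentials, and `sh fw.sh rules` on the firewall itself.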
Linux is great, but what about more specialised firewall appliances?
Some firewall appliances are able to perform deep packet inspection or act as an IPS. I gave pfSense a try. Together with the Suricata package and Snort rules, malicious traffic can be blocked automatically.
This was a quick demo of how to gain visibility into, and control of, network traffic in a VPC. A more sophisticated deployment would be to deploy a pair of NGFWs and use Gateway Load Balancer (GWLB) endpoints to route traffic through them. Cross-VPC inspection can be done this way. GWLB requires IP encapsulation using the GENEVE protocol. Unfortunately, pfSense does not support this protocol.