Although modern organizations host their workloads “in the cloud”, applications and services need connectivity and everything flowing between instances and users needs inspection. On AWS, organizations typically filter ingress traffic by deploying a firewall appliance with IDS/IPS capabilities and routing all traffic to a specific network interface. But what about East-West traffic between subnets and VPCs?
Until today, securing traffic of AWS workloads between VPCs and subnets using firewall appliances required a few routing and NAT tricks to get the traffic flowing through the device. This was doable thanks to AWS Transit Gateway, and very useful in those scenarios where connectivity to on-premise networks, or peering with another Transit Gateway, was already in place.
However, for the sole job of filtering your East-West traffic in AWS, it was not the leanest architecture and came with some operational overhead to get it working. To help reduce manual operations for our NGFW customers, we have released this integration between AWS Transit Gateway and Forcepoint NGFW, which automates the deployment of an auto-scaling set of NGFW engines and connects them to an existing Forcepoint Security Management Centre (on AWS or on-premise) to control all engines and apply security policies consistently across locations and workloads.
In addition, complexity and cost have just dropped further with the launch of Amazon VPC More Specific Routing, a new feature that allows customers to redirect East-West traffic flowing between two subnets in a VPC through third-party appliances like Forcepoint Next Generation Firewall. With this enhancement, customers can now configure routing rules in a subnet route table to redirect local traffic destined for another subnet via Forcepoint NGFW, which will operate as a middle-box appliance.
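The mechanism behind More Specific Routing is longest-prefix match: a /24 route to the appliance's network interface wins over the VPC's /16 "local" route. The added example below (not Forcepoint's or AWS's code; the subnet CIDRs and the `eni-PLACEHOLDER` interface id are constructed) models the route tables for two workload subnets and the appliance subnet, and checks two things a practitioner should verify before relying on a stateful middle-box: that both directions of a flow are redirected to the appliance (otherwise return traffic bypasses inspection and the firewall sees asymmetric flows), and that the appliance subnet's own route table does not send the traffic back to the appliance in a loop.

```python
import ipaddress

# Constructed sample topology: one VPC, two workload subnets, one appliance subnet.
VPC_CIDR = "10.0.0.0/16"
SUBNET_A = "10.0.1.0/24"
SUBNET_B = "10.0.2.0/24"
APPLIANCE_ENI = "eni-PLACEHOLDER"  # placeholder for the NGFW's network interface id

# Route tables as (destination CIDR, target). With More Specific Routing, a route
# narrower than the VPC CIDR may point at a network interface inside the VPC.
RT_A = [(VPC_CIDR, "local"), (SUBNET_B, APPLIANCE_ENI)]      # A -> B via appliance
RT_B = [(VPC_CIDR, "local"), (SUBNET_A, APPLIANCE_ENI)]      # B -> A via appliance
RT_APPLIANCE = [(VPC_CIDR, "local")]                          # appliance delivers directly
RT_B_MISCONFIGURED = [(VPC_CIDR, "local")]                    # forgot the return route


def next_hop(route_table, dst_ip):
    """Longest-prefix-match lookup, as a VPC route table resolves a destination."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def inspected_both_ways(rt_src, rt_dst, src_ip, dst_ip, eni):
    """True only if the forward packet and the reply both reach the appliance."""
    return next_hop(rt_src, dst_ip) == eni and next_hop(rt_dst, src_ip) == eni


def appliance_loop_free(rt_appliance, eni, dst_ips):
    """True if the appliance's subnet never routes forwarded packets back to itself."""
    return all(next_hop(rt_appliance, ip) != eni for ip in dst_ips)


if __name__ == "__main__":
    flow = ("10.0.1.10", "10.0.2.10")
    print("A->B next hop:", next_hop(RT_A, flow[1]))
    print("symmetric:", inspected_both_ways(RT_A, RT_B, *flow, APPLIANCE_ENI))
    print("misconfigured B:", inspected_both_ways(RT_A, RT_B_MISCONFIGURED, *flow, APPLIANCE_ENI))
    print("loop free:", appliance_loop_free(RT_APPLIANCE, APPLIANCE_ENI, flow))
```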
Forcepoint has verified compatibility out-of-the-box with the new Amazon VPC feature, enabling customers to enforce network security policies with a leaner design in their AWS footprint. This removes the need for a dedicated AWS Transit Gateway and the extra configuration and also allows customers to easily extend their SD-WAN networks into Amazon VPC.
These integrations enable organizations and customers to avail of Forcepoint NGFW on AWS in the simplest and most cost-effective way: either by performing automated deployment in the most advanced scenarios involving AWS Transit Gateway, or by filtering traffic between VPCs and subnets using the new AWS VPC More Specific Routing feature.