Check Point CloudGuard Network Security is a Launch Partner for Amazon VPC Enhanced Routing

By Jeff Kopko, Cloud Alliance Architect and Jonathan Maresky, Cloud Product Marketing Manager, published August 31, 2021

In my previous blog post I wrote about the three pillars of CloudGuard: “Security · Automated · Everywhere”, and explained the importance of the “Automated” pillar.

Good automation is vital for all cloud solutions and especially cloud security.

This is because the cloud is dynamic and agile, and manual processes just can’t keep up with these changes. When an organization relies on manual processes, it is potentially exposed to attacks by automated threat actors. Using manual processes for cloud security is like bringing a knife to a gunfight.

A key factor in good cloud automation is the depth and quality of the integration with cloud vendor services. AWS is continuously launching new services and enhancing existing services to improve ease-of-use for customers and ease-of-integration with technology partners like Check Point.

This blog post will provide some details about AWS’s recent cloud security announcement – the release of Amazon VPC enhanced routing.

Check Point is a launch partner for enhanced routing with CloudGuard Network Security (CGNS) and performed beta-testing before launch.

The blog post will explain:

  • What is Amazon VPC enhanced routing?
  • How does it work and what problem does it solve?
  • How does CloudGuard use Amazon VPC enhanced routing and how do CloudGuard users benefit from this enhancement?

What is Amazon VPC Enhanced Routing?

According to AWS descriptions, enhanced routing is a new feature of Amazon VPC that will allow customers to redirect East-West traffic flowing between two subnets in a VPC through third-party appliances.

Before this enhancement, route tables associated with subnets could not have routes more specific than the local VPC CIDR block. As a result, customers could not insert any appliances between two subnets.

Enhanced routing allows customers to configure routing rules in a subnet route table to redirect local traffic destined for another subnet via network and security appliances.

How does this help improve AWS security for our customers?

Most cloud network security is performed on North-South traffic, i.e. traffic entering/exiting the cloud from/to the Internet and from/to the customer’s corporate network or data center. More and more CloudGuard users are choosing to also inspect East-West traffic, which flows laterally inside the cloud.

If a customer is already performing East-West traffic inspection, enhanced routing is a more elegant solution, which improves the integration between CloudGuard and AWS and simplifies operations for CloudGuard users.

Amazon VPC enhanced routing allows Independent Software Vendors (ISVs) such as Check Point to inspect traffic at a more granular level than ever before.

Prior to enhanced routing, customers were unable to inspect traffic within a VPC and could only redirect traffic to a CloudGuard Network Security gateway if it crossed a VPC boundary. By adding subnet-specific routes, or modifying the local VPC route next-hop to point to CloudGuard, customers can inspect traffic crossing subnet boundaries within a VPC.

Check Point CloudGuard Network Security appliance within a VPC. Cross-subnet traffic redirected to Check Point CloudGuard.
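As an added example (not Check Point or AWS code), the Python below models the route selection described above: the most specific matching route wins, so a subnet-specific route overrides the local VPC route. It audits a constructed set of route tables for subnet pairs whose traffic bypasses the appliance or reaches it in only one direction; the CIDRs and the `eni-appliance` target are assumed placeholders.

```python
import ipaddress
from itertools import combinations

APPLIANCE = "eni-appliance"  # assumed placeholder for the inspection gateway's interface

# Constructed sample: route table entries (destination, target) per subnet.
ROUTE_TABLES = {
    "10.0.1.0/24": [("10.0.0.0/16", "local"), ("10.0.2.0/24", APPLIANCE)],
    "10.0.2.0/24": [("10.0.0.0/16", "local"), ("10.0.1.0/24", APPLIANCE)],
    # Redirects traffic to 10.0.2.0/24, but 10.0.2.0/24 has no matching route back.
    "10.0.3.0/24": [("10.0.0.0/16", "local"), ("10.0.2.0/24", APPLIANCE)],
}


def next_hop(routes, dst_cidr):
    """Longest-prefix match: the most specific route covering dst_cidr wins."""
    dst = ipaddress.ip_network(dst_cidr)
    matches = [
        (ipaddress.ip_network(dest), target)
        for dest, target in routes
        if dst.subnet_of(ipaddress.ip_network(dest))
    ]
    if not matches:
        return None  # no route covers this destination
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit_east_west(tables, appliance=APPLIANCE):
    """Classify each subnet pair by whether both directions hit the appliance."""
    findings = {}
    for a, b in combinations(sorted(tables), 2):
        fwd = next_hop(tables[a], b)  # a -> b, decided by a's route table
        rev = next_hop(tables[b], a)  # b -> a, decided by b's route table
        if fwd == appliance and rev == appliance:
            findings[(a, b)] = "inspected"
        elif appliance in (fwd, rev):
            findings[(a, b)] = "asymmetric"  # gateway sees one direction only
        else:
            findings[(a, b)] = "bypass"      # local route: no inspection
    return findings


if __name__ == "__main__":
    for pair, status in audit_east_west(ROUTE_TABLES).items():
        print(pair, status)
```

A pair reported as "asymmetric" is the case to fix first, since a stateful gateway that sees only one direction of a flow cannot track it.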

Additionally, enhanced routing enables some unique architectural options with Gateway Load Balancer (GWLB). For example, when using a GWLB-centralized architecture, we are now able to collapse the Internet VPC functions into the Security VPC. Enhanced routing enables this scenario by permitting a more-specific route to AWS Transit Gateway (TGW) attachment subnets redirecting ALB traffic for inspection by GWLB/CGNS, which creates a symmetric traffic path on ingress GWLB scenarios. Eliminating a VPC simplifies the architecture and reduces TGW attachments (thus saving the customer money).

Check Point CloudGuard Network Security appliance with GWLB. Enhanced routing allows collapse of Internet VPC functionality into the Security VPC.

Check Point CloudGuard Network Security can now use enhanced routing to allow users to centralize security inspection with more flexibility and for additional traffic (including traffic that does not cross a VPC boundary).

What’s next?

If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:

  • The top 10 considerations when evaluating and choosing a cloud network security solution
  • An overview of Check Point CloudGuard and how it answers the top 10 considerations
  • The relative benefits of the solutions provided by leading cloud providers and third-party security vendors

To see a deep-dive tech-talk about enterprise-scale deployment of CloudGuard Network Security in an AWS environment, click here.

For a similar deep-dive tech-talk about using CloudGuard with AWS GWLB, click here.

If you’d like to learn more about CloudGuard Network Security, please speak with your Check Point channel partner, your account Security Engineer or contact us.

To read the Forrester Total Economic Impact of CloudGuard Network Security, where Forrester interviewed a $10B+ US-based healthcare company who uses CloudGuard to secure their hybrid-cloud deployment and generated a 169% ROI, click here.

If you are in the process of planning your migration to the cloud, please contact us to schedule a demo, and a cloud security expert will help to understand your needs.

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

  • This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
  • This document explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you to implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
  • This document provides reference architectures for implementing the cloud security blueprint.


If you have any questions, please contact your local Check Point account representative or partner, or contact us here.

Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.