Sunday, February 2, 2020

Palo Altos in AWS; can't really seem to wrap my head around the public-facing side.

I have a product that I manage the network services of that has currently been migrated to AWS. Without getting too much into details from an OPSEC perspective, the product has about 200 servers that are internet-facing with zero firewall control.

Because AWS manages Elastic IPs (public IPs) for you, you essentially just get a range of public IPs. Of these 200 servers, none of their public IPs are in the same subnet.

I've PoC'd a Palo Alto to provide a firewall for north-south traffic, but I just can't seem to figure out how to route this (a myriad of 200 individual IPs) to the firewall from the internet. There are boatloads of documentation, but all seem to really gloss over this fact. If you were to have 1 or 2 web servers that can sit behind a public load balancer, all seems to be okay, but just the general idea of NATing your public IPs to internal servers seems to have been lost with cloud infrastructure.

Any ideas?

Again, routing traffic outbound to the internet is fairly easy to get through the firewall, but:

Let's just say, for the sake of simplicity: I have 200 servers that I need to SFTP to from the internet. How do I set that up in AWS, given all their public IPs are scattered through IP ranges, to route through my virtual Palo?
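To make the scale of the problem in the post concrete, here is an added example (not the poster's code, and not tied to any AWS or Palo Alto API): it takes a constructed inventory of internet-facing hosts with scattered public addresses, shows how little those addresses summarize, flags any port open beyond the one service that is supposed to be reachable, and emits the one-rule-per-host destination-NAT table a fronting firewall would need. The record shape (`id`, `private_ip`, `public_ip`, `open_ports`) and all address values are assumptions made up for the example.

```python
import ipaddress

# Constructed inventory (sample values, not real hosts): each record mimics what an
# operator would pull from their own instance list. Field names are assumptions.
HOSTS = [
    {"id": "i-0001", "private_ip": "10.0.1.10", "public_ip": "52.10.4.21",    "open_ports": [22]},
    {"id": "i-0002", "private_ip": "10.0.1.11", "public_ip": "34.220.9.7",    "open_ports": [22, 443]},
    {"id": "i-0003", "private_ip": "10.0.2.5",  "public_ip": "54.186.77.200", "open_ports": [22]},
    {"id": "i-0004", "private_ip": "10.0.2.6",  "public_ip": "52.10.4.22",    "open_ports": [22, 3389]},
]


def public_prefixes(hosts, prefix_len=24):
    """Distinct /prefix_len blocks the public addresses fall into. A count close to the
    host count is the 'scattered across IP ranges' situation: no single route or
    summary covers them."""
    nets = {ipaddress.ip_network(f"{h['public_ip']}/{prefix_len}", strict=False) for h in hosts}
    return sorted(nets)


def collapsed_public_addresses(hosts):
    """Smallest set of CIDRs that exactly covers the public IPs. collapse_addresses only
    merges true neighbours, so scattered Elastic IPs mostly stay as individual /32s."""
    addrs = [ipaddress.ip_network(f"{h['public_ip']}/32") for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(addrs)]


def unexpected_exposure(hosts, allowed_ports=frozenset({22})):
    """(host id, port) pairs listening on something other than the intended service;
    with no firewall in front, each of these is reachable from the internet."""
    return sorted((h["id"], p) for h in hosts for p in h["open_ports"] if p not in allowed_ports)


def dnat_rules(hosts, service_port=22):
    """One destination-NAT rule per host for the fronted service: the firewall holds the
    public address and rewrites the destination to the host's private address. The
    length of this list is the per-host rule count a 200-host estate implies."""
    rules = []
    for h in hosts:
        if service_port not in h["open_ports"]:
            continue
        rules.append({
            "name": f"dnat-{h['id']}-{service_port}",
            "original_destination": h["public_ip"],
            "translated_destination": h["private_ip"],
            "port": service_port,
        })
    return rules


if __name__ == "__main__":
    print("public /24 blocks:", [str(n) for n in public_prefixes(HOSTS)])
    print("collapsed public addresses:", collapsed_public_addresses(HOSTS))
    print("ports open beyond SFTP:", unexpected_exposure(HOSTS))
    for r in dnat_rules(HOSTS):
        print(f"{r['name']}: {r['original_destination']}:{r['port']} "
              f"-> {r['translated_destination']}:{r['port']}")
```

Run against a real inventory, the interesting outputs are the size of `collapsed_public_addresses` (how many individual public addresses the firewall must own or be routed) and `unexpected_exposure` (what is reachable today with "0 firewall control"); the `dnat_rules` table is the per-host mapping that, whatever the routing answer turns out to be, has to exist somewhere.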
