Sunday, August 16, 2020

Firewall that can handle this multi-tenant scenario?

ADCs are probably the appropriate fit here, but I'm hoping to find a FW that can do the job so we can also gain features like IPS, L7 control, file upload sandboxing/detonation, etc.

Within Azure, I'm looking for an HA appliance that can permit VNet01-02 to communicate with Hub simultaneously. I cannot control/access 01-02 and I cannot change the overall design. I also cannot do 1:1 NATing that seemingly all firewalls require for a situation like this, e.g. VNet01 10.10.0/23 NATs to 10.110.0/23 and VNet02 NATs to 10.210.0/23

ADCs like F5/A10 can handle this easily via NAT overload, but I'm open to really any scalable idea.

Surprisingly, I think SonicWall of all people can do it via very explicit ACL/policy forwarding rules based on interface (if SRC=tunnel1/10.10.0/23 then permit to 172.30.0.1:80 / if SRC=tunnel2/10.10.0/23 then permit to 172.30.0.2:80), but SonicWall doesn't offer HA in Azure. Building on that example, VNet01-02 will never need to hit the same IP/port within Hub, if that helps at all. That is, 172.30.0.1 will be reserved for VNet01's web servers, 172.30.0.2 = VNet02's web servers, and never their paths shall cross.

/u/OhMyInternetPolitics had a really good idea of "Setup your shared application to use a unique set of IPs (chewing up a few public IPs isn't a terrible idea here), and leak them into VRFs" but I have to do a lot of reading as to whether that will play nice with all Azure's weird network limitations.

https://imgur.com/a/cQeG6l5

Thank you.
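The interface-scoped rules described in the post (tunnel1 may only reach 172.30.0.1:80, tunnel2 may only reach 172.30.0.2:80) and the per-tenant NAT overload idea can be modelled in a few dozen lines. The following is an added illustration, not code from the post or from any vendor's product: it shows why a plain 5-tuple ACL lets one tenant reach the other's hub servers when both use 10.10.0.0/23, while keying the decision on (ingress tunnel, source prefix) keeps them apart, and how a per-tunnel SNAT pool gives the hub unambiguous return addresses. The interface names, rule layout, and the 203.0.113.x pool addresses are assumptions.

```python
"""Policy forwarding keyed on ingress interface for overlapping tenant prefixes.

Added illustration (not the post's or a vendor's code). Rule layout,
interface names and SNAT pool addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str   # tunnel the packet arrived on, e.g. "tunnel1" (assumed name)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    ingress: Optional[str]  # None = any interface, i.e. a plain 5-tuple ACL
    src_net: str
    dst_host: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        if self.ingress is not None and self.ingress != pkt.ingress:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and pkt.dst == self.dst_host and pkt.dport == self.dport)


# Rules from the post: each tenant's (identical) prefix may only reach that
# tenant's reserved hub address; anything not listed is denied.
SCOPED_RULES = [
    Rule("tunnel1", "10.10.0.0/23", "172.30.0.1", 80),
    Rule("tunnel2", "10.10.0.0/23", "172.30.0.2", 80),
]

# Same intent written without the interface key: the source prefix is the
# same for both tenants, so the ACL cannot tell them apart.
UNSCOPED_RULES = [
    Rule(None, "10.10.0.0/23", "172.30.0.1", 80),
    Rule(None, "10.10.0.0/23", "172.30.0.2", 80),
]


def permitted(pkt: Packet, rules) -> bool:
    """First-match evaluation with an implicit deny at the end of the list."""
    return any(r.matches(pkt) for r in rules)


class SnatPool:
    """Per-tunnel NAT overload (PAT).

    Each tunnel gets its own translated source address (assumed values), so the
    hub sees distinct sources even though the inside addresses collide, and
    return traffic maps back to exactly one tenant.
    """

    def __init__(self, pool):
        self.pool = pool                          # ingress -> translated source IP
        self.next_port = {k: 40000 for k in pool}  # simple per-tunnel port counter
        self.table = {}                           # (snat_ip, port) -> (ingress, src, sport)

    def translate(self, ingress, src, sport):
        snat_ip = self.pool[ingress]
        port = self.next_port[ingress]
        self.next_port[ingress] += 1
        self.table[(snat_ip, port)] = (ingress, src, sport)
        return snat_ip, port

    def untranslate(self, snat_ip, port):
        """Reverse lookup for the hub's reply; None if no session exists."""
        return self.table.get((snat_ip, port))


if __name__ == "__main__":
    # Constructed sample traffic: the same inside address from both tenants.
    cross = Packet("tunnel2", "10.10.0.5", "172.30.0.1", 80)
    print("unscoped ACL lets VNet02 reach VNet01's server:", permitted(cross, UNSCOPED_RULES))
    print("scoped rules block it:", not permitted(cross, SCOPED_RULES))
    pool = SnatPool({"tunnel1": "203.0.113.1", "tunnel2": "203.0.113.2"})
    print(pool.translate("tunnel1", "10.10.0.5", 51000), pool.translate("tunnel2", "10.10.0.5", 51000))
```

The check worth carrying into any real evaluation is the `cross` packet: with overlapping prefixes, a rule set that cannot see the ingress interface (or an equivalent per-tenant VRF/zone) permits cross-tenant traffic silently, which is exactly the failure the interface-based rules in the post avoid.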
