Hello,
I am helping to move an application stack to AWS and trying to figure out how to maintain a reasonable security posture while getting out of the IP management business. I am mostly concerned with internal communication, as the external one is reasonably well hardened with a WAF and other existing services.
Currently the setup is traditional: you have services that are exposed on a specific IP, that IP is in DNS, and the firewall has rules allowing traffic to this IP on a specific port. I want to not have to deal with IPs in AWS at all, but rather just assign a FQDN to the service and specify in rules that this FQDN can be accessed by system X on port Y. And while the IP of the service in AWS is not going to change often, it still will change, and I don't want that change to cause an outage. To further complicate matters, there will be multiple VPCs and multiple accounts involved in the communication.
So my question is - are there any good solutions out there that can filter traffic between different VPCs/accounts connected via transit gateways based on the FQDN? Or is that a pipe dream and I should either lock down IPs or figure out other methods of controlling traffic flows?
Thanks!