AWS networking configuration for a BlastShield™ Gateway


The BlastShield Gateway is an in-line protection instance that will be deployed in front of protected assets or applications. The gateway software may be deployed on x86 platforms or selected cloud infrastructures such as AWS.

Installation of a new gateway instance in AWS requires the following primary workflows:

  1. Create the AWS networking infrastructure.
  2. Create the BlastShield Gateway instance and launch it in AWS.
  3. Configure the AWS security groups.

This article covers step (1) and describes how to configure the AWS Virtual Private Cloud (VPC) networking infrastructure before installing a BlastShield Gateway. You must complete step (1) before starting step (2).

Preparation

The following requirements apply:

  • The BlastShield Orchestrator is running and configured
  • You have a working account for the Orchestrator with read/write access
  • You have a working AWS account and admin rights to add and configure VPC and EC2 instances
  • You have been granted permissions to use the BlastShield Gateway AMI

BlastShield Gateway network architecture in AWS

The networking configuration of the VPC requires two subnets: one for the protected LAN, which will host the protected endpoints, and a second subnet for the public-side connectivity. Route tables are created for the private and public sides, and an internet gateway is created for external connectivity. Please refer to the diagram below for details.

Step 1: Create and configure a new Virtual Private Cloud (VPC) in AWS

Performed by the AWS administrator.

From the AWS console / VPC / Your VPCs:
Click on Create VPC.

Name the VPC.

Configure the VPC's address block, the range from which both subnets will later be carved. Enter a /16 network in the IPv4 CIDR box.

Next, click on Create VPC.

The VPC is created.

Step 2: Create two subnets for the VPC

Performed by the AWS administrator.

Next, create two subnets in the VPC. One subnet is required for the protected endpoints and one subnet is required for the public internet.

From the VPC subnets menu choose Create subnet

Add the public-side subnet. Select your VPC ID here.

Set the name and Availability Zone.  Make sure both subnets are in the same Availability Zone when you add the second subnet later.

Set this first subnet within the range you provisioned earlier when the VPC was created.  This first subnet is for the public/external side network.

Now, add a second subnet using the add-new button and configure the second subnet for the internal protected network, as follows:

  • Enter a name for the protected subnet.
  • Set the Availability Zone.  Make sure this is the same Availability Zone as the first subnet.
  • Set the second subnet as the next network within the range you provisioned earlier when the VPC was created.  This second subnet is for the protected / internal side.

Step 3: Create and configure an internet gateway

Performed by the AWS administrator.

From the AWS console / Virtual Private Cloud / Internet Gateways,  choose Create internet gateway.

The internet gateway will be used to connect the public subnet to the outside world.

Step 4: Attach the internet gateway to the VPC

Performed by the AWS administrator.

From the AWS console / Virtual Private Cloud / Internet Gateways, right-click on your internet gateway and choose the Attach to VPC option.

From the Attach to VPC dialog, select the VPC name to be attached.

Click Attach Internet Gateway.

The state of the internet gateway should now show as Attached.

Step 5: Configure the route table for the public side

Performed by the AWS administrator.

From the AWS console / Virtual Private Cloud / Route Tables:

  • Select the route table that was created with the VPC.
  • Name the route table if it is not already named.
  • Select the Subnet Associations tab from the bottom window and click on Edit subnet associations.

The Edit subnet associations window will open.

Select the BlastShield Public Subnet and click on Save.

The subnet is now visible in the Subnet Associations window.

From the AWS console / Virtual Private Cloud / Route Tables:

  • Select the BlastShield Public route table.
  • Choose the Routes tab in the bottom window.
  • Click Edit routes.

Add a default route and connect it to the internet gateway created earlier, then click Save routes.

Step 6: Add a new route table for the protected side

Performed by the AWS administrator.

From AWS console / Virtual Private Cloud / Route Tables:

  • Select Create route table.
  • Enter a Name for the route table.
  • Select the VPC for the route table.
  • Click Create.
  • The new routing table can now be seen on the route tables console.

Select the Subnet Associations tab from the bottom window.

  • Click on Edit subnet associations.
  • The Edit subnet associations window will open.
  • Select the BlastShield Protected Subnet and click on Save.

You will add routes to the protected network route table after the BlastShield Gateway EC2 instance has been launched. Launching the Gateway instance in AWS is described in a separate article.
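Steps 1 to 6 above are a single procedure, and a practitioner will usually want it reproducible rather than clicked through the console. The Terraform configuration below is an added example, not BlastShield's own code or part of this article, that builds the same VPC layout: a /16 VPC, a public and a protected subnet in the same Availability Zone, an internet gateway attached to the VPC, a public route table with a default route to the gateway, and a protected route table that deliberately carries no default route yet. The region, Availability Zone, CIDR blocks and Name tags are constructed placeholders. One difference from the console steps: instead of reusing the route table created with the VPC (the main route table) for the public side, the example creates an explicit public route table and leaves the main table with only the local route, so any subnet added later without an explicit association does not silently inherit a route to the internet.

```hcl
# Added example (not BlastShield's own code): Terraform equivalent of steps 1-6.
# Region, AZ, CIDR blocks and names are constructed placeholders; adjust to your environment.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

variable "az" {
  description = "Availability Zone shared by both subnets (the article requires they match)"
  default     = "us-east-1a" # assumption
}

# Step 1: the VPC with a /16 address block from which both subnets are carved
resource "aws_vpc" "blastshield" {
  cidr_block = "10.50.0.0/16" # constructed example block
  tags       = { Name = "BlastShield-VPC" }
}

# Step 2: public (external) subnet and protected (internal) subnet, consecutive /24s, same AZ
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.blastshield.id
  cidr_block        = cidrsubnet(aws_vpc.blastshield.cidr_block, 8, 0) # 10.50.0.0/24
  availability_zone = var.az
  tags              = { Name = "BlastShield-Public-Subnet" }
}

resource "aws_subnet" "protected" {
  vpc_id            = aws_vpc.blastshield.id
  cidr_block        = cidrsubnet(aws_vpc.blastshield.cidr_block, 8, 1) # 10.50.1.0/24, the next network
  availability_zone = var.az
  tags              = { Name = "BlastShield-Protected-Subnet" }
}

# Steps 3 and 4: internet gateway, attached to the VPC by vpc_id
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.blastshield.id
  tags   = { Name = "BlastShield-IGW" }
}

# Step 5: public route table with a default route to the internet gateway,
# associated only with the public subnet
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.blastshield.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  tags = { Name = "BlastShield-Public" }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Step 6: protected route table with the local route only. The default route
# towards the BlastShield Gateway instance is added after that instance exists,
# so the protected subnet has no path to the internet until then.
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.blastshield.id
  tags   = { Name = "BlastShield-Protected" }
}

resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}
```

Run `terraform plan` before `terraform apply` and confirm that only the public route table contains a 0.0.0.0/0 route; the protected route table should show just the VPC-local route at this stage.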

This article is updated as our product develops. Check back regularly so you stay up to date with the latest version.