Our customer was faced with the challenge of providing access from the Internet at a central transfer point within its productive AWS account environments, analyzing the incoming traffic via web application firewall rules and then forwarding the access requests to the backend systems, which exclusively be deployed in private Virtual Private Cloud (VPC).
Proposed solution & architecture
Working closely with our customer, we have developed a solution to overcome these challenges. The implementation included building dedicated firewall and Internet access VPCs to decouple incoming Internet access from the productive backend systems.
The incoming requests are then transferred via the external application load balancer to the processing backend systems in the private network environments via the implementation of AWS Private Links.
AWS Private Links are defined via two components. Firstly, via the AWS Endpoint. This is a network interface in a defined subnet of the firewall VPC. AWS Security groups define which communication ports, in our case port 443, are accepted. The source is the web application firewall in the firewall VPC.
The second component is the associated VPC Endpoint Service. This provides a unique communication relationship to an AWS service within and/or across AWS accounts.
In our scenario, we address AWS Network Loadbalancers in the private networks and across the account. This solution offers the great advantage that communication relationships are mapped at the application level (Layer 7) and not, as with classic connections via Layer 4 (Protocol Transport Layer), since in this case a 1-to-1 routing connection always has to be set up.
Advantages for our customer
Successful implementation results in improved overall security and efficiency of the customer's cloud infrastructure.
Consolidation of external access points
The new architecture enabled consolidation of external access points, simplifying management and increasing security. Communication relationships can be managed and established at the application level anywhere within the AWS environments.
Increased network security
Isolation of communications through dedicated firewall and Internet access VPCs results in a significant improvement in network security. Routing connections between the firewall and private network environments are no longer necessary with the setup of AWS Private Links.
Implementing one-to-many communication at the application level
The solution enabled efficient and secure one-to-many communication at the application level, increasing scalability and performance.
The successful implementation of Network Private Link not only improved our customer's network security, but also increased efficiency. Through close collaboration and successful project management, a tailor-made solution could be implemented that meets our customer's specific requirements and challenges. This experience confirms our expertise in developing advanced solutions for complex cloud infrastructures.