Problem Statement:
Traffic heading to VPCs/VNets, whether East-West or egress/ingress to and from the internet, may require inspection by Next-Generation Firewalls (NGFW). As most of this traffic is encrypted, using the NGFW itself for SSL decryption has a huge impact on its inspection performance. Enterprises typically have further requirements for any service insertion:
Offload SSL decryption from the NGFW to F5 or similar specialized SSL-offload appliances that can do service chaining.
If there are multiple security appliances, SSL decryption should happen only once.
Transparently redirect interesting traffic to inspection.
Perform all of these tasks without manually changing route tables or maintaining complicated peering/IPSec/BGP configurations.
There should be no NAT, and the true source IP needs to remain visible.
It should be operationally simple for support teams to build, manage and support the architecture.
Solution:
The Aviatrix platform offers Transit FireNet functionality that simplifies deployment of security-focused appliances in the data path without requiring any manual route table management, SNAT or IPSec/BGP configuration. All interesting traffic is redirected transparently to the security appliance without any change needed at the applications.
Transit FireNet is a well-documented feature; see https://docs.aviatrix.com/HowTos/transit_firenet_faq.html
The same solution extends to F5 BIG-IP appliances in public cloud, which can leverage the Aviatrix control plane and data plane to insert the F5 BIG-IP appliance in the path without any manual route table management.
Design Patterns:
SSL-O for Ingress from Internet
SSL-O for E-W and Egress to Internet
SSL-O in Multi-Cloud Environment with mixed requirements
There are a few key resources that can help you understand and implement this solution.
Originally posted: https://community.aviatrix.com/t/p8h65hv/transparent-ssl-offloading-for-ngfw-ips-ids-dlp-service-insertion