FireEye Stories Blog

Amazon VPC Ingress Routing – Reducing Deployment Complexity for Network Security Customers

FireEye announced the availability of virtual Network Security (vNX) on Amazon Web Services (AWS) at our Cyber Defense Summit in early October 2019. While many customers are already using this product, one of the key pieces of feedback that was received was “the ability to deploy NX in AWS is a great advantage, but it would be great if we did not need an additional NAT gateway.” AWS heard this feedback from a wide variety of customers and today at AWS re:Invent 2019 announced Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing.

Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.

Amazon VPC Ingress Routing will address the following use cases:

  1. Screen all external traffic: Customers can choose to route incoming traffic from the internet originating from on-premises environments through security appliances of their choice, such as a firewall, before the traffic reaches the intended AWS subnets and workloads.
  2. Intercept traffic flowing into different subnets with separate appliances: Amazon VPC Ingress Routing allows customers to segment the incoming traffic based on the subnets to which these packets are destined and route these packets through appropriate network appliances. For example, a customer can enter routes to direct traffic to subnet A to first go through an advanced firewall, traffic to subnet B to pass through intrusion detection, traffic to subnet C to pass through WAN acceleration, etc.

Amazon VPC Ingress Routing greatly simplifies deployment for running FireEye Network Security inline in AWS. It removes the need for an additional third party NAT instance, allowing end users to enter their routing directly in the VPC, and providing the ability to route different kinds of traffic to specific devices for inspection (for example, routing certain destinations to FireEye SmartVision for lateral movement detection). All-in-all, ingress routing is just another step AWS is taking to ensure that end users can flexibly inspect the traffic flowing through their cloud workloads.