©2025 Discover
The opinions expressed in this presentation are those of the presenter, in their individual capacity, and not necessarily those of Discover.

Automated VPC migration into centralized inspection architecture with AWS Gateway Load Balancer

Ioannis Koustoudis, Pr. Infrastructure Engineer at DFS
Hrishikesh Ghodke, Infrastructure Engineer at DFS
Ronak Trivedi, Cybersecurity Engineer at DFS
Agenda

• Moving into centralized inspection architecture with AWS GWLB
• Helping our internal customers to understand their AWS VPC networking patterns
• Automation to migrate all the AWS VPCs into inspection
• Building firewall policy based on VPC network patterns
• Building tools:
  ‒ To automate the creation of policies
  ‒ To detect in real time packet drops from firewall appliances
Moving into centralized inspection architecture with AWS GWLB

• All traffic between VPCs in the same region is inspected by virtual firewall appliances, with the help of AWS GWLB inside the “Inspection” VPC.
• Traffic from the source VPC is led to the “Inspection” VPC and, if the firewalls allow it, is forwarded to the destination VPC.
• The response coming back also takes the path through the “Inspection” VPC before reaching its final destination.
• Firewall policies inside the appliances, based on src/dst addresses and ports, decide whether to “allow” or “drop” the traffic.
• AWS CloudWatch Insights to share VPC flow logs
Automation to migrate all the AWS VPCs into inspection

• We built a pipeline to automate migration of VPCs into inspection. You could select:
  ‒ Which VPC to migrate into inspection.
  ‒ Which TGW route tables to update in parallel.
  ‒ Whether to change the TGW route table association or not.
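As an added example (not Discover's pipeline), the three choices on this slide can be modelled as a plan that a pipeline executes: a request names the VPC, the TGW route tables to update in parallel, and whether to move the attachment's association. All ids and CIDRs are constructed placeholders, and the route semantics (a static route for the VPC's CIDR pointing at the Inspection VPC attachment in each selected route table, then optionally re-associating the VPC attachment to another route table) are assumptions about a typical GWLB centralized-inspection layout, not details taken from the deck.

```python
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class MigrationRequest:
    vpc_cidr: str                      # CIDR of the spoke VPC being migrated
    vpc_attachment_id: str             # TGW attachment of that VPC
    inspection_attachment_id: str      # TGW attachment of the Inspection VPC
    route_table_ids: tuple             # TGW route tables selected for update
    change_association: bool = False   # also move the VPC attachment's association?
    target_association_rtb: Optional[str] = None


def plan_migration(req: MigrationRequest):
    """Ordered, idempotent steps: one static route per selected route table
    sending the VPC's CIDR to the inspection attachment (static TGW routes
    take precedence over propagated ones), then the optional association move."""
    steps = [{"op": "set_route", "route_table_id": rtb, "cidr": req.vpc_cidr,
              "attachment_id": req.inspection_attachment_id}
             for rtb in req.route_table_ids]
    if req.change_association:
        if not req.target_association_rtb:
            raise ValueError("change_association requires target_association_rtb")
        steps.append({"op": "reassociate", "attachment_id": req.vpc_attachment_id,
                      "route_table_id": req.target_association_rtb})
    return steps


def plan_rollback(req: MigrationRequest):
    """Inverse of the route steps: point the CIDR back at the VPC's own attachment.
    Restoring an association needs the pre-change snapshot the caller records
    before apply_plan (not modelled here)."""
    return [{"op": "set_route", "route_table_id": rtb, "cidr": req.vpc_cidr,
             "attachment_id": req.vpc_attachment_id}
            for rtb in req.route_table_ids]


def apply_plan(steps, apply_step: Callable[[dict], dict], max_workers=4):
    """Route steps touch independent route tables, so they run in parallel;
    the association change runs last, once every route table is updated."""
    route_steps = [s for s in steps if s["op"] == "set_route"]
    other_steps = [s for s in steps if s["op"] != "set_route"]
    results = []
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results.extend(pool.map(apply_step, route_steps))  # order preserved
    for step in other_steps:
        results.append(apply_step(step))
    return results


def dry_run_step(step):
    """Applier that records the step instead of calling AWS."""
    return {"status": "planned", **step}


def boto3_applier(ec2):
    """Applier around a boto3 EC2 client (assumption: the caller holds the IAM
    permissions for these calls; this path is not exercised offline)."""
    from botocore.exceptions import ClientError

    def _apply(step):
        if step["op"] == "set_route":
            kwargs = dict(DestinationCidrBlock=step["cidr"],
                          TransitGatewayRouteTableId=step["route_table_id"],
                          TransitGatewayAttachmentId=step["attachment_id"])
            try:
                ec2.create_transit_gateway_route(**kwargs)
            except ClientError:  # a static route for this CIDR already exists
                ec2.replace_transit_gateway_route(**kwargs)
        else:
            att_ids = [step["attachment_id"]]
            att = ec2.describe_transit_gateway_attachments(
                TransitGatewayAttachmentIds=att_ids)["TransitGatewayAttachments"][0]
            current = att.get("Association", {}).get("TransitGatewayRouteTableId")
            if current and current != step["route_table_id"]:
                ec2.disassociate_transit_gateway_route_table(
                    TransitGatewayRouteTableId=current, TransitGatewayAttachmentId=att_ids[0])
                # Disassociation is asynchronous (assumption: the Association field
                # is absent once it completes), so poll before associating again.
                while "Association" in ec2.describe_transit_gateway_attachments(
                        TransitGatewayAttachmentIds=att_ids)["TransitGatewayAttachments"][0]:
                    time.sleep(5)
            if current != step["route_table_id"]:
                ec2.associate_transit_gateway_route_table(
                    TransitGatewayRouteTableId=step["route_table_id"],
                    TransitGatewayAttachmentId=att_ids[0])
        return {"status": "applied", **step}
    return _apply


if __name__ == "__main__":
    req = MigrationRequest("10.10.0.0/16", "tgw-attach-vpc0001", "tgw-attach-insp0001",
                           ("tgw-rtb-a", "tgw-rtb-b"), True, "tgw-rtb-spokes")
    for result in apply_plan(plan_migration(req), dry_run_step):
        print(result)
```

Running the plan through `dry_run_step` first gives a reviewable change list (and `plan_rollback` the matching undo) before `boto3_applier` is ever handed a real client; the association step is deliberately sequenced after all route updates so no spoke is left associated with a route table that does not yet send its traffic through inspection.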
Packet Drop Monitor

Packet drop monitor is a homegrown deep packet observability solution that analyzes network traffic logs to generate real-time notifications for our internal customers.

Real-time Notifications
This monitoring solution sends real-time notifications to the internal AWS customer for any network traffic/packet drops from their AWS Virtual Private Cloud (VPC) at 3rd party firewalls within AWS.

AWS Native & Highly Available
The solution uses AWS-native services, which are proven to be highly available and scalable.

Cost Efficient
The cost-aware design saves the company money by utilizing the secure/efficient AWS backbone network instead of sending data over Transit Gateways.
Packet Drop Monitor architecture (diagram; the original slide numbers the flow 1–8)

Components shown, in the Shared Services Account, AFS1 Region, in the apparent order of the flow:
• 3rd party Firewalls → AWS Vector → CloudWatch Logs (Security VPC, private subnet, security group)
• CloudWatch Logs subscription to Kinesis → packet-drop-monitor Kinesis Data Stream
• Packet-drop-lambda: Lambda Function with Kinesis trigger, with Read/Write and Read edges to the packet-drop-metadata DynamoDB Table and the Public Cloud API
• sqs-send-email queue → Send Email Lambda Function

Sample dropped-flow record (step 1 of the diagram):

begin_time           src_ip     src_port  dest_ip    dest_port  action  device_name
2024/06/19 08:56:51  10.10.x.x  54948     10.20.x.x  443        drop    fw-prod-af-south-1-01
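The core of the Lambda stage of that pipeline, as an added example that is not Discover's packet-drop-monitor code: it decodes the CloudWatch Logs subscription envelope that Kinesis delivers (base64 of gzip-compressed JSON with a `logEvents` list, which is the real AWS format), parses firewall records in the slide's column order, keeps only drops whose source belongs to a known VPC, and groups them per owner into one queue message each. The comma-separated line format, the metadata table contents (assumed to be keyed by VPC CIDR) and all addresses are constructed.

```python
import base64
import gzip
import ipaddress
import json
from collections import defaultdict

# Column order from the slide's sample record; comma separation is constructed.
FIELDS = ("begin_time", "src_ip", "src_port", "dest_ip", "dest_port",
          "action", "device_name")

# Constructed stand-in for the packet-drop-metadata DynamoDB table
# (assumption: keyed by VPC CIDR, holding the owning team's contact address).
VPC_METADATA = {
    "10.10.0.0/16": {"vpc_id": "vpc-0aaaaaaa", "owner_email": "team-a@example.com"},
    "10.20.0.0/16": {"vpc_id": "vpc-0bbbbbbb", "owner_email": "team-b@example.com"},
}


def parse_fw_log(line):
    """Split one firewall log line into a dict; None if it is malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def lookup_vpc(ip):
    """Longest-prefix match of an address against the metadata table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best = None
    for cidr, meta in VPC_METADATA.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, meta)
    return best[1] if best else None


def decode_record(record):
    """A CloudWatch Logs subscription delivers base64(gzip(JSON)) to Kinesis."""
    return json.loads(gzip.decompress(base64.b64decode(record["kinesis"]["data"])))


def extract_drops(event):
    """One notice per dropped flow whose source address belongs to a known VPC."""
    notices = []
    for record in event["Records"]:
        payload = decode_record(record)
        if payload.get("messageType") != "DATA_MESSAGE":
            continue  # CONTROL_MESSAGE is sent once when the subscription is created
        for log_event in payload["logEvents"]:
            entry = parse_fw_log(log_event["message"])
            if entry is None or entry["action"].lower() != "drop":
                continue
            owner = lookup_vpc(entry["src_ip"])
            if owner is None:
                continue  # not one of our VPCs, so there is nobody to notify
            notices.append({**entry, **owner})
    return notices


def build_email_messages(notices):
    """Group drops per owning VPC so each team receives a single queue message."""
    grouped = defaultdict(list)
    for n in notices:
        grouped[(n["owner_email"], n["vpc_id"])].append(
            f'{n["begin_time"]} {n["src_ip"]}:{n["src_port"]} -> '
            f'{n["dest_ip"]}:{n["dest_port"]} dropped at {n["device_name"]}')
    return [{"to": email, "vpc_id": vpc, "body": "\n".join(lines)}
            for (email, vpc), lines in grouped.items()]


def handler(event, context=None, send=None):
    """Lambda entry point. `send` receives each serialized message; a deployment
    would pass a wrapper around sqs.send_message(QueueUrl=..., MessageBody=...)."""
    messages = build_email_messages(extract_drops(event))
    if send is not None:
        for message in messages:
            send(json.dumps(message))
    return {"notified": len(messages)}


def make_test_event(lines):
    """Wrap constructed log lines in the CloudWatch-Logs-over-Kinesis envelope."""
    payload = {"messageType": "DATA_MESSAGE", "logGroup": "/fw/prod",
               "logEvents": [{"id": str(i), "timestamp": 0, "message": m}
                             for i, m in enumerate(lines)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"Records": [{"kinesis": {"data": data}}]}


# Constructed sample lines; the addresses are private-range placeholders.
SAMPLE_LINES = [
    "2024/06/19 08:56:51,10.10.1.4,54948,10.20.5.9,443,drop,fw-prod-af-south-1-01",
    "2024/06/19 08:56:52,10.10.1.4,54949,10.20.5.9,443,allow,fw-prod-af-south-1-01",
    "2024/06/19 08:56:53,10.20.7.7,41000,10.10.1.4,22,drop,fw-prod-af-south-1-01",
    "2024/06/19 08:56:54,192.168.9.9,41001,10.10.1.4,22,drop,fw-prod-af-south-1-01",
    "not a firewall record",
]

if __name__ == "__main__":
    print(handler(make_test_event(SAMPLE_LINES), send=print))
```

Of the five constructed lines, two produce notifications (the allowed flow, the drop from an address outside every known VPC, and the malformed line are skipped), one per owning team. Grouping per owner before enqueueing is what keeps a noisy source from turning into one e-mail per packet.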
Building firewall policy based on VPC network patterns

Access Map Objects

objects:
  address_group1:
    - 10.10.10.1
  address_group2:
    - 10.10.10.2
  service_group1:
    - port: 443
      protocol: tcp

Why Access Maps?
• Shift-left ownership
• Visibility of owned access
• JSON data structures (Security-as-Code)
• Automation capabilities

Access Map Policies

policies:
  policy_rule1:
    source:
      - address_group1
    destination:
      - address_group2
    service:
      - service_group1
Firewall Policy Automation

• Automated comparison between VPC flow logs and firewall access maps
• Automated staging and implementation of firewall policy
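The comparison step, as an added example that is not Discover's tooling, serving both the access-map slide and this one: it evaluates observed VPC flow-log records against the access map's objects and policies, reporting which accepted flows a rule already covers, which do not match any rule (aggregated into proposed rules for staging), and which rules never matched (cleanup candidates). The access map extends the slide's objects and policies with a second, constructed rule; the flow-log lines are constructed in the default VPC flow-log record format (version 2 field order, protocol as an IANA number).

```python
import ipaddress

# The slide's access map plus a constructed second rule (address_group3,
# service_group2, policy_rule2) so the unused-rule case is exercised.
ACCESS_MAP = {
    "objects": {
        "address_group1": ["10.10.10.1"],
        "address_group2": ["10.10.10.2"],
        "address_group3": ["10.30.0.0/16"],
        "service_group1": [{"port": 443, "protocol": "tcp"}],
        "service_group2": [{"port": 8443, "protocol": "tcp"}],
    },
    "policies": {
        "policy_rule1": {"source": ["address_group1"], "destination": ["address_group2"],
                         "service": ["service_group1"]},
        "policy_rule2": {"source": ["address_group3"], "destination": ["address_group2"],
                         "service": ["service_group2"]},
    },
}

# Default VPC flow-log record fields, in order.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes", "start",
               "end", "action", "log_status")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow(line):
    """Parse one flow-log record; None unless it is an accepted data record."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    # NODATA/SKIPDATA records carry no addresses; REJECT records were stopped
    # by a security group or NACL inside the VPC and never reached the firewall.
    if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
        return None
    rec["dstport"] = int(rec["dstport"])
    rec["protocol"] = PROTO_NAMES.get(int(rec["protocol"]), rec["protocol"])
    return rec


def _addr_in_groups(ip, group_names, objects):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for g in group_names for cidr in objects[g])


def _service_in_groups(rec, group_names, objects):
    return any(svc["port"] == rec["dstport"] and svc["protocol"] == rec["protocol"]
               for g in group_names for svc in objects[g])


def match_rule(rec, access_map):
    """Name of the first policy rule covering the flow, or None."""
    objects = access_map["objects"]
    for name, rule in access_map["policies"].items():
        if (_addr_in_groups(rec["srcaddr"], rule["source"], objects)
                and _addr_in_groups(rec["dstaddr"], rule["destination"], objects)
                and _service_in_groups(rec, rule["service"], objects)):
            return name
    return None


def compare(flow_lines, access_map):
    """Split observed flows into covered / uncovered and list rules never hit."""
    covered, uncovered, hit = [], {}, set()
    for line in flow_lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        key = (rec["srcaddr"], rec["dstaddr"], rec["protocol"], rec["dstport"])
        rule = match_rule(rec, access_map)
        if rule:
            hit.add(rule)
            covered.append({"rule": rule, "flow": key})
        else:  # aggregate by 4-tuple so one proposal is staged per distinct flow
            uncovered[key] = uncovered.get(key, 0) + int(rec["packets"])
    proposed = [{"source": [src], "destination": [dst],
                 "service": [{"port": port, "protocol": proto}], "packets": n}
                for (src, dst, proto, port), n in uncovered.items()]
    unused = [name for name in access_map["policies"] if name not in hit]
    return {"covered": covered, "proposed_rules": proposed, "unused_rules": unused}


# Constructed flow-log lines (one covered, three uncovered, one REJECT, one NODATA).
SAMPLE_FLOWS = [
    "2 123456789012 eni-0abc1234 10.10.10.1 10.10.10.2 49152 443 6 10 840 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.10.10.1 10.10.10.2 49153 22 6 3 180 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.10.10.1 10.10.10.2 49160 22 6 2 120 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.10.10.5 10.10.10.2 49154 443 6 3 180 1718787411 1718787471 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.10.10.1 10.10.10.2 49155 443 6 1 40 1718787411 1718787471 REJECT OK",
    "2 123456789012 eni-0abc1234 - - - - - - - 1718787411 1718787471 - NODATA",
]

if __name__ == "__main__":
    import json
    print(json.dumps(compare(SAMPLE_FLOWS, ACCESS_MAP), indent=2))
```

The proposed rules are what a staging step would hand to the VPC owner for review (a port-22 flow showing up as "observed but unpermitted" is exactly the kind of thing to question rather than automatically allow), and `unused_rules` feeds the reverse direction: access that is written into the map but never exercised.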
Thank you!