How Should I Filter Egress Traffic From AWS VPCs?

As we all know, AWS follows a “Shared Responsibility Model” for security and compliance. This means that while AWS takes care of the security of the cloud itself, you are responsible for securing your data in the cloud. When it comes to securing Virtual Private Clouds (VPCs), cloud operations teams usually focus on blocking unwanted traffic coming in from the internet. However, traffic leaving a VPC and going out to the internet is often overlooked and left unfiltered.

This is usually because telling the difference between legitimate and illegitimate outbound internet requests can seem challenging. For user-initiated traffic, it often is. However, most workloads in the cloud are server-based applications and services. You might have users in DaaS services like Amazon Workspaces, but those are usually placed in their own VPCs. Because of this, the destinations of outbound traffic are generally known or can be identified easily. This means that filtering outbound traffic can and should be a top priority for your organization.

Why Should You Filter Egress Traffic?

Before diving into how to filter this type of traffic, let’s understand why it’s crucial. Many security experts agree that being hacked isn’t a question of if, but when. Encrypting data at rest is vital for protection. Yet, there are often one or more data sources left unencrypted, creating a vulnerability where your data can be at risk.

Without Any Filtering

Picture a situation where a hacker infiltrates your AWS environment. Without outbound controls, the hacker can easily transfer your data to any site. However, by filtering outbound egress traffic to permit only trusted sites and blocking all others, you can prevent the hacker from exfiltrating your data, even if they gain access.

Implementing an Inline FQDN Egress Filter

Egress filtering is essential for several reasons. The SANS Institute has an excellent article that explores this topic in detail, offering more insights and benefits of egress filtering.

Effective Ways to Filter Egress Traffic

So, where do you start? In the rest of this document, we will explore the different options available and discuss the pros and cons of each approach.

In this blog, we will explore three effective methods for managing outbound internet access within AWS Virtual Private Clouds (VPCs):

1. AWS Native Services – AWS NAT Gateway & AWS NAT Instances
2. Proxies, such as Squid Proxy
3. Third-party In-Line VPC NAT Gateways, such as Prosimo Gateway

AWS Native Services

AWS offers two options to enable your private subnet instances to connect to the internet: NAT Instances and NAT Gateways. It’s best to use the fully managed, highly available NAT Gateway service instead of NAT Instances.

When managing outbound traffic with these built-in services, you’ll need to use security groups and Network ACLs. One advantage of using a NAT instance is that security groups can be directly linked to NAT instances, which is not possible with the NAT gateway. If you choose the NAT gateway and want to control outbound traffic using security groups, you must link the EC2 instances behind the gateway with the security group.

One downside to using these native services is that security groups and Network ACLs require policies to be specified by IP address rather than domain name. At first, this might not seem like an issue. However, managing it over time can be challenging. While the list of allowed URLs or domains is usually short, the corresponding IP addresses are often not, and they can change without notice. Filtering outbound traffic by a list of expected domain names is a more effective way to secure outgoing traffic from a VPC.

When utilizing AWS NAT Gateways and NAT Instances, there are several additional factors to consider:

1. Limitations on Security Groups and ACLs: There exists a cap on the number of entries that can be included in security groups and ACLs.
2. Fault Tolerance: NAT gateways are inherently fault-tolerant, whereas NAT instances are not. For environments using AWS NAT instances, ensuring high availability requires manual failover management using tools like AWS Auto Scaling Groups and Lambda.
3. Infrastructure Replication: Setting up identical infrastructure for each VPC is necessary. CloudFormation templates can streamline this process, ensuring consistency across environments.

These considerations are crucial for effectively managing outbound traffic and maintaining robust network architecture within AWS environments.

Web Proxy

A web proxy is a common method employed by administrators to filter traffic effectively. In this approach, all traffic is directed through NAT instances equipped with a proxy engine, such as Squid. Although routing traffic to a proxy can be configured through OS modifications, our focus here is on utilizing a centralized proxy managed via AWS route tables.

Architecture with a Proxy

In this architecture setup, one or more NAT instances are deployed within a public subnet. Once set up, proxy software is installed and configured to permit traffic only from specified and trusted hostnames. With both the NAT instance and proxy configured, the final step involves updating the route table of each private subnet by adding a default route (0.0.0.0/0) that directs traffic to the Elastic Network Interface (ENI) of the proxy instance. This configuration must be replicated across every VPC requiring internet connectivity.

This method is effective for filtering HTTP/S traffic. However, it’s important to note that typical web proxies may not be capable of filtering traffic based on other protocols or ports.

Considerations for Implementing a Web Proxy Infrastructure in AWS

When implementing a web proxy approach with AWS, several key considerations should be taken into account:

1. AWS Route Table Limitations: AWS route tables can only direct traffic to a single ENI or instance ID for the default route (0.0.0.0/0). This requires manual management, including updating route tables in case of failures.
2. High Availability (HA) Requirements: Achieving true high availability involves additional setup using AWS services:
   • Utilize AWS Auto Scaling Group to ensure there are always one or more proxy instances available.
   • Implement AWS Lambda functions to automate the updating of route table default routes during failover events.
   • All monitoring and management tasks need to be performed manually, requiring proactive oversight.
3. Management of Proxy Software: Each VPC’s NAT instances hosting proxy software must be managed separately. This includes the time required for adding, testing, and modifying policies across different VPCs.
4. Instance Sizing: Properly sizing the proxy instances is crucial. Monitoring bandwidth usage closely and adjusting instance sizes as necessary ensures optimal performance.
5. Scalability Challenges: As the number of VPCs increases, so does the complexity of administering this solution. Managing multiple VPCs requires careful coordination and scaling efforts to maintain efficiency and effectiveness.

These considerations are essential for designing and maintaining a robust web proxy infrastructure in AWS, ensuring reliable traffic filtering and management across multiple VPC environments.

In-line VPC Gateway Filtering           

AWS partners like Prosimo offer solutions that effectively address the limitations of traditional VPC gateway options with cost-effective and straightforward management. Prosimo introduces an architecture that resembles a proxy solution but enhances it with a centralized console. This console enables comprehensive management, monitoring, alerting, and automatic failover capabilities, making it a robust choice for VPC gateway filtering.

Using Prosimo, you can deploy two Prosimo Gateways through the Prosimo Cloud Networking Console to ensure high availability (HA). This console serves as a centralized management interface for all egress filtering throughout your cloud setup, spanning AWS, Azure, and GCP. Unlike traditional methods involving text editors, policies are managed via a user-friendly web console. Once established, these policies can be easily shared across your entire cloud environment, streamlining management and ensuring consistency.

Key Considerations for Implementing with Prosimo

1. Centralized Management: Policies are managed centrally by the Controller. You can easily add, update, or remove rules using a web interface or through various automation options like Terraform, Python and Go SDKs, CloudFormation, and the REST API.
2. Tag-Centric Policies: Policies are tag-centric, allowing you to associate rules directly with a VPC by adding a tag to the gateway. Removing the tag removes the associated policies, all controlled from the central console.
3. Automatic Load Balancing: Load balancing between the Prosimo Gateways is automatic. When a new gateway is deployed, traffic is balanced automatically, ensuring efficient use of resources.
4. Automated Failover: Failover in case of faults is handled automatically with minimal downtime, managed centrally by the Controller. This ensures high availability and reliability of your network infrastructure.
5. Throughput Monitoring and Scaling: The Controller monitors throughput, allowing you to resize instances quickly and seamlessly without downtime as traffic demands change.
6. Automated VPC Setup: New VPCs can be set up automatically. Integration with CI/CD systems or through the web interface simplifies the process—install the gateway and attach existing policies or create new ones as needed.

Implementing these features with Prosimo provides a robust solution for managing and securing your cloud networking environment with ease and efficiency.

Conclusion

Filtering egress traffic from AWS Virtual Private Clouds (VPCs) is not just a best practice but a critical step in securing your cloud environment. As outlined in this blog, the shared responsibility model of AWS emphasizes your role in securing data within the cloud. While much attention is often given to inbound traffic, outbound traffic must not be overlooked.

By implementing effective egress filtering strategies such as AWS Native Services like NAT Gateways, proxies such as Squid Proxy, or advanced solutions like Prosimo Gateways, organizations can significantly enhance their security posture. These methods not only enable organizations to control outbound traffic based on trusted destinations but also mitigate the risk of data exfiltration in case of a security breach.

Choosing the right method depends on various factors such as scalability needs, management complexity, and desired level of automation. AWS Native Services offer simplicity and integration within the AWS ecosystem, while third-party solutions like Prosimo provide advanced features like centralized management and automated failover, ideal for large-scale deployments across multi-cloud environments.

To ensure your AWS VPCs are effectively secured, consider integrating a comprehensive cloud networking solution like Prosimo. Prosimo’s full stack cloud networking solution delivers consistent architecture across cloud boundaries, empowering organizations with robust control over their egress traffic policies. Protect your data and maintain compliance with ease by partnering with Prosimo for your cloud networking needs.