Additional Benefits of Centralized Egress
Managed AWS Firewall Rules
With AWS Network Firewall in the egress path, we can attach AWS-managed rule groups, which gives us active threat defense, at least on the egress side: AWS keeps the signature and domain-reputation rules current, so we don't have to write or maintain them ourselves. That makes malware much easier to stop. A compromised NPM module reaching out to a Korean botnet, for instance, runs into a rule that is already in place. The caveat is that the firewall only inspects what actually passes through the egress VPC; a spoke with its own Internet gateway, or traffic that leaves through a VPC endpoint, is never seen by it.
North/South Security
At least from an egress perspective, we can now attach any custom or AWS-managed rule group to the firewall policy at a moment's notice and filter traffic bound for the Internet. Because every spoke's default route leads through the egress VPC, a rule added there applies to all of them at once; there is no per-VPC rollout.
Firewall Logging
We can capture alert logs (one record each time a stateful rule fires, with the rule's action and signature) and flow logs (one record per network flow the stateful engine handled, whether or not a rule fired). We currently send both to Amazon CloudWatch Logs.
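Once both log types land in CloudWatch, the useful question is not "which rules fired" but "how much data moved on the flow that fired them". The following is an added example, not code from the original post or from OPENLANE: it joins Network Firewall alert records to flow records on Suricata's flow_id and picks out the alert-only matches where traffic was allowed to continue. The log lines are constructed for the example (documentation-range addresses, made-up local signature IDs and names); the field layout follows the Network Firewall log format, but confirm any field you rely on against your own logs.

```python
"""Triage AWS Network Firewall logs delivered to CloudWatch Logs.

Network Firewall writes Suricata EVE-style JSON: an 'alert' record each time a
stateful rule fires, and a 'netflow' record when a flow ends. Suricata stamps
both with the same flow_id, so an alert can be joined to its flow to see how
much data actually moved before (or despite) the rule. The log lines below are
constructed for this example: addresses are from documentation ranges and the
signature IDs/names are made-up local rules, not real ET signatures.
"""
import json
from collections import Counter

SAMPLE_NFW_LOG = """\
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1709294400","event":{"timestamp":"2024-03-01T12:00:00.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.42.7.15","src_port":51314,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"rev":1,"signature":"LOCAL egress known C2 host","category":"Constructed sample","severity":1}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1709294401","event":{"timestamp":"2024-03-01T12:00:01.000000+0000","flow_id":101,"event_type":"netflow","src_ip":"10.42.7.15","src_port":51314,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","netflow":{"pkts":3,"bytes":222,"start":"2024-03-01T12:00:00.000000+0000","end":"2024-03-01T12:00:01.000000+0000","age":1,"min_ttl":64,"max_ttl":64}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1709294405","event":{"timestamp":"2024-03-01T12:00:05.000000+0000","flow_id":202,"event_type":"alert","src_ip":"10.42.9.80","src_port":40222,"dest_ip":"198.51.100.77","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"LOCAL egress TLS to unknown ASN (alert only)","category":"Constructed sample","severity":2}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1709294465","event":{"timestamp":"2024-03-01T12:01:05.000000+0000","flow_id":202,"event_type":"netflow","src_ip":"10.42.9.80","src_port":40222,"dest_ip":"198.51.100.77","dest_port":443,"proto":"TCP","netflow":{"pkts":4120,"bytes":5871304,"start":"2024-03-01T12:00:04.000000+0000","end":"2024-03-01T12:01:05.000000+0000","age":61,"min_ttl":64,"max_ttl":64}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1c","event_timestamp":"1709294470","event":{"timestamp":"2024-03-01T12:01:10.000000+0000","flow_id":303,"event_type":"netflow","src_ip":"10.42.3.4","src_port":33000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","netflow":{"pkts":12,"bytes":1500,"start":"2024-03-01T12:01:09.000000+0000","end":"2024-03-01T12:01:10.000000+0000","age":1,"min_ttl":64,"max_ttl":64}}}
"""


def parse_events(log_text):
    """Unwrap the outer record and return the inner Suricata 'event' objects."""
    return [json.loads(line)["event"] for line in log_text.splitlines() if line.strip()]


def join_alerts_to_flows(events):
    """One finding per alert, carrying the byte count of the flow it fired on."""
    flows = {e["flow_id"]: e["netflow"] for e in events if e["event_type"] == "netflow"}
    findings = []
    for e in events:
        if e["event_type"] != "alert":
            continue
        flow = flows.get(e["flow_id"])
        findings.append({
            "flow_id": e["flow_id"],
            "action": e["alert"]["action"],      # "blocked" = drop rule, "allowed" = alert-only rule
            "signature": e["alert"]["signature"],
            "src_ip": e["src_ip"],
            "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
            "bytes": flow["bytes"] if flow else None,  # None: flow still open when the log was cut
        })
    return findings


def passed_despite_alert(findings, min_bytes=1_000_000):
    """Alert-only rules let traffic through; these are the matches where real data moved."""
    return [f for f in findings if f["action"] == "allowed" and (f["bytes"] or 0) >= min_bytes]


def alerts_per_source(findings):
    """Which internal hosts keep tripping rules: the likely compromised instances."""
    return Counter(f["src_ip"] for f in findings)


if __name__ == "__main__":
    found = join_alerts_to_flows(parse_events(SAMPLE_NFW_LOG))
    for f in found:
        print(f"{f['action']:8} {f['src_ip']} -> {f['dest']} {f['bytes']} bytes  {f['signature']}")
    for f in passed_despite_alert(found):
        print(f"REVIEW: flow {f['flow_id']} moved {f['bytes']} bytes after an alert-only match")
```

The blocked flow shows 222 bytes, which is the TLS handshake dying at the drop; the alert-only flow shows 5.8 MB leaving, which is the record you want on a dashboard when a rule group is deployed in alert mode before it is switched to drop.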
DNS Filtering
Today, in our OPENLANE AWS Organization, we have over 125 separate AWS accounts. I've made efforts to get all of the networks in these accounts to forward their DNS queries to our central DNS resolvers:

This conceptual network follows the same DNS architecture: all DNS queries hit the Route 53 Resolvers in the egress VPC. That means Route 53 Resolver DNS Firewall rules only need to be associated with one VPC per region, and AWS's managed domain lists block queries for known malware and botnet command-and-control domains automatically. If a hacker compromises a Java library, and we're concerned that it will exfiltrate data to a server in Greece, chances are AWS has already blocked the domain in its managed list. Note that DNS Firewall matches names, not addresses: malware that connects to a hard-coded IP never asks DNS, and that case is the Network Firewall's job.
We can also maintain our own domain lists for sites we know to be hostile but aren't sure AWS is blocking.
DNS Firewall also helps against attacks where hackers tunnel network protocols through DNS, since a tunnel has to resolve names under a domain the attacker controls, and a domain-list rule can cut that off. This only holds if instances cannot reach an outside resolver directly, so outbound port 53 to anything but the Route 53 Resolver (and DNS over HTTPS to public resolvers) should be dropped at the Network Firewall.
DNS Query Logging
Just as we send Network Firewall logs to CloudWatch, we can turn on Resolver query logging for the egress VPC and record every DNS query: the name and record type, the source address and instance ID, the response code, and whether a DNS Firewall rule allowed, alerted on or blocked it.
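The query log is where the tunneling case from the DNS Filtering section and the logging point above meet: a managed list stops queries to domains AWS already knows, but a tunnel to a domain nobody has listed yet only shows up in the log, as a burst of unique, high-entropy subdomains under one base domain, often TXT lookups from a single instance. The following is an added example, not code from the original post or from OPENLANE. It scans constructed Resolver query log lines for that pattern and separately lists what the DNS Firewall already blocked. The record layout follows the Route 53 Resolver query log JSON format; the domain names, instance IDs, VPC ID and rule-group/domain-list IDs are made up, and the thresholds are starting points to tune against your own baseline.

```python
"""Hunt for DNS tunneling in Route 53 Resolver query logs (constructed sample).

Records are one JSON object per line. The firewall_rule_* fields appear only
on queries a DNS Firewall rule acted on. Everything below the docstring that
names a domain, instance or rule-group ID is made up for this example.
"""
import json
import math
from collections import Counter, defaultdict

SAMPLE_QUERY_LOG = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:00Z","query_name":"www.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.34","Type":"A","Class":"IN"}],"srcaddr":"10.42.7.15","srcport":"51201","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaa1"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:01Z","query_name":"api.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.35","Type":"A","Class":"IN"}],"srcaddr":"10.42.7.15","srcport":"51202","transport":"UDP","srcids":{"instance":"i-0aaaaaaaaaaaaaaa1"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:02Z","query_name":"counters.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.36","Type":"A","Class":"IN"}],"srcaddr":"10.42.9.80","srcport":"40100","transport":"UDP","srcids":{"instance":"i-0bbbbbbbbbbbbbbb2"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:03Z","query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.50","Type":"A","Class":"IN"}],"srcaddr":"10.42.9.80","srcport":"40101","transport":"UDP","srcids":{"instance":"i-0bbbbbbbbbbbbbbb2"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:04Z","query_name":"updates.malware-list.example.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.42.9.80","srcport":"40102","transport":"UDP","srcids":{"instance":"i-0bbbbbbbbbbbbbbb2"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-constructed01","firewall_domain_list_id":"rslvr-fdl-constructed01"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:10Z","query_name":"nf3kq8zt2mcy7bvx4hlg.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33001","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:11Z","query_name":"p9w5ra6ujd1seki0o3tc.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33002","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:12Z","query_name":"yb2lq7vm8nx3khf4gz5c.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33003","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:13Z","query_name":"a1s2d3f4g5h6j7k8l9q0.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33004","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:14Z","query_name":"z0x9c8v7b6n5m4k3j2h1.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33005","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0egress0example","query_timestamp":"2024-03-01T12:00:15Z","query_name":"qwe5rty6uio7pas8dfg9.t.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.42.3.4","srcport":"33006","transport":"UDP","srcids":{"instance":"i-0ccccccccccccccc3"}}
"""


def parse_query_log(text):
    """One JSON record per line, as delivered to CloudWatch Logs or S3."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shannon_entropy(s):
    """Bits per character; 'www' is 0, a 20-character base32 blob is about 4.3."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(query_name):
    """Return (leading_label, base_domain). Base is the last two labels, which is
    a simplification: use a public suffix list for co.uk-style names in production."""
    labels = query_name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def find_tunnel_candidates(records, min_unique=5, min_entropy=3.0):
    """Flag base domains that receive many distinct, high-entropy leading labels."""
    per_base = defaultdict(lambda: {"labels": set(), "entropies": [], "sources": set(), "types": Counter()})
    for r in records:
        first, base = split_name(r["query_name"])
        if first is None:
            continue
        s = per_base[base]
        s["labels"].add(first)
        s["entropies"].append(shannon_entropy(first))
        s["sources"].add(r.get("srcids", {}).get("instance", r["srcaddr"]))
        s["types"][r["query_type"]] += 1
    flagged = []
    for base, s in per_base.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if len(s["labels"]) >= min_unique and mean_entropy >= min_entropy:
            flagged.append({"base": base, "unique_labels": len(s["labels"]),
                            "mean_entropy": round(mean_entropy, 2),
                            "sources": s["sources"], "query_types": dict(s["types"])})
    return sorted(flagged, key=lambda f: -f["unique_labels"])


def blocked_by_firewall(records):
    """(name, domain list) for queries the DNS Firewall answered with a BLOCK action."""
    return [(r["query_name"].rstrip("."), r.get("firewall_domain_list_id"))
            for r in records if r.get("firewall_rule_action") == "BLOCK"]


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_QUERY_LOG)
    print("already blocked by DNS Firewall:", blocked_by_firewall(recs))
    for f in find_tunnel_candidates(recs):
        print(f"possible tunnel: {f['base']} {f['unique_labels']} labels, "
              f"entropy {f['mean_entropy']}, from {sorted(f['sources'])}, types {f['query_types']}")
```

The blocked query is the managed list doing its job; the six TXT lookups under example.org are what a tunnel looks like before anyone lists the domain, and the instance ID in srcids tells you which host to pull. A hit from this scan is the natural input for the custom domain list mentioned above.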
Three NAT Gateways Per Region. That's It.
That's really it. We have hundreds of NAT gateways. We can reduce that count to three per region (fewer, even, but one NAT gateway per Availability Zone in the egress VPC, with one egress VPC per region, is a safe minimum: a NAT gateway is zonal, so a single one would make every spoke's Internet access depend on one AZ).
Psst. I have a résumé; it's available here.