NGF0502 AWS Student Slides


Transcription:

NextGen Firewall AWS Use Cases
Barracuda NextGen Firewall F

Implementation Guide
- Architectures and deployments based on four use cases:
  - Edge Firewall
  - Secure Remote Access
  - Office to Cloud / Hybrid Cloud
  - Segmentation Firewall

Implementation Guide
- Different deployments depend on the following criteria:
  - High Availability
  - Recovery time
  - Outbound gateway for instances in the VPC
  - Scalability / Auto Scaling
  - Connecting multiple VPCs in different regions
- Each use case includes:
  - Description of the problem solved
  - Solution using one or multiple reference architectures

High Availability
- Depending on the AWS API, recovery takes between seconds and minutes
- High Availability Clusters must be sized for the expected peak load

Auto Scaling Cluster
- Scales automatically, matching your workload
- An unhealthy instance is terminated and replaced with a new one
- For outbound traffic you cannot use the firewall as the outbound gateway

Cold Standby Cluster
- Automatic replacement in case the firewall instance becomes unresponsive
- Cost-effective solution for securing cloud resources

Edge Firewall
- Secure access to AWS cloud resources from the Internet
- Network security enforcement with firewall and IPS
- Outbound gateway for cloud resources in the same VPC

Edge Firewall (reference architectures)
- NextGen Firewall High Availability Cluster with Route Shifting
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster

Secure Remote Access
- Remote access for predictable or highly dynamic workloads

Secure Remote Access (reference architectures)
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster

Office to Cloud / Hybrid Cloud
- Site-to-site VPN
- Default (outbound) gateway for cloud resources
- Secure traffic on the Direct Connect MPLS line
- The importance of TINA VPN

The Importance of TINA VPN (diagram slide)

Office to Cloud / Hybrid Cloud (reference architectures)
- NextGen Firewall Auto Scaling Cluster: for TINA VPN tunnels no incoming load balancing is required
- NextGen Firewall Cold Standby Cluster: must be sized to meet peak demand because it does not scale dynamically

Segmentation Firewall for Single AZ VPCs
- Easily migrate on-premises segmentation firewalls to the cloud
- One network interface per subnet

Segmentation Firewall Limitations
- Cannot be deployed as a High Availability Cluster
- Only a single Availability Zone is supported
- The number of private subnets is limited by the number of network interfaces supported by the instance type
- A route must be added to the client instances in the private subnets

Segmentation Transit VPC
- Each application is hosted in a dedicated VPC
- VPCs are located in different regions

Segmentation Transit VPC (reference architectures)
- NextGen Firewall High Availability Cluster with Route Shifting
- NextGen Firewall Auto Scaling Cluster
- NextGen Firewall Cold Standby Cluster

Barracuda NextGen Firewall F: NextGen Firewall AWS

NextGen Firewall in AWS Basics

Benefits of Cloud Computing
- Global footprint: go global in minutes
- Easy to use
- Scalability: stop guessing capacity
- Increased speed and agility
- Cost effectiveness: stop spending money on running and maintaining data centers

Security of the Cloud
- AWS is responsible for the globally secure infrastructure

Security in the Cloud
- Customers must protect their own content, platform, applications, systems, and networks

Basic Defense
- AWS architectures include services to improve application security:
  - Regions and Availability Zones
  - Load balancing
  - Security groups and Network Access Control Lists

AWS Security Concept (diagram slide)

AWS Console
- Web-based user interface to access, manage, and monitor AWS resources

NextGen Firewall AWS Architecture
- Default gateway for instances in the VPC
- High Availability
- Auto Scaling

NextGen Firewall HA AWS Architecture (diagram slide)

NextGen Firewall HA AWS Architecture: traffic from the Internet via the ELB to the firewall (diagram slide)

NextGen Firewall HA AWS Architecture: traffic from the client in the private subnet to the Internet (diagram slide)

NextGen Firewall ASG AWS Architecture (diagram slide)

NextGen Firewall ASG AWS Architecture: traffic from the Internet via the ELB to the firewall (diagram slide)

NextGen Firewall ASG AWS Architecture: traffic from the firewall via the NAT gateway to the Internet (diagram slide)

Deployment Methods
- AWS Console
- CloudFormation templates
- AWS CLI

CloudFormation Templates
- Key advantages:
  - Automated, repeatable, and predictable deployment
  - Runs several versions in parallel
  - Easily traceable changes
  - Complex setups easily deployed
- Create / manage / update
- JSON or YAML format: language independent, human readable

Firewall Deployment with CloudFormation
- Create an IAM role for the firewall instance
- Accept the software terms for the NextGen Firewall: you must agree to the Terms of Service in the AWS Marketplace once per account
- Deploy templates and update stacks: CREATE_COMPLETE indicates a successful deployment

AWS Command Line Interface
- A CLI tool for interacting with AWS services
- Available for Windows, Linux, and macOS operating systems
- The CLI prompts for:
  - AWS access key ID
  - AWS secret access key
- Use IAM access keys instead of AWS root user access keys

Firewall Login via NextGen Admin
- Connect using the FQDN or EIP
  - HA: Elastic IP of the primary firewall (xxx NGF1)
  - ASG: the management ELB needs a listener on TCP 807
- The default password is the instance ID of the first instance
- First-time login forces a password change

Images and License Types
- Images in the AWS Marketplace are limited only by the number of CPU cores
- BYOL: Bring Your Own License
- PAYG: Pay As You Go License
- Included in the public cloud license:
  - Barracuda Energize Updates
  - Barracuda Advanced Remote Access

Images and License Types (continued)
- DNS resolution and access to Barracuda licensing servers are required during provisioning
- Licenses are bound to a unique ID
  - A new license is required to launch a new instance
  - No license change when starting and stopping an instance
- Some reference architectures require PAYG images

Cloud Integration
- Allows the firewall to interact with AWS APIs:
  - Log streaming to CloudWatch
  - Custom metrics
  - Route table rewrite
  - Display Cloud Information element
- IAM roles are recommended to authenticate against AWS APIs

Log Streaming and Metrics
- Send log files via syslog streaming to AWS CloudWatch
- Custom metrics are collected

Cloud Information
- Active firewall
- Cloud integration
- Instance type
- Public IP
- VPC
- Subnet IDs

Route Table Rewrite
- Rewriting the VPC route tables is necessary for High Availability
- The active firewall rewrites the AWS route table
- A DNS server is required

AWS Route Table Rewriting: primary firewall active (diagram slide)

AWS Route Table Rewriting: secondary firewall active (diagram slide)

Barracuda NextGen Control Center

Control Center
- Available only as a BYOL image
- Not available in a High Availability cluster
- All platform firewalls are centrally managed:
  - On-premises hardware and virtual firewalls
  - Public cloud firewalls
- The VIP network must be routed to the Control Center: modify the AWS route table on the firewall subnet

Control Center Deployment
- Deploy the Control Center in a private subnet

Direct Connect only (diagram slide)

Direct Connect with Traffic Intelligence (diagram slide)

Barracuda NextGen Firewall F: NextGen Firewall AWS Reference Architectures

Deployment Classification
- Outbound gateway
- High Availability
- Failover / recovery time
- Scalability / Auto Scaling
- Multi NIC

Route Shifting High Availability Cluster
  High Availability: Yes
  Failover: Secs to min
  Outbound Gateway: Yes
  Auto Scaling: No
  Multi NIC: No
  Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access

Route Shifting High Availability Cluster (diagram slide)

Route Shifting High Availability Cluster
- Firewalls require public IP addresses during the provisioning process
- Management IPs must be configured as static IP addresses
- Configure Cloud Integration for AWS route table rewriting
- Configure services to listen on the loopback interface
- Use Application Redirect access rules to redirect incoming traffic to the services

Firewall as Outbound Gateway (diagram slide)

Forwarding traffic from the Internet to backend services (diagram slide)

Auto Scaling Cluster
  High Availability: Yes
  Failover: Instant
  Outbound Gateway: No (source NAT is required for inbound traffic)
  Auto Scaling: Yes
  Multi NIC: No
  Use Cases: Edge Firewall, Secure Remote Access
  Limitations / Requirements: PAYG image must be used; no Control Center
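The route table rewrite behind the Route Table Rewrite slide and the "Configure Cloud Integration for AWS route table rewriting" step above, as an added example that is not Barracuda's code: it plans which VPC routes still point at the failed firewall instance and must be repointed at the surviving one. Input follows the shape returned by boto3's EC2.Client.describe_route_tables(); the route table IDs, instance IDs and CIDRs are constructed sample values, and the IAM role is assumed to allow ec2:DescribeRouteTables and ec2:ReplaceRoute.

```python
# Added example (not Barracuda's code): plan the VPC route-table rewrite a
# route-shifting HA pair performs on failover. Output is a list of keyword
# argument dicts for boto3's EC2.Client.replace_route().
from typing import Dict, List

# Constructed sample: two private route tables defaulting to the primary
# firewall i-ngf1. The last route is already "blackhole", which is what EC2
# reports once the target instance has been terminated.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-ngf1",
         "Origin": "CreateRoute", "State": "active"},
    ]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-ngf1",
         "Origin": "CreateRoute", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/24", "InstanceId": "i-ngf1",
         "Origin": "CreateRoute", "State": "blackhole"},
    ]},
]


def plan_route_shift(route_tables: List[dict], failed: str,
                     active: str) -> List[Dict[str, str]]:
    """Return replace_route() calls for every route still targeting `failed`.

    The implicit local route (Origin CreateRouteTable) is never touched, and
    routes not pointing at `failed` are skipped, so re-running is idempotent.
    """
    plan = []
    for table in route_tables:
        for route in table.get("Routes", []):
            if route.get("Origin") == "CreateRouteTable":
                continue
            if route.get("InstanceId") != failed:
                continue
            plan.append({"RouteTableId": table["RouteTableId"],
                         "DestinationCidrBlock": route["DestinationCidrBlock"],
                         "InstanceId": active})
    return plan


def routes_via(route_tables: List[dict], instance: str) -> int:
    """Count routes targeting `instance`; after failover this must be 0 for the old node."""
    return sum(1 for t in route_tables for r in t.get("Routes", [])
               if r.get("InstanceId") == instance)


def apply_route_shift(ec2, plan: List[Dict[str, str]]) -> None:
    """Apply the plan with a boto3 EC2 client (needs ec2:ReplaceRoute on the role)."""
    for change in plan:
        ec2.replace_route(**change)


if __name__ == "__main__":
    for change in plan_route_shift(SAMPLE_ROUTE_TABLES, "i-ngf1", "i-ngf2"):
        print(change)
```

Re-describing the tables after apply_route_shift and checking routes_via(tables, old_instance) == 0 is the post-failover verification the diagram slides imply.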

Auto Scaling Cluster (diagram slide)

ELB Sandwich with Auto Scaling Cluster (diagram slide)

Transit VPC with VPC Peering (diagram slide)

Auto Scaling Cluster Behavior
- Automatically start or terminate instances to reach the desired Auto Scaling group size
- Automatically replace unhealthy instances
- Three scaling methods:
  - Manual scaling
  - Scheduled scaling
  - Dynamic scaling

Scheduled Scaling
- The cluster scales to a predefined number of instances according to the time of day or date
- One-time event or recurring schedule
- A scheduled action executes within seconds
- The action may be delayed for up to two minutes from the scheduled start time

Dynamic Scaling
- Amazon CloudWatch alarm actions automatically start or terminate instances
- Watch the value of a custom metric over a defined time period
- Perform scaling actions when thresholds are reached

Custom Metrics
- Client-to-site and site-to-site VPN tunnels, SSL VPN clients
- Packets total, connections dropped, IPS hits
- Load, used memory, protected IPs
- And many more
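The dynamic scaling decision described above, modelled as an added example that is neither Barracuda's nor AWS's code: a CloudWatch-style alarm goes into ALARM when M of the last N datapoints of the custom metric breach the threshold, and the alarm action moves the Auto Scaling group's desired capacity within its min/max bounds. The metric (connected SSL VPN clients per firewall instance, one value per period), the thresholds and the group limits are assumptions.

```python
# Added example (not Barracuda's or AWS's code): M-of-N alarm evaluation on a
# custom metric driving scale-out / scale-in of the firewall Auto Scaling group.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Alarm:
    threshold: float
    comparison: str           # "GreaterThanThreshold" or "LessThanThreshold"
    evaluation_periods: int   # N most recent datapoints considered
    datapoints_to_alarm: int  # M of those N must breach

    def breaches(self, value: float) -> bool:
        if self.comparison == "GreaterThanThreshold":
            return value > self.threshold
        if self.comparison == "LessThanThreshold":
            return value < self.threshold
        raise ValueError(f"unsupported comparison {self.comparison}")

    def in_alarm(self, series: List[float]) -> bool:
        window = series[-self.evaluation_periods:]
        if len(window) < self.evaluation_periods:
            return False  # insufficient data: do not act on a short window
        return sum(self.breaches(v) for v in window) >= self.datapoints_to_alarm


@dataclass(frozen=True)
class ScalingPolicy:
    scale_out: Alarm
    scale_in: Alarm
    min_size: int
    max_size: int
    step: int = 1

    def next_capacity(self, series: List[float], current: int) -> int:
        """Desired group size after evaluating both alarms; scale-out wins ties."""
        if self.scale_out.in_alarm(series):
            return min(self.max_size, current + self.step)
        if self.scale_in.in_alarm(series):
            return max(self.min_size, current - self.step)
        return current


# Assumed policy: add a firewall when more than 80 SSL VPN clients per instance
# for 3 of 3 periods, remove one when fewer than 20 for 5 of 5 periods; 1..4 nodes.
POLICY = ScalingPolicy(scale_out=Alarm(80, "GreaterThanThreshold", 3, 3),
                       scale_in=Alarm(20, "LessThanThreshold", 5, 5),
                       min_size=1, max_size=4)

# Constructed sample series, one datapoint per evaluation period.
RAMP_UP = [40, 55, 70, 85, 90, 95]
QUIET = [50, 15, 10, 12, 9, 8]
```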

NextGen Firewall Caveats
- Creating access rules: every packet's source IP must be rewritten to the DHCP interface
- Backup and restore: the PAYG license must be exported separately for later reuse
- Installing hotfixes: new instances in the cluster automatically install the same hotfixes
- Firmware update via CloudFormation stack update: replace the AMI in the parameter file of your template

Cold Standby Cluster
  High Availability: No
  Failover: Multiple minutes
  Outbound Gateway: Yes
  Auto Scaling: No
  Multi NIC: No
  Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access
  Limitations / Requirements: Only Elastic IP

Cold Standby Cluster (diagram slide)

Cold Standby Cluster Deployment
- Similar to the Auto Scaling Cluster: an Auto Scaling group of one
- A single Elastic IP is automatically attached to the active instance via a UserData script
- Failover occurs on termination of the instance, manually or because EC2 health checks fail:
  - A new instance is launched automatically
  - The configuration is pulled from the S3 bucket
  - The EIP and routes are rewritten to use the new instance

Transit VPC
  High Availability: Depending on reference architecture
  Failover: Secs to min
  Outbound Gateway: Yes
  Auto Scaling: No
  Multi NIC: No
  Use Cases: Site-to-Site VPN, Edge Firewall, Secure Remote Access

Transit VPC (diagram slide)

Transit VPC Deployment
- After deploying the template:
  - Configure Elastic IP addresses to fail over with the virtual server
  - Configure site-to-site VPN tunnels and BGP routing for each VPN gateway

Segmentation Firewall for Single AZ VPCs
  High Availability: No
  Failover: No
  Outbound Gateway: Yes
  Auto Scaling: No
  Multi NIC: Yes
  Use Cases: Edge Firewall, Secure Remote Access
  Limitations / Requirements: One single Availability Zone

Segmentation Firewall for Single AZ VPCs (diagram slide)

Multi NIC Segmentation Firewall
- Default outbound gateway for cloud resources in the same VPC

Segmentation Limitations
- The number of private subnets is limited by the number of firewall network interfaces
- A route must be added to the client instances in the private subnets

Summary
- NextGen Firewall High Availability Cluster with Route Shifting: maximum performance must be calculated
- NextGen Firewall Cold Standby Cluster: only one instance is up and running
- NextGen Firewall Auto Scaling Cluster: optimize your resources and costs
- Transit VPC using NextGen Firewall: a central firewall hub for all your cloud resources in multiple locations

Additional Resources
- https://campus.barracuda.com
  - Product documentation
  - Quick Start guides
  - Additional product training (classroom, webinar, or distance learning)
  - Certifications
- Visit us on https://www.facebook.com/barracudacampus and https://twitter.com/barracudacampus

Thank You