Cloud Network Segmentation has become mandatory for better security & increased connectivity. It plays a critical role in securing & scaling cloud networks. With cloud segmentation enabled, sensitive data & core infrastructure are protected. The Cloud Network Segmentation is part of the zero-trust model.
The micro segmentation means everything and anything.. The purpose of this post is more to understand what are the different options available on the market to segment your cloud workloads @network level.
I am not in a position today to compare all the CSP's solutions; but only AWS. For this reason, I will give you my thoughts on the cloud network segmentation capabilities between AWS, Cisco Cloud ACI & Aviatrix..
- Azure FW similar to AWS FW
- AliBaba similar to AWS FW
- GCP with Filter rules
- OCI with DRG (like AWS TGW Routing Tables)
AWS solutions
AWS TGW Routing Tables
- Limitation of 20 AWS TGW RTs by default. This feature is not designed for advanced segmentation
- Playing with 'route propagation' leads to complicated design & deployment. Difficult to control the flows
- AWS intends to leverage AWS Cloud WAN for that purpose
AWS FW
- Creation of an 'Inspection VPC' where the AWS FW is configured
- Traffic must be redirected to the inspection VPC to be inspected
- AWS FW Policy is created: it blocks & filters the traffic passing through it and also monitors
- 2 AWS TGW Routing Tables must be created
- FW or Inspection TGW RT
- Spoke TGW RT
- TGW Association
- Spoke VPCs must be associated to Spoke TGW RT
- FW VPC must be associated to FW TGW RT
- TGW Route propagation
- Inspection VPC attachment must be propagated to Spoke TGW RT
- Spoke VPC attachments must be propagated to FW TGW RT
- AWS FW is a very expensive solution to achieve a single security requirement (eg. segmentation)
- Re-architecture must be done to deploy this solution; this can lead to migration strategy and unwanted downtime
- Overall added complexity when in place (flows path, multiple TGW RT, new Cloud Native constructs)
I will do a dedicated post on AWS FW later.
AWS Cloud WAN
- Segmentation is @VPC level
- AWS Cloud WAN is in Public Preview today and not in General Availability
- Centrally managed & globally distributed
- AWS Cloud WAN has the same limitations as AWS Transit Gateways (by default 20 segments only)
- Global Network: A single network that acts as the high-level container for your network objects. A Global Network can contain both AWS Transit Gateways and other Cloud WAN Core Networks. These are shown in the AWS Network Manager console.
- Core Network: The part of your global network managed by AWS. This includes Regional connection points and attachments, such as VPNs and VPCs. Your Core Network operates in the AWS Regions defined in your core network policy document.
- Core Network Policy (CNP): A single document that defines the global configuration of your Core Network. The Core Network Policy document defines how your VPCs, virtual private networks (VPNs), and existing AWS Transit Gateways connect to your network. The CNP also defines the routing policy and how traffic should be segmented across the network. Configure the CNP document via Visual Editor or JSON file.
- Attachments: Attachments are any connections or resources you want to add to your Core Network. Supported attachments include VPCs, VPNs, and TGW connect.
- Core Network Edge (CNE): The Regional connection point managed by AWS in each Region, as defined in the CNP. Every attachment connects to a Core Network Edge. The CNE uses similar technology to AWS TGW, but is managed by AWS.
- Network segments: Segments are dedicated routing domains, which means only attachments within the same segment can communicate by default. You can define segment actions that share routes across segments in the Core Network Policy. In a traditional network, a segment is like a globally consistent VRF table.
- Product not mature (no target date in General Availability)
- Relies too heavily on TGW thus same limitations: segmentation @TGW RT (which you want to avoid)
- Complex to configure (in particular Core Network Policies (Visual Editor or JSON)
- Configuration is time consuming (20mn for the first CNP to be created)
- AWS itself does not recommend it for Production workloads
- Very difficult to remove existing Global Network
- Different menus to configure (Network Manager & VPC)
Cisco Cloud ACI
- Comprehensive solution for simplified operations, automated network connectivity, consistent policy management & visibility for multiple on-prem DCs & public clouds (sic)
- I just see it as an extension of Cisco ACI (on prem) with a mapping between the CSP & Cisco ACI
- Tagging
- Centrally managed
- Only supports AWS & Azure
- Not designed for many VPCs (same number of segregated domains as per AWS TGW RT!!)
- Cisco Nexus Dashboard Orchestrator provides policy management, network policy configuration & application segmentation definition
- Licensing pricing is prohibitive!! (#subscriptions = #endpoints !!!!)
- Do you think Cisco Cloud ACI is a durable solution for the Cloud Networking?
- Would you like to pay for an ACI on-prem extension to the Cloud?
- Do you still want to maintain your existing Security Groups and many Route Tables for that purpose? (Cisco Cloud ACI does not remove the burden of these Cloud Native Constructs)
- Don't you think it is (after all) a central policy management relying on the CSP? What does it bring as added value?
AVIATRIX Segmentation
- Segmentation is @VPC level
- Centrally managed & globally distributed
- Obviously cloud agnostic
- Segmentation can be extended to on prem workloads
- 200 Security Domains can be configured (unmatched on the market)
- Simple, quick and efficient solution to deploy - honestly, you are just 2 clicks ago -- easy, & I like it! --
- Most powerful when it comes to numbers & capabilities
- Bundled into Aviatrix platform -- no hidden cost
- More granular control to come on segmentation with Aviatrix (today seamless NGFW insertion is also possible for more granularity)
very comprehensive
ReplyDeletethank you Maxime for this analysis, it is interesting. What about NSX here ? any possible comparison ?
ReplyDelete