Introduction
The CADS service with its premium entitlement includes features such as WAF and BOT protection to secure your application against security threats. This guide walks you through deploying AWS Network Firewall alongside the CADS service. This is recommended if you have a CADS service Advance entitlement.
Requirements
Deploy a data center and create the NetScaler infrastructure on the AWS cloud. Configure the network settings in this public cloud data center with AWS Network Firewall in a way that is completely transparent to the application users.
The key requirements are:
- Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.
- All end user and NetScaler management traffic should route through the AWS Network Firewall.
Pre-Requisites
The following tasks are expected to be completed before using this solution, for a successful integration.
- AWS console access with permission to configure AWS Network Firewall and network routes
Architecture
In the distributed deployment model, AWS Network Firewall is deployed into each VPC that requires protection, and each VPC is protected individually. No VPC requires connectivity to any other VPC or to an AWS Transit Gateway. Each AWS Network Firewall can have its own firewall policy, or share a policy through common rule groups (reusable collections of rules) across multiple firewalls. This allows each AWS Network Firewall to be managed independently, which reduces the possibility of misconfiguration and limits the scope of impact.
Figure 1: AWS Network Firewall Distributed deployment in each protected VPC
Depending on the workload and traffic pattern, there are a number of AWS Network Firewall deployment models to consider. The following section describes a deployment model that protects traffic between the NetScaler client subnet and the Internet Gateway (IGW).
Figure 2: AWS Network Firewall is deployed to inspect traffic between the internet and the NetScaler/NAT gateway
| Component | Location | Remarks |
| --- | --- | --- |
| ADS service control plane | Citrix Cloud / PoP | Deployed in a secure Citrix-owned PoP network outside of the customer VPC |
| ADS Service Agent | VPC-n AZ-n | For communication with the NetScaler Service control plane |
| Autoscaling NetScaler | VPC-n AZ-n | NetScaler data plane |
| VPC Connectivity | Via AWS Firewall | |
| Users | Via AWS Firewall | NATted external application users |
| Back end server group | AZ-n | Group of EC2 instances forming an Autonomous System (AS) |
Configuration:
- Create an AWS Network Firewall and share the firewall endpoint ENI (in this example: vpce-0aa4d4642c13726dc)
- Point the ADS NetScaler route table to redirect client traffic to the firewall ENI
- Add a few rules to the firewall policy and verify that the rules are being hit
- Result: the request is dropped as per the configured policy
Traffic Flows:
Client Traffic:
- The user accesses the application URL: http(s)://<FQDN>/
- After DNS resolution, the client request lands on the AWS Network Firewall
- From the firewall, the user request is sent to the internal NLB for Application Endpoint (Vserver) selection
- The application request is sent to the Application Endpoint
- After the LB decision, the request is forwarded to the EC2 instances and the server response is sent back to the user
Server Traffic:
- From the NetScaler ASG, traffic is load balanced across all the backend servers configured in the respective AZ.
- This is a single VPC deployment, so no inter-VPC routing is required for active traffic.
- Return traffic goes via the AWS Network Firewall back to the client.
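The route-table step in the configuration above and the return path described under Server Traffic only provide transparent inspection if both directions pass through the firewall endpoint; an asymmetric route table silently bypasses it. The following audit, added here as an example and not part of the original guide, checks route tables in the shape returned by `aws ec2 describe-route-tables` for exactly that. The endpoint ID is the one quoted in the guide; the IGW ID, CIDR and route tables are constructed sample data.

```python
# Added example (not from the original guide): audit route tables, in the shape
# returned by `aws ec2 describe-route-tables`, to confirm that client traffic
# and its return path both traverse the AWS Network Firewall endpoint.
# FIREWALL_ENDPOINT is the ID quoted in the guide; everything else below is
# constructed sample data.
FIREWALL_ENDPOINT = "vpce-0aa4d4642c13726dc"

def route_target(route_table, cidr):
    """Target of the active route for `cidr` (endpoint, gateway or NAT GW), else None."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") == cidr and r.get("State", "active") == "active":
            return r.get("VpcEndpointId") or r.get("GatewayId") or r.get("NatGatewayId")
    return None  # no route, or a blackholed one, for this prefix

def audit_firewall_path(ns_rt, igw_rt, fw_rt, ns_cidr, igw_id):
    """Return findings; an empty list means both directions pass through the firewall."""
    findings = []
    # Egress: the NetScaler/client subnet's default route must hit the firewall endpoint
    if route_target(ns_rt, "0.0.0.0/0") != FIREWALL_ENDPOINT:
        findings.append("egress: NetScaler subnet default route bypasses the firewall endpoint")
    # Ingress: the IGW edge route table must steer traffic for the NetScaler subnet into the firewall
    if route_target(igw_rt, ns_cidr) != FIREWALL_ENDPOINT:
        findings.append(f"ingress: IGW edge route for {ns_cidr} bypasses the firewall endpoint")
    # The firewall subnet itself must forward inspected traffic on to the IGW
    if route_target(fw_rt, "0.0.0.0/0") != igw_id:
        findings.append("firewall subnet default route does not lead to the Internet Gateway")
    return findings

# Constructed sample: the intended layout from Figure 2 (IGW ID and CIDR are placeholders)
IGW = "igw-0123456789abcdef0"
NS_CIDR = "10.0.1.0/24"
GOOD_NS_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": FIREWALL_ENDPOINT, "State": "active"}]}
GOOD_IGW_RT = {"Routes": [{"DestinationCidrBlock": NS_CIDR, "VpcEndpointId": FIREWALL_ENDPOINT, "State": "active"}]}
GOOD_FW_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"}]}
# Misconfiguration: the NetScaler subnet still routes straight to the IGW, so egress skips inspection
BAD_NS_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"}]}

if __name__ == "__main__":
    for finding in audit_firewall_path(BAD_NS_RT, GOOD_IGW_RT, GOOD_FW_RT, NS_CIDR, IGW):
        print("FINDING:", finding)
```

Run it against the real tables by feeding the `RouteTables` entries from the CLI output into `audit_firewall_path` with the subnet CIDR and IGW ID of the deployment.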