The CADS service, with its premium entitlement, has features such as WAF and BOT protection to secure your application from security threats. This guide helps you deploy AWS Network Firewall with the CADS service. This is recommended if you have a CADS service Advance entitlement.
Requirements
Deploy a data center and create the NetScaler infrastructure on AWS. Configure the networking in this public cloud data center so that AWS Network Firewall is inserted in a way that is completely transparent to the application users.
The key requirements are:
- Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.
- All end-user traffic and NetScaler management traffic should route through AWS Network Firewall.
Pre-Requisites
The following tasks are expected to be completed before using this solution, for a successful integration:
- CADS Service application delivery configuration
- AWS console access with permission to configure AWS Network Firewall and network routes
Architecture
For the distributed deployment model, we deploy AWS Network Firewall into each VPC which requires protection. Each VPC is protected individually. Each VPC does not require connectivity to any other VPC or AWS Transit Gateway. Each AWS Network Firewall can have its own firewall policy or share a policy through common rule groups (reusable collections of rules) across multiple firewalls. This allows each AWS Network Firewall to be managed independently, which reduces the possibility of misconfiguration and limits the scope of impact.
Figure 1: AWS Network Firewall Distributed deployment in each protected VPC
Depending on the workload and traffic pattern, there are a number of AWS Network Firewall deployment models to consider. The following section shows a deployment model that protects traffic between NetScaler's client subnet and the Internet Gateway (IGW).
Figure 2: AWS Network Firewall is deployed to inspect traffic between the internet and NetScaler/NAT gateway
| Component | Location | Remarks |
| --- | --- | --- |
| ADS service control plane | Citrix Cloud / PoP | Deployed in a secure Citrix-owned PoP network outside of the customer VPC |
| ADS Service Agent | VPC-n AZ-n | For communication with the NetScaler Service control plane |
| Autoscaling NetScaler | VPC-n AZ-n | NetScaler data plane |
| VPC Connectivity | Via AWS Firewall | |
| Users | Via AWS Firewall | NATted external application users |
| Back end server group | AZ-n | Group of EC2 instances forming an Autonomous System (AS) |
Configuration:
- Create an AWS Network Firewall and note the firewall endpoint ENI (in this example: vpce-0aa4d4642c13726dc)
- Point the ADS NetScaler route table to redirect client traffic to the firewall endpoint ENI
- Add a few rules to the firewall policy and verify that the rules are being hit
Result: the request is dropped as per the configured policy.
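The three configuration steps above boil down to two route tables that both point at the firewall endpoint, plus a rule group whose hits can be verified. The following is an added example, not code from the original guide or from the CADS/NetScaler product: it models those route-table entries in the shape returned by `aws ec2 describe-route-tables`, builds a Suricata-compatible stateful rule group in the JSON shape accepted by `aws network-firewall create-rule-group`, and runs a check that flags any active route reaching an Internet Gateway or NAT gateway directly, which would let traffic bypass the firewall. Only the endpoint id `vpce-0aa4d4642c13726dc` comes from the guide; the VPC CIDR, subnet CIDR, IGW id and the rule content are constructed placeholders, and the assumption that endpoint routes appear under `GatewayId` as `vpce-...` is noted in the code.

```python
# Added example (not part of the original guide): route-table model and bypass check
# for a distributed AWS Network Firewall deployment in front of the NetScaler client subnet.
import json

FIREWALL_ENDPOINT = "vpce-0aa4d4642c13726dc"   # firewall endpoint ENI from the guide
VPC_CIDR = "10.0.0.0/16"                       # constructed placeholder
CLIENT_SUBNET_CIDR = "10.0.1.0/24"             # constructed: NetScaler client subnet
IGW_ID = "igw-0123456789abcdef0"               # constructed placeholder


def client_subnet_routes(firewall_endpoint: str, vpc_cidr: str) -> list[dict]:
    """Route table for the NetScaler client subnet: the default route goes to the
    firewall endpoint instead of the Internet Gateway (configuration step 2)."""
    return [
        {"DestinationCidrBlock": vpc_cidr, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": firewall_endpoint, "State": "active"},
    ]


def igw_ingress_routes(firewall_endpoint: str, protected_cidrs: list[str]) -> list[dict]:
    """Route table associated with the Internet Gateway (ingress routing), so that
    inbound client traffic is also steered through the firewall before the subnet."""
    return [
        {"DestinationCidrBlock": cidr, "GatewayId": firewall_endpoint, "State": "active"}
        for cidr in protected_cidrs
    ]


def find_bypass_routes(route_table: dict, firewall_endpoint: str) -> list[tuple[str, str]]:
    """Return (destination, target) pairs of active routes that reach the internet
    without traversing the firewall endpoint.
    Assumption: describe-route-tables reports an endpoint route under GatewayId as
    'vpce-...'; NAT gateway routes are reported under NatGatewayId."""
    bypass = []
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackholed routes carry no traffic
        target = route.get("GatewayId") or route.get("NatGatewayId") or route.get("VpcEndpointId")
        if target in (None, "local", firewall_endpoint):
            continue
        if target.startswith(("igw-", "nat-")):
            bypass.append((route["DestinationCidrBlock"], target))
    return bypass


def stateful_rule_group(home_net_cidr: str) -> dict:
    """Rule group body (the --rule-group JSON of create-rule-group) with one drop rule
    and one alert rule, so that step 3 ('verify that the rules are being hit') can be
    observed in the firewall logs. Rule text is constructed for illustration."""
    rules = "\n".join([
        'drop http $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"Constructed test rule: drop request to /blocked-test"; '
        'http.uri; content:"/blocked-test"; sid:1000001; rev:1;)',
        'alert tls $EXTERNAL_NET any -> $HOME_NET 443 '
        '(msg:"Constructed test rule: TLS to application VIP"; sid:1000002; rev:1;)',
    ])
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [home_net_cidr]}}},
        "RulesSource": {"RulesString": rules},
    }


def audit(tables: dict[str, dict], firewall_endpoint: str) -> dict[str, list[tuple[str, str]]]:
    """Run the bypass check over several named route tables; empty lists mean all
    internet-bound traffic traverses the firewall."""
    return {name: find_bypass_routes(table, firewall_endpoint) for name, table in tables.items()}


if __name__ == "__main__":
    tables = {
        "client-subnet": {"Routes": client_subnet_routes(FIREWALL_ENDPOINT, VPC_CIDR)},
        "igw-ingress": {"Routes": igw_ingress_routes(FIREWALL_ENDPOINT, [CLIENT_SUBNET_CIDR])},
        # A misconfigured table still pointing its default route straight at the IGW:
        "leaky-subnet": {"Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"},
        ]},
    }
    print(json.dumps(audit(tables, FIREWALL_ENDPOINT), indent=2))
    print(json.dumps(stateful_rule_group(VPC_CIDR), indent=2))
```

Running the block reports no bypass for the client-subnet and IGW ingress tables and flags `0.0.0.0/0 -> igw-...` for the leaky table. To apply the same check to a real account, feed it the `RouteTables` entries from `aws ec2 describe-route-tables` for every subnet and for the IGW edge association; a non-empty result means some traffic reaches the internet without inspection.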
Traffic Flows:
Client Traffic:
- The user accesses the application URL: http/s://<FQDN>/
- After DNS resolution, the client request lands on AWS Network Firewall
- From the firewall, the user request is sent to the internal NLB for Application Endpoint (Vserver) selection
- The application request is sent to the Application Endpoint
- After the LB decision, the request is forwarded to the EC2 instances and the server response is sent back to the user
Server Traffic:
- From the NetScaler ASG, traffic is load balanced across all the backend servers configured in the respective AZ.
- This is a single-VPC deployment, so no inter-VPC routing is required for active traffic.
- Return traffic goes back to the client via the AWS Network Firewall.