Exam ANS-C01
Question 163

A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway.

A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.

Which solution will meet these requirements with the LEAST administrative overhead?

    Correct Answer: A

    Creating a central network (inspection) VPC with an attachment to the transit gateway and deploying an AWS Gateway Load Balancer (GWLB) backed by third-party next-generation firewall appliances meets the requirements with the least administrative overhead. The GWLB does not inspect packets itself: it transparently distributes traffic, keeping each flow on the same appliance, across the firewall appliances, which perform the deep packet inspection and decide whether to allow or drop each flow. Because the path is inline (spoke route tables send traffic leaving the VPC to the transit gateway, and the transit gateway route table sends it to the inspection VPC), every packet that crosses a VPC boundary is inspected before it is forwarded, so the firewall can enforce actions rather than only observe. Configuring the firewall appliances to write their logs of inspected traffic and the actions taken to an Amazon S3 bucket in the central log account satisfies the centralized logging requirement. Adding a new VPC only requires attaching it to the transit gateway and associating it with the spoke route table; no per-VPC or per-interface configuration is needed.
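The routing that makes the inspection path inline is the part that is easy to get wrong, so here is the pattern as an added Terraform example. It is not from the page or from AWS documentation; the VPC and subnet CIDRs, the 10.0.0.0/8 spoke summary, the `transit_gateway_id` variable and all resource names are assumptions, and the firewall AMI, its inspection policy and the way it exports logs to S3 are vendor-specific and are not shown.

```hcl
# Added example (not the page's or AWS's own code). All names, CIDRs and
# the existing TGW id are assumed; the appliance itself is not shown.

variable "transit_gateway_id" {} # assumed: the company's existing TGW

# Inspection VPC, single AZ for brevity: one subnet for the TGW attachment,
# one shared by the GWLB, its endpoint and the appliances.
resource "aws_vpc" "inspection" {
  cidr_block = "10.100.0.0/16"
}

resource "aws_subnet" "tgw" {
  vpc_id     = aws_vpc.inspection.id
  cidr_block = "10.100.0.0/24"
}

resource "aws_subnet" "inspection" {
  vpc_id     = aws_vpc.inspection.id
  cidr_block = "10.100.1.0/24"
}

# Appliance mode keeps both directions of a flow on the same appliance,
# which stateful inspection needs.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = var.transit_gateway_id
  vpc_id                 = aws_vpc.inspection.id
  subnet_ids             = [aws_subnet.tgw.id]
  appliance_mode_support = "enable"
}

# The GWLB only forwards GENEVE-encapsulated packets; the firewalls behind
# it do the inspection, the allow/drop decision and the logging.
resource "aws_lb" "gwlb" {
  load_balancer_type = "gateway"
  subnets            = [aws_subnet.inspection.id]
}

resource "aws_lb_target_group" "firewalls" {
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.inspection.id
}

resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.firewalls.arn
  }
}

resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

resource "aws_vpc_endpoint" "gwlbe" {
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  subnet_ids        = [aws_subnet.inspection.id]
  vpc_endpoint_type = "GatewayLoadBalancer"
  vpc_id            = aws_vpc.inspection.id
}

# Packets arriving from the TGW are sent to the GWLB endpoint ...
resource "aws_route_table" "tgw" {
  vpc_id = aws_vpc.inspection.id

  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}

resource "aws_route_table_association" "tgw" {
  subnet_id      = aws_subnet.tgw.id
  route_table_id = aws_route_table.tgw.id
}

# ... and, once inspected, are handed back to the TGW (assumed: all spoke
# VPCs live inside 10.0.0.0/8).
resource "aws_route_table" "inspection" {
  vpc_id = aws_vpc.inspection.id

  route {
    cidr_block         = "10.0.0.0/8"
    transit_gateway_id = var.transit_gateway_id
  }
}

resource "aws_route_table_association" "inspection" {
  subnet_id      = aws_subnet.inspection.id
  route_table_id = aws_route_table.inspection.id
}

# TGW route table for the spokes: everything leaving a spoke VPC goes to the
# inspection attachment, so nothing is configured per VPC or per ENI.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = var.transit_gateway_id
}

resource "aws_ec2_transit_gateway_route" "spokes_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
```

Each spoke attachment is associated with the `spokes` route table (omitted above), and the inspection attachment needs a route table with routes back to the spoke CIDRs. The S3 bucket in the central log account is a separate concern: its bucket policy must grant the appliances' instance role `s3:PutObject` on the log prefix, and the appliances are configured on the vendor side to ship their inspection and action logs there. A practical check after deployment is to generate a flow between two spokes and confirm it appears in the firewall log with a verdict; a flow that the appliance never sees means a spoke or TGW route is bypassing the inspection VPC.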

Discussion
Certified101 Option: A

A is correct as sambb said. GWLB is perfect for traffic inspection

trap

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/

ISSDoksim

D - https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-traffic-mirroring-to-monitor-and-secure-your-aws-infrastructure/

johnconnor

Agreed, deep traffic inspection and mirroring go like jelly and peanut butter

Blitz1 Option: A

It's A because D says: "For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB." Mirroring each interface in "multiple accounts and VPCs" is definitely NOT the "LEAST administrative overhead".

Blitz1 Option: A

For sure A. It cannot be D because the question says "All inspected traffic and the actions that are taken on the traffic must be logged in a central log account." Since we are talking about mirroring, there is no ACTION that can be taken on the traffic, since it is not INLINE but a mirror.

[Removed]

My understanding in scenarios like this is that traffic should be inspected BEFORE the packets are allowed to leave VPC boundaries. If this understanding is true, traffic MIRRORING (option D) is the wrong approach as the decision to let the packet pass or drop would be done independently.

Newbies

A & B (GLB/ALB with FW): these options require additional configuration and policy management for the FW in the central VPC, which is complex and time-consuming to maintain across multiple VPCs. The answer is D - no changes required on the TGW config.

Vogd Option: A

I do not see the word "mirroring" in the question. If you route traffic through the GWLB you don't need mirroring at all. Also, D offers to store logs in a different VPC than the central one where the firewall is deployed. It does not make sense and incurs additional complication.

nuzz Option: A

A is the correct answer. Do not get confused between mirroring and inspection.

Becklang Option: D

An NGFW is also a router; it drops packets when there is no route entry in its routing table. An IDS will accept the packets arriving at its interface no matter what the src/dst is.

Cheam Option: D

Again, people still get it wrong as to what is a valid mirror target. A GWLB endpoint is a valid mirror target, but not the GWLB itself. Ref: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-targets.html Also, the question provides a good hint as to which is the appropriate answer: "All inspected traffic... must be logged in a central log account". All the best.

aws_god

Nowhere in the question is a mirror target mentioned

zendevloper

It's A. D does not mention where the traffic is logged

sambb Option: A

D asks for creating a mirroring session for each ENI; this is operationally inefficient. A provides a solution that monitors all IP traffic that reaches the transit gateway.

Becklang

No need to create a mirroring session for each ENI, just create it on the TGW ENI in each VPC.