
Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Network Topology

This landing zone uses a hub-and-spoke network built on AWS Transit Gateway: every VPC attaches to the regional Transit Gateway (RAM-shared from the Network account), so inter-VPC and warm-standby DR traffic flows through one managed hub instead of a mesh of peering connections.

Egress model: centralized inspection

All internet-bound traffic is inspected at a single, audited boundary (the AWS Security Reference Architecture inspection VPC pattern):

spoke VPC ─► Transit Gateway ─► inspection VPC (inspection)
                                   │
                                   ├─ AWS Network Firewall  (inspection-nfw)
                                   ├─ NAT gateway (per AZ)
                                   └─ Internet gateway ─► internet

  • Spokes have no local internet. Each spoke's default route (0.0.0.0/0) points at the Transit Gateway; they have no NAT/IGW of their own, so nothing can bypass inspection.
  • Appliance mode on the inspection VPC's TGW attachment keeps each flow pinned to one Availability Zone's firewall endpoint, so the stateful firewall sees both directions of every connection.
  • Per-AZ data plane: TGW subnet ─► firewall endpoint ─► NAT ─► IGW, with return traffic for spoke CIDRs routed back through the same AZ's firewall endpoint.
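The two invariants above (spokes own no IGW/NAT and default-route to the Transit Gateway; the inspection attachment runs in appliance mode) are easy to drift from when someone adds a route table by hand. The following checker is an added example, not code from this bundle or its generator: it works on the response shapes returned by boto3's EC2 `describe_route_tables` and `describe_transit_gateway_vpc_attachments`, so live API output can be fed to the same functions. All resource ids and CIDRs below are constructed sample values.

```python
"""Verify the 'no local internet in spokes' and appliance-mode invariants.

Added example (not part of the topology bundle). Inputs follow the shapes of
boto3 EC2 describe_route_tables / describe_transit_gateway_vpc_attachments;
the sample data at the bottom is constructed.
"""
from typing import Dict, List


def check_spoke_route_table(route_table: Dict) -> List[str]:
    """Return findings for one spoke VPC route table (empty list == compliant).

    Invariants from the topology:
      * the 0.0.0.0/0 route must target a Transit Gateway;
      * no route may target an internet gateway (igw-*) or a NAT gateway,
        since a spoke-owned egress path would bypass the inspection VPC.
    """
    findings: List[str] = []
    rt_id = route_table["RouteTableId"]
    saw_default = False
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        gw = route.get("GatewayId", "")  # "local" for the VPC's own CIDR
        if gw.startswith("igw-"):
            findings.append(f"{rt_id}: route {dest} targets internet gateway {gw}")
        if route.get("NatGatewayId"):
            findings.append(f"{rt_id}: route {dest} targets NAT gateway {route['NatGatewayId']}")
        if dest == "0.0.0.0/0":
            saw_default = True
            if not route.get("TransitGatewayId"):
                findings.append(f"{rt_id}: default route does not target the Transit Gateway")
    if not saw_default:
        findings.append(f"{rt_id}: no default route, spoke cannot reach the inspection VPC")
    return findings


def check_appliance_mode(attachment: Dict) -> List[str]:
    """The inspection VPC attachment must have appliance mode enabled so both
    directions of a flow hit the same AZ's firewall endpoint."""
    mode = attachment.get("Options", {}).get("ApplianceModeSupport")
    if mode != "enable":
        return [f"{attachment['TransitGatewayAttachmentId']}: ApplianceModeSupport is "
                f"{mode!r}, expected 'enable'"]
    return []


# --- constructed sample data (ids and CIDRs are not real) ---------------------
SPOKE_OK = {
    "RouteTableId": "rtb-spoke-ok", "VpcId": "vpc-spoke-a",
    "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-main", "State": "active"},
    ],
}
SPOKE_BAD = {  # someone attached an IGW and pointed the default route at it
    "RouteTableId": "rtb-spoke-bad", "VpcId": "vpc-spoke-b",
    "Routes": [
        {"DestinationCidrBlock": "10.11.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0sample", "State": "active"},
    ],
}
INSPECTION_ATTACHMENT_OK = {
    "TransitGatewayAttachmentId": "tgw-attach-inspection", "VpcId": "vpc-inspection",
    "Options": {"DnsSupport": "enable", "Ipv6Support": "disable", "ApplianceModeSupport": "enable"},
}
INSPECTION_ATTACHMENT_BAD = {
    "TransitGatewayAttachmentId": "tgw-attach-inspection", "VpcId": "vpc-inspection",
    "Options": {"DnsSupport": "enable", "Ipv6Support": "disable", "ApplianceModeSupport": "disable"},
}

if __name__ == "__main__":
    for rt in (SPOKE_OK, SPOKE_BAD):
        print(rt["RouteTableId"], check_spoke_route_table(rt) or "OK")
    for att in (INSPECTION_ATTACHMENT_OK, INSPECTION_ATTACHMENT_BAD):
        print(att["TransitGatewayAttachmentId"], check_appliance_mode(att) or "OK")
```

Run it against every route table in every spoke account (the functions are pure, so they drop into a Config custom rule or a CI step unchanged); any non-empty finding is a bypass of the audited boundary, not a cosmetic issue.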

Transit Gateway route domains (segmentation)

  • main-tgw-inspection — inspection domain
  • main-tgw-spokes — spokes domain
  • main-tgw-cde — cde domain

Spokes associate to their domain and propagate their CIDRs into the inspection domain; a static 0.0.0.0/0 in each spoke domain points at the inspection VPC attachment.

Regulated workloads: the CDE (and PHI) spokes are isolated in their own route domain — they never share a routing table with non-CDE workloads (PCI-DSS Req 1.2 / 1.3 segmentation), yet their egress is still inspected.
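The route-domain rules in the two paragraphs above (spokes and CDE each associated to their own domain, a single static 0.0.0.0/0 to the inspection attachment, CIDRs propagated only into the inspection domain, no CDE/non-CDE reachability) can be checked mechanically. The checker below is an added example, not part of the bundle or its generator; it uses the three domain names from this page and assumes a `roles` mapping from attachment id to `spoke`, `cde` or `inspection` (something the operator supplies, e.g. from tags). Routes are in the shape returned by boto3's EC2 `search_transit_gateway_routes`; all ids and CIDRs are constructed.

```python
"""Check Transit Gateway route-domain segmentation for the hub-and-spoke design.

Added example, not part of the topology bundle. `domains` maps a route-domain
name to its associated attachments and routes (routes in the shape of boto3
search_transit_gateway_routes); `roles` maps attachment id -> role.
"""
import copy
from typing import Dict, List

DOMAIN_FOR_ROLE = {
    "spoke": "main-tgw-spokes",
    "cde": "main-tgw-cde",
    "inspection": "main-tgw-inspection",
}


def _targets(route: Dict) -> List[str]:
    return [a["TransitGatewayAttachmentId"] for a in route.get("TransitGatewayAttachments", [])]


def check_route_domains(domains: Dict[str, Dict], roles: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    inspection = {a for a, r in roles.items() if r == "inspection"}

    # 1. Each attachment is associated with exactly the domain for its role.
    for name, domain in domains.items():
        for att in domain.get("associations", []):
            role = roles.get(att)
            if role is None:
                findings.append(f"{name}: attachment {att} is unclassified")
            elif DOMAIN_FOR_ROLE[role] != name:
                findings.append(f"{name}: {role} attachment {att} belongs in {DOMAIN_FOR_ROLE[role]}")

    # 2. Workload domains: the only static route is 0.0.0.0/0 -> inspection VPC,
    #    and no route of any type reaches the other workload class.
    for name, own_role in (("main-tgw-spokes", "spoke"), ("main-tgw-cde", "cde")):
        other_role = "cde" if own_role == "spoke" else "spoke"
        default_ok = False
        for route in domains.get(name, {}).get("routes", []):
            dest, targets = route.get("DestinationCidrBlock"), _targets(route)
            if route.get("Type") == "static":
                if dest == "0.0.0.0/0" and targets and all(t in inspection for t in targets):
                    default_ok = True
                else:
                    findings.append(f"{name}: unexpected static route {dest} -> {targets}")
            for t in targets:
                if roles.get(t) == other_role:
                    findings.append(f"{name}: route {dest} reaches {other_role} attachment {t} (segmentation break)")
        if not default_ok:
            findings.append(f"{name}: no static 0.0.0.0/0 to the inspection VPC attachment")

    # 3. The inspection domain must hold a return route for every workload attachment.
    reached = set()
    for route in domains.get("main-tgw-inspection", {}).get("routes", []):
        reached.update(_targets(route))
    for att, role in roles.items():
        if role in ("spoke", "cde") and att not in reached:
            findings.append(f"main-tgw-inspection: no route back to {role} attachment {att}")
    return findings


# --- constructed sample data -------------------------------------------------
ROLES = {"tgw-attach-inspection": "inspection", "tgw-attach-spoke-a": "spoke", "tgw-attach-cde": "cde"}


def _route(dest: str, target: str, kind: str) -> Dict:
    return {"DestinationCidrBlock": dest, "Type": kind, "State": "active",
            "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": target, "ResourceType": "vpc"}]}


COMPLIANT = {
    "main-tgw-inspection": {"associations": ["tgw-attach-inspection"],
                            "routes": [_route("10.10.0.0/16", "tgw-attach-spoke-a", "propagated"),
                                       _route("10.20.0.0/16", "tgw-attach-cde", "propagated")]},
    "main-tgw-spokes": {"associations": ["tgw-attach-spoke-a"],
                        "routes": [_route("0.0.0.0/0", "tgw-attach-inspection", "static")]},
    "main-tgw-cde": {"associations": ["tgw-attach-cde"],
                     "routes": [_route("0.0.0.0/0", "tgw-attach-inspection", "static")]},
}
# Drift case: the CDE CIDR has been propagated into the spokes domain.
LEAKY = copy.deepcopy(COMPLIANT)
LEAKY["main-tgw-spokes"]["routes"].append(_route("10.20.0.0/16", "tgw-attach-cde", "propagated"))

if __name__ == "__main__":
    print("compliant:", check_route_domains(COMPLIANT, ROLES) or "OK")
    print("leaky:", check_route_domains(LEAKY, ROLES))
```

Check 2 is the one that matters for PCI scope: a single propagated CDE CIDR appearing in the spokes domain silently re-joins the CDE to every non-CDE workload, which is exactly what the separate route domains are meant to prevent.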

AWS Network Firewall

  • Policy: inspection-nfw-policy (rule order: STRICT_ORDER).
  • Default stateful actions: aws:drop_established, aws:alert_established.
  • AWS-managed stateful rule groups:
    • AWSManagedRulesBotNetCommandAndControlDomainsStrictOrder
    • AWSManagedRulesMalwareDomainsStrictOrder
    • AWSManagedRulesAbusedLegitMalwareDomainsStrictOrder
  • Flow + alert logging to CloudWatch in the inspection account.
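The policy settings listed above are what an auditor will ask to see evidence of, and STRICT_ORDER in particular is easy to lose if the policy is later recreated from a console default. The checker below is an added example, not the bundle's code: it takes the `FirewallPolicy` dict from boto3's network-firewall `describe_firewall_policy` and the `LoggingConfiguration` dict from `describe_logging_configuration`, and tests them against the values on this page. The rule-group names are the ones listed above; the sample ARNs and log group name are constructed.

```python
"""Check the inspection-nfw-policy settings described on this page.

Added example, not part of the topology bundle. `policy` follows the
FirewallPolicy shape from describe_firewall_policy; `logging` follows the
LoggingConfiguration shape from describe_logging_configuration.
"""
from typing import Dict, Iterable, List

EXPECTED_RULE_GROUPS = (  # names as listed on this page
    "AWSManagedRulesBotNetCommandAndControlDomainsStrictOrder",
    "AWSManagedRulesMalwareDomainsStrictOrder",
    "AWSManagedRulesAbusedLegitMalwareDomainsStrictOrder",
)
EXPECTED_DEFAULT_ACTIONS = ("aws:drop_established", "aws:alert_established")


def check_firewall_policy(policy: Dict, expected_groups: Iterable[str] = EXPECTED_RULE_GROUPS) -> List[str]:
    """Return findings for a firewall policy (empty list == matches the page)."""
    findings: List[str] = []
    rule_order = policy.get("StatefulEngineOptions", {}).get("RuleOrder")
    if rule_order != "STRICT_ORDER":
        findings.append(f"RuleOrder is {rule_order!r}, expected STRICT_ORDER "
                        "(required by the *StrictOrder managed groups and stateful default actions)")
    defaults = set(policy.get("StatefulDefaultActions", []))
    for action in EXPECTED_DEFAULT_ACTIONS:
        if action not in defaults:
            findings.append(f"stateful default action {action} is missing")
    # The rule-group name is the last path segment of the reference ARN.
    attached = {ref["ResourceArn"].rsplit("/", 1)[-1] for ref in policy.get("StatefulRuleGroupReferences", [])}
    for name in expected_groups:
        if name not in attached:
            findings.append(f"managed rule group {name} is not attached")
    return findings


def check_logging(logging: Dict) -> List[str]:
    """Both FLOW and ALERT logs must go to CloudWatch Logs."""
    configured = {(c.get("LogType"), c.get("LogDestinationType"))
                  for c in logging.get("LogDestinationConfigs", [])}
    return [f"{t} logging to CloudWatchLogs is not configured"
            for t in ("FLOW", "ALERT") if (t, "CloudWatchLogs") not in configured]


# --- constructed sample data (ARNs and log group are placeholders) -----------
def _managed_ref(name: str, priority: int) -> Dict:
    return {"ResourceArn": f"arn:aws:network-firewall:REGION:aws-managed:stateful-rulegroup/{name}",
            "Priority": priority}


POLICY_OK = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulDefaultActions": list(EXPECTED_DEFAULT_ACTIONS),
    "StatefulRuleGroupReferences": [_managed_ref(n, i + 1) for i, n in enumerate(EXPECTED_RULE_GROUPS)],
}
POLICY_WEAK = {  # recreated with console defaults: action order, no defaults, one group dropped
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": {"RuleOrder": "DEFAULT_ACTION_ORDER"},
    "StatefulRuleGroupReferences": [_managed_ref(n, i + 1) for i, n in enumerate(EXPECTED_RULE_GROUPS[:2])],
}
LOGGING_OK = {"LogDestinationConfigs": [
    {"LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/placeholder/nfw/flow"}},
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/placeholder/nfw/alert"}},
]}
LOGGING_FLOW_ONLY = {"LogDestinationConfigs": [LOGGING_OK["LogDestinationConfigs"][0]]}

if __name__ == "__main__":
    print("policy ok:", check_firewall_policy(POLICY_OK) or "OK")
    print("policy weak:", check_firewall_policy(POLICY_WEAK))
    print("logging:", check_logging(LOGGING_FLOW_ONLY))
```

Without ALERT logs the managed domain-list groups produce no evidence of what they blocked, so the logging check is as much part of the control as the rule groups themselves.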

The OpenTofu, CDK, and tfvars formats attach the AWS-managed rule groups by ARN. The Landing Zone Accelerator authors equivalent stateful rules in firewall-rules/rules.txt (LZA does not reference managed-group ARNs the same way) — extend it with your organization's egress policy.

Why centralized here

Centralized inspection is the default for the advanced profile and is applied whenever a boundary-control framework (PCI-DSS, FedRAMP, NIST 800-53, EUCS) is in scope — those frameworks require a controlled, inspected egress boundary (PCI-DSS Req 1 network security controls, NIST/FedRAMP SC-7). It is a deliberate tradeoff: a uniform audited boundary in exchange for the NAT + firewall-endpoint cost and an extra network hop.


Generated from the topology source of truth (generators/aws_network_topology.py); every IaC format in this bundle renders the same topology.