
I'm new to AWS and using a FortiGate in front as the gateway. Would you need to utilize the security groups, or could I make one to permit all traffic and attach it, since the FortiGate handles everything?

SGNjH

1 Answer


Every ENI (Elastic Network Interface) in AWS has a security group. You can make the security group wide open if you want to, but I would suggest you only allow in the traffic you want. For example, you might whitelist HTTP and HTTPS from anywhere, SSH from specific IPs, etc.

You can also use Network Access Control Lists (NACLs), which are subnet based, to whitelist based on port. The advantage there is that if you come under DDoS, AWS can push the NACLs out to the network edge, but that might only be if you use AWS Shield Advanced.

In AWS you tend to try to use services rather than servers. Do you really need a FortiGate? There are valid use cases, for example compliance with corporate policies. Consider AWS Network Firewall as an alternative.

Tim
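To make the answer's advice concrete, here is an added example (not code from the question, the answer, or AWS) that builds the two competing security-group rule sets in the `IpPermissions` shape the EC2 API and boto3 use, audits them offline, and shows the subnet-level NACL entries the answer mentions, including the return-traffic rule a stateless NACL needs. It never contacts AWS; the admin CIDRs, ports and rule numbers are constructed sample values.

```python
"""Security-group ingress rules in the IpPermissions shape the EC2 API and
boto3 use, plus an offline audit of them and sample NACL entries.

Added example for this thread, not code from the original question, the
answer, or AWS. Nothing here talks to AWS: the rule sets are plain dicts that
can be audited here or later passed to boto3's
authorize_security_group_ingress / create_network_acl_entry.
All CIDRs, ports and rule numbers are constructed sample values.
"""
from ipaddress import ip_network

# Constructed sample admin ranges (RFC 5737 TEST-NET addresses, not real hosts).
ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 even with an
# appliance in front: remote admin and database listeners.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}


def permit_all_ingress():
    """The 'one group that permits everything' option from the question."""
    return [
        {
            "IpProtocol": "-1",  # -1 = every protocol and every port
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "permit all"}],
        }
    ]


def least_privilege_ingress(admin_cidrs=ADMIN_CIDRS):
    """What the answer suggests: HTTP/HTTPS from anywhere, SSH only from admin IPs."""
    web = [
        {
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public web"}],
        }
        for port in (80, 443)
    ]
    ssh = {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": c, "Description": "admin ssh"} for c in admin_cidrs],
    }
    return web + [ssh]


def audit_ingress(permissions):
    """Return a list of findings (an empty list means nothing to flag).

    Flags any all-protocol rule, any rule that exposes a sensitive port to the
    whole internet (IPv4 or IPv6), and any CIDR that does not parse.
    """
    findings = []
    for perm in permissions:
        proto = perm["IpProtocol"]
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            try:
                world = ip_network(cidr, strict=False).prefixlen == 0
            except ValueError:
                findings.append(f"invalid CIDR {cidr!r}")
                continue
            if proto == "-1":
                findings.append(f"{cidr}: all protocols and ports allowed")
            elif world and any(low <= p <= high for p in SENSITIVE_PORTS):
                findings.append(f"{cidr}: {proto}/{low}-{high} open to the world")
    return findings


def web_nacl_entries():
    """Subnet-level NACL entries for the inbound web path, one dict per
    boto3 create_network_acl_entry call (NetworkAclId added at call time).

    NACLs are stateless, so unlike a security group the replies need their
    own rule: the egress entry for ephemeral ports 1024-65535. Traffic the
    subnet initiates itself (updates, RDS) would need further entries.
    """
    tcp = "6"  # NACL protocol numbers, not names
    return [
        {"RuleNumber": 100, "Protocol": tcp, "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": 110, "Protocol": tcp, "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        # Replies to the inbound connections above leave on ephemeral ports.
        {"RuleNumber": 100, "Protocol": tcp, "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    ]


if __name__ == "__main__":
    for name, rules in (("permit-all", permit_all_ingress()),
                        ("least-privilege", least_privilege_ingress())):
        print(name, audit_ingress(rules) or "clean")
```

Running it shows the permit-all group producing a finding while the least-privilege set is clean; the same `audit_ingress` function can be pointed at the output of `describe_security_groups` to catch a permit-all group that was attached "temporarily" and never tightened.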
  • Tim, thanks for the reply. Currently, we are looking to migrate a multitenancy application from on prem to AWS to take advantage of things like RDS. We have a FortiGate in front of all our servers now, and will move our app servers to EC2 instances connecting to RDS. Going back and forth with our sysadmin, who says the FortiGate is enough and we could leave a permit-all. I'm on the fence and doing research, thinking both? – SGNjH Feb 10 '23 at 01:44
  • Appliances in the cloud are an antipattern unless there's a _very_ good reason to have them there. People with legacy skills initially want those old on-premises appliances, but they're rarely needed in AWS. Security groups and optionally NACLs are good for most circumstances. If you need more control you can use AWS Network Firewall or AWS WAF v2. You might be best off getting professional help from someone experienced with AWS, rather than someone experienced with the old way of doing things. – Tim Feb 10 '23 at 02:15
  • Thanks for the input! This gives me things to think about. The main concern was that it was sensitive data, and so adding the FortiGate gave another layer, like the AWS Network Firewall or WAF. My rebuttal was to include both if necessary, due to the nature of the information: a defense-in-depth approach. A further concern was any potential issues arising from not utilizing security groups correctly, scalability, or the transfer to different services as the application advances. – SGNjH Feb 10 '23 at 03:46
  • Defense in depth is good practice. Security groups, NACLs, AWS WAF v2, GuardDuty, AWS Inspector, and maybe AWS Network Firewall will probably be more than sufficient. – Tim Feb 10 '23 at 04:21