An Internet Gateway (IGW) attached to an Amazon VPC is a highly available network component that allows Internet connectivity from (or to) your VPC. However, for many network topologies IGWs are either unnecessary or unwanted. For example, if you are routing all VPC traffic back to your on-premises network, a present IGW creates a path for unapproved network egress or ingress that bypasses your existing controls.
This post looks at how Turbot Guardrails can help enforce the removal of unneeded IGWs across all of your internal facing workloads.
Outbound Internet Access
Many customers choose to implement a data center extension strategy in their networking topology. When you do so, you are faced with the choice of where to route outbound Internet access (OIA):
1. Internet Gateway: send outbound traffic from the VPC directly to the AWS Internet backbone. Pros: speed / low latency. Cons: difficult to monitor or filter OIA centrally.
2. Transit VPC: send outbound traffic to a central VPC before egress to the Internet. Pros: allows for OIA monitoring/filtering. Cons: complexity of setup.
3. On premises: send all outbound traffic back to your on-premises network and route out to the Internet from there. Pros: leverages existing network infrastructure. Cons: complexity, higher latency and possibly lower throughput.
If your organization uses option 2 or 3 for your network topology, you likely don't need an IGW in the VPCs for your application workloads. Discovering all VPCs and removing any associated IGWs can be difficult, especially if you are dealing with dozens (or hundreds) of AWS accounts. Continuously monitoring all VPCs in all regions in all accounts to make sure new IGWs are not created is also a task best tackled by automation.
Get it done with Turbot Guardrails
With Turbot Guardrails, you can use "Approved" guardrails to identify whether a resource is approved for use. Once something has been identified as not approved, Turbot Guardrails can either clean up the resource with corrective controls or alert you with detective controls. "Approved" type policies have defined sub-policies that calculate the "Approval" status based on conditions such as regions, usage, etc. One such criterion is the "usage" state sub-policy for AWS VPC Internet Gateways shown in the example below:
After setting these policies, Turbot Guardrails automation will identify all current IGWs, and then handle remediation (delete, or disassociate and delete).
If you first want to evaluate which unapproved IGWs exist before taking a remediation action, we suggest setting the value to Check: Approved at the Turbot level. Once Turbot Guardrails has identified the unapproved IGWs, an administrator can selectively apply the enforcement setting (e.g. to development and/or sandbox environments) to see how the corrective controls behave in practice before rolling them out to production.
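To make the cross-account discovery problem and the Check-then-Enforce rollout concrete, here is an added example in plain Python. It is not Turbot Guardrails code and does not use the Guardrails policy engine; it models the same logic over a constructed inventory (the kind of flattened records a sweep of `ec2.describe_internet_gateways()` across every account and region would produce). The approval rule (an IGW is approved only when its VPC carries the tag `internet-facing=true`), the `env` tag used to pick which environments to enforce in, and the account, VPC and IGW identifiers are all assumptions made for the example. The `apply_actions` function issues the real boto3 call names, `detach_internet_gateway` and `delete_internet_gateway`, against whatever EC2 clients you hand it.

```python
"""Added example (not Turbot's code): check-then-enforce over an IGW inventory."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed tagging convention for this example: only VPCs explicitly marked
# internet-facing are allowed to keep an Internet Gateway.
APPROVAL_TAG = ("internet-facing", "true")

# Constructed sample inventory: one record per IGW, flattened from a
# cross-account, cross-region describe_internet_gateways() sweep.
INVENTORY = [
    {"account": "111111111111", "region": "us-east-1", "igw_id": "igw-0a1",
     "attached_vpcs": ["vpc-0a1"], "vpc_tags": {"env": "prod", "internet-facing": "true"}},
    {"account": "111111111111", "region": "us-east-1", "igw_id": "igw-0a2",
     "attached_vpcs": ["vpc-0a2"], "vpc_tags": {"env": "prod"}},
    {"account": "222222222222", "region": "eu-west-1", "igw_id": "igw-0b1",
     "attached_vpcs": ["vpc-0b1"], "vpc_tags": {"env": "dev"}},
    {"account": "222222222222", "region": "eu-west-1", "igw_id": "igw-0b2",
     "attached_vpcs": [], "vpc_tags": {}},  # orphaned IGW, attached to nothing
]

# (operation, account, region, igw_id, vpc_id-or-None)
Action = Tuple[str, str, str, str, Optional[str]]


@dataclass(frozen=True)
class Finding:
    account: str
    region: str
    igw_id: str
    env: Optional[str]
    approved: bool
    reason: str


def evaluate(igw: dict) -> Finding:
    """Apply the approval rule to one IGW record."""
    env = igw["vpc_tags"].get("env")
    key, val = APPROVAL_TAG
    if not igw["attached_vpcs"]:
        return Finding(igw["account"], igw["region"], igw["igw_id"], env,
                       False, "not attached to any VPC")
    if igw["vpc_tags"].get(key) == val:
        return Finding(igw["account"], igw["region"], igw["igw_id"], env,
                       True, f"VPC tagged {key}={val}")
    return Finding(igw["account"], igw["region"], igw["igw_id"], env,
                   False, f"VPC lacks {key}={val}")


def run_control(inventory: List[dict], mode: str = "check",
                enforce_envs=frozenset()) -> Tuple[List[Finding], List[Action]]:
    """mode='check' only reports; mode='enforce' also plans detach+delete for
    unapproved IGWs whose VPC env is in enforce_envs (e.g. {'dev', 'sandbox'}),
    so enforcement can be rolled out to low-risk environments first."""
    findings = [evaluate(i) for i in inventory]
    actions: List[Action] = []
    if mode == "enforce":
        by_id = {i["igw_id"]: i for i in inventory}
        for f in findings:
            if f.approved or f.env not in enforce_envs:
                continue
            # AWS rejects DeleteInternetGateway while the IGW is still attached,
            # so every attachment is detached first (disassociate, then delete).
            for vpc in by_id[f.igw_id]["attached_vpcs"]:
                actions.append(("detach_internet_gateway", f.account, f.region, f.igw_id, vpc))
            actions.append(("delete_internet_gateway", f.account, f.region, f.igw_id, None))
    return findings, actions


def apply_actions(actions: List[Action], clients: Dict[Tuple[str, str], object]) -> List[Tuple[str, str]]:
    """Execute a plan. clients maps (account, region) to a boto3 EC2 client
    (or any object exposing the same two boto3 method names)."""
    done = []
    for op, acct, region, igw_id, vpc in actions:
        ec2 = clients[(acct, region)]
        if op == "detach_internet_gateway":
            # Raises DependencyViolation if instances with public IPs or Elastic
            # IPs still depend on this IGW; resolve those, then re-run.
            ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc)
        else:
            ec2.delete_internet_gateway(InternetGatewayId=igw_id)
        done.append((op, igw_id))
    return done


if __name__ == "__main__":
    findings, actions = run_control(INVENTORY, "enforce", frozenset({"dev", "sandbox"}))
    for f in findings:
        print(f"{f.account} {f.region} {f.igw_id}: {'approved' if f.approved else 'NOT approved'} ({f.reason})")
    for a in actions:
        print("planned:", a)
```

Running it in `check` mode returns findings and an empty action list; switching to `enforce` with `{"dev", "sandbox"}` plans a detach followed by a delete for the dev IGW only, while the unapproved prod and orphaned IGWs are still reported but left alone until you widen the set.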
Apply across more than just Internet Gateways: you can apply this same logic to any other VPC components that are not appropriate for your network topology or rules.
Make it happen!
See for yourself how easy it is to enforce IGW cleanup across all your VPCs. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!