As the on-premises to cloud migration trend continues, more and more organizations are moving their applications to the cloud. When contemplating a shift to the cloud, one of the questions that comes from the on-premises security team is how compliance for outbound internet traffic will be monitored for the cloud-based virtual machines (VMs). In an on-premises datacenter, this is typically achieved by using a forward proxy server. All internet-bound traffic from the application servers is forwarded to a dedicated forward proxy server first, and then out to the internet. The forward proxy server sends all relevant metadata (such as source and destination IP/port, user ID, etc.) to a compliance monitoring system. The same compliance strategy can also be applied to and enforced on end users’ internet access through AWS.
What is a forward proxy and why we need it
Most workload VMs and end-users need to access the internet securely at some point. There are three main ways to access the internet (outbound):
- A public IP address assigned to a workload/user
- Network address translation (NAT) – dynamic or static
- A forward proxy server
A proxy server reduces the chance of a breach and adds a layer of security between internal corporate/datacenter users and servers and external internet traffic. Proxy servers act as a buffer, relaying requests from the internal source to the destination hosts, which helps to mask the inside user’s identity. The main reasons a corporate network would use a proxy server are:
- Improve inside user’s security
- Privacy
- Internet redundancy / high availability
- Monitoring, Policing and Compliance of internal user’s internet usage
- Web cache for faster internet speed
How an on-premises forward proxy server works
There are two types of forward proxy server deployments (Fig. 1) – a transparent proxy server and an explicit proxy server. When a transparent proxy is enabled, the client (browser) does not know that its traffic is being handled by a proxy rather than by the origin server. The proxy service is configured to intercept traffic for a specified port, or for all IP addresses on that port. In an explicit proxy configuration, the client (browser) is explicitly configured to use a proxy server, meaning the browser knows that all requests will go through the proxy. In most corporate environments, the explicit proxy configuration on end users’ devices is automated via Windows Active Directory (AD) Group Policy and a proxy auto-config (PAC) file.
Fig.1 – Forward proxy architecture
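The explicit-proxy configuration described above is usually expressed as a PAC file; the one below is an added example and not part of the original post. The proxy host and port (proxy.example.internal:3128), the corporate domain and the RFC 1918 bypass ranges are assumed placeholders.

```javascript
// Added example (not from the original post): a proxy auto-config (PAC) file
// for an explicit forward proxy. The proxy host/port, corporate domain and the
// RFC 1918 bypass ranges are assumed placeholders for this illustration.
var PROXY = "PROXY proxy.example.internal:3128";
var DIRECT = "DIRECT";
var CORP_DOMAIN = ".example.internal";
var INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Browsers supply isPlainHostName/isInNet/dnsDomainIs natively; these
// stand-ins let the file be exercised offline (e.g. with Node) as well.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) { n = (n * 256) + parseInt(parts[i], 10); }
  return n;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) { return false; } // not an IP literal
  var m = ipToInt(mask);
  // >>> 0 keeps the bitwise result unsigned so both sides compare as 32-bit.
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Entry point the client calls for every request; returns the proxy decision.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the corporate domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, CORP_DOMAIN)) { return DIRECT; }
  // Literal internal addresses bypass the proxy too.
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (isInNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) { return DIRECT; }
  }
  // Everything else goes through the forward proxy, where it is logged and filtered.
  return PROXY;
}
```

A PAC file only steers well-behaved clients; the monitoring it supports holds up only when egress routing and firewall rules also permit internet-bound traffic solely from the proxy itself.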
Fig.2 shows the proxy server acting as a go-between, submitting browser requests to the external web servers on behalf of the internal browser. The requests are translated from the browser host’s IP address to the proxy server’s IP address. The identifying information of internal users is removed from the request headers, so the proxy is an actual break in the flow of communications.
Fig.2 – Forward proxy end to end traffic flow example (https)
Forward proxy server options in AWS cloud
With AWS, we can use these same concepts, but also expand our options by taking advantage of native AWS services and resources:
- Use a third-party appliance available for easy provisioning on the AWS marketplace (Preferred)
- Re-use existing on-premises Proxy server – enable forced tunneling or custom routing to take all traffic through the on-premises environment
- Use a cloud security provider such as Zscaler, or a similar vendor, where traffic is sent via an encrypted IPsec tunnel and the security cloud provider cleans the outbound internet traffic
A common best practice in AWS is to use multiple accounts within AWS Organizations for better management and governance of the AWS environment. This structure allows even more capabilities for enforcing custom rules or service control policies on relevant accounts within the organization, and can work in conjunction with a forward proxy implementation, all while maintaining a simplified management and configuration experience.
Proxy server outbound traffic flow
The proxy server monitors and protects users’ outbound traffic to minimize the risk of malware and malicious activity. A proxy server deployed within the AWS tenancy therefore provides content and URL filtering to meet enterprise security compliance requirements.
Fig.3 – AWS Proxy server and account example
The diagram in Fig.3 shows an AWS Transit Gateway acting as a “router-on-a-stick” for a firewall and a proxy (in this example, a third-party appliance) in a public-facing network account. Two other accounts, in different VPCs, use the Transit Gateway for outbound internet access via the proxy server. A custom route table ensures that any outbound internet traffic originating in those accounts must transit the firewall and proxy before it reaches the internet.
Working in the AWS cloud has significant advantages and can make implementation and enforcement of compliance requirements much easier in the cloud environment, all while maintaining the same security posture as an on-premises datacenter.
Questions?
Ingram Micro Cloud offers expertise in AWS cloud security traffic analysis and security best practices, including monitoring and ongoing support. Ingram Micro’s Professional Services team can help in planning, assessment, implementation and go-live support for customers to meet the best possible security standards and fulfill compliance requirements. Ask your local cloud rep to learn more or email us at AWS@ingrammicro.com.