Multi-Cluster Security with Network Firewall: Consistent Protection for Distributed EKS

Transcript

1. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved.

2. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Multi-Cluster Security with Network Firewall: Consistent Protection for Distributed EKS Ananda Dwi Rahmawati She/Her Cloud Engineer Activate Interactive Pte Ltd AWS Container Hero

3. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Key Takeaways • Understand the challenges of standalone Kubernetes cluster and why we need multi-cluster Kubernetes on Amazon EKS • Explore the challenges of securing multi-cluster Amazon EKS • Learn how network firewalls can provide consistent protection across multi-cluster Amazon EKS.

4. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved.

5. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Today’s Agenda Key Takeaways AWS Network Firewall Challenges of Standalone Kubernetes Cluster Demo Multi-Cluster Kubernetes using Amazon EKS References Challenges of Securing Multi-Cluster Amazon EKS

6. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Challenges of Standalone Kubernetes Cluster

7. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Challenges of Standalone Kubernetes Cluster • Scalability and Flexibility • Availability and Resource Utilization • Workload Isolation • Security and Compliance

8. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. “Multiple clusters to address state management, availability and scalability, security and privacy, and compliance for data sovereignty requirements”

9. © 2024, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Multi-Cluster Kubernetes using Amazon EKS

10. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Centralized management Improved scalability Flexibility across environments Enhanced resilience Isolation and fault tolerance And more! An approach for managing multiple Kubernetes clusters within the Amazon Web Services (AWS) ecosystem. Multi-Cluster Amazon EKS – a Brief Summary

11. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Challenges of Securing Multi-Cluster Amazon EKS

12. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Challenges of Securing Multi-Cluster Amazon EKS Complexity Managing security policies for each EKS cluster separately can lead to inconsistencies. Increased Management Overhead Manually handling security policies across clusters can be time- consuming and prone to errors. Limited Visibility Monitoring network traffic across distributed clusters is difficult, hindering threat detection and response. Inconsistent Enforcement It can be hard to consistently apply security policies across multiple clusters without a central approach.

13. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Network Firewall

14. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. A stateful, managed firewall and intrusion detection and prevention (IDS/IPS) service Filters incoming and outgoing traffic at the VPC perimeter Offers granular control with custom security policies Integrates with AWS Firewall Manager for centralized policy management AWS Network Firewall

15. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Distributed Centralized Combined East-West: VPC to VPC traffic flow Not supported North-South: VPC to Internet traffic flow North-South: VPC to on- prem via VPN or DX traffic flow Not Supported Prerequisites AWS Network Firewall subnet Inspection VPC and AWS Transit Gateway AWS Network Firewall subnets in each protected VPC; Inspection VPC and AWS Transit Gateway AWS Network Firewall – Deployment Models

16. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Distributed Centralized Combined Centralized management Through AWS Firewall Manager Through a single instance of AWS Network Firewall Through AWS Firewall Manager Source IP visibility Configuration dependent Yes Configuration dependent Misconfiguration risk and potential blast radius Lowest Medium Low Cost Per AWS Network Firewall endpoint Per AWS Transit Gateway attachments & AWS Network Firewall endpoints; AWS Transit Gateway data processing Per AWS Transit Gateway attachments & AWS Network Firewall endpoints (including any additional endpoints per protected VPC); AWS Transit Gateway data processing AWS Network Firewall – Deployment Models

17. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Network Firewall – Security Approach Kubernetes Network Policies (NPs) • Enforced at the pod level within a Kubernetes cluster. • Offer fine-grained control over intra-cluster network traffic. • Ideal for defining communication rules between pods based on labels, namespaces, ports, and IP addresses. • Well-suited for security within the cluster boundaries. AWS Network Firewall (NFW) • Managed firewall service that filters network traffic at the VPC level. • Provides broader security capabilities for all traffic entering or leaving a VPC. • Can restrict traffic flow to and from your EKS cluster, including external access. • Excels at securing inbound and outbound traffic for the entire cluster.

18. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Network Firewall – Implementations Filter outbound HTTPS traffic from your EKS worker nodes. Domain name filtering Application Protocol Detection Inter-Subnet Traffic Inspection Allow rules based on hostnames identified through Server Name Indication (SNI).

19. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Demo

20. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. https://bit.ly/nfw-eks-demo24

21. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. References

22. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. References • https://aws.amazon.com/blogs/containers/life360s-journey-to-a-multi-cluster-amazon-eks-architecture- to-improve-resiliency/ • https://repost.aws/it/questions/QUT6l_QH08TZa1s-p5TVi8Mw/eks-multi-cluster-strategy • https://aws.amazon.com/blogs/apn/building-a-multi-tenant-saas-solution-using-amazon-eks/ • https://aws.amazon.com/blogs/containers/multi-tenant-design-considerations-for-amazon-eks-clusters/ • https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/ • https://aws.amazon.com/blogs/security/tls-inspection-configuration-for-encrypted-egress-traffic-and- aws-network-firewall/ • https://aws.amazon.com/blogs/security/use-aws-network-firewall-to-filter-outbound-https-traffic-from- applications-hosted-on-amazon-eks/

23. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Build beyond skillbuilder.aws Redeem your free 7-day trial of AWS Skill Builder

24. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Thank you for attending AWS Summit Singapore 2024. Please complete the session survey to help us improve your Summit experience in the future. [email protected] twitter.com/AWSCloudSEAsia linkedin.com/company/amazon-web-services facebook.com/AmazonWebServices instagram.com/amazonwebservices youtube.com/user/AmazonWebServices twitch.tv/aws

25. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Thank you! Please complete the session survey in the mobile app Ananda Dwi Rahmawati [email protected] twitter.com/misskecupbung linkedin.com/in/anandadwir faceebook.com/misskecupbung