Controlled internet access is critical for SAP workloads in AWS to ensure security, compliance, and reliability. This design uses Palo Alto VM-Series firewalls for centralized inspection of all north-south traffic while allowing private SAP applications and databases to remain isolated from direct internet exposure.
Key benefits:
- Centralized traffic inspection for inbound and outbound flows.
- High availability across multiple AZs.
- Controlled access to SAP services, updates, and external integrations.
- Ensure secure and compliant internet access for SAP workloads and AWS resources by:
  - Restricting direct internet access from private subnets.
  - Routing all traffic through highly available Palo Alto firewalls.
  - Controlling outbound and inbound traffic with fine-grained firewall rules.
Public Subnets: NAT Gateways, Bastion Hosts, Internet-facing services.
Private Subnets: SAP Applications, SAP HANA DB – no direct internet access.
Firewalls: Palo Alto VM-Series deployed in HA pair across AZs.
Routing:
- Private/public subnet traffic → Palo Alto Firewall → Internet Gateway (IGW).
- Ensures all traffic is inspected for compliance and security.
Step 1: Deploy Internet Gateway (IGW)
Navigate to VPC → Internet Gateways → Create IGW.
Attach IGW to each VPC (per account).
Public subnets route 0.0.0.0/0 → IGW.
Step 2: Deploy Palo Alto Firewalls
Launch Palo Alto VM-Series in public subnets across AZs for HA.
Assign Elastic IPs (EIPs) for external access.
Configure firewall rules:
- Outbound: allow required protocols (HTTP, HTTPS, SAP ports).
- Inbound: restrict access to Bastion Hosts, NAT, and specific services.
Step 3: Deploy NAT Gateways
Deploy NAT Gateways in public subnets behind the firewalls.
Step 4: Update Route Tables
Update private subnet route tables:
- Destination: 0.0.0.0/0 → Target: NAT Gateway. The NAT Gateway forwards traffic through the firewalls before it reaches the IGW.
Public Subnets: route via firewall → IGW.
Private Subnets: route via NAT Gateway → firewall → IGW.
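As an added check for the route-table step (example code, not part of the original post): a small Python audit that reads route tables in the shape returned by `aws ec2 describe-route-tables` and flags any private subnet whose default route bypasses the NAT Gateway, for example pointing straight at an IGW. The subnet ids, gateway ids and the private/public tier mapping are constructed for the example.

```python
# Constructed sample (mirrors `aws ec2 describe-route-tables` output shape):
# two private SAP subnets and one public subnet.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-sap-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"}]},
    {"RouteTableId": "rtb-private-b",
     "Associations": [{"SubnetId": "subnet-hana-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # Misconfiguration: HANA subnet bypasses NAT and firewall.
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f9e8d"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f9e8d"}]},
]

# Assumed tier tagging (subnet id -> "private" | "public"), constructed here.
SAMPLE_SUBNET_TIERS = {"subnet-sap-app-a": "private",
                       "subnet-hana-b": "private",
                       "subnet-public-a": "public"}


def default_route_target(route_table):
    """Return the target id of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("NatGatewayId") or route.get("GatewayId")
                    or route.get("NetworkInterfaceId"))
    return None


def find_private_subnet_violations(route_tables, subnet_tiers):
    """List (subnet, route table, target) for private subnets whose default
    route is missing or does not target a NAT Gateway (nat-*)."""
    violations = []
    for rt in route_tables:
        target = default_route_target(rt)
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet_tiers.get(subnet) != "private":
                continue
            if target is None or not target.startswith("nat-"):
                violations.append((subnet, rt["RouteTableId"], target))
    return violations


if __name__ == "__main__":
    for subnet, rtb, target in find_private_subnet_violations(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_TIERS):
        print(f"{subnet} ({rtb}): 0.0.0.0/0 -> {target}, expected NAT Gateway")
```

Running it against the constructed data reports only the HANA subnet, whose default route goes directly to the IGW.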
Step 5: Monitoring
- Enable CloudWatch logs and firewall logging for all traffic.
- Monitor egress/ingress patterns to detect anomalies.
Diagram Notes:
- All private subnet traffic passes through NAT → Firewall → IGW.
- Public subnet traffic (bastion hosts, ALBs) also passes through firewall.
- Firewalls provide north-south traffic inspection and ensure compliance.
- Centralized firewall ensures security inspection for all inbound and outbound traffic.
- Supports SAP patch downloads, updates, and external integrations securely.
- HA firewalls across AZs provide resilient internet access for production workloads.
- Monitoring via CloudWatch and firewall logs enables early detection of anomalies.