Transit FireNet Security Groups
On a firewall LAN interface, there are two interfaces: eth2 on PAN; or eth1 on FortiGate and Check Point. This interface accepts all data traffic to be inspected or that is going to the Internet (if egress is enabled). The traffic originates from an internal instance, which has a destination of another internal instance or the Internet. Therefore, it is fine to limit this SG to RFC1918 only. But if there are non-RFC1918 CIDR’s inside your network, those may not work.
On a FireNet gateway, there are four interfaces:
-
Eth0: this interface is used for all Internet traffic (DNS, NTP, etc.), communication with Aviatrix CoPilot (TCP, SSH, etc), encrypted tunnels, etc. This interface is controlled by Aviatrix CoPilot, and its security group is already limited to the minimum and should not be changed. Aviatrix CoPilot will always try to change it back to the default.
-
Eth1: this interface is used to send/receive traffic to AWS TGW. It accepts data traffic from TGW, so it is fine to limit the security group to RFC1918 only.
-
Eth2: this interface is used to send/receive traffic to firewalls (through the firewall’s LAN interface), so it expects traffic that originates from both internal and external. It might be fine to limit to RFC1918 since the AWS security group is stateful.
-
Eth3: this interface is used to exchange traffic between the primary and backup gateway; this is part of the Aviatrix uniform hashing algorithm. Like eth2, it expects traffic originating from both internal and external. It might be fine to limit to RFC1918, since the AWS security group is stateful.