Separating cloud environments with routing domains

Challenge

In modern cloud computing, securing and separating workloads and data is of paramount importance. Having many Virtual Private Clouds (VPCs) created and terminated even daily is unmanageable manually or using standard solutions. There are commercial products that can help with it, but at a high price. Fortunately, Amazon Web Services (AWS) has a few services that, with the help of cloud architects, can make it very simple to manage at scale using modern abstracts.

One effective way to enhance the security posture of cloud environments is by using routing domains. They enable organizations to segregate and control the flow of network traffic between various segments of their infrastructure. This article explores the concept of routing domains and demonstrates their use in enhancing security by separating development and production environments in AWS.

Understanding routing domains

Routing domains are logical groupings of network route tables within AWS Transit Gateway (TGW). Which acts as a central hub within a region, simplifying the network connectivity between multiple VPCs and on-premises networks. As it doesn’t require creating each-to-each peerings or any other hectic method to work with. Instead, a simple TGW VPC attachment for each VPC that can use even a single Transit Gateway is enough to implement many routing domains.

Worth empathizing that Transit Gateway acts as a router in a single AWS region. If an organization also uses VPCs in other regions it requires a Transit Gateway for each region to be peered with each other.

To further secure environments a set of Service Control Policies should also be in place to restrict AWS API operations between environments as well as restricting who can modify route tables and other networking settings, so they don’t get compromised.

Key benefits of routing domains

Enhanced Security: Routing domains offer a robust approach to enforcing network segmentation. By separating different parts of the infrastructure into isolated domains, one can control the flow of traffic between them. This isolation limits the attack surface and reduces the risk of unauthorized access or lateral movement within the network.

Simplified Network Management: Routing domains simplify network management by providing logical containers for route tables. This makes it easier to organize and maintain complex network topologies, especially in large-scale cloud environments.

Improved Compliance: Many compliance regulations mandate strict segregation of development and production environments. Routing domains provide a straightforward way to achieve this segregation while adhering to compliance requirements.

Using routing domains to separate development and production environments

Let’s explore how routing domains can be utilized to improve the security of cloud environments by isolating development and production workloads.

Segregation of network traffic: Assume an organization has four distinct VPCs — two for development and two for production. By attaching them in pairs to separate routing domains within the Transit Gateway, the organization ensures that the two environments remain isolated, and network traffic is not directly exchanged between them.

Controlled communication: In the development environment, there might be less restrictive security measures to facilitate agile development and testing. However, in the production environment, stringent access controls are essential to protect sensitive data and applications. With routing domains, the production environment can enforce tighter security policies while still allowing necessary communication. For example, allowing traffic only between selected VPCs from the same domain, not all of them.

Implementation of security layers: By using routing domains, an organization can implement security layers, such as firewalls, intrusion detection systems, or Network Access Control Lists (NACLs). Each routing domain can have its own set of security policies tailored to the specific needs of its environment.

Secure cross-account communication: In some scenarios, organizations may have multiple AWS accounts for different business units or departments. Routing domains enable secure communication between these accounts by using AWS Transit Gateway inter-region peering. Each account can even have multiple VPCs attached to separate routing domains, ensuring that traffic is isolated and controlled. The routing domain doesn’t have to correspond to the SDLC environment but can rely on the business domain or any other logical separation.

VPN: Routing domains can also utilize VPN connections. A separate VPN Client Endpoint for each domain can assure there is complete separation between engineers and environments. It’s also very easy to restrict access to each VPC for every engineer.

Exceptions: There might be a need of having a VPC with some common services for all routing domains (e.g. central logging, security audit, etc.). In such cases, VPC attachment can be used in several instances of routing domains allowing traffic between them.

Example route tables

Development routing domain

Production routing domain

Automation

Managing routing domains at scale manually is not possible. But it’s very easy to create, e.g. a Terraform module that can control them. It can be a part of Account Factory implementation. Automatically creating all needed route tables, NACLs, and VPC attachments in Transit Gateway for defined routing domains.

In this example setting the environment name as an input variable for an account can define what type of ingress and egress network traffic will be possible for it via the routing domain.

Conclusion

Routing domains play a crucial role in securing modern cloud environments by providing isolation and control over network traffic between different segments of the infrastructure. By separating development and production environments using routing domains, organizations can significantly reduce the risk of security breaches and maintain compliance with industry regulations. Implementing routing domains within AWS Transit Gateway or similar networking solutions empowers organizations to design robust and secure network architectures that align with their business requirements and security policies. As cloud adoption continues to grow, leveraging routing domains will remain a valuable strategy for enhancing the security posture of cloud environments.