Proposal – NG Egress Traffic Proxy for AWS Environments
1 December 2014

Running in a cloud always requires a change of mindset compared to a static datacenter environment, especially when it comes to security and machine-to-machine (m2m) trust. Amazon AWS has some great features such as IAM roles to handle this in a cloud-native fashion, but unfortunately those credentials only work against AWS services. In my opinion it is a damn good idea to control not only incoming but also outgoing traffic, to prevent bad guys from fetching bad things or using your instances as DDoS or spam sources, for example.

Amazon recommends so-called NAT instances for egress traffic in VPC environments: preconfigured Linux AMIs doing NAT between your VPC backend LAN and the internet. Since such a setup operates on layer 3, scaling and fault tolerance can become a big problem, so I believe that a horizontally scaling proxy setup is the best solution so far. A nice feature on top would be to control which type of instance is allowed to connect to which URL, which gives a real advantage in both security and usability (handling IP addresses by hand is a no-go!).

I did a POC using AWS DynamoDB as the persistence backend for the ACLs and the AWS EC2 API to look up instance metadata for the source IP of a request. This worked really well with Squid 3 (version >= 3.5, which supports the Proxy Protocol, so the proxy still sees the real client IP behind an ELB) and its external_acl_type helper feature.
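The following is an added illustration of that helper design, not the POC code from this post. It is a Squid external ACL helper that maps the request's source IP to an instance tag and checks the requested host against a per-role domain list. The instance tag name (`Role`), the DynamoDB item layout (`role` key, `domains` list), the `%SRC %DST` request format and the squid.conf lines in the docstring are all assumptions; the EC2 and DynamoDB responses are constructed in-memory samples shaped like the boto3 results, so the helper runs offline and the two real API calls are named in comments where they would go.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: allow egress per EC2 instance role.

Added example (not the author's POC). Hypothetical squid.conf wiring, assuming
Squid >= 3.5 listening behind an ELB that speaks the Proxy Protocol:

    http_port 3128 require-proxy-header
    proxy_protocol_access allow localnet
    external_acl_type ec2acl ttl=60 negative_ttl=10 %SRC %DST /usr/local/bin/ec2_acl_helper.py
    acl ec2_allowed external ec2acl
    http_access allow ec2_allowed
    http_access deny all

Squid writes one "[channel-ID] src-ip dst-host" line per lookup to stdin and
expects "[channel-ID] OK|ERR|BH [key=value ...]" back on stdout.
"""
import ipaddress
import sys

# --- constructed sample data standing in for the two AWS lookups -------------
# Shape mimics boto3 ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"PrivateIpAddress": "10.0.1.10",
         "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "Role", "Value": "web"}]},
        {"PrivateIpAddress": "10.0.2.20",
         "Tags": [{"Key": "Role", "Value": "build"}]},
    ]},
]
# Shape mimics a DynamoDB table keyed on "role"; domains use Squid dstdomain
# semantics (a leading dot matches the domain and all of its subdomains).
SAMPLE_ACL_TABLE = {
    "web":   {"role": "web",   "domains": [".amazonaws.com", "repo.example.com"]},
    "build": {"role": "build", "domains": [".amazonaws.com", ".github.com", ".pypi.org"]},
}


def role_for_ip(ip, reservations=SAMPLE_RESERVATIONS):
    """Map a VPC private IP to its instance's Role tag (None if unknown).
    Production: ec2.describe_instances(Filters=[{"Name": "private-ip-address",
    "Values": [ip]}])["Reservations"] instead of the sample list."""
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("PrivateIpAddress") != ip:
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            return tags.get("Role")
    return None


def allowed_domains(role, table=SAMPLE_ACL_TABLE):
    """Domain list for a role. Production: table.get_item(Key={"role": role})."""
    item = table.get(role)
    return item["domains"] if item else []


def domain_matches(host, pattern):
    """Squid-style dstdomain match; trailing dot and case are normalised."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decide(line, reservations=SAMPLE_RESERVATIONS, table=SAMPLE_ACL_TABLE):
    """Turn one Squid request line into the reply line. Always fails closed."""
    fields = line.split()
    channel = ""
    if len(fields) == 3:                # concurrency= set: leading channel-ID
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 2:
        return channel + "BH message=malformed_request"
    src, dst = fields
    try:
        ipaddress.ip_address(src)       # reject garbage before it hits the API
    except ValueError:
        return channel + "BH message=bad_source_ip"
    try:
        role = role_for_ip(src, reservations)
        domains = allowed_domains(role, table) if role is not None else []
    except Exception:                   # API/DynamoDB failure: deny, keep serving
        return channel + "ERR message=lookup_failed"
    if role is None:                    # unknown instance: deny, never default-allow
        return channel + "ERR message=unknown_instance"
    if any(domain_matches(dst, p) for p in domains):
        return channel + "OK"
    return channel + "ERR message=domain_not_allowed_for_" + role


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()              # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

Squid caches each verdict for `ttl=` seconds per `%SRC %DST` pair, so the helper itself stays stateless; the instance lookup should be cached (or fed from a DescribeInstances poller) in production to stay under the EC2 API rate limits. Every failure path answers ERR or BH rather than OK, so an API outage degrades to "no egress", not "all egress".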




Details will follow…
