Inspection VPC Architecture

The SANS SEC549 course materials are built around a fictional company, Delos International Management, and its phased journey to the cloud. In course labs, students play the role of Delos Security Architects, tasked with helping the company navigate its transformation into a cloud-first organization.

Delos International Management is rebuilding its network architecture to manage traffic flow throughout the enterprise. The Inspection VPC design uses a hub-and-spoke network architecture built on the AWS Transit Gateway (TGW). Inbound traffic is centralized in a single VPC hosting all Delos public IP addresses and internet gateways. The TGW inspection route table ensures that all inbound, outbound, and east/west traffic is sent to an AWS Gateway Load Balancer and through a firewall appliance. Traffic the firewall allows is then routed through the hub-and-spoke network to the backend service. Outbound traffic is likewise centralized in a single VPC hosting NAT Gateways; the firewall appliance inspects outbound traffic and restricts communications to allowed fully qualified domain names (FQDNs).
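The property a Delos architect most wants to verify in this design is that no TGW route table lets a spoke reach another spoke, the internet, or the ingress VPC without crossing the inspection VPC. The Python audit below is an added example, not part of the SEC549 materials; it models the two route tables described above (one associated with every spoke, ingress and egress attachment, one associated only with the inspection attachment) using constructed attachment ids and CIDRs, and reports routes that bypass inspection or lack a return path.

```python
from ipaddress import ip_network

# Constructed sample (attachment ids and CIDRs are made up, not Delos data).
INSPECTION_ATTACHMENT = "tgw-attach-inspection"
SPOKE_CIDRS = {
    "tgw-attach-spoke-app": "10.1.0.0/16",
    "tgw-attach-spoke-db": "10.2.0.0/16",
}
ROUTE_TABLES = {
    # Associated with every spoke, ingress and egress attachment: a single
    # default route into the inspection VPC (GWLB endpoints), nothing else.
    "tgw-rtb-spokes": [("0.0.0.0/0", INSPECTION_ATTACHMENT)],
    # Associated only with the inspection VPC attachment: return paths to
    # each spoke, plus a default route to the centralized egress (NAT) VPC.
    "tgw-rtb-inspection": [
        ("10.1.0.0/16", "tgw-attach-spoke-app"),
        ("10.2.0.0/16", "tgw-attach-spoke-db"),
        ("0.0.0.0/0", "tgw-attach-egress"),
    ],
}


def lookup(routes, destination):
    """Longest-prefix match, as the TGW performs it; returns the target or None."""
    dst = ip_network(destination)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def audit(route_tables, spoke_cidrs, inspection_attachment):
    """Return findings as strings; an empty list means every flow is inspected."""
    findings = []
    spoke_table = route_tables["tgw-rtb-spokes"]
    inspection_table = route_tables["tgw-rtb-inspection"]
    # 1. Any non-inspection target in the spoke table is an east/west or
    #    egress shortcut around the firewall.
    for cidr, target in spoke_table:
        if target != inspection_attachment:
            findings.append(f"spoke table bypasses inspection for {cidr} via {target}")
    # 2. Each spoke CIDR and the default route must resolve to inspection.
    for cidr in list(spoke_cidrs.values()) + ["0.0.0.0/0"]:
        if lookup(spoke_table, cidr) != inspection_attachment:
            findings.append(f"spoke table does not send {cidr} to inspection")
    # 3. Allowed traffic leaving the firewall needs a return path to its spoke;
    #    otherwise it falls through to the egress default route.
    for attachment, cidr in spoke_cidrs.items():
        if lookup(inspection_table, cidr) != attachment:
            findings.append(f"inspection table does not return {cidr} to {attachment}")
    return findings
```

With real data the same checks can be fed from the output of the TGW route-table APIs, but the layout rules do not change.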

This cheat sheet was developed by Eric Johnson to support SEC549: Cloud Security Architecture.

August 8, 2023
