[Turbot On] Cleanup Unwanted Internet Gateways
Remove VPC resources that are not used in your network topology.
An Internet Gateway (IGW) attached to an Amazon VPC is a highly available network component that allows Internet connectivity from (or to) your VPC. However, for many network topologies IGWs are either unnecessary or unwanted. For example, if you are routing all VPC traffic back to your on-premises network, having an IGW present may create a risk of unapproved network egress or ingress.
Let’s look at how Turbot can help enforce the removal of unneeded IGWs across all of your internal facing workloads.
Outbound Internet Access
Many customers choose to implement a data center extension strategy in their networking topology. When you do so, you are faced with the choice of where to route outbound Internet access (OIA).
1. Internet Gateway: send outbound traffic from the VPC directly to the AWS Internet backbone. Pros: speed / low latency. Cons: difficult to monitor OIA.
2. Transit VPC: send outbound traffic to a central VPC before egress to the Internet. Pros: allows for OIA monitoring/filtering. Cons: complexity of setup.
3. On Premises: send all outbound traffic back to your on-premises network and route out to the Internet from there. Pros: leverages existing network infrastructure. Cons: complexity, higher latency and possibly lower speed.
If your organization uses option 2 or 3 for its network topology, you likely don’t need an IGW in the VPC for your application workloads. Discovering all VPCs and removing any associated IGW can be difficult, especially if you are dealing with dozens (or hundreds) of AWS accounts. Continuously monitoring all VPCs in all Regions in all Accounts to make sure new IGWs are not created is also a task best tackled by automation.
Get it done with Turbot
With Turbot, you can use approved guardrails to identify whether a resource is approved for use. Once something has been identified as not approved, Turbot can clean up the resource with corrective controls, or alert you with detective controls. “Approved” type policies have defined sub-policies that calculate the “Approval” status based on conditions such as `regions`, `usage`, etc. One such criterion is the “usage” state sub-policy for AWS VPC Internet Gateways shown in the example below:
After setting these policies, Turbot automation will identify all current IGWs, and then handle remediation (delete, or disassociate and delete).
If you first want to evaluate what unapproved IGWs exist before taking a remediation action, then we suggest setting the value to `Check: Approved` at the Turbot level. Once Turbot identifies the unapproved IGWs an administrator can selectively apply the enforcement setting (e.g. to development and/or sandbox environments) to see how the corrective controls will work in practice.
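The following is an added example, not Turbot’s own code or policy engine. It models the evaluation described above offline: each IGW receives an approval status from two hypothetical sub-policy inputs (a set of approved regions and a usage rule naming the VPCs where an IGW is allowed), and a mode value decides whether the run only reports unapproved IGWs (“Check: Approved”) or also plans the remediation order (detach first if attached, then delete). The input dictionaries are constructed here but follow the shape of boto3’s `ec2.describe_internet_gateways()` and `ec2.describe_route_tables()` responses, so real inventory can be passed in unchanged. The `POLICY` keys, the `Finding` class and the function names are assumptions for this example.

```python
"""Added example (not Turbot code): classify Internet Gateways against an
"Approved" style policy and plan remediation only in enforce mode."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample shaped like ec2.describe_internet_gateways()["InternetGateways"].
SAMPLE_IGWS = [
    {"InternetGatewayId": "igw-0a1b2c3d",
     "Attachments": [{"VpcId": "vpc-internal-1", "State": "available"}]},
    {"InternetGatewayId": "igw-0e5f6a7b",
     "Attachments": [{"VpcId": "vpc-dmz-1", "State": "available"}]},
    {"InternetGatewayId": "igw-0c9d8e7f", "Attachments": []},  # created, never attached
]

# Constructed sample shaped like ec2.describe_route_tables()["RouteTables"].
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-1", "VpcId": "vpc-internal-1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-hybrid"}]},
    {"RouteTableId": "rtb-2", "VpcId": "vpc-dmz-1",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0e5f6a7b"}]},
]

# Hypothetical policy settings standing in for the sub-policies described in the post.
POLICY = {
    "approved_regions": {"us-east-1"},
    "approved_vpcs": {"vpc-dmz-1"},      # usage rule: an IGW is approved only in these VPCs
    "mode": "Check: Approved",           # or "Enforce: Delete unapproved"
}


@dataclass
class Finding:
    igw_id: str
    vpc_id: Optional[str]
    approved: bool
    reasons: List[str] = field(default_factory=list)
    referenced_by_routes: bool = False   # an attached IGW nobody routes to is pure exposure
    actions: List[str] = field(default_factory=list)


def routes_using_igw(route_tables: List[Dict]) -> Set[str]:
    """Return the IGW ids that at least one route table actually sends traffic to."""
    used = set()
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            gateway = route.get("GatewayId", "")
            if gateway.startswith("igw-"):
                used.add(gateway)
    return used


def evaluate_igws(igws: List[Dict], route_tables: List[Dict],
                  region: str, policy: Dict) -> List[Finding]:
    """Classify every IGW; in enforce mode also record the remediation steps in order."""
    used = routes_using_igw(route_tables)
    findings = []
    for igw in igws:
        attachments = igw.get("Attachments", [])
        vpc_id = attachments[0]["VpcId"] if attachments else None
        reasons = []
        if region not in policy["approved_regions"]:
            reasons.append(f"region {region} is not approved for IGWs")
        if vpc_id is None:
            reasons.append("unattached IGW has no approved use")
        elif vpc_id not in policy["approved_vpcs"]:
            reasons.append(f"usage not approved in {vpc_id}")
        finding = Finding(igw["InternetGatewayId"], vpc_id, not reasons, reasons,
                          igw["InternetGatewayId"] in used)
        if not finding.approved and policy["mode"].startswith("Enforce"):
            # An IGW still attached to a VPC must be detached before it can be deleted.
            finding.actions = (["detach"] if vpc_id else []) + ["delete"]
        findings.append(finding)
    return findings


def unapproved_ids(findings: List[Finding]) -> List[str]:
    """Sorted ids of IGWs that failed approval, handy for the check-mode report."""
    return sorted(f.igw_id for f in findings if not f.approved)


if __name__ == "__main__":
    for f in evaluate_igws(SAMPLE_IGWS, SAMPLE_ROUTE_TABLES, "us-east-1", POLICY):
        print(f)
```

Run it as-is to see the check-mode report; switch `POLICY["mode"]` to `"Enforce: Delete unapproved"` to see the planned detach/delete steps appear only for the unapproved gateways. The `referenced_by_routes` flag is extra context an administrator can use when deciding where to enable enforcement first: an IGW that no route table points at can be removed with no traffic impact, while one that carries a default route needs the workload owners consulted.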
Apply across more than just Internet Gateways: you can apply this same logic to any other VPC components that are not appropriate for your network topology or rules.
Make it happen
See for yourself how easy it is to enforce IGW cleanup across all your VPCs. The policy examples in this article are available to download as a Terraform template in the Turbot Development Kit (TDK). If you need assistance getting this configured, please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!
Cheers,
Bob
Hi Bob,
nice article, but I do not agree! What is bad about an IGW? Can you tell me any event, occurrence, any North Korean hacker attack exploiting the IGW in a VPC? I never heard anything about that. It's difficult. Probably you know how to introduce a post installation of some NAT service in a VPC or anything the like just by trespassing the IGW, which is not feasible anyway. You can safely build a reference architecture with the hybrid part (private routable network from your DC), workload subnets and public subnets even with an IGW attached. There is nothing harmful about that. A real pure hybrid cloud does not need an IGW, but you will learn very quickly that insufficient VPN hybrid cloud connections without any access to some Internet proxy will render the idea to forget about an IGW to rubble, as soon as you want to do patching or upgrading. How to access public Linux repos without Internet access, not to mention Windows? I wouldn't condemn the IGW. It's a good and useful component, it will be required sooner or later, and it has nothing to do with a security flaw. No myth about IGWs please :-)