[Turbot On] Cleanup Unwanted Internet Gateways
Remove VPC resources that are not used in your network topology.
An Internet Gateway (IGW) attached to an Amazon VPC is a highly available network component that allows Internet connectivity from (or to) your VPC. However, for many Network topologies IGWs are either unnecessary or unwanted. For example, if you are routing all VPC traffic back to your on-premise network, having an IGW present may create risk of unapproved network egress or ingress.
Let’s look at how Turbot can help enforce the removal of unneeded IGWs across all of your internal facing workloads.
Outbound Internet Access
Many customers choose to implement a data center extension strategy in their networking topology. When you do so, you are faced with the choice of where to route outbound Internet access (OIA).
Internet Gateway: send outbound traffic from the VPC directly to the AWS Internet backbone. Pros: Speed / Low Latency. Cons: Difficult to monitor OIA.
Transit VPC: Send outbound traffic to a central VPC before egress to the Internet. Pros: Allows for OIA monitoring/filtering. Cons: Complexity of setup.
On Premise: Send all outbound traffic back to your on premise network and route out to the internet from there. Pros: leverages existing network infrastructure. Cons: Complexity, higher latency and possibly lower speed.
If your organization uses option 2 or 3 for your network topology you likely don’t need an IGW in the VPC for your application workloads. Discovery of all VPCs and removal of any associated IGW can be difficult, especially if you are dealing with dozens (or hundreds) of AWS accounts. Continuously monitoring all VPCs in all Regions in all Accounts to make sure new IGW are not created is also a task best tackled by automation.
Get it done with Turbot
With Turbot, you can use approved guardrails to identify if a resource is approved for use. Once something has been identified as not approved, Turbot has the ability to cleanup the resources with corrective controls, or alert you with detective controls. “Approved” type policies have defined sub-policies to calculate the “Approval” status based on conditions such as `regions`, `usage’, etc. One such criteria is the “usage” state sub-policy for AWS VPC Internet Gateways shown in the example below:
After setting these policies, Turbot automation will identify all current IGWs, and then handle remediation (delete, or disassociate and delete).
If you first want to evaluate what unapproved IGWs exist before taking a remediation action, then we suggest setting the value to `Check: Approved` at the Turbot level. Once Turbot identifies the unapproved IGWs an administrator can selectively apply the enforcement setting (e.g. to development and/or sandbox environments) to see how the corrective controls will work in practice.
Apply across more than just Internet Gateways… You can also apply this same logic to any other VPC components that are not appropriate for your network topology/rules.
Make it happen
See for yourself how easy it is to enforce IGW cleanup across all your VPCs. The policy examples in this article are available to download as Terraform template in the Turbot Development Kit (TDK). If you need assistance getting this configured please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!
nice article, but I do not agree! What is bad about an IGW? Can you tell me any event, occurance, any north-corean hacker attack exploiting the IGW in a VPC. I never heard anything about that. It's difficult. Probably you know how to introduce a post installation of some NAT service in a VPC or anything the like just by trespassing the IGW, which is not feasable anyway. You can savely build a reference architecture with the hybrid part (private routable network from your DC) workload subnets and public subnets even with an IGW attached. There is nothing harmful about that. A real pure hybrid-cloud does not need an IGW, but you will learn very quickly, that insufficient VPN hybrid cloud connections without any access to some Internet Proxy, will render the idea to forget about an IGW to rubble. As soon as you want to do patching or upgrading. How to access public Linux repos without Internet access, not to mention Windows. I wouldn't condemn the IGW. It's a good and useful component and it will be required sooner or later and it has nothing to do with a security flaw. No myth about IGWs please :-)