Content management error: Header Banners should not be placed in the Navigation placeholder!
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
An electrical energy retailer has started a migration into AWS for its VM based business applications, with Modis helping prepare solid, evidence-based business cases and run adoption workshops for the customer since mid-2020.
However, as they commenced this, they wanted to integrate some of their existing security services.
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
As part of its on-premises architecture, the Modis customer uses the Cisco Umbrella DNS resolver and proxy service as part of its protection of outbound requests. This service uses a Cisco-provided recursive DNS resolver which identifies the client systems by the origin source IP addresses in use. The service permits the administrator to classify the target sites being resolved, so to being allow-listed, block-listed, or matching certain categories.
The DNS result returns a different result based upon the target site being safe, unsafe, or somewhere in between:
This Cisco proxy permits clients to connect, make their request, and then scans the response before providing it back to the client system.
This HTTPS request interception requires the client system to have the Cisco Umbrella Root CA as a Trusted Certificate Authority, as the Cisco service will generate a matching certificate on-the-fly for those sites deemed in the ‘questionable’ range.
The Modis customer wanted to leverage this protection, but also not make other cloud-based services such as AWS Guard Duty blind to the query traffic being used, and not remove the effectiveness of AWS VPC Endpoints to resolve correctly in each AWS VPC.
The customer turned to the Modis AWS Practice in December 2020 to implement a solution…
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
This situation is suitable for Route 53 Outbound Resolver configurations; the templated solution created a pair of outbound Resolver Endpoint interfaces in a pair of private subnets (each in different Availability Zones), with access to the Internet via a NAT gateway. These NAT gateways have static IP addresses, registered with the Cisco Umbrella service.
A Route 53 Resolver Rule was defined to forward queries to the supplied IPv4 addresses for the Cisco recursive DNS resolvers. This Resolver Rule was then shared using AWS Resource Access Manager to various AWS accounts, which in turn then bound the rule to the required VPCs.
DHCP options within the VPC can be left as pointing at the AmazonProvidedResolver, and VPC Security Groups can remain closed for TCP and UDP port 53. This also prevents any other DNS Resolver being used directly, a technique which is often used by compromised hosts trying to find their command-and-control services.
Modis researched and architected the solution, authored the CloudFormation Template to apply this change, and deployed the templates to the customer environments to affect the change.
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
With this solution in place, the DNS protection of the fleet is visible via the Cisco Umbrellas service (however without the visibility of which instance made the request).
The VPC environment is also further protected from alternate DNS providers being used. DNS results are cached by the VPC-provided resolver, and multiple VPCs do not require VPC Peering or Transit Gateway connectivity between VPCs or Instances for this solution to work.
Furthermore, there are zero customer-managed DNS recursive resolvers deployed that would require maintenance and upgrades over time, further making the service cost effective, scalable, and reliable.
As at April 2021, Modis continues to assist this customer on its journey to the AWS Cloud, helping port serverless application, and migrate traditional workloads into the EC2 environment.
At Modis we connect people, technology and businesses to the opportunities they need to thrive in a rapidly advancing world. With 1,300+ technology professionals across six locations (Sydney, Melbourne, Brisbane, Adelaide, Canberra and Perth), we work with our clients to deliver solutions and talent to transform technology portfolios, streamline business functions, drive innovation or enhance organisational capability. https://aws.modis.com
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!
The Western Australian Government land information authority, Landgate, needed to implement a low-cost scalable solution for property reporting to pro...
In late 2019, a multi-national enterprise asked Modis to review its AWS Cloud operations. Having started their AWS Cloud journey in early 2018 and app...
Landgate needed to migrate to the cloud its Topo application used by Landgate Topographic and Geospatial teams for maintenance and dissemination of We...
Organisations are looking to detach themselves of their costly on-premise data centres, not just moving applications, but all aspects of software life...
Content management error: Generic Content Banners should not be placed in the Navigation placeholder!