mopasalsa.blogg.se

Aws firewalls







COMPARISON

So, how does DiscrimiNAT compare to AWS Network Firewall then?

Per-application policies are difficult to accomplish and even then very limited (discussed below); therefore, any relaxation of enforcement (so logs can be collected) puts the entire VPC in open mode.

Inspects raw packets for protocol-level anomalies and also conducts asynchronous, out-of-band DNS checks to verify client-presented domain names against layer 3 IP addresses in the connections.

By AWS' own admission, it does not conduct "out-of-band DNS lookups", so clients can present an allowed hostname in the headers while making the connection to any arbitrary IP address.


An article that covers the "idiosyncrasies" and "gotchas" as a result of this repurposing is Secure Internet Access (Egress Filtering) with AWS Network Firewall by Karl Maier.
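The hostname-versus-IP check described in the comparison above, as an added example (not code from DiscrimiNAT, AWS, or the original page). The allowlist, DNS answers and connection records are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original page).
ALLOWLIST = {"api.example.com", "updates.example.org"}
DNS_ANSWERS = {  # hostname -> addresses returned by an out-of-band lookup
    "api.example.com": {"203.0.113.10", "203.0.113.11"},
    "updates.example.org": {"198.51.100.7"},
}
CONNECTIONS = [  # (client-presented hostname, layer 3 destination IP)
    ("api.example.com", "203.0.113.10"),
    ("api.example.com", "192.0.2.66"),
    ("updates.example.org", "198.51.100.7"),
    ("files.example.net", "198.51.100.9"),
]


def lookup(host):
    """Stand-in for a real out-of-band resolver; reads the constructed table."""
    return DNS_ANSWERS.get(host, set())


def classify(host, dst_ip, allowlist=ALLOWLIST, resolve=lookup):
    """Decide on one connection from its presented hostname and destination IP."""
    host = host.rstrip(".").lower()  # hostnames are case-insensitive
    if host not in allowlist:
        return "deny:not-allowlisted"
    resolved = {ipaddress.ip_address(a) for a in resolve(host)}
    if not resolved:
        return "deny:unresolvable"
    # An allowlist match on the name alone is not enough: the destination
    # address must be one that the name actually resolves to.
    if ipaddress.ip_address(dst_ip) not in resolved:
        return "deny:hostname-ip-mismatch"
    return "allow"


def audit(connections):
    """Classify every record, e.g. rows joined from TLS SNI and flow logs."""
    return [(host, ip, classify(host, ip)) for host, ip in connections]


if __name__ == "__main__":
    for host, ip, verdict in audit(CONNECTIONS):
        print(f"{host:22} {ip:15} {verdict}")
```

A filter that matches only on the presented hostname would allow the second record; comparing against resolved addresses flags it as a mismatch.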








