QMCLOUD
Routing configuration details

The following routing configuration was used in the sample deployment.

In AWS the following components are required to programmatically create the routing infrastructure:

  1. Route - A route defines a destination CIDR block and its next hop. The next hop (Internet Gateway, NAT Gateway or VPC endpoint) is either set inline as a property or defined by a connection to that component on the canvas.

  2. Route Table - The route table belongs to the VPC and holds the routes.

  3. Route Table Association - The association component attaches a route table to the appropriate subnets (or, for the IGW route table below, to the Internet Gateway as an edge association), so that the routes in that table apply to their traffic.

  4. NAT Gateway - The NAT Gateway lets resources in the private subnet initiate outbound connections to the Internet. In this deployment that egress path runs through the firewall before it reaches the Internet Gateway.

  5. EIP - Elastic IP address associated with the NAT Gateway.

Routes and Route Table

Besides the local routes for the VPC CIDR blocks, the following routes are defined.

  1. Private Subnet - 0.0.0.0/0 to NAT Gateway

  2. Protected Subnet - 0.0.0.0/0 to VPCE-xxx (the VPC Endpoint for the firewall)

  3. Public Subnet - 0.0.0.0/0 to Internet Gateway

  4. IGW Route table - This is a special (ingress) route table: instead of being associated with a subnet, it is associated with the Internet Gateway under Edge Associations. To forward all ingress traffic for the protected subnet through the firewall, we add a route for 172.21.30.0/23 (the protected subnet CIDR block) with next hop VPCE-xxx (the VPC Endpoint for the firewall). Because this route is more specific than the VPC-local route, it takes precedence for that destination.
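
The components and routes listed above, written out as Terraform resources for the AWS provider. This is an added example, not code from this page or generated by QMCLOUD. It assumes the VPC (`aws_vpc.main`), the three subnets (`aws_subnet.private`, `aws_subnet.protected`, `aws_subnet.public`) and the Internet Gateway (`aws_internet_gateway.igw`) already exist as resources, and takes the firewall endpoint ID (the VPCE-xxx above) as an input variable `firewall_endpoint_id`, since its real value is not given on this page. The NAT Gateway is placed in the protected subnet; that placement is an assumption, chosen so that its egress follows the protected subnet's default route to the firewall, as the summary below requires.

```hcl
# Added example, not QMCLOUD's generated code. Assumed pre-existing resources:
# aws_vpc.main, aws_subnet.{private,protected,public}, aws_internet_gateway.igw.
variable "firewall_endpoint_id" {
  description = "Firewall VPC endpoint (the VPCE-xxx in the text); assumed input"
  type        = string
}

# 5. EIP for the NAT Gateway
resource "aws_eip" "nat" {
  domain = "vpc"
}

# 4. NAT Gateway. Placed in the protected subnet (assumption) so that its
# outbound traffic follows that subnet's 0.0.0.0/0 route to the firewall.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.protected.id
  depends_on    = [aws_internet_gateway.igw]
}

# 2. Route tables: one per subnet role, plus the IGW (ingress) route table.
# The VPC-local route is created implicitly in every table.
resource "aws_route_table" "private"   { vpc_id = aws_vpc.main.id }
resource "aws_route_table" "protected" { vpc_id = aws_vpc.main.id }
resource "aws_route_table" "public"    { vpc_id = aws_vpc.main.id }
resource "aws_route_table" "igw"       { vpc_id = aws_vpc.main.id }

# 1. Routes
resource "aws_route" "private_default" {          # Private Subnet: 0.0.0.0/0 -> NAT Gateway
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

resource "aws_route" "protected_default" {        # Protected Subnet: 0.0.0.0/0 -> firewall endpoint
  route_table_id         = aws_route_table.protected.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = var.firewall_endpoint_id
}

resource "aws_route" "public_default" {           # Public Subnet: 0.0.0.0/0 -> Internet Gateway
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

resource "aws_route" "igw_to_firewall" {          # Ingress: protected subnet CIDR -> firewall endpoint
  route_table_id         = aws_route_table.igw.id
  destination_cidr_block = "172.21.30.0/23"
  vpc_endpoint_id        = var.firewall_endpoint_id
}

# 3. Associations: subnets for the three subnet tables, the IGW for the fourth.
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Edge association: gateway_id instead of subnet_id makes this an ingress route table.
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw.id
}
```

The `gateway_id` in the last association is what the page calls the Edge Association; it is what makes `aws_route_table.igw` an ingress route table, and the `172.21.30.0/23` route in it wins over the VPC-local route only because it is the more specific prefix. The subnet that hosts the firewall endpoint itself also needs a route table with `0.0.0.0/0` pointing at the Internet Gateway; that table is not covered on this page.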

In summary:

All egress traffic from the private subnet is forwarded to the NAT Gateway and from there to the firewall before it leaves through the Internet Gateway.

All ingress traffic from the Internet that enters through the IGW is forwarded to the firewall for inspection. Once the firewall has inspected the traffic, it forwards it to the load balancer in the protected subnet in the sample deployment.

Connections:

The following diagram depicts the required connections. QMCLOUD offers an "Auto Connections" feature that creates the most commonly used connections on the canvas automatically, reducing the effort required of the end user.

You will need to either use Auto Connections or manually connect each of the remaining subnets to the corresponding routing components. Note that the public subnet connects to the Internet Gateway, as shown in the diagram in the summary section.


Last updated 2 years ago


Figure: Defining connections (Dependencies) for VPC, Subnet and Routing components