Create an approval process for firewall requests during a rehost migration to AWS - AWS Prescriptive Guidance

Create an approval process for firewall requests during a rehost migration to AWS

Created by Srikanth Rangavajhala (AWS)

R Type: Rehost

Environment: Production

Technologies: Migration

Source: On premises

Target: AWS Cloud

Summary

If you want to use AWS Application Migration Service or Cloud Migration Factory on AWS for a rehost migration to the Amazon Web Services (AWS) Cloud, one of the prerequisites is that you must keep TCP ports 443 and 1500 open. Typically, opening these firewall ports requires approval from your information security (InfoSec) team.

This pattern outlines the process for obtaining firewall request approval from an InfoSec team during a rehost migration to the AWS Cloud. You can use this process to avoid rejections of your firewall request by the InfoSec team, which can become expensive and time-consuming. The firewall request process has two review and approval steps between AWS migration consultants and leads, who work with your InfoSec and application teams to open the firewall ports.

This pattern assumes that you are planning a rehost migration with AWS consultants or migration specialists from your organization. You can use this pattern if your organization doesn’t have a firewall approval process or firewall request blanket approval form. For more information about this, see the Limitations section of this pattern. For more information on network requirements for Application Migration Service, see Network requirements in the Application Migration Service documentation.

Prerequisites and limitations

Prerequisites 

  • A planned rehost migration with AWS consultants or migration specialists from your organization

  • The required port and IP information to migrate the stack

  • Existing and future state architecture diagrams

  • Firewall information about the on-premises and destination infrastructure, ports, and zone-to-zone traffic flow

  • A firewall request review checklist (attached)

  • A firewall request document, configured according to your organization’s requirements

  • A contact list for the firewall reviewers and approvers, including the following roles:

    • Firewall request submitter – AWS migration specialist or consultant. The firewall request submitter can also be a migration specialist from your organization.

    • Firewall request reviewer – Typically, this is the single point of contact (SPOC) from AWS.

    • Firewall request approver – An InfoSec team member.

Limitations 

  • This pattern describes a generic firewall request approval process. Requirements can vary for individual organizations.

  • Make sure that you track changes to your firewall request document.

The following table shows the use cases for this pattern.

| Does your organization have an existing firewall approval process? | Does your organization have an existing firewall request form? | Suggested action |
| --- | --- | --- |
| Yes | Yes | Collaborate with AWS consultants or your migration specialists to implement your organization’s process. |
| No | Yes | Use this pattern’s firewall approval process. Use either an AWS consultant or a migration specialist from your organization to submit the firewall request blanket approval form. |
| No | No | Use this pattern’s firewall approval process. Use either an AWS consultant or a migration specialist from your organization to submit the firewall request blanket approval form. |

Architecture

The following diagram shows the steps for the firewall request approval process.

Process for firewall request approval from an InfoSec team during a rehost migration to AWS Cloud.

Tools

You can use scanner tools such as Palo Alto Networks or SolarWinds to analyze and validate firewalls and IP addresses.

Epics

Task: Analyze the ports and IP addresses.

Description: The firewall request submitter completes an initial analysis to understand the required firewall ports and IP addresses. After this is complete, they request that your InfoSec team open the required ports and map the IP addresses.

Skills required: AWS Cloud engineer, migration specialist

Task: Validate the firewall information.

Description: The AWS Cloud engineer schedules a meeting with your InfoSec team. During this meeting, the engineer examines and validates the firewall request information.

Typically, the firewall request submitter is the same person as the firewall requester. This validation phase can become iterative, depending on the feedback and recommendations from the approver.

Skills required: AWS Cloud engineer, migration specialist

Task: Update the firewall request document.

Description: After the InfoSec team shares their feedback, the firewall request document is edited, saved, and re-uploaded. This document is updated after each iteration.

We recommend that you store this document in a version-controlled storage folder, so that all changes are tracked and correctly applied.

Skills required: AWS Cloud engineer, migration specialist

Task: Submit the firewall request.

Description: After the firewall request approver has approved the firewall blanket approval request, the AWS Cloud engineer submits the firewall request. The request specifies the ports that must be opened and the IP addresses that must be mapped and updated in the AWS account.

You can make suggestions or provide feedback after the firewall request is submitted. We recommend that you automate this feedback process and send any edits through a defined workflow mechanism.

Skills required: AWS Cloud engineer, migration specialist
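As an added pre-submission check for the analysis and validation tasks above (example code, not part of this pattern or its attached checklist), the following Python script runs a few checklist-style validations over a constructed firewall request: the TCP ports 443 and 1500 that Application Migration Service needs are present, every source range parses, no rule uses an any-source range, and every row carries a justification. The row keys, the sample rows and the finding codes are assumptions made for this example.

```python
"""Pre-submission review of a firewall request document (added example).

Assumed shape: the request is a list of dicts with the keys used below.
The required ports are the TCP 443 and 1500 that Application Migration
Service needs; the sample rows and finding codes are constructed here.
"""
import ipaddress

REQUIRED_TCP_PORTS = {443, 1500}

# Constructed sample rows, not a real organization's request document.
SAMPLE_REQUEST = [
    {"source": "10.20.0.0/24", "destination": "replication-subnet", "protocol": "tcp",
     "port": 1500, "justification": "MGN replication traffic from source servers"},
    {"source": "10.20.0.0/24", "destination": "mgn-endpoint", "protocol": "tcp",
     "port": 443, "justification": "MGN agent control channel"},
    {"source": "0.0.0.0/0", "destination": "replication-subnet", "protocol": "tcp",
     "port": 22, "justification": ""},
    {"source": "10.20.0.300/24", "destination": "mgn-endpoint", "protocol": "tcp",
     "port": 443, "justification": "typo in the source address"},
]


def review_request(rows):
    """Return (findings, missing_ports) for a firewall request.

    findings: list of (row_index, code, detail) that the submitter should
    resolve before the request goes to the InfoSec approver.
    missing_ports: required TCP ports that no row requests.
    """
    findings = []
    seen_ports = set()
    for i, row in enumerate(rows):
        try:
            net = ipaddress.ip_network(row["source"], strict=False)
        except ValueError:
            findings.append((i, "INVALID_SOURCE", row["source"]))
            continue
        if net.prefixlen == 0:
            # Any-source rules are a common reason for InfoSec rejections.
            findings.append((i, "ANY_SOURCE", row["source"]))
        if not row.get("justification", "").strip():
            findings.append((i, "NO_JUSTIFICATION", f"port {row['port']}"))
        if row["protocol"].lower() == "tcp":
            seen_ports.add(int(row["port"]))
    missing = sorted(REQUIRED_TCP_PORTS - seen_ports)
    return findings, missing
```

Running review_request over the constructed rows reports the any-source rule, the missing justification and the unparseable address, while confirming that both required ports are requested.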

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip