VPC Peering Routing Tables

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Review the route tables configured for your peered Virtual Private Clouds (VPCs) to determine if the VPC peering connection configuration is using least access routing policies. For example, a least access routing policy could be one that limits routing to specific subnets or hosts instead of allowing routing between the entire CIDR block of each VPC available within the peering connection.

Security

Having the route tables associated with your VPC peering connection configured to allow traffic only between specific resources represents an effective way of minimizing the impact of security breaches as cloud resources outside of these routes become inaccessible to the peered VPC.

As an example, this guide uses a routing policy that limits peering traffic between two specific hosts running within the peered VPCs as the desired least access routing policy.

Audit

To determine if the route tables configured for your peered VPCs are using least access routing policies, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel choose VPC Peering Connection to view your VPC peering connections.

04 Select the appropriate cloud region from the top navigation bar.

05 Click on the ID (link) of the VPC peering connection that you want to examine, listed in the Peering Connection ID/Name column.

06 Select the Route Entry List tab and check the configuration value available in the Destination CIDR Block column for each route created for the selected VPC peering connection. If the Destination CIDR Block value for one or more routes is an entire IPv4 CIDR block of the peer VPC, such as 172.16.0.0/16, or an IPv4 range, such as 172.16.1.0/24, the selected VPC peering connection is not configured to use least access routing policies. A least access routing policy limits peering traffic to a specific IPv4 address such as 172.16.20.105/32.

07 Repeat steps no. 5 and 6 for each VPC peering connection available within the selected cloud region.

08 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run ListVpcPeerConnections command (OSX/Linux/UNIX) to describe the configuration information available for each VPC peering connection created in the specified cloud region:

aliyun vpcpeer ListVpcPeerConnections --RegionId 'eu-west-1'

02 The command output should return the requested information (including the requester VPC ID: "VpcPeerConnects.Vpc.VpcId" and the accepter VPC ID: "VpcPeerConnects.AcceptingVpc.VpcId"):

{
	"VpcPeerConnects": [
		{
			"AcceptingOwnerUid": 1234567890123456,
			"AcceptingRegionId": "eu-west-1",
			"AcceptingVpc": {
				"VpcId": "vpc-abcd1234abcd1234abcda"
			},
			"Bandwidth": -1,
			"BizStatus": "Normal",
			"GmtCreate": "2024-02-28T15:55:28Z",
			"GmtModified": "2024-02-28T15:55:30Z",
			"InstanceId": "pcc-1234abcd1234abcd12",
			"Name": "tm-vpc-peering-connection",
			"OwnerId": 1234567890123456,
			"RegionId": "eu-west-1",
			"ResourceGroupId": "rg-abcdv1234abcd14",
			"Status": "Activated",
			"Vpc": {
				"VpcId": "vpc-1234abcd1234abcd1234a"
			}
		}
	],
	"MaxResults": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 1
}

03 Run DescribeRouteTableList command (OSX/Linux/UNIX) using the ID of the requester/accepter VPC as the identifier parameter, to describe the configuration information available for each route table defined for the selected VPC:

aliyun vpc DescribeRouteTableList --RegionId 'eu-west-1' --VpcId 'vpc-1234abcd1234abcd1234a'

04 The command output should return the requested information (including the route table ID, i.e. "RouterTableList.RouterTableListType.RouteTableId"):

{
	"RouterTableList": {
		"RouterTableListType": [
			{
				"AssociateType": "VSwitch",
				"CreationTime": "2024-01-25T08:27:25Z",
				"Description": "",
				"GatewayIds": {
					"GatewayIds": []
				},
				"OwnerId": 1234567890123456,
				"ResourceGroupId": "rg-abcdv1234abcd14",
				"RoutePropagationEnable": true,
				"RouteTableId": "vtb-abcdabcdabcdabcdabcda",
				"RouteTableName": "",
				"RouteTableType": "System",
				"RouterId": "vrt-123412341234123412341",
				"RouterType": "VRouter",
				"Status": "Available",
				"VSwitchIds": {
					"VSwitchId": [
						"vsw-1234abcd1234abcd1234a"
					]
				},
				"VpcId": "vpc-1234abcd1234abcd1234a"
			}
		]
	},
	"Success": true,
	"TotalCount": 1,
	"Code": "200",
	"Message": "successful",
	"PageNumber": 1,
	"PageSize": 10,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

05 Run DescribeRouteEntryList command (OSX/Linux/UNIX) using the ID of the route table that you want to examine as the identifier parameter, to describe the custom routes created for the selected route table:

aliyun vpc DescribeRouteEntryList \
  --RegionId 'eu-west-1' \
  --RouteTableId 'vtb-abcdabcdabcdabcdabcda' \
  --RouteEntryType Custom

06 The command output should return the requested configuration information:

{
	"RouteEntrys": {
		"RouteEntry": [
			{
				"Description": "",
				"DestinationCidrBlock": "172.16.0.0/16",
				"GmtModified": "2024-02-28T16:02:34Z",
				"IpVersion": "ipv4",
				"NextHops": {
					"NextHop": [
						{
							"NextHopId": "pcc-1234abcd1234abcd12",
							"NextHopRelatedInfo": {},
							"NextHopType": "VpcPeer"
						}
					]
				},
				"Origin": "CustomCreate",
				"RouteEntryId": "rte-123412341234123412341",
				"RouteEntryName": "tm-accept-vpc-route",
				"RouteTableId": "vtb-abcdabcdabcdabcdabcda",
				"ServiceType": "",
				"Status": "Available",
				"Type": "Custom"
			}
		]
	},
	"NextToken": "",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "DestinationCidrBlock" attribute value for each route entry returned by the DescribeRouteEntryList command output. If the "DestinationCidrBlock" value for one or more routes is an entire IPv4 CIDR block of the peer VPC, e.g. 172.16.0.0/16 (as shown in the output example above), or an IPv4 range, such as 172.16.1.0/24, the selected VPC peering connection is not configured to use least access routing policies. A least access routing policy limits peering traffic to a specific IPv4 address such as 172.16.20.105/32.

07 Repeat steps no. 3 and 4 for each VPC network available in the selected cloud region.

08 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.
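The check performed in steps 5 and 6 can be scripted over the DescribeRouteEntryList output. The following is an added example, not part of the Conformity rule or the Alibaba Cloud CLI: it keeps only custom routes whose next hop is a VPC peering connection (NextHopType "VpcPeer", as in the output above), optionally restricted to one peering connection ID, and flags every destination broader than a single host (/32 for IPv4, /128 for IPv6). The embedded JSON is a constructed sample modelled on the output shown above; its IDs and CIDR blocks are placeholders.

```python
import ipaddress
import json

# Constructed sample modelled on the DescribeRouteEntryList output above.
# IDs and CIDR blocks are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({
    "RouteEntrys": {"RouteEntry": [
        {"DestinationCidrBlock": "172.16.0.0/16", "IpVersion": "ipv4",
         "NextHops": {"NextHop": [{"NextHopId": "pcc-1234abcd1234abcd12",
                                   "NextHopType": "VpcPeer"}]},
         "RouteEntryId": "rte-123412341234123412341", "Type": "Custom"},
        {"DestinationCidrBlock": "172.16.20.105/32", "IpVersion": "ipv4",
         "NextHops": {"NextHop": [{"NextHopId": "pcc-1234abcd1234abcd12",
                                   "NextHopType": "VpcPeer"}]},
         "RouteEntryId": "rte-abc123abcd123abc123ab", "Type": "Custom"},
        # A default route via a NAT gateway: not a peering route, so not in scope.
        {"DestinationCidrBlock": "0.0.0.0/0", "IpVersion": "ipv4",
         "NextHops": {"NextHop": [{"NextHopId": "ngw-placeholder",
                                   "NextHopType": "NatGateway"}]},
         "RouteEntryId": "rte-placeholder-nat", "Type": "Custom"},
    ]}
})


def peering_routes(output_json, peer_connection_id=None):
    """Yield (entry, next_hop_id) for routes whose next hop is a VPC peering
    connection, optionally only the given pcc-... ID."""
    for entry in json.loads(output_json)["RouteEntrys"]["RouteEntry"]:
        for hop in entry.get("NextHops", {}).get("NextHop", []):
            if hop.get("NextHopType") != "VpcPeer":
                continue
            if peer_connection_id and hop.get("NextHopId") != peer_connection_id:
                continue
            yield entry, hop["NextHopId"]


def is_least_access(cidr):
    """A route is least-access only when it targets a single host:
    /32 for IPv4, /128 for IPv6."""
    network = ipaddress.ip_network(cidr, strict=False)
    return network.prefixlen == network.max_prefixlen


def non_compliant_peering_routes(output_json, peer_connection_id=None):
    """Return [(RouteEntryId, DestinationCidrBlock, NextHopId)] for every
    peering route broader than a single host, i.e. what the audit flags."""
    return [(e["RouteEntryId"], e["DestinationCidrBlock"], hop_id)
            for e, hop_id in peering_routes(output_json, peer_connection_id)
            if not is_least_access(e["DestinationCidrBlock"])]


if __name__ == "__main__":
    for route_id, cidr, hop_id in non_compliant_peering_routes(SAMPLE_OUTPUT):
        print(f"non-compliant: {route_id} -> {cidr} via {hop_id}")
```

Feed it the real command output (for example `aliyun vpc DescribeRouteEntryList ... | python3 check.py` with a small stdin wrapper) once per route table returned in step 4.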

Remediation / Resolution

To ensure that your VPC peering connections are using least access routing policies, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Virtual Private Cloud (VPC) console available at https://vpc.console.aliyun.com/overview.

03 In the left navigation panel choose VPC Peering Connection to view your VPC peering connections.

04 Select the appropriate cloud region from the top navigation bar.

05 Click on the ID (link) of the VPC peering connection that you want to configure and select the Route Entry List tab.

06 Choose Configure Route to create the replacement requester/accepter VPC route entry.

07 In the Configure Route setup box, ensure that the necessary VPC and Route Table are selected, provide a unique name for the new route, and configure the Destination CIDR Block. The new Destination CIDR Block must follow the Principle of Least Privilege (POLP) and replace the IPv4 CIDR block of the peer VPC, e.g. 172.16.0.0/16, with the IPv4 address of the specific instance that you want to limit peer traffic to, running within the requester/accepter VPC, e.g. 172.16.20.105/32. Choose OK to create your new, compliant route entry.

08 Choose the non-compliant route entry replaced at the previous step and select Delete. In the Delete Route Entry confirmation box, choose OK to confirm the removal.

09 Repeat steps no. 6 - 8 for each requester/accepter VPC route entry that you want to configure, created for the selected VPC peering connection.

10 Repeat steps no. 5 - 9 for each VPC peering connection available within the selected cloud region.

11 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Run CreateRouteEntry command (OSX/Linux/UNIX) to create a new, compliant route for the route table associated with your VPC peering connection. Follow the Principle of Least Privilege (POLP) to configure the --DestinationCidrBlock parameter and replace the IPv4 CIDR block of the peer VPC, e.g. 172.16.0.0/16, with the IPv4 address of the specific instance that you want to limit peer traffic to, running within the requester/accepter VPC, e.g. 172.16.20.105/32:

aliyun vpc CreateRouteEntry \
  --RegionId 'eu-west-1' \
  --RouteTableId 'vtb-abcdabcdabcdabcdabcda' \
  --DestinationCidrBlock '172.16.20.105/32' \
  --RouteEntryName 'tm-vpc-peer-secure-route' \
  --NextHopId 'pcc-1234abcd1234abcd12' \
  --NextHopType VpcPeer

02 If successful, the command output should return the ID of the new route entry:

{
	"RouteEntryId": "rte-abc123abcd123abc123ab",
	"RequestId": "1234ABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run DeleteRouteEntry command (OSX/Linux/UNIX) to delete the non-compliant route entry, replaced with the one created at the previous step:

aliyun vpc DeleteRouteEntry \
  --RegionId 'eu-west-1' \
  --RouteTableId 'vtb-abcdabcdabcdabcdabcda' \
  --RouteEntryId 'rte-123412341234123412341'

04 If successful, the output should return the command request ID:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}

05 Repeat steps no. 1 - 4 for each requester/accepter VPC route entry that you want to configure, created for the selected VPC peering connection.

06 Repeat steps no. 1 - 5 for each VPC peering connection available within the selected cloud region.

07 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.

Publication date Apr 30, 2024