How should they architect their solution to achieve these goals?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A web company is looking to implement an intrusion detection and prevention system into their deployed VPC.This platform should have the ability to scale to thousands of instances running inside of the VPC.

How should they architect their solution to achieve these goals?

Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see an traffic across the VPC.

Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.

Configure servers running in the VPC using the host-based ‘route’ commands to send all traffic through the platform to a scalable virtualized IDS/IPS.

Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Explanations:

Promiscuous mode packet sniffing on ENIs is not supported in AWS, so a single instance cannot capture all traffic across the VPC.

Routing traffic through a second VPC with a scalable IDS/IPS platform allows inspection of all traffic efficiently, providing centralized monitoring and scalability.

Modifying host route tables to send traffic to an IDS/IPS platform is complex, prone to configuration errors, and not scalable for thousands of instances.

Using host-based agents to forward all network traffic can cause high overhead, increased latency, and scalability challenges when dealing with thousands of instances.

2025-10-15

1 Comment

  1. Tiffany
    Author

    From my perspective, the answer is:
    Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − 1 =