Firewalls, Firewalls, Firewalls
Our IT teams work hard to secure our environments, and they are doing a good job at it!
The downside for you: you have to jump through some hoops to wire everything together and, since you are here, you probably don't know where to start.
No worries, we've got you covered.
Table of Contents
- TLDR: Just tell me how to set this up
- The challenge or "Why is this so complicated?"
- The Setup
- AWS Networking Immersion Day
- Connection Scenarios
- AWS Account <--> AWS Account
- AWS Account <--> OnPrem
- AWS Account <--> Client VPN
- IT Support Ticket template
TLDR: Just tell me how to set this up
In short:
- Create a PR at https://github.com/PIT-PASSAT-Community/tf-firewall-rules
- If OnPrem or VPN needs to be included: create a Support ticket at https://statista.service-now.com/esc (see the Ticket Template below)
The challenge or "Why is this so complicated?"
Let's shed some light on the setup, so instead of complicated, we can say complex:
By design, our AWS infrastructure is isolated from our on-premises infrastructure. The two are connected by a redundant VPN tunnel, but for security reasons all traffic is blocked by default.
We run many different workloads for dev, stage & prod in both worlds and need to carefully control which systems communicate with each other. Therefore, every connection needs to be explicitly allowed and reasoned for.
At the time of this blog post, we are operating 113 AWS accounts and are running around 200 VMs at the Hamburg office. Furthermore, we have to control access to these resources for over 1000 employees.
See where this is going?
Infrastructure Setup
For networking and routing for AWS, we have to look at the following two main components:
- Hamburg Office Firewall (FortiGate)
- Our Central Networking AWS account (Hub)
Let this picture speak for itself:
This is an example of two AWS accounts that are connected to each other via the central networking account:
We are not going deeper into routing tables, inspection VPCs, transit gateways and VPN groups now, but this is why it is "complicated": there are many moving parts in our infrastructure.
For more details, check out the next section.
AWS Networking Immersion Day
For a deep dive, you can refer to slides from our AWS Networking Workshop held in 2025:
- AWS Networking Immersion Day - Module 0 - Agenda and Intro.pptx
- AWS Networking Immersion Day - Module 1 - Networking Fundamentals.pptx
- AWS Networking Immersion Day - Module 2 - Multi-VPC Architecture.pptx
- AWS Networking Immersion Day - Module 3 - Security Controls.pptx
Connection Scenarios
AWS Account <--> AWS Account
To allow communication between AWS accounts, add firewall rules to this repository: https://github.com/PIT-PASSAT-Community/tf-firewall-rules
Just refer to existing rules, then it will be easy to duplicate and adapt to your needs. After merging, the pipeline will automatically deploy your rules.
AWS Account <--> OnPrem
Same repository as above, but you need to know the IP address of the OnPrem server. These are usually in the 10.40.0.0/24 or 10.40.1.0/24 ranges, but IT will likely ask you to specify the server IP directly (as a /32).
In addition, you need to open a ticket with IT Support at https://statista.service-now.com/esc (feel free to use the template below to speed things up).
The OnPrem Infrastructure team will create a firewall rule on the Hamburg Office Firewall, allowing traffic to/from AWS via the Site-to-Site VPN (this is not your VPN client, but the connection between the Office and the network account, as seen in the diagram above).
AWS Account <--> Client VPN
Same process as for OnPrem. The VPN range to allow traffic to/from is 10.100.240.0/22. Once you log in to your FortiClient VPN, you will receive an IP address from that range. Don't forget the support ticket.
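Before opening the PR or the ticket, it helps to check which scenario a request falls into. The following is an added example, not code from the tf-firewall-rules repository: it classifies the non-AWS side of a rule against the ranges named above, tells you whether an IT ticket is needed, and flags the two mistakes that slow requests down (OnPrem peers not given as /32, VPN rules written for a single client IP). Function names and the assumption that anything outside the office and VPN ranges is an AWS peer are the example's own.

```python
"""Pre-flight check for a firewall rule request (added example)."""
import ipaddress

# Ranges as named in the post; the constant names are this example's own.
ONPREM_RANGES = [
    ipaddress.ip_network("10.40.0.0/24"),
    ipaddress.ip_network("10.40.1.0/24"),
]
CLIENT_VPN_RANGE = ipaddress.ip_network("10.100.240.0/22")


def classify_peer(cidr: str) -> str:
    """Return 'onprem', 'vpn' or 'aws' for the non-AWS side of a rule.

    Assumption of this example: anything that is neither in the Hamburg
    office ranges nor in the Client VPN range is another AWS account.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(r) for r in ONPREM_RANGES):
        return "onprem"
    if net.subnet_of(CLIENT_VPN_RANGE):
        return "vpn"
    return "aws"


def check_request(peer_cidr: str) -> dict:
    """Decide which steps a request needs and flag common mistakes."""
    kind = classify_peer(peer_cidr)
    net = ipaddress.ip_network(peer_cidr, strict=False)
    issues = []
    if kind == "onprem" and net.prefixlen != 32:
        # IT asks for the individual server IP, not a whole office range.
        issues.append("OnPrem peer must be a single host (/32)")
    if kind == "vpn" and net != CLIENT_VPN_RANGE:
        # VPN client addresses are assigned dynamically from the /22,
        # so a rule for one client IP will not hold after the next login.
        issues.append("Client VPN rules should use 10.100.240.0/22")
    return {
        "peer_kind": kind,
        "needs_pr": True,  # every scenario starts with a PR to the repo
        "needs_it_ticket": kind in ("onprem", "vpn"),
        "issues": issues,
    }


if __name__ == "__main__":
    for cidr in ("10.40.0.17/32", "10.40.1.0/24", "10.100.241.5/32", "10.200.5.0/24"):
        print(cidr, check_request(cidr))
```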
IT Support Ticket Template
When you need to request firewall changes or VPN/OnPrem access, use the following template for your IT Support ticket:
Subject: Firewall Rule for AWS <-> VPN/OnPrem Access
Description:
- AWS Account Name/ID: [Insert AWS Account Name/ID]
- Source IP/Range: [e.g., 10.100.240.0/22 for VPN or specific OnPrem IP]
- Destination IP/Range: [e.g., AWS resource IP or CIDR]
- Ports/Protocols: [e.g., TCP 443]
- Direction: [Inbound/Outbound/Both]
Additional Notes:
- Please coordinate with the CDX team if further information is required.
Copy and fill out this template when opening a ticket at Statista IT Support.