
Firewalls, Firewalls, Firewalls

Our IT teams work hard to secure our environments and they are doing a good job at it! The downside for you: you have to jump through some hoops to wire everything together and, since you are here, you probably don't know where to start. No worries, we got you covered.

(image: Firewall discussion)

Table of Contents

- TLDR: Just tell me how to set this up
- The challenge or "Why is this so complicated?"
- The Setup
- AWS Networking Immersion Day
- AWS Account <--> AWS Account
- AWS Account <--> OnPrem
- AWS Account <--> Client VPN
- IT Support Ticket Template

TLDR: Just tell me how to set this up

  • Create a PR at https://github.com/PIT-PASSAT-Community/tf-firewall-rules
  • If OnPrem or the Client VPN is involved on either side: also create a Support ticket at https://statista.service-now.com/esc (template at the end of this page)

The challenge or "Why is this so complicated?"

Let's shed some light on why, so that instead of "complicated" we can say "complex": by design, our AWS infrastructure is isolated from our on-premises infrastructure. The two are connected by a redundant VPN tunnel, but for security reasons all traffic across it is blocked by default.

We run many different workloads for dev, stage and prod in both worlds and need to carefully control which systems communicate with each other. Therefore, every connection needs to be explicitly allowed and justified.

At the time of this blog post, we are operating 113 AWS accounts and are running around 200 VMs at the Hamburg office. Furthermore, we have to control access to these resources for over 1000 employees.

See where this is going?

The Setup

For networking and routing, we have to look at the following two main components:

- Hamburg Office Firewall (Fortigate)
- Our Central Networking AWS account (Hub)

Let this picture speak for itself:

(diagram: AWS Office connection)

This is an example of two AWS accounts that are connected to each other via the central networking account:

(diagram: This is fine)

We are not going deeper into routing tables, inspection VPCs, transit gateways and VPN groups here, but they are why it is "complicated": there are many moving parts in our infrastructure. For more details, check out the next section.

AWS Networking Immersion Day

For a deep dive, you can refer to slides from our AWS Networking Workshop held in 2025:

AWS Account <--> AWS Account

To allow communication between AWS accounts, add firewall rules to this repository:

https://github.com/PIT-PASSAT-Community/tf-firewall-rules

Refer to the existing rules; it is easy to duplicate one and adapt it to your needs. After the PR is merged, the pipeline deploys your rules automatically.

AWS Account <--> OnPrem

Same repository as above, but you need to know the IP address of the OnPrem server. OnPrem servers are usually in these ranges:

10.40.0.0/24
10.40.1.0/24

IT will likely ask you to specify the server IP directly (as a /32).

In addition, you need to open a ticket with IT Support at https://statista.service-now.com/esc (feel free to use the template below to speed things up).

The OnPrem Infrastructure team will create a firewall rule on the Hamburg Office Firewall, allowing traffic to/from AWS via the Site-to-Site VPN (this is not your VPN client, but the connection between the office and the networking account, as seen in the diagram above).

AWS Account <--> Client VPN

Same process as for OnPrem. The VPN range to allow traffic to/from is

10.100.240.0/22

Once you log in with your FortiClient VPN, you receive an IP address from that range, so a rule cannot target a single client address; allow the whole range. Don't forget the support ticket.
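As an added example (not code from the tf-firewall-rules repository or from the IT teams), here is a small Python helper that checks a requested rule against the ranges documented in the OnPrem and Client VPN sections above before you open the PR and the ticket: OnPrem hosts must be specified as a /32, VPN clients get an address from the pool on login so the whole 10.100.240.0/22 range is the source or destination, and a ticket is needed whenever OnPrem or VPN is on either side. The Suricata-style rule line it renders is an assumption about the hub's rule format (AWS Network Firewall stateful rule groups accept that syntax); the repository's own module may look different, so copy an existing rule there rather than this string.

```python
"""Sanity-check a requested firewall rule against the ranges documented above.

Constructed helper for illustration; it is not part of the tf-firewall-rules
repository. The CIDRs are the ones listed on this page. The Suricata-style
output is an assumption about the hub's rule format and may not match the
repository's own module.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List

# Ranges documented on the page
ONPREM_RANGES = [IPv4Network("10.40.0.0/24"), IPv4Network("10.40.1.0/24")]
VPN_RANGE = IPv4Network("10.100.240.0/22")


@dataclass(frozen=True)
class RuleRequest:
    source: str        # CIDR, e.g. "10.100.240.0/22"
    destination: str   # CIDR, e.g. "10.20.5.0/24"
    protocol: str      # "tcp" or "udp"
    port: int          # destination port


def classify(cidr: str) -> str:
    """Return 'onprem', 'vpn' or 'aws' for an IPv4 CIDR, based on the documented ranges.

    Anything outside the OnPrem and VPN ranges is treated as an AWS-side address.
    """
    net = ip_network(cidr, strict=True)
    if not isinstance(net, IPv4Network):
        raise ValueError(f"only IPv4 ranges are documented, got {cidr}")
    if any(net.subnet_of(r) for r in ONPREM_RANGES):
        return "onprem"
    if net.subnet_of(VPN_RANGE):
        return "vpn"
    return "aws"


def check(req: RuleRequest) -> List[str]:
    """Return the problems with a request; an empty list means it follows the page's rules."""
    problems = []
    for label, cidr in (("source", req.source), ("destination", req.destination)):
        try:
            net = ip_network(cidr, strict=True)
            kind = classify(cidr)
        except ValueError as err:
            problems.append(f"{label} {cidr!r} is invalid: {err}")
            continue
        # IT asks for OnPrem servers as single hosts.
        if kind == "onprem" and net.prefixlen != 32:
            problems.append(f"{label} {cidr} is an OnPrem range; specify the server as a /32")
        # VPN clients get an address from the pool on login, so a rule
        # must allow the whole pool rather than one client address.
        if kind == "vpn" and net != VPN_RANGE:
            problems.append(f"{label} {cidr} is inside the VPN pool; use {VPN_RANGE} instead")
    if req.protocol not in ("tcp", "udp"):
        problems.append(f"protocol must be tcp or udp, got {req.protocol!r}")
    if not 1 <= req.port <= 65535:
        problems.append(f"port {req.port} is out of range")
    return problems


def needs_it_ticket(req: RuleRequest) -> bool:
    """A Support ticket is required when OnPrem or the Client VPN is on either side."""
    return any(classify(c) != "aws" for c in (req.source, req.destination))


def suricata_rule(req: RuleRequest, sid: int) -> str:
    """Render the request as a stateful 'pass' rule (assumed format, see module docstring)."""
    return (
        f"pass {req.protocol} {req.source} any -> {req.destination} {req.port} "
        f'(msg:"allow {req.source} -> {req.destination}:{req.port}"; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (
        RuleRequest("10.100.240.0/22", "10.20.5.0/24", "tcp", 443),  # VPN -> AWS, ok
        RuleRequest("10.40.0.0/24", "10.20.5.0/24", "tcp", 5432),    # OnPrem range, not /32
        RuleRequest("10.20.5.10/32", "10.40.1.23/32", "tcp", 22),    # AWS -> OnPrem host, ok
    ):
        problems = check(req)
        route = "ticket needed" if needs_it_ticket(req) else "PR only"
        print(req, route, problems or suricata_rule(req, 1000001))
```

Run it before filling in the ticket template: the problems list tells you what IT will send back, and the ticket decision mirrors the TLDR at the top of the page.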

IT Support Ticket Template

When you need to request firewall changes or VPN/OnPrem access, use the following template for your IT Support ticket:


Subject: Firewall Rule for AWS <-> VPN/OnPrem Access

Description:

  • AWS Account Name/ID: [Insert AWS Account Name/ID]
  • Source IP/Range: [e.g., 10.100.240.0/22 for VPN or specific OnPrem IP]
  • Destination IP/Range: [e.g., AWS resource IP or CIDR]
  • Ports/Protocols: [e.g., TCP 443]
  • Direction: [Inbound/Outbound/Both]

Additional Notes:
  • Please coordinate with the CDX team if further information is required.


Copy and fill out this template when opening a ticket at Statista IT Support.