Amazon Web Service (AWS) - Trusted Internet Connection (TIC) Architecture

I have decided to deviate from my blog series about Non-Technical Cloud Barriers and talk about some of the solution architecture work JHC is performing for our Federal clients moving to Amazon Web Services.  One of the major design hurdles the Federal Government has to take into consideration when moving into the Cloud is how to implement Trusted Internet Connection (TIC).  What is Trusted Internet Connection?  Department of Homeland Security describes TIC as an initiative to:

“…optimize and standardize the security of individual external network connections currently in use by federal agencies, including connections to the Internet. The initiative will improve the federal government's security posture and incident response capability through the reduction and consolidation of external connections and provide enhanced monitoring and situational awareness of external network connections.” (You may also refer to OMB Memorandum M-08-05).  

My understanding is that currently, no public Cloud offerings have the capability/ability to natively provide TIC for their federal clients.  In most cases, internet traffic is routed back to the federal government datacenter and out a TIC router provided by a vendor through the vendor’s Managed Trusted Internet Provider Service (MTIPS).  Currently the following vendors are the only MTIPS providers available under the Networx contract:

• AT&T
• CenturyLink (formerly Qwest)
• Sprint
• Verizon Business

For Federal Agencies looking to expand and/or move all infrastructure operations into the Cloud, but still need to maintain a physical datacenter to allow for a TIC vendor provided router, it is not cost effective and from a networking prospective it is inefficient.  Using AWS features, JHC has been able to design a TIC solution that removes the requirement for Agencies to have to maintain physical datacenters for TIC compliance while providing a TIC solution that is High Availability and has built-in Disaster Recovery.  Below is a high level overview and sample architecture of the TIC Solution:

1. Utilize AWS Regions in US East and/or GovGloud
2. Deploy Virtual Private Cloud (VPC) within the AWS Region and associate subnets across Availability Zones.
3. Within your VPC deploy EC2 virtual routers and EC2 web content filters across Availability Zones for high availability and disaster recovery.
4. Establish VPN connection between your agency and EC2 virtual router.
5. (Optional) for additional high availability and disaster recovery connect your AWS regions via EC2 virtual router and load balance user internet traffic across the US.
6. Use AWS Direct Connect feature to route your internet traffic to Equinix facility in either Seattle Washington and/or Ashburn, VA utilizing AWS Virtual Private Gateway.
7. Drop TIC provider router into Equinix and connect AWS Direct Connect Router to TIC Router

James Hirmas is the CEO for JHC Technology.  He can be reached at jhirmas (at) jhctechnology.com,@JHC_JamesHirmas, or connect with him on LinkedIn.