Public / DMZ Subnets Guardrails Overview


Turbot provides guardrails for managing public / DMZ subnets, from automating networking configurations to preventing the provisioning of instances in public subnets. The following overview describes Turbot's public / DMZ subnet guardrails.

Networking Configurations

  • This feature has been deprecated in version 3.0. Refer to Networking Guardrails for more information about current features.

Within the Network Admin Page, Turbot Admins can manage which VPCs have public / DMZ subnets. When creating a VPC, you can specify the external-facing subnet CIDRs of the VPC through the "DMZ Subnets" section. For an existing VPC, you can add public subnets by issuing a Turbot API call that adds additional DMZ subnets:

curl --request PATCH --header "Content-Type: application/json" --url --user 0436c20a-7cd2-44b1-a31f-3bed7dbc6ded:af9781d4-08b7-4b6d-a4df-fb0d693d0fd2 -H "Connection: keep-alive" -d '{"subnets":{"dmz":"-\n-"}}'

When DMZ subnets are pushed to the VPC, Turbot automatically creates an IGW and the specified subnets, and updates the VPC routing tables to reflect your Internet boundaries (e.g. the DMZ subnets will route through the IGW).
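Because every CIDR pushed through this call becomes an Internet-facing subnet, it is worth validating the list before it leaves your machine. The following added example (not Turbot's own code) checks that each DMZ CIDR is well-formed, lies inside the VPC block and does not overlap another DMZ subnet, then renders the request body in the shape shown in the curl command above. The YAML-style list inside the "dmz" string (one "- CIDR" per line) is an assumption inferred from the "-\n-" body on this page; the endpoint URL and the credentials are placeholders.

```python
"""Validate DMZ subnet CIDRs and build the Turbot PATCH body.

Added example, not Turbot's code. Assumptions: the request body is
{"subnets": {"dmz": "<yaml-style list of CIDRs>"}} as the page's curl
command suggests; endpoint URL and credentials are placeholders.
"""
import ipaddress
import json


def dmz_cidr_problems(vpc_cidr: str, dmz_cidrs: list[str]) -> list[str]:
    """Return a list of human-readable problems; an empty list means OK.

    Rejects malformed CIDRs (including host bits set), CIDRs outside the
    VPC block, and overlapping DMZ subnets. A typo here would otherwise
    silently expose a block that was never meant to be Internet-facing.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    accepted = []
    for cidr in dmz_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:  # bad syntax or host bits set
            problems.append(f"{cidr}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside VPC block {vpc}")
            continue
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        accepted.append(net)
    if not accepted:
        problems.append("no usable DMZ subnets")
    return problems


def build_dmz_payload(vpc_cidr: str, dmz_cidrs: list[str]) -> dict:
    """Return the JSON body for the PATCH call, or raise if validation fails."""
    problems = dmz_cidr_problems(vpc_cidr, dmz_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumed wire format: YAML-style list rendered into the "dmz" string,
    # matching the "-\n-" skeleton in the page's curl example.
    dmz_list = "\n".join(f"- {ipaddress.ip_network(c)}" for c in dmz_cidrs)
    return {"subnets": {"dmz": dmz_list}}


def curl_command(turbot_url: str, payload: dict) -> str:
    """Render the equivalent curl invocation; credentials come from env vars
    rather than being embedded on the command line (placeholder names)."""
    body = json.dumps(payload)  # newline becomes \n, as in the page's body
    return (
        'curl --request PATCH --header "Content-Type: application/json" '
        f'--url {turbot_url} --user "$TURBOT_ACCESS_KEY:$TURBOT_SECRET_KEY" '
        f"-d '{body}'"
    )


if __name__ == "__main__":
    # Constructed sample: a /16 VPC with two /24 DMZ subnets.
    payload = build_dmz_payload("10.20.0.0/16", ["10.20.1.0/24", "10.20.2.0/24"])
    print(curl_command("https://turbot.example.com/VPC_ENDPOINT_PLACEHOLDER", payload))
```

Run it with the sample values to see the rendered command; swap in your own VPC block and DMZ CIDRs, and the validation step refuses anything that would not be a proper sub-block of the VPC.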

Allow DMZ Instances Options

Turbot provides preventive controls that stop users from provisioning instances in the public / DMZ subnets for specific AWS services. If you are using public subnets and need to allow users to provision instances in them, you will need to enable the following options as applicable:

  • EC2 > Allow DMZ Instances - Allow EC2 instances to be launched in the DMZ subnets.
  • ElastiCache > Allow DMZ Clusters - Allow ElastiCache clusters to be launched in the DMZ subnets.
  • AWS > RDS > Allow DMZ Instances - Allow RDS instances to be launched in the DMZ subnets.
  • Redshift > Allow DMZ Clusters - Allow Redshift clusters to be launched in the DMZ subnets.
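To see how these options gate a launch, here is an added example (not Turbot's code) that emulates the two decisions behind them: first, which subnets count as public / DMZ (those whose effective route table has a route targeting an Internet Gateway, which is what the DMZ routing described above produces), and second, whether a resource of a given service may be placed there given the options that are enabled. The VPC data is constructed inline in a simplified, boto3-like shape (an assumption; real describe_route_tables output carries more fields), and the option names are the four listed above.

```python
"""Emulate the 'Allow DMZ' preventive controls on a constructed VPC.

Added example, not Turbot's code. The route-table and subnet records
are constructed sample data in a simplified boto3-like shape (assumption).
"""

# Constructed sample VPC: a main route table with only the local route,
# and a DMZ route table whose default route points at an IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Main": True,
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"}],
     "SubnetIds": []},
    {"RouteTableId": "rtb-dmz", "Main": False,
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}],
     "SubnetIds": ["subnet-dmz-a", "subnet-dmz-b"]},
]
SUBNETS = {
    "subnet-dmz-a": "10.20.1.0/24",
    "subnet-dmz-b": "10.20.2.0/24",
    "subnet-priv": "10.20.10.0/24",
}

# Option names as listed on the page; an option is "enabled" when its
# name is present in the set passed to launch_decision().
OPTIONS = {
    "ec2": "EC2 > Allow DMZ Instances",
    "elasticache": "ElastiCache > Allow DMZ Clusters",
    "rds": "AWS > RDS > Allow DMZ Instances",
    "redshift": "Redshift > Allow DMZ Clusters",
}


def public_subnets(route_tables, subnets):
    """Return the set of subnet ids that are Internet-facing.

    A subnet uses its explicitly associated route table, or the VPC's
    main table if it has none; it is public when that table has any
    route whose target is an Internet Gateway (igw-...).
    """
    def routes_via_igw(rt):
        return any(str(r.get("GatewayId", "")).startswith("igw-")
                   for r in rt["Routes"])

    main = next(rt for rt in route_tables if rt["Main"])
    explicit = {sid: rt for rt in route_tables for sid in rt["SubnetIds"]}
    return {sid for sid in subnets if routes_via_igw(explicit.get(sid, main))}


def launch_decision(service, subnet_id, enabled_options,
                    route_tables=ROUTE_TABLES, subnets=SUBNETS):
    """Return ("allow" | "deny", reason) for placing `service` in `subnet_id`.

    The guardrail only concerns public / DMZ subnets: private subnets are
    always allowed here, public ones only when the service's option is on.
    """
    if service not in OPTIONS:
        return "deny", f"no DMZ option defined for service {service!r}"
    if subnet_id not in subnets:
        return "deny", f"unknown subnet {subnet_id}"
    if subnet_id not in public_subnets(route_tables, subnets):
        return "allow", f"{subnet_id} is private; DMZ guardrail does not apply"
    option = OPTIONS[service]
    if option in enabled_options:
        return "allow", f"{subnet_id} is public and '{option}' is enabled"
    return "deny", f"{subnet_id} is public and '{option}' is not enabled"


if __name__ == "__main__":
    print("public subnets:", sorted(public_subnets(ROUTE_TABLES, SUBNETS)))
    for svc, sid, opts in [("ec2", "subnet-dmz-a", set()),
                           ("ec2", "subnet-dmz-a", {OPTIONS["ec2"]}),
                           ("rds", "subnet-dmz-b", {OPTIONS["ec2"]}),
                           ("rds", "subnet-priv", set())]:
        print(svc, sid, "->", launch_decision(svc, sid, opts))
```

Note that enabling the EC2 option does nothing for RDS: each service has its own option, so a cluster or database in a DMZ subnet is still denied until its own option is enabled.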