Skip to main content

Forward Networks parse, processes and normalizes the snapshot details gathered.  You have heard this term over and over again.  Let’s use this method to see all of the subnets across all AWS, GCP and Azure deployments.  

This NQE query is based upon the example in the DataModel for 

network → cloudAccounts → vpcs → subnets → ifaces

 

/**
* @intent Enumerate the Routing Table for all Cloud Providers
* @description Enumerate the Routing Table for all Cloud Providers. The notModeled column indicates the ipAddress is not modeled.
*/

ipModeled(ipAddress) =
foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach subnet in vpc.subnets
foreach iface in subnet.ifaces
where ipAddress in iface.ipAddresses
select iface.ipAddresses;

foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach routeTable in vpc.routeTables
foreach route in routeTable.routes
where isPresent(route.nextHop)
let nextHop = route.nextHop
let ipAddress = when nextHop is
ipAddress(ipAddressData) -> ipAddressData;
otherwise -> null : IpAddress
let modeledIP = ipModeled(ipAddress)
select {
clouType: cloudAccount.cloudType,
cloudAccountName: cloudAccount.name,
vpcName: vpc.name,
vpcId: vpc.id,
region: vpc.cloudRegions,
routeTableId: routeTable.id,
tags: route.tags,
routeType: route.routeType,
nextHopAlternative: if isPresent(route.nextHop)
then when route.nextHop is
internet -> "internet";
ipAddress -> "ipAddress";
local -> "local";
refObj -> "refObj";
unknown -> "unknown"
else "null",
// nextHopIP: ipAddress,
routePrefix: route.prefixes,
routeSubnet: route.subnetIdMatch,
priority: route.priority,
inactive: route.inactive,
notModeled: length(modeledIP) > 0
}

The violation in the last column, notModeled, allows you to find the nextHopIp addresses that are not modeled.  The NQE with a violation column could be added to the NQEs analyzed during snapshot analysis to ensure that the entire cloud network is modeled. 

The routePrefix allows filtering for particular subnets and where they are configured.  A typical issue is where the routeType is always static across all RouteTableIds and may end up in a loop.  

Or, if converting to dynamic routing, find all of the static routes. 

One could use this output, combined with the patternMatch function shown in the “VPC Route Peers - Not Modeled” NQE query to create your own custom NQE report.

Filter on nextHopAlternative “internet” to find where the 0.0.0.0/0 routes are pointing to the Internet.  

Once you have a report with all the network details, what would you do with it?  Perhaps determine if a subnet is defined in multiple AWS Regions for fault tolerance?  Is this an NQE that would be valuable? 

Be the first to reply!

Reply