Background
The AWS Network Firewall is a managed service that makes it easy to control and monitoring connections within the Amazon Virtual Private Clouds (VPCs).
Use Case
My scenario was specific toward using a stateful and not stateless firewall as the network traffic coming in and going out needs to be evaluated.
Traffic needs to be going from the private or customer subnet, to the firewall subnet, if allowed the traffic will then go on to the internet gateway. When traffic comes back from the internet gateway, it needs to goes through the firewall subnet or (Endpoint/VPCE).
Architecture
I will be using a single AWS zone, with an internet gateway and the network firewall. I will have a two separate subnets, one which is private and the other which is public. Specific entries in the route tables will control outbound traffic in terms of whether it goes through the firewall before going to the public internet.
VPCs
10.10.0.0/16
Subnets
Private/Customer-subnet 10.10.1.0/24
Firewall-subnet 10.10.3.0/24
Route Tables
CustomerSubnet-RT
Firewall-RT
Internet-gw-rt
Lets Build
Head over to the AWS console, under VPC | Firewalls
Network Firewall Rule Groups
We will go to Network Firewall Rule Groups, and create a new firewall group.
Below is my basic sample config, where I am wishing to block traffic to the single domain google.com for demo purposes. If you have questions about what the value of capacity should be, there is extensive documentation from AWS by search for rule group capacity.
Firewall Policies
Next we will create a new firewall policy.
Below is my basic sample config, where I am specifying actions, rule order and default actions. Since we already created the fire rule group earlier, we can now add that from an existing group.
Firewall
Lets now create a firewall, we will need a name, VPC, Availability Zones, Subnets and an associated firewall policy. See below for my sample config.
AWS Endpoints - VPCE
When the AWS Firewall is created or provisioned, it also creates an new endpoint under VPC | Endpoints. We will be using the network interface (eni) in the next step as we update some route tables.
Update the Routes under the VPC Route Table
We will first update the firewall route table or in my example is called Firewall-RT. We need to add new route table entry for the destination 0.0.0.0/0 with a target of the internet gateway (igw-).
Next we need to update the private or CustomerSubnet-RT route table. We will add or update the destination 0.0.0.0/0 with a target of network interface. Remember, this is the network interface or (eni) from above under the AWS endpoints. If you are unsure you can go and look it up.
Next we can update our internet gateway route table, which only has a single route table entry for the destination 10.0.0.0/16 with a target of local. We will select edge associations and choose the internet gateway or (igw-).
Finally we can update our firewall route table, or in my case its called Firewall-rt. I added a new route table entry, with the destination of 10.10.1.0/24 which is my Private/Customer-subnet, the target will be the same Network Interface or (eni) that was used above when we updated the private/CustomerSubnet-RT route table. We are doing this as we want any traffic coming in to go through the firewall subnet.
Testing
For my simple testing, I used both a Windows and a Linux EC2 instance, launched in the Private/Customer Subnet. Then tried to visit the website https://www.google.com which was blocked until I removed the domain from my network firewall rule group.
Top comments (0)