AWS Network Firewall is a recently launched, fully managed, highly available and scalable network security service from AWS that protects the workloads in your VPC.
- AWS Network Firewall is an intrusion prevention system (IPS): it actively inspects traffic flows, which helps us detect intrusions into the VPC.
- It is a managed service that makes it easy to deploy essential network protection for the VPC’s workloads, so we do not have to deploy or manage any infrastructure.
- AWS Network Firewall works together with AWS Firewall Manager, so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
2. Prerequisites:
- AWS account
- Two subnets
  - One for the Network Firewall
  - One for the main subnet
- Three route tables
  - One for the Internet Gateway
  - One for the main subnet
  - One for the Network Firewall
3. AWS Services Used:
- Network Firewall Rule Group
- Firewall policies
- Route Table
- Internet Gateway
- Windows EC2 instance
4. Resources in AWS providing similar Security Services:
Before going deep into AWS Network Firewall, let us see the capabilities we already have for securing a VPC.
- Security Groups
  - Instance level
  - The rules evaluate the traffic coming to the instance and going out of the instance
- Network Access Control List (NACL)
  - Subnet-level security
  - We can add stateful rules where we can evaluate the traffic going in and out of the subnet
- AWS WAF
  - Provides security for web applications running behind APIs, CloudFront, and load balancers
- AWS Shield
  - Gives protection against DDoS attacks
There is no easier way to scale network security across all your resources in your workloads regardless of which AWS service you use.
So far, traffic to and from the subnet has been routed like this:
- Whenever traffic comes from the internet, it is routed directly through the Internet Gateway (IGW) to the subnet.
- Any traffic leaving the subnet goes directly to the IGW and out to the internet.
- There was no middleman or service to inspect the traffic between the Internet Gateway and the subnet.
- There was no capability to restrict traffic to a specific URL.
To solve this problem, AWS launched a new security service called Network Firewall, which provides network security across all your resource workloads regardless of which AWS service you use.
- AWS Network Firewall is a highly available and scalable managed network security service from AWS, providing security for the VPC’s workloads.
- Network Firewall provides URL filtering capability.
How Traffic Flow Inspection is Achieved:
Traffic flow inspection is achieved as follows:
- A new subnet, the firewall subnet, is created in our VPC in a particular Availability Zone of a region.
- A firewall endpoint (a VPC endpoint) is created in that firewall subnet.
- Whenever any traffic comes into the subnet or goes out of it, the traffic is passed through the firewall subnet where the Network Firewall endpoint is present.
- The firewall inspects the traffic using the defined policies and rules and passes the allowed traffic in and out.
- In this way, it provides VPC-level security.
In this blog, we are going to deploy the Network Firewall according to the architecture below.
5. Deployment Architecture:
6. Overview of steps involved:
- We are going to create a Network Firewall inside the firewall subnet and one Windows EC2 instance in the main public subnet. We are going to restrict traffic to a given URL, then SSH into the instance and check whether the URL opens in the browser or not.
- Before beginning the firewall creation, make sure a few resources have been created:
  - One VPC
  - Two subnets, one for main resource allocation and one for the Network Firewall
  - Three route tables: one for the Internet Gateway, one for the main subnet, and one for the Network Firewall
Please follow the IP address values given in the architecture diagram to avoid confusion.
7. Step by Step Guide to Provisioning AWS Network Firewall:
Step 1: Go to the AWS console and open the VPC page. Select the Network Firewall Rule policy.
Step 2: Select Create Network Rule policy.
Here, you can see there are two kinds of rule groups:
- Stateless rules
  - The traffic is evaluated whenever it comes into the subnet. It won’t be evaluated when traffic comes out of the subnet.
- Stateful rules
  - The traffic is evaluated in both directions.
You can see there are three types of rules in the stateful rule group. We have three options:
1: 5-tuple
2: Domain list
3: Suricata compatible IPS rules
In 5-tuple you need to provide the options below:
1: Protocol
- Transport protocol. Choose the protocol that you want to inspect. For all protocols, you can use IP, because all traffic on AWS and on the internet is IP.
2: Source IP
- Source IP addresses and ranges. Traffic should come from a source address in this list.
3: Source port
- Source ports and port ranges. If specified, a packet must have a source port that’s included in this list to match.
4: Destination IP
- Destination IP addresses and ranges. If specified, a packet must have a destination address that’s included in this list to match.
5: Destination port
- Destination ports and port ranges. If specified, a packet must have a destination port that’s included in this list to match.
6: Traffic direction
- Any: the rule additionally matches packets whose origination matches the rule’s destination settings and whose destination matches the rule’s source settings.
- Forward: any traffic whose origination matches the rule’s source settings and whose destination matches the destination settings in the rule will be forwarded to the rule’s action.
7: Action
  1: Pass (the traffic will be allowed)
  2: Drop (the traffic will be denied)
  3: Alert (an alert will be written to the log group or to CloudWatch)
In Domain list you need to provide details for the options below:
- Domain name source
  - Provide the domain name of the website to which we need to block the traffic.
- Protocol: choose either HTTP or HTTPS.
- Action: choose Allow or Deny.
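The domain list decision, as an added Python example that is not code from the original post: it models how one HTTP Host or TLS SNI value is judged against the list for a flow from the configured source range, following the AWS documentation’s matching rules. HOME_NET and the instance address are constructed placeholders, not the diagram’s values.

```python
# Added example, not from the original post: the decision a domain list rule group makes for
# one flow.  Per the AWS docs, "cloudthat.com" matches exactly and ".cloudthat.com" also matches
# every subdomain; only HTTP/HTTPS flows from the configured source range are checked.
from ipaddress import ip_address, ip_network

def domain_matches(entry: str, server_name: str) -> bool:
    """Compare an HTTP Host header or TLS SNI value against one domain list entry."""
    name = server_name.lower().split(":")[0].rstrip(".")   # drop ":port" and a trailing dot
    entry = entry.lower()
    if entry.startswith("."):
        base = entry[1:]
        return name == base or name.endswith("." + base)
    return name == entry

def decide(domain_list, mode: str, home_net: str, src_ip: str, protocol: str, server_name: str) -> str:
    """Return "PASS" or "DROP".  mode "DENY" blocks the listed domains and passes the rest;
    mode "ALLOW" passes only the listed domains (the console's Allow/Deny choice)."""
    if protocol not in ("HTTP", "HTTPS") or ip_address(src_ip) not in ip_network(home_net):
        return "PASS"              # not web traffic from the protected range: this group does not apply
    listed = any(domain_matches(e, server_name) for e in domain_list)
    if mode == "DENY":
        return "DROP" if listed else "PASS"
    return "PASS" if listed else "DROP"

# Constructed values: the post says to take the source range from its architecture diagram.
HOME_NET = "10.0.1.0/24"
DOMAIN_LIST = [".cloudthat.com"]

def demo() -> dict:
    src = "10.0.1.10"   # constructed instance address inside HOME_NET
    return {
        "https_subdomain": decide(DOMAIN_LIST, "DENY", HOME_NET, src, "HTTPS", "www.cloudthat.com"),
        "http_host_with_port": decide(DOMAIN_LIST, "DENY", HOME_NET, src, "HTTP", "cloudthat.com:8080"),
        "other_site": decide(DOMAIN_LIST, "DENY", HOME_NET, src, "HTTPS", "example.org"),
        "lookalike": decide(DOMAIN_LIST, "DENY", HOME_NET, src, "HTTPS", "notcloudthat.com"),
        "outside_home_net": decide(DOMAIN_LIST, "DENY", HOME_NET, "10.0.9.9", "HTTPS", "cloudthat.com"),
        "allow_mode_other": decide(DOMAIN_LIST, "ALLOW", HOME_NET, src, "HTTPS", "example.org"),
    }
```

The lookalike case shows why the leading dot matters: `notcloudthat.com` is not a subdomain of `cloudthat.com`, so it passes, while a Host header carrying a port is still caught.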
Coming to stateless rules, you need to provide details for:
- Priority
  - A rule with a lower priority number is evaluated before rules with higher numbers.
  - NOTE: If a rule is evaluated and matched, no further rules are evaluated.
- In Add rule, you get the same options as in a stateful rule:
  - Source IP
  - Source port
  - Destination port
- Choose the action you want to take, as described above.
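As an added example (not code from the original post), here is a small Python model of the 5-tuple matching described above together with the stateless priority rule: Forward versus Any direction, Pass/Drop/Alert actions, lowest priority number evaluated first, first match wins. The subnet CIDR and the addresses are constructed, not taken from the architecture diagram.

```python
# Added example, not from the original post: how a list of 5-tuple rules is evaluated
# (Forward/Any direction, Pass/Drop/Alert, lowest priority number first, first match wins).
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                     # "PASS", "DROP" or "ALERT"
    proto: str = "IP"               # "IP" matches every transport protocol
    src: str = "0.0.0.0/0"
    sports: Optional[range] = None  # None = any port
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None
    direction: str = "FORWARD"      # "FORWARD" or "ANY"

def _forward_match(r: Rule, p: Packet) -> bool:
    """Packet origin matches the rule's source and its destination the rule's destination."""
    return ((r.proto == "IP" or r.proto == p.proto)
            and ip_address(p.src) in ip_network(r.src) and (r.sports is None or p.sport in r.sports)
            and ip_address(p.dst) in ip_network(r.dst) and (r.dports is None or p.dport in r.dports))

def matches(r: Rule, p: Packet) -> bool:
    if _forward_match(r, p):
        return True
    # ANY also matches the reverse flow: origin == rule destination, destination == rule source.
    return r.direction == "ANY" and _forward_match(r, Packet(p.proto, p.dst, p.dport, p.src, p.sport))

def evaluate(rules, p: Packet) -> str:
    for r in sorted(rules, key=lambda r: r.priority):  # lower number is evaluated first
        if matches(r, p):
            return r.action                             # first match wins, no further rules
    return "PASS"                                       # nothing matched: leave to the policy default

MAIN_SUBNET = "10.0.1.0/24"   # constructed; use the CIDR from your architecture diagram
RULES = [
    Rule(1, "PASS", "TCP", src=MAIN_SUBNET, dports=range(443, 444), direction="ANY"),  # HTTPS out + replies
    Rule(2, "ALERT", "TCP", dst=MAIN_SUBNET, dports=range(3389, 3390)),               # log inbound RDP
    Rule(9, "DROP"),                                                                  # everything else
]

def demo() -> dict:
    web_out = Packet("TCP", "10.0.1.10", 50000, "203.0.113.5", 443)   # constructed addresses
    web_reply = Packet("TCP", "203.0.113.5", 443, "10.0.1.10", 50000)
    rdp_in = Packet("TCP", "198.51.100.7", 40000, "10.0.1.10", 3389)
    forward_only = [Rule(1, "PASS", "TCP", src=MAIN_SUBNET, dports=range(443, 444)), Rule(9, "DROP")]
    return {"web_out": evaluate(RULES, web_out), "web_reply": evaluate(RULES, web_reply),
            "rdp_in": evaluate(RULES, rdp_in), "reply_forward_only": evaluate(forward_only, web_reply)}
```

The last case is the one that bites in practice: with direction Forward, the server’s reply does not match the pass rule and falls through to the drop, so the connection never completes.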
Step 3: Select the Stateful rules option, then select the Domain list option.
Step 4: Provide the name “Stateful-Rule”. Provide “cloudthat.com” in the domain name source.
- Provide the firewall subnet CIDR value in the source range.
- Select Create stateful rule group below.
Step 5: Create a firewall policy. Give it any name and click Next.
Step 6: In Add rule groups, scroll down to the stateful rule group section and add the stateful rule group created in Step 4: click Add rule groups, select Stateful-Rule, and click Add rule groups.
Step 7: Select Next, then Next again. Finally, create the network policy.
Step 8: Create the Network Firewall. Give the firewall a name and select the network policy we created in the steps above.
Select the main VPC. Provide the Availability Zone us-east-2a and select the firewall subnet.
Select the Associate an existing firewall policy radio button and select your network policy created in Step 7. Click Create firewall.
Step 9: Make sure you have associated each subnet with its respective route table.
- That is, associate the main subnet with the main route table and the firewall subnet with the firewall route table.
- Provision one Internet Gateway and attach it to the main VPC.
Step 10: Create one Windows instance in the main subnet and browse to cloudthat.com.
Step 11: Now edit the routes in the route tables. Add the IGW route to the firewall subnet’s route table, and point the main subnet’s route at the firewall endpoint’s network interface (the VPC endpoint created by the firewall).
- Create one route table with the name “internet-gateway-route-table”.
- Add the Internet Gateway as the edge association of the “internet-gateway-route-table” created before.
- In “internet-gateway-route-table”, add a route with the main subnet CIDR as the destination and the firewall’s VPC endpoint network interface as the target.
Routes of IGW route table.
Routes of Firewall route table
Route of the main route table
Edge association of IGW route table.
Thus, we have configured the routes so that any traffic coming to the main subnet from the Internet Gateway must pass through the firewall subnet, and vice versa.
Now check cloudthat.com in the Windows instance again.
We have successfully blocked the traffic to that site.
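An added check, not part of the original post, that traces a packet through the three route tables of Step 11 in both directions and flags a layout where the main subnet still routes straight to the IGW, which would let outbound traffic skip the firewall. The CIDRs and the igw/vpce IDs are placeholders; substitute the values from your architecture diagram.

```python
# Added example, not from the original post: a check that the three route tables really force
# both directions of main-subnet internet traffic through the firewall endpoint, and that a
# direct IGW route (a bypass) is detected.  CIDRs and IDs are constructed placeholders.
from ipaddress import ip_address, ip_network

VPC_CIDR, MAIN_SUBNET = "10.0.0.0/16", "10.0.1.0/24"       # take real values from your diagram
IGW, FIREWALL_ENDPOINT = "igw-PLACEHOLDER", "vpce-PLACEHOLDER"

def next_hop(routes, dst_ip: str):
    """Longest-prefix match over (destination CIDR, target) pairs, as a VPC route table does."""
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace_inbound(tables, instance_ip: str) -> list:
    """Internet -> instance: the IGW consults its edge-associated table first."""
    return [IGW, next_hop(tables["internet-gateway-route-table"], instance_ip)]

def trace_outbound(tables, internet_ip: str) -> list:
    """Instance -> internet: main subnet table, then (if sent there) the firewall subnet table."""
    hops = [next_hop(tables["main-route-table"], internet_ip)]
    if hops[0] == FIREWALL_ENDPOINT:
        hops.append(next_hop(tables["firewall-route-table"], internet_ip))
    return hops

def is_inspected(tables, instance_ip: str, internet_ip: str) -> bool:
    """True only if both directions pass the firewall endpoint and outbound still reaches the IGW."""
    inbound, outbound = trace_inbound(tables, instance_ip), trace_outbound(tables, internet_ip)
    return FIREWALL_ENDPOINT in inbound and FIREWALL_ENDPOINT in outbound and outbound[-1] == IGW

# The layout the post builds in Step 11 (the /24 route wins over the /16 local route by prefix length).
CORRECT = {
    "internet-gateway-route-table": [(VPC_CIDR, "local"), (MAIN_SUBNET, FIREWALL_ENDPOINT)],
    "main-route-table": [(VPC_CIDR, "local"), ("0.0.0.0/0", FIREWALL_ENDPOINT)],
    "firewall-route-table": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
}
# Misconfiguration: the main subnet still points straight at the IGW, so outbound skips inspection.
BYPASS = {**CORRECT, "main-route-table": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)]}
```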
AWS Network Firewall reduces the risk to the internal network and workloads, providing better security for the services and keeping them private. I hope this post helped clarify the concepts of AWS Network Firewall.
9. About CloudThat:
CloudThat is AWS (Amazon Web Services) Advanced Consulting Partner, AWS authorized Training Partner, Microsoft Gold Partner, and Winner of the Microsoft Asia Superstar Campaign for India: 2021.
We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere to advance in their businesses.
To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat’s offerings. Then you can quickly get in touch with our highly accomplished team of experts to carry out your migration needs. Feel free to drop a comment or any queries that you have about AWS Network Firewall, provisioning Network Firewall, or security; we will get back to you quickly.
Q1. What is an important advantage of AWS Network Firewall?
Ans: AWS Network Firewall is an intrusion protection service in which inspection of inbound traffic is achieved at the entrance, that is, before the traffic reaches the subnet.
Q2. What are the capabilities, in terms of security, for the services and workloads in AWS?
Ans: We have a few services: Security Groups, which provide security at the instance level; Network Access Control Lists, which provide security at the subnet level; AWS WAF, which provides security for workloads or applications running on CloudFront, load balancers, and APIs; and AWS Shield, which provides protection against DDoS attacks.