Detailed Guide to Provision AWS Network Firewall using Terraform

September 22, 2022

TABLE OF CONTENTS

1. Introduction
2. Prerequisites
3. AWS Services Used
4. Deployment Architecture Diagram
5. Step by Step Guide to execute Terraform Code
6. Conclusion
7. About CloudThat
8. FAQs


1. Introduction

AWS Network Firewall is a recently launched, fully managed, highly available and scalable network firewall service from AWS that protects the workloads in your VPCs. It works together with AWS Firewall Manager, so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts. In the previous blog, we covered the manual provisioning of AWS Network Firewall in detail.

Today, we will automate the provisioning of AWS Network Firewall using an Infrastructure as Code (IaC) DevOps tool, Terraform.

Advantages of Terraform:

  • Terraform is an open-source Infrastructure-as-Code (IaC) tool that lets us create, update and improve infrastructure on many cloud platforms such as AWS, Azure and GCP.
  • Terraform supports reuse of code.
  • We can provision many physical resources with a single command.
  • Terraform is idempotent: the state of the infrastructure is saved (on the local machine by default), so applying the same configuration a second time results in 0 changes.

Learn more about Continuous Integration to automate Terraform modules with GitHub Actions as IaC pipelines here.

2. Prerequisites

  • Any Linux instance
  • AWS root account
  • Terraform preinstalled on the Linux machine
  • AWS CLI

3. AWS Services Used

  • AWS Network Firewall
  • AWS Network Firewall policy
  • AWS Network Firewall Rule Groups
  • VPC
  • Subnets
  • Route Table
  • Internet Gateway
  • Windows instance

4. Deployment Architecture

Architecture Diagram

5. Step by Step Guide to Execute the Terraform Code

We are going to construct the Terraform code on the Linux machine in a modular format, then execute it using the Terraform commands.

Step 1: Go to a Linux instance and connect to your AWS account using the AWS CLI.

Step 2: Create a folder called “NetworkFirewall” and go into the folder.

[Screenshot: Step 2]

Step 3: Run git init to initialize the Git repository, then pull the code from GitHub.

[Screenshot: Step 3, the NetworkFirewall folder]

Step 4: Go to the FirewallTerraform folder.

[Screenshot: Step 4]

Step 5: Here you can see the files and folders.

File: main.tf

The main.tf file is the root configuration; it calls the modules, which is what keeps the code in a modular format.

Run the below command to view the file.

[Screenshot: Step 5, main.tf]

File: var.tf

This file contains all the variables declared in the Terraform code, and this is where code reusability comes from: change the variable values and the same code provisions similar infrastructure.

[Screenshot: Step 5, var.tf]

File: provider.tf. This file contains the cloud provider details.

[Screenshot: Step 5, provider.tf]

Step 6: Now go into the module folder by running the below command.

Here you will see two folders, Firewall and Networking. This is how we segregate the resources to be provisioned on the AWS platform in a modular way. Go into each folder and check the files present.

[Screenshot: Step 6]

Step 7: Now go back to the folder where the main.tf file is present using the below command.

Execute the below command to initialize the Terraform code.

Output, if there are no errors:

[Screenshot: Step 7, terraform init]

Execute the below command to preview the actions Terraform would take to modify your infrastructure.

Output, if there are no errors:

[Screenshot: Step 7, terraform plan]

Execute the below command:

The terraform apply command performs a plan just like terraform plan does, but then actually carries out the planned changes to each resource using the relevant infrastructure provider’s API.

[Screenshot: Step 7, terraform apply]

You will get output like this; provisioning of AWS Network Firewall using Terraform has started.

Step 8: Check and verify the newly provisioned resources in the AWS console.

  • VPC
  • Subnets
  • Route table
  • Internet gateway
  • Firewall
  • Firewall policy
  • Firewall rule group

[Screenshots: Step 8, one per resource listed above]

Step 9: Create a Windows instance in Firewall-VPC in the Resource subnet. Try to access the blocked domain name in the browser; you will get an error page or a page-not-found response.

[Screenshot: Step 9]

Step 10: Destroy the infrastructure using the below command.

If you get any errors, run the same command again.
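The post's repository is only shown in screenshots, so here is an added example (not the code from the post or its GitHub repository) of the pattern steps 5 to 9 describe, written as one flat file rather than the Firewall and Networking modules: a stateful domain-list rule group that denies a domain, a policy that sends all traffic to the stateful engine, the firewall itself, and the three route tables that force the Resource subnet's traffic through the firewall endpoint in both directions. Resource names, CIDRs, the blocked domain and the single availability zone (us-east-1a, which assumes provider.tf is set to us-east-1) are constructed assumptions; a real deployment would also want an AWS provider version pinned in provider.tf and the values moved into var.tf.

```hcl
resource "aws_vpc" "firewall_vpc" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.firewall_vpc.id
}

# Two subnets in one AZ (assumption): one dedicated to the firewall endpoint,
# one for the Windows test instance from step 9. CIDRs are constructed.
resource "aws_subnet" "this" {
  for_each          = { firewall = "10.0.0.0/28", resource = "10.0.1.0/24" }
  vpc_id            = aws_vpc.firewall_vpc.id
  cidr_block        = each.value
  availability_zone = "us-east-1a"
}

# Stateful domain-list rule group: DENYLIST matched on the HTTP Host header and TLS SNI.
resource "aws_networkfirewall_rule_group" "deny_domains" {
  name     = "deny-domains"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "DENYLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = ["blocked.example.com"] # constructed placeholder
      }
    }
  }
}

# Policy: every packet and fragment goes to the stateful engine, where the denylist applies.
resource "aws_networkfirewall_firewall_policy" "policy" {
  name = "firewall-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny_domains.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "fw" {
  name                = "network-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
  vpc_id              = aws_vpc.firewall_vpc.id
  subnet_mapping {
    subnet_id = aws_subnet.this["firewall"].id
  }
}

# The endpoint ID is only known after apply; with one AZ there is exactly one.
locals {
  fw_endpoint_id = one([
    for s in aws_networkfirewall_firewall.fw.firewall_status[0].sync_states :
    s.attachment[0].endpoint_id
  ])
}

# Resource subnet: default route through the firewall endpoint, never straight to the IGW.
resource "aws_route_table" "resource" {
  vpc_id = aws_vpc.firewall_vpc.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint_id
  }
}
resource "aws_route_table_association" "resource" {
  subnet_id      = aws_subnet.this["resource"].id
  route_table_id = aws_route_table.resource.id
}

# Firewall subnet: default route to the IGW.
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.firewall_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "firewall" {
  subnet_id      = aws_subnet.this["firewall"].id
  route_table_id = aws_route_table.firewall.id
}

# IGW edge route table: inbound and return traffic for the resource subnet re-enters via the firewall.
resource "aws_route_table" "igw_edge" {
  vpc_id = aws_vpc.firewall_vpc.id
  route {
    cidr_block      = aws_subnet.this["resource"].cidr_block
    vpc_endpoint_id = local.fw_endpoint_id
  }
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw_edge.id
}
```

The three route tables are the part a console walkthrough most easily gets wrong: if the Resource subnet's default route points at the internet gateway instead of the firewall endpoint, the rule group never sees the traffic and the step 9 test will load the blocked page. The IGW edge association is what makes return traffic symmetric. With more than one availability zone, create one subnet_mapping per AZ and key the resource and edge routes on the availability_zone field of each sync_states entry instead of using one().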

6. Conclusion:

Provisioning infrastructure on the cloud using Terraform gives us more control over the infrastructure and fewer manual tasks. The configuration language is human-readable, letting us write the infrastructure code more quickly, and it allows us to track resource changes and updates throughout the deployment.

7. About CloudThat:

CloudThat is AWS (Amazon Web Services) Advanced Consulting Partner, AWS authorized Training Partner, Microsoft Gold Partner, and Winner of the Microsoft Asia Superstar Campaign for India: 2021.

We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere to advance in their businesses.

To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings. Then, you can quickly get in touch with our highly accomplished team of experts to carry out your migration needs. Feel free to drop a comment or any queries that you have about AWS Network Firewall, provisioning Network Firewall, or security; we will get back to you quickly.

8. FAQs:

Q1. What is the importance of making modules in Terraform?

Ans: Using modules, we can split the configuration into multiple smaller Terraform files which together make up the full Terraform script. Updating and editing the code becomes simpler and easier, and we get the possibility to reuse the code in many deployments.

Q2. What are the capabilities, in terms of security, for the services and workloads in AWS?

Ans: We have a few services: security groups, which provide security at the instance level; network access control lists (NACLs), which provide security at the subnet level; AWS WAF, which protects workloads or applications running behind CloudFront, load balancers and APIs; and AWS Shield, which provides protection against DDoS attacks.

