There is no easier way to scale network security across all the resources in your workloads, regardless of which AWS service you use.
So far, traffic has been routed to the subnet as follows:
Whenever traffic comes from the internet, it is routed directly through the Internet Gateway (IGW) to the subnet.
Any traffic leaving the subnet goes directly to the IGW and is routed out to the internet.
There was no intermediary service to inspect the traffic between the Internet Gateway and the subnet.
There was no capability to restrict traffic to a specific URL.
To solve this problem, AWS launched a new security service called Network Firewall, which provides network security across all your resources and workloads, regardless of which AWS service you use.
AWS Network Firewall is a highly available and scalable managed network firewall service from AWS that provides security for the workloads in your VPC.
Network Firewall also provides URL (domain) filtering.
How Traffic Flow inspection is Achieved:
Traffic flow inspection is achieved as follows:
A new subnet is created in our VPC, in an availability zone of the chosen region.
A firewall VPC endpoint is created in that subnet, which is called the firewall subnet.
Whenever traffic enters or leaves the protected subnet, it is passed through the firewall subnet where the network firewall endpoint is present.
The firewall inspects the traffic using the defined policies and rules and then passes the traffic in or out.
In this way, it provides VPC-level security.
In this blog, we are going to deploy the Network Firewall according to the architecture below.
5. Deployment Architecture:
6. Overview of steps involved:
We are going to create a Network Firewall inside the firewall subnet and one Windows EC2 instance in the main public subnet. We are going to restrict the traffic coming from a chosen URL, then SSH into the instance and check whether the URL opens in the browser or not.
Before beginning the firewall creation, make sure a few resources are already created:
Two subnets, one for main resource allocation and one for the Network Firewall.
Three route tables: one for the Internet Gateway, one for the main subnet, and one for the Network Firewall.
Please follow the IP address values given in the architecture diagram to avoid confusion.
7. Step by Step Guide to Provisioning AWS Network Firewall:
Step 1: Go to the AWS console and open the VPC page. Select the Network Firewall rule policy option.
Step 2: Select Create Network rule policy.
Here, you can see there are two rule groups:
Stateless rule group: the traffic is evaluated whenever it comes into the subnet. It won't be evaluated when traffic goes out of the subnet.
Stateful rule group: the traffic is evaluated in both directions.
You can see there are three types of rules in the stateful rule group. We have three options:
1: 5-tuple
2: Domain list
3: Suricata compatible IPS rules
In 5-tuple you need to provide the options below:
1: Protocol
Transport protocol. Choose the protocol that you want to inspect. For all protocols, you can use IP, because all traffic on AWS and on the internet is IP.
2: Source IP
Source IP addresses and ranges. Traffic should come from a source address provided in the list.
3: Source port
Source ports and port ranges. If specified, a packet must have a source port that's included in this list to match.
4: Destination IP
Destination IP addresses and ranges. If specified, a packet must have a destination address that's included in this list to match.
5: Destination port
Destination ports and port ranges. If specified, a packet must have a destination port that's included in this list to match.
6: Traffic direction
Any: matches packets whose origination matches the rule's source settings and whose destination matches the rule's destination settings, and also packets whose origination matches the rule's destination settings and whose destination matches the rule's source settings.
Forward: any traffic whose origination matches the rule's source setting and whose destination matches the destination mentioned in the rule setting will be forwarded.
7: Action
1: Pass (the traffic will be allowed)
2: Drop (the traffic will be denied)
3: Alert (an alert will be written to the log group or to CloudWatch)
In Domain list you need to provide details for the options below:
Domain name source: provide the domain of the website to which we need to block the traffic.
Protocol: choose either HTTP or HTTPS.
Action: choose the option to Allow or Deny.
Coming to stateless rules:
You need to provide details in Add rule.
You will get the same options in stateless rules as in stateful rules.
A rule with a lower priority value is evaluated before rules with higher priority values.
NOTE: Once a rule is evaluated and matched, no further rules are evaluated.
Choose the action you want to take according to the rules mentioned above.
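The following is an added example, not code from the article or from AWS: a small evaluator that shows how a 5-tuple stateful rule's traffic direction (Forward versus Any) and first-match evaluation behave. The rules, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed illustration of 5-tuple rule semantics described in the article.
@dataclass
class Rule:
    protocol: str    # "TCP", "UDP" or "IP" (IP matches every protocol)
    src: str         # source CIDR, or "ANY"
    src_port: str    # "ANY", a single port, or "low-high"
    dst: str         # destination CIDR, or "ANY"
    dst_port: str
    direction: str   # "FORWARD" or "ANY"
    action: str      # "PASS", "DROP" or "ALERT"

def _port_ok(spec, port):
    if spec == "ANY":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _ip_ok(spec, ip):
    return spec == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _one_way(rule, src, sport, dst, dport):
    return (_ip_ok(rule.src, src) and _port_ok(rule.src_port, sport)
            and _ip_ok(rule.dst, dst) and _port_ok(rule.dst_port, dport))

def matches(rule, pkt):
    proto, src, sport, dst, dport = pkt
    if rule.protocol != "IP" and rule.protocol != proto:
        return False
    if _one_way(rule, src, sport, dst, dport):
        return True
    # Direction "Any" also matches the reverse flow: packet source equals the
    # rule's destination and packet destination equals the rule's source.
    return rule.direction == "ANY" and _one_way(rule, dst, dport, src, sport)

def evaluate(rules, pkt, default="DROP"):
    """Action of the first matching rule; later rules are not evaluated."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed rule set: allow HTTPS from the protected subnet outwards, drop the rest.
RULES = [
    Rule("TCP", "10.0.1.0/24", "ANY", "ANY", "443", "FORWARD", "PASS"),
    Rule("IP", "ANY", "ANY", "ANY", "ANY", "ANY", "DROP"),
]
```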
Step 3: Select the Stateful rules option. There, select the Domain list option.
Step 4: Here, provide the name "Stateful-Rule". Provide "cloudthat.com" in the domain name source.
Provide the firewall subnet CIDR value in the source range.
Select Create stateful rule group below.
Step 5: Create the firewall policy. Give it any name and click Next.
Step 6: In Add rule groups, scroll down to the stateful rule group section and add the stateful rule group created in step 4: click Add rule groups, select Stateful-Rule, and click Add rule groups.
Step 7: Select Next, then Next again. Finally, create the network policy.
Step 8: Create the Network Firewall. Select the network policy we created in the steps above. Give the firewall a name.
Select the main VPC. Provide the availability zone as us-east-2a. Select the firewall subnet.
Select the Associate an existing firewall policy radio button and select the network policy created in step 7. Click Create firewall.
Step 9: Make sure you have associated each subnet with its respective route table.
That is, associate the main subnet with the main route table and the firewall subnet with the firewall route table.
Provision one Internet Gateway and attach it to the main VPC.
Step 10: Create one Windows instance in the main subnet and browse to cloudthat.com.
Step 11: Now, edit the routes in the route tables. Add the IGW route to the firewall subnet's route table, and in the main subnet's route table add a route targeting the firewall endpoint's network interface (copy its ID from the endpoint).
Create one route table with the name "internet-gateway-route-table".
Add the Internet Gateway as the edge association of the "internet-gateway-route-table" route table created above.
In the "internet-gateway-route-table", add the main subnet CIDR value as the destination and the VPC endpoint network interface as the target.
Routes of IGW route table.
Routes of Firewall route table
Route of the main route table
Edge association of IGW route table.
Thus, we have configured the routes in such a way that any traffic that comes to the main subnet from the Internet Gateway passes through the firewall subnet, and vice versa.
Now check cloudthat.com on the Windows instance.
We have successfully blocked the traffic from that site.
AWS Network Firewall decreases the risk to the internal network and workloads, providing better security for services that should stay private. I hope this post helped clarify the concepts of AWS Network Firewall.
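The routing design just described, as an added example that is not part of the article: it models the three route tables with longest-prefix matching and checks that both the outbound and the return path traverse the firewall endpoint, which is what stateful inspection needs. The CIDRs and target names are constructed stand-ins for the values in the architecture diagram.

```python
import ipaddress

# Constructed stand-ins for the diagram's values (assumptions, not the article's).
VPC_CIDR = "10.0.0.0/16"
MAIN_SUBNET = "10.0.1.0/24"   # main (protected) subnet

# Each table is a list of (destination CIDR, target); "local" covers the VPC.
ROUTE_TABLES = {
    "main":     [(VPC_CIDR, "local"), ("0.0.0.0/0", "vpce-firewall")],
    "firewall": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")],
    # IGW edge association: inbound traffic for the main subnet goes to the endpoint
    "igw":      [(MAIN_SUBNET, "vpce-firewall")],
}
# The same VPC without the edge route: the IGW delivers straight to the subnet.
BROKEN_TABLES = dict(ROUTE_TABLES, igw=[(VPC_CIDR, "local")])

def lookup(table, dst_ip):
    """Longest-prefix match over one route table, as the VPC router does."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def path(tables, entry, dst_ip):
    """Targets hit along the way; entry is 'main' (outbound) or 'igw' (inbound).
    After inspection the endpoint hands the packet to the firewall subnet's table."""
    hops, table = [], entry
    while table and len(hops) < 5:          # guard against a routing loop
        target = lookup(tables[table], dst_ip)
        hops.append(target)
        table = "firewall" if target == "vpce-firewall" else None
    return hops

def inspected_both_ways(tables, instance_ip, internet_ip):
    """True only if outbound AND return traffic traverse the firewall endpoint."""
    return ("vpce-firewall" in path(tables, "main", internet_ip)
            and "vpce-firewall" in path(tables, "igw", instance_ip))

if __name__ == "__main__":
    print(path(ROUTE_TABLES, "main", "198.51.100.10"))   # ['vpce-firewall', 'igw']
    print(path(ROUTE_TABLES, "igw", "10.0.1.10"))        # ['vpce-firewall', 'local']
    print(inspected_both_ways(ROUTE_TABLES, "10.0.1.10", "198.51.100.10"))  # True
    print(inspected_both_ways(BROKEN_TABLES, "10.0.1.10", "198.51.100.10")) # False
```

With the edge route missing, return packets bypass the firewall and the stateful engine only ever sees one half of each connection.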
9. About CloudThat:
CloudThat is an AWS (Amazon Web Services) Advanced Consulting Partner, AWS authorized Training Partner, Microsoft Gold Partner, and winner of the Microsoft Asia Superstar Campaign for India: 2021.
We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere to advance in their businesses.
To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings. Then, you can quickly get in touch with our highly accomplished team of experts to carry out your migration needs. Feel free to drop a comment or any queries that you have about AWS Network Firewall, provisioning Network Firewall, or security, and we will get back to you quickly.
Q1. What is an important advantage of AWS Network Firewall?
Ans: AWS Network Firewall is an intrusion protection service where inspection of inbound traffic is achieved at the entrance, that is, before the traffic reaches the subnet.
Q2. What are the capabilities, in terms of security for the services and workloads in AWS?
Ans: We have a few services: Security Groups, which provide security at the instance level; Network Access Control Lists, which provide security at the subnet level; AWS WAF, which provides security for the workloads or applications running behind CloudFront, load balancers, and API Gateway; and AWS Shield, which provides protection against DDoS attacks.
Karthik Kumar Patro Voona is a Research Associate (Kubernetes) at CloudThat Technologies. He holds a Bachelor's degree in Information Technology and has good programming knowledge of Python. He has experience in both AWS and Azure. He has a passion for cloud computing and DevOps. He has good working experience in Kubernetes and DevOps tools like Terraform, Ansible, and Jenkins. He is a very good team player, adaptive, and interested in exploring new technologies.