Detailed Guide to Provision AWS Network Firewall using Terraform

Introduction

AWS Network Firewall is the recently launched, fully managed, highly available, and scalable managed network by AWS, providing security for the VPC’s workloads. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts. In the previous blog, we learned about detailed Manual Provisioning of AWS Network Firewall.

Today, we will automate the Provisioning of AWS Network Firewall using Infrastructure as a code DevOps Tool, i.e., Terraform.

Advantages of Terraform:

Terraform is an open-source Infrastructure-as-Code (IaC) software tool that enables us to create, update and improve Infrastructure in many Cloud Platforms like AWS, Azure, and GCP.
Terraform Support Reuse of the code.
We can Provision many numbers physical resources with a single command.
Terraform has Idempotent property. That is, the state of the infrastructure is saved in local machines. The second application results in 0 changes.

Learn more about Continuous Integration to Automate Terraform modules with GitHub Action as IaC Pipelines here.

Customized Cloud Solutions to Drive your Business Success

Cloud Migration
Devops
AIML & IoT

Know More

Prerequisites

Any Linux instances
AWS root account
Terraform should be Preinstalled in the Linux machine
AWS CLI

AWS Services Used

AWS Network Firewall
AWS Network Firewall policy
AWS Network Firewall Rule Groups
VPC
Subnets
Route Table
Internet Gateway
Windows instance

Deployment Architecture

Step by Step Guide to Execute the Terraform Code

We are going to Construct the Terraform code in the Linux machine in Modular Format then we execute the code using Terraform Commands.

Step 1: Go to a Linux Instance and connect to an AWS account using AWS CLI.

Step 2: Create a Folder called “NetworkFirewall” and go into the folder.

Step2

Step 3: Type Git init to initiate the Git repo to pull the code from GitHub.

Go to NetworkFirewall Folder

$ git init

$ git pull https://github.com/v-karthik-kumar/FirewallTerraform.git

$ git init

$ git pull https://github.com/v-karthik-kumar/FirewallTerraform.git

Step 4: Go to FirewallTerraform Folder

$ cd FirewallTerraform

1	$ cd FirewallTerraform

Step4

Step 5: Here you can see the Files Folders.

File Main.tf

The use of main.tf file is used to put the code in Modular format.

Run the Below Code to see the code.

$cat main.tf

1	$cat main.tf

Step5

File Var.tf

This File contains all the variables declared in the Terraform Code. The code Reusability is achieved here. If we change the values in the variable. We can use the same code to provision similar infrastructure.

Step5_b

File Provider.tf – This File contains the CloudProvider details.

Step5_c

Step 6: Now Go into the module Folder by running the below code.

$cd module

1	$cd module

Here you will see two folders, Firewall, and Networking. Here we are segregating the Resource to the provision in the AWS platform in a modular way. Go into each folder and check the Files present.

Step6

Step 7: Now Go back to the Folder where main.tf File is presently using the below command.

$ cd /home/NetworkFirewall/FirewallTerraform

1	$ cd /home/NetworkFirewall/FirewallTerraform

Execute the below Code

Initialize the terraform code.

$ terraform init

1	$ terraform init

Output: If no errors.

Step7

Execute the below code to preview the action Terraform would take to modify your Infrastructure.

$ terraform plan

1	$ terraform plan

Output: If not Errors.

Step7_b

Execute the below Code:

The terraform apply command performs a plan just like terraform plan does, but then actually carries out the planned changes to each resource using the relevant infrastructure provider’s API.

$ terraform apply --auto-approve

1	$ terraform apply --auto-approve

Step7_c

You will get the output in this way. Provisioning AWS Network Firewall using terraform started.

Step 8: Check and verify the newly provisioned resources in the AWS console.

VPC

VPC

Subnets

Subnets

Route Table

RouteTable

Internet Gateway

InternetGateway

Firewall

FireWall

Firewall Policy

Firewall_Policy

Firewall Rule Group

Firewall_Rulegroup

Step 9: Create an windows instance in Firewall-VPC in Resource subnet. Try to access the blocked domain name in the browser. You will find error page or page not found.

Step8

Step 10: Destroy the Infrastructure using the below command.

$ terraform destroy –auto-approve

1	$ terraform destroy –auto-approve

If you get any errors, Try again the same command.

Conclusion

Provisioning infrastructure on the cloud using Terraform gives us more grip on the infrastructure and fewer manual tasks. The configuration language is human-readable, making us write the infra code more quickly. This allows us to track resource changes or any updates throughout the deployment.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

Cloud Training
Customized Training
Experiential Learning

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding AWS Network Firewall, provisioning Network Firewall, or security, I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.

FAQs

1. What is the importance of making modules in the terraform?

ANS: – Using modules we can create multiple and smaller terraform files. Which altogether makes a big terraform script. Updating and editing the code would become simpler and easier. We will be getting the possibility to Reuse the Code in many deployments.

2. What are the capabilities, in terms of security for the services and workloads in AWS?

ANS: – We have a few services like Security Groups, which provide security for the instance level. Network Control List, which provides the security for the Subnet level. AWS WAF provides the security for the workload or applications that are running on the CloudFront, load balancers, and API. AWS shield provides security against DDoS attacks.

WRITTEN BY Karthik Kumar P V

Karthik Kumar Patro Voona is a Research Associate (Kubernetes) at CloudThat Technologies. He Holds Bachelor's degree in Information and Technology and has good programming knowledge of Python. He has experience in both AWS and Azure. He has a passion for Cloud-computing and DevOps. He has good working experience in Kubernetes and DevOps Tools like Terraform, Ansible, and Jenkins. He is a very good Team player, Adaptive and interested in exploring new technologies.