
What is AWS Network Firewall? How does it protect from attacks?

AWS Network Firewall is a fully managed, stateful network firewall service for Amazon VPC. It can inspect both north-south and east-west traffic: traffic leaving AWS for the internet or arriving from the internet, traffic to and from your on-premises network (over Direct Connect or Site-to-Site VPN), and traffic between VPCs. Besides stateless and stateful filtering, it provides intrusion detection and prevention (IDS/IPS) for your VPCs using Suricata-compatible rules.


How does AWS Network Firewall work?

With AWS Network Firewall, you define firewall rules that give fine-grained control over network traffic. The firewall is deployed as endpoints in dedicated subnets of your VPC, and route tables steer traffic through those endpoints. Network Firewall also integrates with AWS Firewall Manager, so you can build policies from Network Firewall rules and apply them centrally across your virtual private clouds (VPCs) and accounts.

[Diagram: AWS Network Firewall deployment, taken from the AWS documentation.]

Use cases

  1. Inspect and filter traffic between VPCs. For example, if PCI data lives in some VPCs and non-PCI data in others, you can write policies that logically separate the two kinds of traffic (in practice this is done through a central inspection VPC attached to a Transit Gateway).
  2. Inspect and filter all outbound internet traffic.
  3. Inspect and filter inbound internet traffic.
  4. Inspect traffic coming from on-premises networks over Direct Connect or Site-to-Site VPN.

Architecture to follow


Firewall subnet: A subnet dedicated to the Network Firewall endpoint in each Availability Zone where you want inspection. Do not place any other resource in a firewall subnet: traffic to and from resources inside it is not inspected or filtered by the firewall. A small subnet (a /28) is enough for the endpoint.

Network Firewall: The resource that provides the traffic filtering and inspection logic for the subnets routed through it.

Network Firewall policy: A resource that defines the rule groups and other settings (stateless default actions, stream exception policy, rule order) that a firewall uses.

Network Firewall Rule Group: A reusable set of rules referenced from a firewall policy. When traffic matches a rule, the firewall takes the rule's action.

Stateless rule: Criteria for inspecting a single packet in isolation, without any context from the other packets in its flow or from the direction of the flow.

Stateful rule: Criteria for inspecting packets in the context of their traffic flow, so the rule can take the flow's direction and state into account.

Prerequisites

  1. An AWS account with the required permissions
  2. One VPC with two subnets (Application and Firewall) in each Availability Zone
  3. One internet gateway attached to the VPC, with its own route table associated with it (an edge association) so that inbound traffic can be routed to the firewall
  4. One EC2 instance in each Application subnet

[Screenshots: the VPC with its Application and Firewall subnets, the internet gateway, and the route table for each subnet.]

Steps to create AWS Network Firewall

  1. Configure the VPC subnets for your firewall endpoints: Create a separate firewall subnet in each Availability Zone of the VPC where you want a firewall endpoint, i.e. every zone whose traffic should be inspected.
  2. Create the firewall rule groups: Create the stateless and stateful rules for your firewall. Alternatively, use managed rule groups, which are collections of predefined, ready-to-use rules that AWS writes and maintains for you.
  3. Configure the firewall policy: Define the firewall policy by specifying its rule groups and default actions.
  4. Create the firewall: Create a Network Firewall in the VPC and select the firewall subnets.
  5. Modify your subnet route tables to include the firewall: Update the route tables so that traffic in both directions passes through the firewall endpoint; only traffic that is routed through the endpoint is inspected.

Configure the VPC subnets for your firewall endpoints

  1. Navigate to the Subnets section under VPC and create a firewall subnet in each Availability Zone. Do not provision any resources in these subnets: traffic from resources inside a firewall subnet is not inspected by the firewall.
  2. In this walkthrough the subnets were already created as a prerequisite.

Create the Firewall Rule Group

  1. Navigate to Network Firewall under the VPC section and click Create Network Firewall rule group.
  2. Choose Stateful rule group, provide a name, and set Capacity to 10. Capacity is the maximum number of rules (by complexity) the group can hold and cannot be changed after creation, so size it for the rules you expect to add.
  3. Choose 5-tuple as the stateful rule group option and Default for the stateful rule order. Default is action order: all Pass rules are evaluated before Drop and Reject rules, and Alert rules last, regardless of the order you list them. Strict order evaluates rules in the order they appear.
  4. Under Add rule, choose ICMP as the protocol, Any as the source and your VPC range as the destination.
  5. Choose Forward as the traffic direction and Drop as the action, then click Add rule. This drops ICMP from any source to the VPC range in the forward direction only. Add the remaining rules you need to the rule group in the same way.
  6. Click Create rule group.


Stateful Rule Group options

  • 5-tuple: Specify source IP, source port, destination IP, destination port and protocol, plus the traffic direction, and the action to take for matching traffic.
  • Domain list: Specify a list of domain names and the action to take for traffic that tries to reach one of those domains (matched on HTTP Host headers and TLS SNI).
  • Suricata compatible IPS rules: Provide advanced intrusion prevention system (IPS) rules using Suricata rule syntax. Suricata is an open-source network IDS/IPS with a standard rule language for traffic inspection; the 5-tuple and domain list options are converted to Suricata rules under the hood.
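The following is an added example, not code from the original post or from AWS. It models the stateful 5-tuple rule group built in the steps above: it produces the rule group definition in the shape the Network Firewall API expects (RuleGroup.RulesSource.StatefulRules), renders each rule in the Suricata syntax that the "Suricata compatible IPS rules" option accepts, and evaluates sample flows the way the Default (action) rule order does, with every Pass rule checked before any Drop rule. The VPC CIDR 10.0.0.0/16, the rule group name and the exact three rules are assumptions; the post only describes their effect.

```python
"""Offline model of a Network Firewall stateful 5-tuple rule group.

Added example, not the post's or AWS's code. VPC_CIDR, the group name and
the three rules are assumptions standing in for the console screenshots.
"""
import ipaddress
import json

VPC_CIDR = "10.0.0.0/16"  # assumed; substitute the VPC range used in the console


def rule(action, proto, src, sport, direction, dst, dport, sid):
    """One 5-tuple rule in API form. The sid option must be unique in the group."""
    return {
        "Action": action,
        "Header": {
            "Protocol": proto, "Source": src, "SourcePort": sport,
            "Direction": direction, "Destination": dst, "DestinationPort": dport,
        },
        "RuleOptions": [{"Keyword": "sid", "Settings": [str(sid)]}],
    }


# Assumed rules reproducing the behaviour described in the Testing section.
RULES = [
    # 1. the rule added in the walkthrough: ICMP from anywhere to the VPC is dropped
    rule("DROP", "ICMP", "ANY", "ANY", "FORWARD", VPC_CIDR, "ANY", 1),
    # 2. instances may ping each other; PASS is evaluated before DROP, so it wins over rule 1
    rule("PASS", "ICMP", VPC_CIDR, "ANY", "FORWARD", VPC_CIDR, "ANY", 2),
    # 3. instances may not ping 8.8.4.4 (8.8.8.8 matches no rule and is allowed)
    rule("DROP", "ICMP", VPC_CIDR, "ANY", "FORWARD", "8.8.4.4/32", "ANY", 3),
]


def rule_group_definition(name="icmp-demo", capacity=10):
    """Request body for create-rule-group; capacity is fixed at creation time."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"StatefulRules": RULES}},
    }


def to_suricata(r):
    """The same rule as a Suricata line (FORWARD is '->', ANY direction is '<>')."""
    h = r["Header"]
    sid = r["RuleOptions"][0]["Settings"][0]
    val = lambda x: "any" if x == "ANY" else x
    arrow = "->" if h["Direction"] == "FORWARD" else "<>"
    return (f'{r["Action"].lower()} {h["Protocol"].lower()} {val(h["Source"])} '
            f'{val(h["SourcePort"])} {arrow} {val(h["Destination"])} '
            f'{val(h["DestinationPort"])} (sid:{sid};)')


def _in(addr, spec):
    return spec == "ANY" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _matches(r, proto, src, dst):
    h = r["Header"]
    if h["Protocol"] != proto:
        return False
    if _in(src, h["Source"]) and _in(dst, h["Destination"]):
        return True
    # Direction ANY also matches the flow in reverse; FORWARD is one-way only
    return h["Direction"] == "ANY" and _in(dst, h["Source"]) and _in(src, h["Destination"])


ACTION_ORDER = ["PASS", "DROP", "REJECT", "ALERT"]  # the Default rule order


def evaluate(proto, src, dst, rules=RULES):
    """Action taken on a new flow under the Default rule order.
    Traffic that matches no stateful rule is allowed through."""
    for action in ACTION_ORDER:
        for r in rules:
            if r["Action"] == action and _matches(r, proto, src, dst):
                return action
    return "PASS"


if __name__ == "__main__":
    print(json.dumps(rule_group_definition(), indent=2))
    for r in RULES:
        print(to_suricata(r))
    for src, dst in [("203.0.113.5", "10.0.1.10"), ("10.0.1.10", "10.0.2.10"),
                     ("10.0.1.10", "8.8.8.8"), ("10.0.1.10", "8.8.4.4")]:
        print(f"ICMP {src} -> {dst}: {evaluate('ICMP', src, dst)}")
```

The evaluator shows the property that matters when you mix Pass and Drop rules under the Default order: rule 2 (pass ICMP inside the VPC) silently overrides rule 1 (drop ICMP to the VPC from anywhere) because Pass rules are always evaluated first, so a broad Pass rule can neutralise every Drop in the group. If you need first-match semantics, choose Strict order and list the rules explicitly. Whatever the order, stateful rules only see traffic that the stateless stage forwards to them (see the note on stateless default actions below).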

Configure the Firewall Policy

  • Navigate to Network Firewall under the VPC section and click Create Network Firewall policy.
  • Provide a name and set the stream exception policy to Drop, then click Next. The stream exception policy decides what the firewall does with packets of a TCP flow whose beginning it did not see (for example, connections that were already open when routing changed): Drop discards them, Continue keeps inspecting them without the earlier flow context, and Reject drops them and sends a TCP reset. Drop is the safest choice.
  • Under Add rule groups, keep the other parameters at their defaults and add the stateful rule group created earlier.
  • Keep everything else at its default and click Create firewall policy.


Note: Stateless default actions. The policy also defines what happens to packets (full packets and fragmented packets separately) that match no stateless rule: Pass, Drop, or Forward to stateful rule groups. Keep Forward to stateful rule groups for both; if unmatched packets are passed or dropped at the stateless stage, the stateful rule group created above never sees them and its ICMP rules have no effect.


Create the Firewall

  1. Navigate to Network Firewall under the VPC section and click Create firewall.
  2. Provide a name, choose the VPC, and select the firewall subnet created earlier in each Availability Zone.
  3. Associate the firewall policy created above and choose the change protections you want: delete protection, subnet change protection and firewall policy change protection prevent accidental deletion or modification of the firewall.
  4. Click Create firewall. Provisioning the endpoints takes a few minutes; the firewall is ready when its status shows Ready.


Modify your subnet route tables to include the firewall

  1. Navigate to the Route tables section under VPC and edit the route tables so that the firewall endpoint sits in the path in both directions, following the single-zone deployment model from the AWS documentation (repeat per Availability Zone, always using the endpoint in the same zone):
     • Application subnet route table: keep the VPC local route and send 0.0.0.0/0 to the firewall endpoint (it appears as a Gateway Load Balancer Endpoint target with a vpce- ID). To inspect traffic between application subnets, also add a route for the other application subnet's CIDR pointing to the endpoint; a route more specific than the local route is permitted when its target is a firewall endpoint.
     • Firewall subnet route table: keep the local route and send 0.0.0.0/0 to the internet gateway.
     • Internet gateway route table (edge association): add a route for each application subnet CIDR pointing to the firewall endpoint, so inbound and return traffic are inspected and the stateful engine sees both halves of each flow.

With all route tables updated, traffic between the internet and the application subnets, and between the application subnets, flows through the firewall endpoint. Traffic that is not routed through the endpoint is not inspected, so any subnet left with a direct route to the internet gateway bypasses the firewall.
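The following is an added example, not code from the original post or from AWS. It models the three route tables of the single-zone deployment above (application subnet, firewall subnet and the edge route table on the internet gateway), resolves each hop by longest-prefix match the way the VPC router does, and shows that both directions of a flow cross the firewall endpoint, as well as what happens when the edge route table is missing. CIDRs, table names and the symbolic targets are assumptions; a multi-zone VPC needs one firewall subnet, endpoint and set of route tables per Availability Zone.

```python
"""Offline trace of the route tables that put the firewall endpoint in the path.

Added example, not the post's or AWS's code. CIDRs, table names and targets
are assumptions; the targets are symbolic labels, not AWS resource IDs.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
APP_A = "10.0.1.0/24"    # application subnet whose routes are traced
APP_B = "10.0.2.0/24"    # second application subnet (east-west check)
CLIENT = "198.51.100.7"  # TEST-NET-2 address standing in for an internet client

# Route table -> {destination CIDR: target}
ROUTE_TABLES = {
    # Application subnet: internet-bound and cross-subnet traffic go to the endpoint.
    # The APP_B route is more specific than the VPC local route, which VPC allows
    # when the target is a firewall endpoint.
    "app-a-rt": {VPC_CIDR: "local", APP_B: "firewall-endpoint", "0.0.0.0/0": "firewall-endpoint"},
    # Firewall subnet: after inspection, internet traffic continues to the IGW.
    "firewall-rt": {VPC_CIDR: "local", "0.0.0.0/0": "igw"},
    # Edge route table on the IGW: inbound traffic for the app subnet is steered
    # to the endpoint so the stateful engine sees both halves of each flow.
    "igw-ingress-rt": {VPC_CIDR: "local", APP_A: "firewall-endpoint"},
}


def lookup(table, dst, tables=ROUTE_TABLES):
    """Longest-prefix match in one route table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in tables[table].items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route to {dst} in {table}")
    return best[1]


def trace(dst, first_table, tables=ROUTE_TABLES):
    """Follow a packet hop by hop and return the ordered list of targets.
    A packet handed to the firewall endpoint re-emerges in the firewall subnet,
    so the next lookup uses that subnet's table; 'local' means delivered inside
    the VPC and 'igw' means it left for the internet."""
    hops, table = [], first_table
    while True:
        target = lookup(table, dst, tables)
        hops.append(target)
        if target != "firewall-endpoint":
            return hops
        table = "firewall-rt"


def inspected(hops):
    return "firewall-endpoint" in hops


def outbound():
    """Instance in APP_A pings an internet host."""
    return trace(CLIENT, "app-a-rt")


def inbound():
    """Internet client reaches an instance in APP_A; the IGW consults its edge table."""
    return trace("10.0.1.10", "igw-ingress-rt")


def east_west():
    """Instance in APP_A talks to APP_B; the more-specific route beats local."""
    return trace("10.0.2.10", "app-a-rt")


def inbound_without_edge_table():
    """Misconfiguration: no edge association on the IGW, so inbound packets are
    delivered by the plain local route and the firewall sees only the outbound half."""
    tables = dict(ROUTE_TABLES)
    tables["igw-ingress-rt"] = {VPC_CIDR: "local"}
    return trace("10.0.1.10", "igw-ingress-rt", tables)


if __name__ == "__main__":
    cases = [("outbound", outbound), ("inbound", inbound),
             ("east-west", east_west), ("inbound, no edge table", inbound_without_edge_table)]
    for name, fn in cases:
        hops = fn()
        print(f"{name:24s} {' -> '.join(hops):32s} inspected={inspected(hops)}")
```

The last case is the one to check after any routing change: without the edge route table the inbound packets reach the instance directly, the firewall only ever sees the replies, and a stream exception policy of Drop will then discard those midstream packets. The same symmetry requirement applies to east-west traffic: APP_B's route table needs a matching route for APP_A pointing at the endpoint, otherwise the return path bypasses the firewall.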

Testing


The rule group now contains three rules. Their combined effect: nobody on the internet can ping the instances, the instances can ping each other, and the instances can ping Google's public DNS resolver at 8.8.8.8 but not 8.8.4.4.

Log in to Application Instance 1.

First, ping 8.8.8.8. The ping succeeds, because no rule matches that destination.

Then ping 8.8.4.4. The requests time out because the firewall drops them. To confirm this from the firewall side rather than from a timeout, enable alert logging in the firewall's logging configuration: stateful rules with the Drop, Reject and Alert actions write an entry to the alert log for every match.

Conclusion

Network Firewall filters traffic to and from the internet and provides IDS and IPS capabilities. It can also inspect traffic between VPCs, between subnets and to and from on-premises networks, provided the route tables send that traffic through a firewall endpoint. It is a managed service that scales with your traffic and, deployed with an endpoint in each Availability Zone, gives high availability.
