How to build an AWS Network Firewall environment
On 17 November 2020, AWS announced in this blog article a new service that in my opinion changes the firewall world in the AWS Cloud.
Intro AWS Network Firewall
The service is powerful and complex, and it brings firewalling in AWS into a new era.
Before this service existed you had only Security Groups and Network Access Control Lists (NACLs). These 2 options are fine for most cases, but in some high-security environments you need something more advanced.
When you should use it:
There are many possibilities and I have not explored them all yet, but the ones I immediately liked are:
- Explicit deny, also in stateful firewall rules. With a traditional Security Group you cannot deny traffic, only allow it and rely on the implicit deny at the end. If you want to deny traffic you need a NACL, which is stateless and works only at subnet level.
- Filter by domain name. In the traditional approach, private subnets reach the internet through a NAT Gateway, but you cannot filter which domains are reachable and which are not. Sure, you can build your own Squid proxy, but then you have to manage it and solve many issues that AWS handles for you here. This is what we will see in action.
- Suricata power. As explained in the launch blog post, with Suricata rules you can detect advanced threats such as port misuse (for example: alert on TCP port 22 traffic that is not SSH).
- Forwarding from stateless to stateful rules, with the possibility of further customization and alerting.
The Routing
Before starting to use AWS Network Firewall, it is important to understand that routing changes completely.
There is a route table you may not have worked with before, and that you need to understand and modify: the one associated with the Internet Gateway (an ingress route table).
As you can see from the image below, it has an Edge Association: traffic entering through the Internet Gateway is routed to the Gateway Load Balancer type VPC endpoint that is created together with the AWS Network Firewall.
In the official documentation on this page there are 3 network examples that are useful to read and understand:
- Simple single-zone architecture with an internet gateway
- Multi-zone architecture with an internet gateway
- Architecture with an internet gateway and a NAT gateway. This is the one used in this how-to, also because it is the most articulated; once you understand it, all the others are much easier.
Using the Terraform module example that you will find below, you do not need to set up anything by hand to run a test, but it is important to understand all the steps so that you can modify the routing for your use case.
In this example only 1 Availability Zone is used on purpose, to keep the environment simple; in a real scenario you need at least 2 AZs (with a firewall subnet, and therefore a firewall endpoint, in each AZ, so that traffic is not sent across zones).
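As an added example (not the author's module, and not code from the AWS documentation), here are the route tables for the single-AZ "internet gateway + NAT gateway" layout written in Terraform. It assumes that aws_vpc.main, aws_internet_gateway.igw, aws_nat_gateway.nat, the subnets aws_subnet.private / aws_subnet.nat / aws_subnet.firewall and aws_networkfirewall_firewall.fw are defined elsewhere in the same configuration; the NAT subnet CIDR is an illustrative value.

```hcl
# Added example, not the author's module: route tables for the single-AZ
# "internet gateway + NAT gateway" layout. Assumes aws_vpc.main,
# aws_internet_gateway.igw, aws_nat_gateway.nat, the three subnets and
# aws_networkfirewall_firewall.fw are defined elsewhere in the configuration.

locals {
  # CIDR of the public subnet that hosts the NAT gateway (illustrative value).
  nat_subnet_cidr = "172.16.1.0/24"

  # The firewall endpoint (a Gateway Load Balancer type VPC endpoint) is created
  # together with the firewall. With one AZ there is exactly one sync state; with
  # several AZs build a map availability_zone => endpoint_id and use the endpoint
  # of each subnet's own AZ instead of [0].
  fw_endpoint_id = (aws_networkfirewall_firewall.fw.firewall_status[0].sync_states[*].attachment[0].endpoint_id)[0]
}

# 1) Private subnet: default route to the NAT gateway, exactly as in a classic VPC.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

# 2) NAT gateway subnet: default route to the firewall endpoint instead of the
#    internet gateway, so everything leaving the NAT gateway is inspected.
resource "aws_route_table" "nat" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint_id
  }
}

# 3) Firewall subnet: what the firewall lets through goes to the internet gateway.
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# 4) Ingress route table with an edge association to the internet gateway: return
#    traffic destined to the NAT subnet is steered to the firewall endpoint first.
#    Without this route the reply path would bypass the firewall and the stateful
#    engine would see only half of every connection.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block      = local.nat_subnet_cidr
    vpc_endpoint_id = local.fw_endpoint_id
  }
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw_ingress.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

resource "aws_route_table_association" "nat" {
  subnet_id      = aws_subnet.nat.id
  route_table_id = aws_route_table.nat.id
}

resource "aws_route_table_association" "firewall" {
  subnet_id      = aws_subnet.firewall.id
  route_table_id = aws_route_table.firewall.id
}
```

The check worth doing after `terraform apply` is to confirm that both directions of a flow cross the firewall endpoint: the NAT subnet's default route and the internet gateway's ingress route for the NAT subnet CIDR must both point at the same endpoint, otherwise the stateful rules (and the domain filtering) cannot work.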
Components
It is important to understand all the components of this new service, visible from the VPC web console.
- Firewalls: the network firewall itself. Every time one is created, a VPC endpoint of type Gateway Load Balancer is created with it, and this endpoint is the target that ends up in the route tables.
- Firewall Policies: a policy is associated with a firewall and is the container for the rule groups. The policy also holds the "Stateless default actions".
- Network Firewall rule groups: the rules themselves, split into 2 kinds, Stateless and Stateful.
Rules:
The first rule your packet hits is always a stateless one, and its action can be pass, drop, or forward to the stateful rules. Whatever no stateless rule matches gets the policy's stateless default action.
In my example I set up the stateless rule to forward to the stateful engine everything that is TCP.
There are 3 options for stateful rule groups:
- 5-tuple: classic source/destination IP, port and protocol
- domain list: allow (or deny) egress access to a list of domains
- Suricata-compatible IPS rules: Suricata rule strings for advanced protection, see their website
In my example I configured only two domains:
- .amazonaws.com, where the leading dot matches amazonaws.com and all of its subdomains (it works like a *), to have access to any service endpoint in the AWS world.
- gazzetta.it for testing with curl
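As an added example (not the author's module), here are the rule groups and the policy that implement the rule set just described, plus the "TCP port 22 but not SSH" Suricata rule from the intro, written in Terraform. Resource names, capacities and the Suricata sid are illustrative; the example assumes aws_vpc.main and aws_subnet.firewall exist. The Suricata `app-layer-protocol` keyword is assumed to be accepted by Network Firewall: check the list of supported keywords in the AWS documentation before relying on it.

```hcl
# Added example, not the author's module. Names, capacities and sid are
# illustrative; assumes aws_vpc.main and aws_subnet.firewall exist.

# Stateless: forward every TCP packet to the stateful engine. Nothing else is
# matched here, so UDP and ICMP fall through to stateless_default_actions below.
resource "aws_networkfirewall_rule_group" "tcp_to_stateful" {
  name     = "tcp-to-stateful"
  type     = "STATELESS"
  capacity = 10
  rules_source {
    stateless_rules_and_custom_actions {
      stateless_rule {
        priority = 1
        rule_definition {
          actions = ["aws:forward_to_sfe"]
          match_attributes {
            protocols = [6] # TCP
            source {
              address_definition = "0.0.0.0/0"
            }
            destination {
              address_definition = "0.0.0.0/0"
            }
          }
        }
      }
    }
  }
}

# Stateful: domain allow list, matched on the HTTP Host header and the TLS SNI.
# Anything else over HTTP/TLS is dropped by the generated rules.
resource "aws_networkfirewall_rule_group" "egress_domains" {
  name     = "egress-domain-allowlist"
  type     = "STATEFUL"
  capacity = 100
  rules_source {
    rules_source_list {
      generated_rules_type = "ALLOWLIST"
      target_types         = ["HTTP_HOST", "TLS_SNI"]
      targets = [
        ".amazonaws.com", # leading dot: amazonaws.com and every subdomain
        "gazzetta.it",    # no dot: exact match only, www.gazzetta.it is NOT covered
      ]
    }
  }
}

# Stateful: Suricata rule for the port-misuse case (TCP/22 that is not SSH).
# app-layer-protocol support in Network Firewall is an assumption, see lead-in.
resource "aws_networkfirewall_rule_group" "port_misuse" {
  name     = "port-misuse"
  type     = "STATEFUL"
  capacity = 100
  rules_source {
    rules_string = <<-EOT
      alert tcp any any -> any 22 (msg:"Non-SSH traffic on TCP/22"; flow:to_server; app-layer-protocol:!ssh; sid:1000001; rev:1;)
    EOT
  }
}

resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-policy"
  firewall_policy {
    # Packets the stateless rule does not forward (UDP, ICMP, fragments) are
    # dropped. Loosen this only deliberately, e.g. to aws:forward_to_sfe.
    stateless_default_actions          = ["aws:drop"]
    stateless_fragment_default_actions = ["aws:drop"]
    stateless_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.tcp_to_stateful.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.egress_domains.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.port_misuse.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "fw" {
  name                = "egress-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  vpc_id              = aws_vpc.main.id
  subnet_mapping {
    subnet_id = aws_subnet.firewall.id
  }
}
```

Two caveats a practitioner should keep in mind with this rule set: the domain list only sees the Host header of plain HTTP and the SNI of TLS, so a client that connects to an IP without SNI, or speaks a non-HTTP protocol over TCP, is not filtered by it; and with the stateless default set to drop, any UDP traffic that needs to leave the VPC (for example NTP to a public server) has to be explicitly forwarded or allowed.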
Terraform Module POC for AWS Network Firewall
I created this Terraform module so you can run the test as well, and also so you can start from it and customize it for your environment.
I published the code on the Terraform Registry on this page.
To run it in your environment, call it as below, and in a few minutes you can have a working POC.
module "network_firewall_pocv2" {
  source                  = "giuseppeborgese/network-firewall-poc/aws"
  project_name            = "terr_net_fw_test" # prefix used for the resource names
  vpc_cidr_block          = "172.16.0.0/16"
  cidr_pub_no_restriction = "172.16.0.0/24"    # public subnet without firewall restriction
  cidr_pub_nat_gw         = "172.16.1.0/24"    # public subnet that hosts the NAT gateway
  cidr_private            = "172.16.2.0/24"    # private subnet where the test EC2 instance lives
}
Session Manager Test
I placed in the private subnet an EC2 instance with the Amazon Linux 2 AMI and an instance role with this policy attached:
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
In this way I can log in using Session Manager, inside the Systems Manager service, and once I am in I can run some curl tests (give curl a timeout, for example curl -m 10, because a blocked connection is dropped silently and otherwise curl just hangs) and see that:
- I can access gazzetta.it BUT not www.gazzetta.it, because the domain entry has no leading dot
- https://registry.terraform.io is dropped
- every AWS endpoint is allowed; for example ssm.us-west-2.amazonaws.com gets a response, which means the domain is reachable.
Youtube Demo
You can continue learning about Network Firewall by reading this interesting article about deployment models.
Feedback
If you like this article and want to motivate me to keep writing, please:
- leave a comment on the article and on the YouTube video
- clap here on Medium and on the YouTube video
- connect with me on LinkedIn
- subscribe to my youtube channel AWS Tutorials — Giuseppe Borgese