What is it?
AWS Network Firewall is a managed firewall service for our VPC. We can use Network Firewall to filter traffic at the perimeter of our VPC. Network Firewall includes filtering traffic going to and coming from IGW, NAT Gateway, VPN and Direct Connect.
Network Firewall components
- Firewall Policy
- Rule Group
Route Table Configuration
- Public subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Firewall subnet. (figure-1)
- Firewall subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Internet Gateway (IGW) (figure-2)
- IGW route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 10.100.2.0/24 to the Firewall subnet. (figure-3)
- TGW route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 10.100.2.0/24 to the Firewall subnet.
- Private subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Firewall subnet.
In our example, we will only focus on the test-machine located in public subnet. Private subnet, NAT gateway and TGW are not covered in this example.
Let's configure the Route Tables.
- Permit SSH access to 10.100.2.10 (test machine in the public subnet) only from 18.104.22.168
- Block ICMP from 10.100.2.10 to 22.214.171.124
- Block access to example.net
- Permit everything else
Setup AWS Network Firewall
Firewall connects a firewall policy, which defines network traffic monitoring and filtering behaviour, to the VPC that we want to protect.
Let's create a Firewall.
An AWS Network Firewall firewall policy defines the monitoring and protection behaviour for a firewall. The details of the behaviour are defined in the rule groups that add to the policy.
I created a policy called
test-policy and associated with the Firewall we created in the previous step. The next step is to add some Rule Groups into it.
To create a Firewall Policy:
- In the navigation pane, under Network Firewall, choose Firewall policies.
- Choose Create firewall policy
A rule group is a reusable set of criteria for inspecting and handling network traffic. We can add one or more rule groups to a firewall policy as part of policy configuration.
- Stateless rule group - Network Firewall stateless rules engine examines each packet in isolation. It doesn't consider context such as traffic direction or traffic flow.
- Stateful rule group - Stateful rules engine examines the full state of active traffic. It does consider the complete context of traffic and data packets.
- Domain list rule group - We can create allow/deny lists with domain names that the stateful rules engine looks for in a packet.
I have also set the
stateless default actionto
forward to stateful rule groupso, any packet doesn't match the stateless rule group is sent out to the stateful rule group.
As you can see below pinging 126.96.36.199 and browsing example.net are getting blocked.
ubuntu@ip-10-100-2-10:~$ ping 188.8.131.52 PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data. ^C --- 18.104.22.168 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2028ms ubuntu@ip-10-100-2-10:~$ ping 22.214.171.124 PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data. 64 bytes from 184.108.40.206: icmp_seq=1 ttl=49 time=12.3 ms 64 bytes from 220.127.116.11: icmp_seq=2 ttl=49 time=14.6 ms 64 bytes from 18.104.22.168: icmp_seq=3 ttl=49 time=8.62 ms ^C --- 22.214.171.124 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 8.621/11.856/14.649/2.483 ms
ubuntu@ip-10-100-2-10:~$ links example.net Rquest sent <<< The page doesn't load
Logging and Monitoring
There are multiple ways where you can store and view the logs generated by the Networks Firewall. I will show you how to use CloudWatch in this example.
To send logs to CloudWatch:
- Create a CloudWatch Logs log group.
- Provide the log group name to the Network Firewall
- AWS Network Firewall now delivers logs to the CloudWatch log group in log streams.
- Each log stream contains an hour of log records.
As you can see below that the traffic to both
126.96.36.199 are blocked and the logs are stored in CloudWatch.
Thanks for reading.
As always, your feedback and comments are more than welcome.