Secure Your AWS Infrastructure: A Step-by-Step Guide to AWS Network Firewall
Strengthen Your Cloud Defense Using AWS Network Firewall
Hello everyone! 👋
Welcome to another exciting blog about AWS! In this blog, we’ll explore AWS Network Firewall, a managed service for securing your cloud network. I’ll walk through a simple, hands-on demo that shows how to understand and configure AWS Network Firewall.
In this blog, I’ll cover everything from configuring firewall policies to securing your VPC and managing network traffic. By the end, you’ll know how to build a secure and reliable network for your AWS environment. So without further ado, let’s get started!
What is an AWS Network Firewall?
AWS Network Firewall is a fully managed service designed to protect your VPC by enabling traffic filtering and inspection based on user-defined rules. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.
Here are some key features of the AWS Network Firewall:
High Availability: Automatically scales to handle varying traffic loads.
Ease of Management: Managed service with simple setup and monitoring.
Advanced Inspection: Perform deep packet inspection on traffic entering or leaving your VPC.
Core Components of AWS Network Firewall
AWS Network Firewall operates using a combination of stateless and stateful traffic inspection engines, which are configured through three central components: Rule Groups, Firewall Policies, and the Firewall itself. Together, these elements enable flexible and robust network traffic management for the VPC.
Network Firewall Rule Groups: Rule Groups define the criteria for inspecting network traffic and dictate how packets or traffic flows are handled when they meet the inspection criteria. These groups are the building blocks of your firewall's rules and come in two types:
Stateless Rule Groups: Stateless rules evaluate packets individually, independent of any prior network activity. They are ideal for simple filtering tasks based on IP addresses, ports, and protocols.
Example Use Case:
Allow HTTP traffic (TCP port 80) from any source while blocking traffic from a specific IP range.
Stateful Rule Groups: Stateful rules maintain context about active network sessions, allowing for deep packet inspection and complex filtering scenarios.
Key Stateful Rule Types:
Standard Rules: Define rules based on IP, protocol, and port.
Domain List Rules: Filter traffic based on domain names to block or allow.
Suricata Compatible Strings: Leverage the open-source Suricata engine for advanced intrusion detection and prevention.
Example Use Case:
Block access to malicious domains using a predefined domain list.
Firewall Policies: Firewall Policies organize rule groups into a unified set of filtering behaviors. These policies define:
The priority and order of rule group application.
Policy-level behaviors, such as default traffic handling actions.
A single Firewall Policy can be applied across multiple firewalls, allowing for consistency in security configurations.
Firewall: The Firewall is the enforcement point. It is deployed as an endpoint in your VPC and applies the inspection rules defined in the associated Firewall Policy to the traffic routed through it.
Important Note: The firewall endpoint cannot inspect traffic within its hosting subnet but can protect any other subnet in the VPC.
Scenario
For this demonstration, we will deploy a single-zone architecture featuring an AWS Network Firewall integrated with a Virtual Private Cloud (VPC). The demo will showcase the use of stateful rule groups (specifically, Domain List rules) to block traffic from a specific domain (e.g., www.amazon.com).
I’ll walk through configuring the VPC, setting up the Firewall and Customer Subnets, and deploying an Internet Gateway, all while leveraging AWS Network Firewall's traffic inspection capabilities. Let’s dive in and get hands-on with this architecture!
Setting up VPC
Let's start by creating a VPC (Virtual Private Cloud) for our hands-on demonstration.
In the AWS Management Console, locate and access the VPC dashboard, which is the central hub for configuring your network settings.
Then click "Create VPC" to start the VPC creation process.
In the form that follows, provide the essential details for your VPC:
Name: Choose a meaningful name; for the demo we are using test-vpc.
IPv4 CIDR Block: Specify the IP range for your VPC, for example, 11.0.0.0/16.
Adjust the other settings as per your requirements.
Click "Create VPC" to finalize the setup. Your VPC will be created promptly and will be ready for use.
Setting up Internet Gateway
In the AWS Management Console, access the "Internet Gateways" section by typing "Internet Gateways" into the search bar and selecting the corresponding result.
Click on "Create Internet Gateway" and assign it a meaningful name. For our demonstration, let's name it "test-igw." Confirm the creation and your Internet Gateway is ready.
Next, we need to attach the Internet Gateway to our VPC. Under the "Actions" tab, select "Attach to VPC".
In the dropdown menu, choose the VPC you want to associate with the Internet Gateway. For our demo, we will link "test-igw" to our recently created "test-vpc."
Then click "Attach Internet Gateway" to finalize the association between the Internet Gateway and your VPC. This step is crucial for enabling communication between your VPC and the internet.
The next step is to set up subnets
Open the AWS VPC Dashboard, click on "Subnets", and create the subnets that will segregate your network traffic.
Click the "Create Subnet" button to start creating a new subnet. For our demo, we will create two subnets named Customer Subnet and Firewall Subnet. For each, specify the relevant details, including the VPC and the CIDR block. Define the CIDR blocks so that they fall within the VPC's 11.0.0.0/16 range, for example /24 blocks from 11.0.0.0/24 through 11.0.3.0/24; a /24 gives 256 IP addresses in each subnet. Additionally, make sure to place both subnets in the same Availability Zone.
Review your subnet configurations and click the "Create Subnet" button to confirm. You have now established subnets within your VPC, providing the necessary segmentation for your network resources.
Set Up Network Firewall Rule Group
In the AWS VPC Dashboard, navigate to Network Firewall and click on "Network Firewall rule groups".
Create a Stateful Rule Group:
Click Create Rule Group to start the setup.
In the Rule Group Type section, choose Stateful to enable deep packet inspection and maintain traffic session context.
Under Rule Group Format, choose Domain List to filter traffic based on domain names.
Describe Rule Group Details:
Name: Provide a meaningful name for the rule group (e.g., stateful-rule-group).
Description: Optionally, add a description for clarity.
Capacity: Set the desired rule group capacity (e.g., 100).
Note: Rule group capacity determines the maximum number of rules allowed within the group. Plan accordingly for future needs.
Configure Rule
In the domain list, enter the domains you want to block. For our demo, we will use www.amazon.com.
For the Action, select Deny, since we want to block any traffic to amazon.com.
Tip: Use wildcards (*.example.com) to block all subdomains under a specific domain.
Configure advanced settings
Keep the rest of the configuration at its defaults and click on “Review and Create”.
Create Firewall policy
The firewall policy defines the behavior of your AWS Network Firewall and is crucial for managing traffic inspection and handling rules. Follow these steps to accurately configure your firewall policy:
In the Network Firewall section, click on "Firewall Policies" and then on "Create Firewall Policy".
Describe Firewall Policy
Name: Enter a unique name for your firewall policy (e.g., test-firewall-policy) and provide a meaningful description to help identify the policy.
For the Stream exception policy, choose "Reject" for a fail-safe approach that ensures unintended traffic doesn't pass through the VPC.
Add Rule Groups
Attach the existing stateful rule group we created in the step above to define the traffic inspection rules, then click “Next”.
Configure Advanced Settings
Modify any additional firewall parameters, such as log destinations, as per your requirements (if needed).
Add TLS Inspection Configuration
If TLS inspection is needed, configure the required settings here.
Note: TLS inspection allows decryption and inspection of encrypted traffic.
Review and Create
Carefully review all configurations.
Once satisfied, click Create Firewall Policy to save and apply your settings.
Create Firewall
In this step, you will define the firewall settings that protect our AWS resources.
Firewall Details
Start by entering a unique name for the firewall along with a proper description.
Configure VPC and Subnets
Choose the VPC in which you want to create the firewall. For this example, we are using the VPC named test-vpc.
Navigate to the VPC selection dropdown and choose test-vpc, or the appropriate VPC for your environment.
Make sure to select the subnet dedicated to the firewall; this is the subnet where the firewall endpoint will be deployed. Additionally, choose IPv4 as the IP address type for the firewall.
Associated firewall policy
Under the "Firewall Policy" section, choose the option to Associate an existing firewall policy.
Select the firewall policy you created earlier, such as test-firewall-policy, to apply the pre-configured security rules to the firewall.
Review and Create
Carefully review all configurations.
Once satisfied, click Create Firewall to save and apply your settings.
By following these clear and structured steps, you will have successfully created your AWS firewall, ensuring that your resources are properly protected.
Create Route Table
A Route Table in AWS is a set of rules (routes) that determines where network traffic is directed within a Virtual Private Cloud (VPC). Overall, we will create three route tables named firewall-route-table, customer-route-table, and IGW-route-table.
Create a Firewall Route Table
Navigate to the "Route Tables" section in the AWS VPC Dashboard.
Click "Create Route Table" and name it firewall-route-table. Select your VPC, test-vpc.
Associate with Firewall Subnet: Under Subnet Associations, click "Edit Subnet Associations".
Associate the firewall-route-table with the Firewall Subnet to ensure that traffic is routed through the firewall.
Edit Routes:
Go to the Routes section and click "Edit Routes".
Add a new route:
Destination: 0.0.0.0/0
Target: Internet Gateway (IGW)
This route lets traffic leaving the firewall subnet reach the internet via the Internet Gateway.
Create a Customer Route Table
Click "Create Route Table" and name it customer-route-table. Select the same VPC, test-vpc.
Associate with Customer Subnet: Under Subnet Associations, click "Edit Subnet Associations".
Associate customer-route-table with the Customer Subnet to route traffic accordingly.
Edit Routes:
Go to the Routes section and click "Edit Routes".
Add a new route:
Destination: 0.0.0.0/0
Target: Firewall Subnet (the firewall endpoint deployed in that subnet)
This ensures that all outbound traffic from the customer subnet flows through the firewall subnet.
Create IGW Route Table
Click "Create Route Table" and name it IGW-route-table. Select your VPC, test-vpc.
Associate with Internet Gateway (IGW):
Under Edge Associations, click "Edit Edge Associations".
Select Internet Gateway (IGW) and click Save Changes. This ensures that the route table is linked to the internet gateway.
Edit Routes:
Go to the Routes section and click "Edit Routes".
Add a new route:
Destination: Customer Subnet's IPv4 CIDR
Target: Firewall Subnet (the firewall endpoint deployed in that subnet)
This ensures that traffic between the internet and the customer subnet flows through the firewall.
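As an added check that is not part of the original post, the following Python script encodes the three-route-table layout described in this section and verifies the invariants that make inspection work: default routes through the firewall endpoint, the edge route back to it, and the hosting-subnet caveat from the Core Components section. The subnet CIDRs and the firewall endpoint id are assumed sample values, not read from AWS.

```python
"""Offline sanity check for the single-zone inspection layout built above.
Added example, not part of the original post: the subnet CIDRs and the
firewall endpoint id are assumed sample values, not read from AWS."""
import ipaddress

VPC_CIDR = "11.0.0.0/16"
# Assumed: the instance hostname ip-11-0-1-41 suggests 11.0.1.0/24 for the
# Customer Subnet; the Firewall Subnet CIDR is a constructed placeholder.
SUBNETS = {"firewall": "11.0.0.0/24", "customer": "11.0.1.0/24"}
FIREWALL_ENDPOINT = "vpce-FIREWALL-ENDPOINT-PLACEHOLDER"

# The three route tables from the walkthrough, as constructed sample data.
ROUTE_TABLES = {
    "firewall-route-table": {"assoc": "firewall", "routes": {"0.0.0.0/0": "igw"}},
    "customer-route-table": {"assoc": "customer", "routes": {"0.0.0.0/0": FIREWALL_ENDPOINT}},
    "IGW-route-table": {"assoc": "igw", "routes": {SUBNETS["customer"]: FIREWALL_ENDPOINT}},
}


def check_inspection_path(subnets, tables, endpoint, vpc_cidr=VPC_CIDR):
    """Return a list of problems. An empty list means traffic between the
    Customer Subnet and the internet must traverse the firewall endpoint."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} subnet {net} lies outside {vpc}")
    # The firewall cannot inspect traffic inside its own hosting subnet, so
    # the workload must not share (or overlap) the Firewall Subnet.
    if nets["firewall"].overlaps(nets["customer"]):
        problems.append("customer subnet overlaps the firewall subnet")
    by_assoc = {t["assoc"]: t["routes"] for t in tables.values()}
    # Egress: customer -> firewall endpoint -> IGW.
    if by_assoc.get("customer", {}).get("0.0.0.0/0") != endpoint:
        problems.append("customer default route must target the firewall endpoint")
    if by_assoc.get("firewall", {}).get("0.0.0.0/0") != "igw":
        problems.append("firewall default route must target the internet gateway")
    # Ingress: the edge-associated IGW route table must hand return traffic
    # for the customer CIDR back to the firewall endpoint.
    if by_assoc.get("igw", {}).get(str(nets["customer"])) != endpoint:
        problems.append("IGW route table must send the customer CIDR to the firewall endpoint")
    return problems


if __name__ == "__main__":
    for issue in check_inspection_path(SUBNETS, ROUTE_TABLES, FIREWALL_ENDPOINT) or ["routing plan OK"]:
        print(issue)
```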
Configuring EC2 instance
Now we will proceed to the EC2 Dashboard and launch a new instance within our test-vpc. This instance will serve as part of our application infrastructure. Click on the "Launch Instance" button to start the instance creation process. For our demonstration, we will name the instance "test-instance" and choose Ubuntu as its operating system.
Next, create a new key pair for secure SSH access. This key pair secures communication with your EC2 instance.
For Networking, click on "Edit" to place the instance within our test-vpc. Make sure to select the Customer Subnet so that the instance sits behind the firewall. Additionally, create a security group that allows inbound traffic for SSH, HTTP, and HTTPS. This ensures controlled and secure access to your instance.
Once satisfied, click Create Instance.
Connecting to our Instances
To connect to your instance, follow these steps:
SSH Command: Use the ssh command to connect to the instance. Replace "test.pem" with your actual private key file, and <ip> with the public IP address of your instance:
ssh -i "test.pem" ubuntu@<ip>
Note: If you're using a different Linux distribution, the default username may vary (e.g., ec2-user for Amazon Linux, ubuntu for Ubuntu).
Once connected to the instance, you can test the network connectivity by running the following commands. First, try curl against google.com:
ubuntu@ip-11-0-1-41:~$ curl -I https://www.google.com
You should receive a successful response from Google.
Next, try curl against amazon.com:
curl -I https://www.amazon.com
This request will be blocked by the AWS Network Firewall, which is configured to restrict traffic to certain websites (like Amazon). The response will indicate that the connection was refused or timed out, confirming that the firewall is actively filtering traffic.
Conclusion:
In this demo, we configured the AWS Network Firewall to secure our AWS environment by controlling traffic flow and blocking unwanted access. We created and associated firewall policies, configured route tables, and implemented advanced security settings like KMS encryption and change protection. With AWS Network Firewall, we’ve established a robust network perimeter, ensuring that only authorized traffic reaches our resources. This setup provides enhanced security and better control over the traffic in your AWS infrastructure.
Connect with me on Twitter, LinkedIn, and GitHub to stay up-to-date with my latest blog posts and hands-on tutorials.