AWS Network Firewall

Centralized Model

Introduction

Do you have a multi-VPC AWS environment with multiple ingress and egress points? Do you want to consolidate your blast radius (and in turn costs) in such a way that you would like to inspect all ingress and egress traffic related to your AWS environment through a centralized model? In this post, I will walk through the steps to accelerate your centralized deployment of AWS Network Firewall with Transit Gateway.

Logical Diagram

Concepts

VPC

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Subnets

A subnet is a logical subdivision of an IP network; the practice of dividing a network into two or more networks is called subnetting. AWS provides two types of subnets: a public subnet, which allows the internet to reach the machines in it, and a private subnet, which is hidden from the internet.

VPC Route Tables

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. A route table tells network packets which way they need to go to get to their destination.

Internet Gateway

An Internet Gateway is a highly available VPC component that allows the resources in the VPC to communicate with the internet.

NAT Gateway

NAT Gateway stands for “Network Address Translation” Gateway. Secured resources in a private subnet that need to connect to the internet (for security patches, updates, etc.) but must not be public facing (that is, the internet never initiates the connection) use the NAT Gateway, which sits in the public subnet.

Transit Gateway

A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.

Transit Gateway Attachment

A transit gateway attachment is a component that connects your VPCs or on-premises networks to a transit gateway.

Transit Gateway Route Table

A transit gateway has a default route table and can optionally have additional route tables. A route table includes dynamic and static routes that decide the next hop based on the destination IP address of the packet. The target of these routes could be any transit gateway attachment.

Transit Gateway Route Table Association

Each attachment is associated with exactly one route table. Each route table can be associated with zero to many attachments.

Transit Gateway Route Propagation

A VPC, VPN connection, or Direct Connect gateway can dynamically propagate routes to a transit gateway route table. With a Connect attachment, the routes are propagated to a transit gateway route table by default. With a VPC, you must create static routes to send traffic to the transit gateway. With a VPN connection or a Direct Connect gateway, routes are propagated from the transit gateway to your on-premises router using Border Gateway Protocol (BGP). With a peering attachment, you must create a static route in the transit gateway route table to point to the peering attachment.

North-South Traffic

A network traffic flow pattern in which traffic leaves the AWS environment destined for outside networks, or comes into AWS from outside networks.

East-West Traffic

A network traffic flow pattern in which traffic stays within AWS but moves between VPCs.

Creation

*all items below are for demonstration purposes; you should always use best practice and have resiliency where applicable*

Transit Gateway

  • Create transit gateway

Inspection VPC

  • Create VPC
  • Create two subnets
    • Firewall subnet
      • Subnet holding the firewall endpoint
    • Transit Gateway subnet
      • Subnet attached to the Transit Gateway for routing outside the VPC
  • Attach VPC to Transit Gateway using the Transit Gateway subnet
  • Create network firewall and place in firewall subnet
  • Create two route tables
    • Firewall subnet route table
      • Route 0.0.0.0/0 to Transit Gateway
      • Associate Firewall subnet to this route table
    • Transit Gateway subnet route table
      • Route 0.0.0.0/0 to firewall endpoint obtained from Firewall creation
      • Associate transit gateway subnet to this route table

Egress VPC

  • Create VPC
  • Create two subnets
    • Public subnet
      • Subnet holding the NAT Gateway
    • Transit Gateway subnet
      • Subnet attached to the Transit Gateway for routing outside the VPC
  • Attach VPC to Transit Gateway using the Transit Gateway subnet
  • Create NAT Gateway and place in public subnet
  • Create Internet Gateway and attach to the VPC
  • Create two route tables
    • Public subnet route table
      • Route 0.0.0.0/0 to Internet Gateway
      • Associate Public subnet to this route table
    • Transit Gateway subnet route table
      • Route 0.0.0.0/0 to NAT Gateway
      • Associate transit gateway subnet to this route table

Ingress VPC

  • Create VPC
  • Create two subnets
    • Public subnet 1
      • For load balancers, you will need a minimum of two subnets; this will be the first
    • Public subnet 2
      • For load balancers, you will need a minimum of two subnets; this will be the second
  • Attach VPC to Transit Gateway using both subnets
  • Create Internet Gateway and attach to the VPC
  • Create one route table
    • Public subnet route table
      • Route 0.0.0.0/0 to Transit Gateway
      • Associate both public subnets to this route table

PRD VPC

  • Create VPC
  • Create one subnet
    • Transit Gateway subnet
      • Subnet attached to the Transit Gateway for routing outside the VPC
  • Attach VPC to Transit Gateway using the Transit Gateway subnet
  • Create one route table
    • Transit Gateway subnet route table
      • Route 0.0.0.0/0 to Transit Gateway
      • Associate transit gateway subnet to this route table

STG VPC

  • Create VPC
  • Create one subnet
    • Transit Gateway subnet
      • Subnet attached to the Transit Gateway for routing outside the VPC
  • Attach VPC to Transit Gateway using the Transit Gateway subnet
  • Create one route table
    • Transit Gateway subnet route table
      • Route 0.0.0.0/0 to Transit Gateway
      • Associate transit gateway subnet to this route table

UAT VPC

  • Create VPC
  • Create one subnet
    • Transit Gateway subnet
      • Subnet attached to the Transit Gateway for routing outside the VPC
  • Attach VPC to Transit Gateway using the Transit Gateway subnet
  • Create one route table
    • Transit Gateway subnet route table
      • Route 0.0.0.0/0 to Transit Gateway
      • Associate transit gateway subnet to this route table

Transit Gateway Route Tables

Each VPC attachment results in a distinct Transit Gateway Attachment. The transit gateway uses that attachment as the route target to reach the respective VPC.

Firewall Transit Gateway Route Table

  • Propagation/Routing
    • Allow propagation for all VPCs, which automatically places a route for each VPC's CIDR with the respective attachment as its target
    • Create a static route of 0.0.0.0/0 to the Egress VPC attachment for all outbound Internet traffic
  • Association
    • Associate this transit gateway route table to your Inspection VPC attachment

Spoke Transit Gateway Route Table

  • Propagation/Routing
    • Do not allow any propagation
    • Create a static route of 0.0.0.0/0 to the Inspection VPC attachment so all traffic will go through inspection
  • Association
    • Associate this transit gateway route table to all VPCs, excluding the Inspection VPC

Traffic Flow Diagram

North-South

Outbound From VPCs to Internet or VPN

  • Traffic from private subnets within a VPC is routed through Transit Gateway
  • Traffic moves to the Inspection VPC and the AWS Network Firewall
  • Traffic is routed back through the Transit Gateway
  • Traffic is routed through the Egress VPC and the NAT gateway that performs network address translation (NAT) for the traffic that flows out to the internet via the Internet Gateway.

This architecture is for outbound connections only, as the NAT gateway cannot accept inbound connections from the internet.

Inbound From Internet to VPCs

  • Traffic from the Internet (via Route 53 or other DNS means) is routed through the Internet Gateway on the Ingress VPC
  • Traffic destined for endpoints in other VPCs moves through the Transit Gateway
  • Traffic moves to the Inspection VPC and the AWS Network Firewall
  • Traffic is routed back through the Transit Gateway and final destination VPC

This architecture is for inbound connections only, such as for Load Balancers or API Gateways, which accept inbound connections from the internet and route the traffic to their respective target endpoints.

Inbound From On-Premises to VPCs

  • Traffic destined for endpoints in other VPCs moves from on-premises networks through the Transit Gateway
  • Traffic moves to the Inspection VPC and the AWS Network Firewall
  • Traffic is routed back through the Transit Gateway and final destination VPC

East-West Between VPCs

  • Traffic between two VPCs is routed through the Transit Gateway
  • Traffic moves to the Inspection VPC and the AWS Network Firewall
  • Traffic is routed back through the Transit Gateway and final destination VPC

This architecture is common for environments that include an application VPC which needs access to a shared services VPC, or that need to facilitate communication between a development VPC, a testing/QA VPC, and a production VPC.
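As an added example (not part of the original post), the two Transit Gateway route tables described above and the VPC route tables from the Creation section are encoded as data, and each flow in this section is traced hop by hop with longest-prefix matching. It also shows the generalization the post only implies: enabling propagation on the spoke route table creates a direct spoke-to-spoke route that bypasses the firewall. The VPC CIDRs and the "att-<vpc>" attachment IDs are constructed for the demo.

```python
import ipaddress

# Constructed VPC CIDRs (the post assigns none); "att-<vpc>" stands in for each
# VPC's Transit Gateway attachment ID.
VPC_CIDRS = {"inspection": "10.0.0.0/16", "egress": "10.9.0.0/16",
             "ingress": "10.8.0.0/16", "prd": "10.1.0.0/16",
             "stg": "10.2.0.0/16", "uat": "10.3.0.0/16"}
SPOKES = [v for v in VPC_CIDRS if v != "inspection"]

def tgw_tables(spoke_propagation=False):
    """Return {attachment_id: route_table}; a route_table maps CIDR -> target attachment."""
    # Firewall TGW route table: propagated routes for every spoke VPC plus a static
    # 0.0.0.0/0 to the Egress attachment; associated with the Inspection attachment.
    firewall = {VPC_CIDRS[v]: f"att-{v}" for v in SPOKES}
    firewall["0.0.0.0/0"] = "att-egress"
    # Spoke TGW route table: no propagation, only a static 0.0.0.0/0 to Inspection;
    # associated with every attachment except Inspection.
    spoke = {"0.0.0.0/0": "att-inspection"}
    if spoke_propagation:  # deliberate misconfiguration: spokes learn each other directly
        spoke.update({VPC_CIDRS[v]: f"att-{v}" for v in SPOKES})
    assoc = {f"att-{v}": spoke for v in SPOKES}
    assoc["att-inspection"] = firewall
    return assoc

def lookup(table, dst):
    """Longest-prefix match, as the Transit Gateway evaluates its routes."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(c) for c in table if ip in ipaddress.ip_network(c)]
    return table[str(max(matches, key=lambda n: n.prefixlen))]

def trace(src_vpc, dst, assoc):
    """Hops from src_vpc's attachment until the packet reaches the attachment owning dst."""
    attachment = f"att-{src_vpc}"
    path = [attachment]
    for _ in range(8):  # bound the walk so a routing loop fails loudly
        attachment = lookup(assoc[attachment], dst)
        path.append(attachment)
        if attachment != "att-inspection":
            return path
        # Inside the Inspection VPC the TGW-subnet table sends 0.0.0.0/0 to the firewall
        # endpoint and the firewall-subnet table sends 0.0.0.0/0 back to the TGW; the
        # packet re-enters on the Inspection attachment, i.e. the firewall route table.
        path.append("network-firewall")
    raise RuntimeError(f"routing loop for {src_vpc} -> {dst}: {path}")

if __name__ == "__main__":
    for src, dst in [("prd", "203.0.113.10"), ("ingress", "10.1.0.5"), ("prd", "10.2.0.10")]:
        print(src, "->", dst, trace(src, dst, tgw_tables()))
    print("bypass:", trace("prd", "10.2.0.10", tgw_tables(spoke_propagation=True)))
```

Every correctly configured flow (outbound, inbound via the Ingress VPC, and east-west) contains the "network-firewall" hop, while the misconfigured spoke table yields a two-hop path that never touches it.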

Conclusion

AWS services and features are built with security as a priority. In Amazon Virtual Private Cloud (VPC), we can control network security using Network Access Control Lists (NACL) and Security Groups (SG). Many of us have requirements beyond the scope of these types of security controls: we may require deep packet inspection (DPI), application protocol detection, domain name filtering, and an intrusion prevention system (IPS).

Furthermore, we may require many more rules compared to the limits in SGs and NACLs. For these reasons, we can use AWS Network Firewall – a stateful, managed, network firewall and intrusion prevention service for your VPC. It is designed for scale and supports tens of thousands of rules.

There are many network structures to choose from. For a combined centralized and distributed deployment model, we can deploy AWS Network Firewall in a central inspection VPC, where all traffic, whether east-west or north-south, is inspected before reaching its final destination. To take this model one step further, we can also centralize the ingress and egress points for our north-south traffic, so that each traffic direction (ingress or egress) has its own VPC and related objects while all traffic is still inspected before reaching its final destination.
