AWS Network Firewall
Deploy AWS Network Firewall in a centralized inspection VPC with Transit Gateway to inspect all north-south (internet) and east-west (inter-VPC) traffic. This architecture provides deep packet inspection, IPS, and domain filtering while centralizing your security controls.
Introduction
Do you have a multi-VPC AWS environment with multiple ingress and egress points? Do you want to consolidate your blast radius (and, in turn, your costs) by inspecting all ingress and egress traffic for your AWS environment through a centralized model? In this post, I will walk through the steps to accelerate your centralized deployment of AWS Network Firewall with Transit Gateway.
All items below are for demonstration purposes. You should always follow AWS Well-Architected Framework best practices and implement multi-AZ redundancy for production workloads.
Logical Diagram

Key Concepts
VPC
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Subnets
A subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. AWS subnets are commonly described as public (the subnet's route table has a route to an Internet Gateway) or private (no direct route to the internet).
VPC Route Tables
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.
Internet Gateway
A highly available VPC component that allows resources in the VPC to communicate with the internet.
NAT Gateway
Used for Network Address Translation. Allows private subnet resources to connect outbound to the internet while preventing inbound internet-initiated connections.
Transit Gateway
A network transit hub that interconnects your VPCs and on-premises networks.
Transit Gateway Attachment
Connects your VPCs or on-premises networks to a transit gateway.
Transit Gateway Route Table
Contains dynamic and static routes that decide the next hop based on the destination IP address. Can be associated with attachments and propagate routes.
North-South Traffic
Traffic that leaves the AWS environment destined for outside networks or comes into AWS from outside networks.
East-West Traffic
Traffic that stays within AWS but travels between VPCs.
Architecture Creation
Transit Gateway
Create a transit gateway as your central hub for all VPC interconnection.
Inspection VPC
The Inspection VPC is the critical component. All traffic must flow through this VPC for inspection. Ensure your firewall rules are properly configured before routing production traffic through it.
- Create VPC
- Create two subnets:
  - Firewall subnet - Holds the firewall endpoint
  - Transit Gateway subnet - Attached to Transit Gateway for routing outside the VPC
- Attach VPC to Transit Gateway using the Transit Gateway subnet
- Create network firewall and place in firewall subnet
- Create two route tables:
  - Firewall subnet route table - Route 0.0.0.0/0 to Transit Gateway
  - Transit Gateway subnet route table - Route 0.0.0.0/0 to firewall endpoint
Egress VPC
- Create VPC
- Create two subnets:
  - Public subnet - Holds the NAT Gateway
  - Transit Gateway subnet - Attached to Transit Gateway
- Attach VPC to Transit Gateway
- Create NAT Gateway in public subnet
- Create Internet Gateway and attach to VPC
- Create route tables:
  - Public subnet route table - Route 0.0.0.0/0 to Internet Gateway
  - Transit Gateway subnet route table - Route 0.0.0.0/0 to NAT Gateway
Ingress VPC
- Create VPC
- Create two public subnets (minimum required for load balancers)
- Attach VPC to Transit Gateway using both subnets
- Create Internet Gateway and attach to VPC
- Create route table:
  - Public subnet route table - Route 0.0.0.0/0 to Transit Gateway
Workload VPCs (PRD, STG, UAT)
For each workload VPC:
- Create VPC
- Create Transit Gateway subnet
- Attach VPC to Transit Gateway
- Create route table with 0.0.0.0/0 pointing to Transit Gateway
Transit Gateway Route Tables
Use separate Transit Gateway route tables for the Inspection VPC and spoke VPCs. This ensures all traffic flows through inspection and prevents routing loops.
Firewall Transit Gateway Route Table
- Propagation - Allow propagation for all VPCs for automatic routes
- Static route - 0.0.0.0/0 to Egress VPC attachment
- Association - Associate with Inspection VPC attachment
Spoke Transit Gateway Route Table
- Propagation - Do not allow any propagation
- Static route - 0.0.0.0/0 to Inspection VPC attachment (forces all traffic through inspection)
- Association - Associate with all VPCs except Inspection VPC
Traffic Flow

North-South: Outbound (VPCs to Internet)
- Traffic from private subnets routes through Transit Gateway
- Traffic moves to Inspection VPC and AWS Network Firewall
- Traffic routes back through Transit Gateway
- Traffic flows through Egress VPC NAT Gateway to the internet
North-South: Inbound (Internet to VPCs)
- Traffic enters through Internet Gateway on Ingress VPC
- Traffic destined for endpoints moves through Transit Gateway
- Traffic flows to Inspection VPC for inspection
- Traffic routes through Transit Gateway to destination VPC
East-West (Between VPCs)
- Traffic between VPCs routes through Transit Gateway
- Traffic moves to Inspection VPC for inspection
- Traffic routes back through Transit Gateway to destination
Troubleshooting
- Traffic not reaching destination - Verify Transit Gateway route table associations. Check that spoke VPCs route 0.0.0.0/0 to Inspection VPC attachment.
- Asymmetric routing issues - Ensure return traffic follows the same path. Verify route tables in all VPCs and TGW route tables are correctly configured.
- Firewall blocking legitimate traffic - Check Network Firewall rule groups and policies. Use flow logs to identify what's being blocked.
- No internet access from workload VPCs - Verify the NAT Gateway is in a public subnet with a route to the IGW. Check that the Egress VPC TGW subnet route table routes 0.0.0.0/0 to the NAT Gateway.
- High latency - Traffic traversing multiple hops adds latency. Consider the tradeoff between centralized inspection and performance requirements.
- Firewall endpoint not receiving traffic - Verify the Inspection VPC TGW subnet route table points 0.0.0.0/0 to the firewall endpoint (the vpce- ID), not to the firewall itself.
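The following is an added example (not part of the original post) that encodes the Transit Gateway route table design above and the route-table checks from the troubleshooting list as a small validator. The route-table dictionaries are constructed samples with placeholder IDs that stand in for what you would extract from describe-route-tables and search-transit-gateway-routes output.

```python
# Constructed sample standing in for describe-route-tables output; all ids are placeholders.
INSPECTION_ATT, EGRESS_ATT = "tgw-attach-inspection", "tgw-attach-egress"
SPOKE_ATTS = {"tgw-attach-ingress", "tgw-attach-prd", "tgw-attach-stg", "tgw-attach-uat"}
TGW_TABLES = {  # the Firewall and Spoke Transit Gateway route tables
    "firewall-rt": {"associations": {INSPECTION_ATT},
                    "propagations": SPOKE_ATTS | {EGRESS_ATT},
                    "static": {"0.0.0.0/0": EGRESS_ATT}},
    "spoke-rt": {"associations": SPOKE_ATTS | {EGRESS_ATT},
                 "propagations": set(),
                 "static": {"0.0.0.0/0": INSPECTION_ATT}},
}
VPC_TABLES = {  # "<vpc>/<subnet>": {destination: target id}
    "inspection/firewall-subnet": {"0.0.0.0/0": "tgw-0placeholder"},
    "inspection/tgw-subnet": {"0.0.0.0/0": "vpce-0placeholder"},  # firewall endpoint, not the firewall
    "egress/public-subnet": {"0.0.0.0/0": "igw-0placeholder"},
    "egress/tgw-subnet": {"0.0.0.0/0": "nat-0placeholder"},
    "ingress/public-subnet": {"0.0.0.0/0": "tgw-0placeholder"},
    "workload-prd/tgw-subnet": {"0.0.0.0/0": "tgw-0placeholder"},
}
# Id prefix each subnet's default route must target, per the design above.
EXPECTED_TARGET = {"inspection/firewall-subnet": "tgw-", "inspection/tgw-subnet": "vpce-",
                   "egress/public-subnet": "igw-", "egress/tgw-subnet": "nat-",
                   "ingress/public-subnet": "tgw-", "workload/tgw-subnet": "tgw-"}
def check_tgw_tables(tables):
    """Return findings for the TGW route tables; an empty list means they match the design."""
    fw, spoke, out = tables["firewall-rt"], tables["spoke-rt"], []
    if fw["associations"] != {INSPECTION_ATT}:
        out.append("firewall-rt: associate only the Inspection VPC attachment")
    if fw["static"].get("0.0.0.0/0") != EGRESS_ATT:
        out.append("firewall-rt: 0.0.0.0/0 must point to the Egress VPC attachment")
    if spoke["propagations"]:
        out.append("spoke-rt: propagation must be disabled")
    if spoke["static"].get("0.0.0.0/0") != INSPECTION_ATT:
        out.append("spoke-rt: 0.0.0.0/0 must point to the Inspection VPC attachment")
    if INSPECTION_ATT in spoke["associations"]:
        out.append("spoke-rt: Inspection VPC attachment must not be associated (routing loop)")
    if missing := spoke["associations"] - fw["propagations"]:
        out.append(f"firewall-rt: no propagation from {sorted(missing)}, so no return route")
    return out

def check_vpc_tables(tables):  # findings for subnets whose default route targets the wrong thing
    out = []
    for name, routes in tables.items():
        role = "workload/" + name.split("/")[1] if name.startswith("workload") else name
        target = routes.get("0.0.0.0/0", "<none>")
        if not target.startswith(EXPECTED_TARGET[role]):
            out.append(f"{name}: 0.0.0.0/0 -> {target}, expected a {EXPECTED_TARGET[role]}* target")
    return out
```

Run both checks after any route-table change; a non-empty result names the table and the rule it violates, which maps directly onto the troubleshooting items above.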
Conclusion
AWS services and features are built with security as a priority. With Amazon VPC, we can control network security using Network Access Control Lists (NACLs) and Security Groups (SGs). However, many organizations have requirements beyond these controls, including deep packet inspection (DPI), application protocol detection, domain name filtering, and an intrusion prevention system (IPS).
AWS Network Firewall is a stateful, managed network firewall and intrusion prevention service designed for scale, supporting tens of thousands of rules. Whether you run a purely centralized model or combine centralized and distributed deployments, placing AWS Network Firewall in a central inspection VPC ensures all traffic - whether east-west or north-south - is inspected before reaching its final destination.