AWS Network Firewall
What is AWS Network Firewall?
AWS Network Firewall is a managed service from AWS that provides network protection for all of your VPCs. It has a rule engine that lets you define firewall rules, import rules already written in common open source rule formats, and enable integrations with managed threat intelligence feeds sourced by AWS partners.
It also protects against common network threats: you can filter traffic at the perimeter of your VPC, including traffic going to and coming from an internet gateway, a NAT gateway, or over a VPN or AWS Direct Connect connection.
What can be protected and Monitored?
AWS Network Firewall's intrusion prevention system (IPS) provides active traffic flow inspection that uses signature-based detection to detect and block vulnerability exploits.
AWS Network Firewall can be configured to allow traffic only to and from known AWS service domains or IP addresses, and its web filtering can allow or block protocols such as HTTPS on known ports.
Implementing AWS Network Firewall using Terraform
Starting with Terraform v0.12, you can use the AWS Network Firewall resources to deploy it. Below is a sample configuration that deploys an AWS VPC with AWS Network Firewall using Terraform.
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "example" {
  vpc_id = aws_vpc.example.id
}

# Subnet for the workload whose traffic is inspected
resource "aws_subnet" "application" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.1.0/24"
  vpc_id            = aws_vpc.example.id
}

# Dedicated subnet for the firewall endpoint; it must not host workloads
resource "aws_subnet" "firewall" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.0.0/24"
  vpc_id            = aws_vpc.example.id
}

# Stateless rule group: pass packets sourced from the two private ranges
resource "aws_networkfirewall_rule_group" "example" {
  capacity = 1000
  name     = "example"
  type     = "STATELESS"

  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        stateless_rule {
          priority = 5
          rule_definition {
            actions = ["aws:pass"]
            match_attributes {
              source {
                address_definition = "10.0.0.0/8"
              }
              source {
                address_definition = "192.168.0.0/16"
              }
            }
          }
        }
      }
    }
  }
}

# Policy: anything the stateless rule group does not pass is dropped
resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example"

  firewall_policy {
    stateless_default_actions          = ["aws:drop"]
    stateless_fragment_default_actions = ["aws:drop"]

    stateless_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.example.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "example" {
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
  name                = "example"
  vpc_id              = aws_vpc.example.id

  subnet_mapping {
    subnet_id = aws_subnet.firewall.id
  }
}

# ID of the firewall endpoint that AWS creates in the firewall subnet.
# Routes must target this endpoint (vpc_endpoint_id), not a plain network
# interface, otherwise traffic never reaches the firewall for inspection.
locals {
  firewall_endpoint_id = tolist(aws_networkfirewall_firewall.example.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}

# Application subnet: default route goes to the firewall endpoint
resource "aws_route_table" "application" {
  vpc_id = aws_vpc.example.id

  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.firewall_endpoint_id
  }
}

resource "aws_route_table_association" "application" {
  route_table_id = aws_route_table.application.id
  subnet_id      = aws_subnet.application.id
}

# Firewall subnet: inspected traffic leaves via the internet gateway
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.example.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.example.id
  }
}

resource "aws_route_table_association" "firewall" {
  route_table_id = aws_route_table.firewall.id
  subnet_id      = aws_subnet.firewall.id
}

# Internet gateway (ingress routing): return traffic destined for the
# application subnet is sent back through the firewall endpoint
resource "aws_route_table" "gateway" {
  vpc_id = aws_vpc.example.id

  route {
    cidr_block      = aws_subnet.application.cidr_block
    vpc_endpoint_id = local.firewall_endpoint_id
  }
}

resource "aws_route_table_association" "gateway" {
  gateway_id     = aws_internet_gateway.example.id
  route_table_id = aws_route_table.gateway.id
}
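The configuration above only uses a stateless rule group. The IPS and domain-filtering capabilities described under "What can be protected and Monitored?" are implemented with stateful rule groups, so the following added example (written for this page, not taken from the original post or from AWS) shows a stateful domain allow-list, a Suricata-format signature, a policy that forwards packets to the stateful engine, and alert logging to CloudWatch. It assumes it lives in the same Terraform module as the configuration above, so that `aws_networkfirewall_firewall.example` refers to the firewall deployed there; the resource names, the `.amazonaws.com` and `example.com` targets, the Telnet signature and the log group name are illustrative choices.

```hcl
# Stateful rule group: only allow HTTP Host / TLS SNI values on the list.
# Requests for any other domain of these target types are dropped.
resource "aws_networkfirewall_rule_group" "domain_allowlist" {
  capacity = 100
  name     = "domain-allowlist"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [".amazonaws.com", "example.com"] # assumed targets
      }
    }
  }
}

# Stateful rule group in Suricata-compatible format: the IPS engine drops
# cleartext Telnet and records an alert so the attempt shows up in the logs.
resource "aws_networkfirewall_rule_group" "ips_signatures" {
  capacity = 100
  name     = "ips-signatures"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_string = <<-EOT
        drop tcp any any -> any 23 (msg:"Cleartext Telnet blocked"; sid:1000001; rev:1;)
      EOT
    }
  }
}

# Policy: the stateless engine hands every packet to the stateful engine,
# where the allow-list and the signatures are evaluated.
resource "aws_networkfirewall_firewall_policy" "stateful_example" {
  name = "stateful-example"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.domain_allowlist.arn
    }

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.ips_signatures.arn
    }
  }
}

# Alert logs are what a detection team actually reads; without a logging
# configuration the firewall drops silently.
resource "aws_cloudwatch_log_group" "firewall_alerts" {
  name              = "/aws/network-firewall/alerts" # assumed name
  retention_in_days = 30
}

resource "aws_networkfirewall_logging_configuration" "example" {
  # Assumes the firewall from the page's configuration above
  firewall_arn = aws_networkfirewall_firewall.example.arn

  logging_configuration {
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.firewall_alerts.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
  }
}
```

To put the stateful policy into effect, point `firewall_policy_arn` on `aws_networkfirewall_firewall.example` at `aws_networkfirewall_firewall_policy.stateful_example.arn` instead of the stateless-only policy. Start with `alert` rather than `drop` in the Suricata rule while validating the allow-list, so legitimate traffic that is missing from `targets` shows up in the CloudWatch log group before it is blocked.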
Conclusion
AWS Network Firewall is used to inspect your AWS VPC traffic and to filter outbound and internet traffic. It enables network protection for AWS VPCs and provides consistent firewall policy management across VPCs and accounts.