Two Examples of using AWS Network Firewall


AWS Network Firewall is a highly available, scalable, managed firewall service that provides network protection for VPCs. It complements the existing security services:

  • Security groups protect computing resources (EC2, Lambda, RDS…)
  • NACLs (Network Access Control Lists) protect subnets
  • WAF (Web Application Firewall) and Shield protect frontend resources (ELB, CloudFront, API Gateway)

There are quite a few use cases for AWS Network Firewall, e.g. VPC-to-VPC inspection, VPC-to-on-prem/VPN inspection and VPC-to-Internet inspection. Different use cases call for different deployment models.

I have done two AWS Network Firewall deployments recently, which I think are the typical use cases.

First example: the workload VPC uses its own Network Firewall for Internet ingress and egress (distributed model).

Second example: the workload VPC uses an Egress VPC for Internet outbound traffic (centralised model).

Network Firewall supports both stateless and stateful policies. Here are two simple tests that I did to show how it works:

  • Add a stateless rule to drop all protocols to 8.8.8.8/32
  • Add a stateful rule to deny HTTPS/HTTP traffic to the domain .youtube.com

Before creating the rules, I was able to curl http://www.youtube.com and dig @8.8.8.8.

[root@ip-10-180-155-181 ~]# curl -I https://www.youtube.com
HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 30 Mar 2021 01:12:54 GMT
content-length: 512040
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
p3p: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en-GB for more info."
server: ESF
x-xss-protection: 0
set-cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 30-Mar-2021 01:42:54 GMT; Path=/; Secure; HttpOnly
set-cookie: YSC=PuFCQ_QHLcQ; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none
set-cookie: VISITOR_INFO1_LIVE=sBhk3F22qp0; Domain=.youtube.com; Expires=Sun, 26-Sep-2021 01:12:54 GMT; Path=/; Secure; HttpOnly; SameSite=none
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
 
[root@ip-10-180-155-181 ~]# dig +short @8.8.8.8 www.google.com
142.250.66.196

Neither target was accessible after the rules were created.

[root@ip-10-180-155-181 ~]# curl -I https://www.youtube.com
^C timed out
 
[root@ip-10-180-155-181 ~]# dig +short  @8.8.8.8 www.google.com
;; connection timed out; no servers could be reached

The firewall logs can also be found in CloudWatch Logs.

NOTE: By default, domain list inspection uses `HOME_NET`, which is set to the CIDR range of the VPC where Network Firewall is deployed. Traffic whose source is outside `HOME_NET` is not matched by the domain list at all. So in the second example (centralised model), I had to add the workload VPC CIDR to `HOME_NET` in the rule, e.g.

{
    "RuleVariables": {
        "IPSets": {
            "HOME_NET": {
                "Definition": [
                    "10.180.155.0/24",
                    "10.180.156.0/24"
                ]
            }
        }
    },
    "RulesSource": {
        "RulesSourceList": {
            "Targets": [
                ".youtube.com"
            ],
            "TargetTypes": [
                "TLS_SNI",
                "HTTP_HOST"
            ],
            "GeneratedRulesType": "DENYLIST"
        }
    }
}
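The following is an added example, not code from the original post and not AWS's own code. It builds the two rule groups tested above in the JSON shape that the Network Firewall API accepts (a stateless rule that drops every protocol to 8.8.8.8/32, and a stateful domain-list DENYLIST for .youtube.com with an explicit HOME_NET), and then implements the check behind the NOTE: given the CIDRs of all VPCs whose traffic is routed through the firewall, it reports any source range that falls outside HOME_NET and would therefore bypass the domain list. The VPC CIDRs are constructed for the example; the function names are my own.

```python
"""Added example: build Network Firewall rule groups and verify HOME_NET coverage.

Constructed CIDRs (not necessarily the author's real ones):
  FIREWALL_VPC_CIDR  - the Egress VPC where the firewall endpoints live (default HOME_NET)
  WORKLOAD_VPC_CIDR  - a workload VPC that routes Internet-bound traffic through the Egress VPC
"""
import ipaddress
import json

FIREWALL_VPC_CIDR = "10.180.155.0/24"
WORKLOAD_VPC_CIDR = "10.180.156.0/24"


def stateless_drop_rule_group(dest_cidr: str, priority: int = 1) -> dict:
    """RulesSource of a stateless rule group that drops all traffic to dest_cidr.

    Leaving Protocols and port ranges out of MatchAttributes matches every
    protocol and port, which is what "drop all protocols to 8.8.8.8/32" needs.
    """
    return {
        "StatelessRulesAndCustomActions": {
            "StatelessRules": [
                {
                    "Priority": priority,
                    "RuleDefinition": {
                        "MatchAttributes": {
                            "Destinations": [{"AddressDefinition": dest_cidr}],
                        },
                        "Actions": ["aws:drop"],
                    },
                }
            ]
        }
    }


def domain_denylist_rule_group(domains, home_net_cidrs) -> dict:
    """Stateful domain-list rule group (TLS SNI + HTTP Host) with an explicit HOME_NET.

    Without the RuleVariables block, HOME_NET defaults to the firewall VPC's CIDR only.
    """
    return {
        "RuleVariables": {
            "IPSets": {"HOME_NET": {"Definition": list(home_net_cidrs)}}
        },
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(domains),
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "DENYLIST",
            }
        },
    }


def uncovered_sources(rule_group: dict, source_cidrs) -> list:
    """Return the source CIDRs (or single IPs) not contained in the rule group's HOME_NET.

    Domain-list rules are generated with HOME_NET as the source, so flows from
    any range returned here are never evaluated against the deny list.
    """
    home_net = [
        ipaddress.ip_network(c)
        for c in rule_group["RuleVariables"]["IPSets"]["HOME_NET"]["Definition"]
    ]
    missing = []
    for cidr in source_cidrs:
        net = ipaddress.ip_network(cidr)  # a bare IP becomes a /32 or /128
        covered = any(
            net.subnet_of(h) for h in home_net if h.version == net.version
        )
        if not covered:
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    routed_vpcs = [FIREWALL_VPC_CIDR, WORKLOAD_VPC_CIDR]

    # Default behaviour: HOME_NET is only the firewall VPC, so the workload VPC bypasses the list.
    default_rg = domain_denylist_rule_group([".youtube.com"], [FIREWALL_VPC_CIDR])
    print("bypassing sources with default HOME_NET:", uncovered_sources(default_rg, routed_vpcs))

    # Fix from the NOTE: add the workload VPC CIDR to HOME_NET.
    fixed_rg = domain_denylist_rule_group([".youtube.com"], routed_vpcs)
    print("bypassing sources after adding workload CIDR:", uncovered_sources(fixed_rg, routed_vpcs))

    print(json.dumps(stateless_drop_rule_group("8.8.8.8/32"), indent=2))
```

Running the block prints `['10.180.156.0/24']` for the default HOME_NET and `[]` once the workload CIDR is added; the stateless and stateful dicts are the `--rules-source` / `--rule-group` payloads you would pass to `aws network-firewall create-rule-group`. The check is worth running whenever a new VPC is attached to a centralised Egress VPC, because routing the traffic through the firewall is not enough on its own to get it inspected by the domain list.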

Here is a quick summary of what I have learned:

  • AWS Network Firewall inspects traffic between networks (VPC, on-prem, VPN, Internet) and takes actions based on policies. It does not support inspection between two subnets in the same VPC.
  • AWS Network Firewall endpoints need to be deployed in dedicated firewall subnets, and traffic that originates from the firewall subnets will not be inspected.
  • AWS Network Firewall uses a Gateway Load Balancer endpoint, which can be used as a route destination.
  • AWS Network Firewall supports various deployment models, centralised vs. distributed, and the key is all about how you configure the routing.
  • AWS Network Firewall supports both stateless and stateful policies. It can also use open-source and some third-party vendor IPS rules, e.g. CrowdStrike.
  • AWS Network Firewall takes the CIDR of the VPC where it is deployed as HOME_NET by default.
  • Using HOME_NET with a domain list policy, we can set up different domain whitelists/blacklists for different source VPCs.
  • AWS Network Firewall charges $0.395 per endpoint hour and $0.065 per GB processed, regardless of the traffic's source or destination, plus standard AWS data transfer charges for all data transferred via the AWS Network Firewall. If you use AWS Firewall Manager to manage Network Firewall, there are additional costs for policies and config rules.
