What is it?

AWS Network Firewall is a managed firewall service for our VPC. We can use Network Firewall to filter traffic at the perimeter of our VPC. Network Firewall includes filtering traffic going to and coming from IGW, NAT Gateway, VPN and Direct Connect.

Network Firewall components

  • Firewall
  • Firewall Policy
  • Rule Group

Diagram

diagram

Route Table Configuration

  • Public subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Firewall subnet. (figure-1)
  • Firewall subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Internet Gateway (IGW) (figure-2)
  • IGW route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 10.100.2.0/24 to the Firewall subnet. (figure-3)

  • TGW route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 10.100.2.0/24 to the Firewall subnet.
  • Private subnet route table routes traffic destined for 10.100.0.0/16 to the local address. Routes traffic destined for 0.0.0.0/0 (ANY) to the Firewall subnet.
In our example, we will only focus on the test-machine located in public subnet. Private subnet, NAT gateway and TGW are not covered in this example.

Let's configure the Route Tables.

figure-1 public route table

figure-2 firewall route table

figure-3 igw route table

Agenda

  • Permit SSH access to 10.100.2.10 (test machine in the public subnet) only from 82.11.130.226
  • Block ICMP from 10.100.2.10 to 8.8.8.8
  • Block access to example.net
  • Permit everything else

Setup AWS Network Firewall

Firewall

Firewall connects a firewall policy, which defines network traffic monitoring and filtering behaviour, to the VPC that we want to protect.

Let's create a Firewall.

Firewall Policies

An AWS Network Firewall firewall policy defines the monitoring and protection behaviour for a firewall. The details of the behaviour are defined in the rule groups that add to the policy.

I created  a policy called test-policy and associated with the Firewall we created in the previous step. Next step is to add some Rule Groups into it.

To create a Firewall Policy:

  • In the navigation pane, under Network Firewall, choose Firewall policies.
  • Choose Create firewall policy

Rule Groups

A rule group is a reusable set of criteria for inspecting and handling network traffic. We can add one or more rule groups to a firewall policy as part of policy configuration.

  • Stateless rule group - Network Firewall stateless rules engine examines each packet in isolation. It doesn't consider context such as traffic direction or traffic flow.
  • Stateful rule group - Stateful rules engine examines the full state of active traffic. It does consider the complete context of traffic and data packets.
  • Domain list rule group - We can create allow/deny lists with domain names that the stateful rules engine looks for in a packet.
I have also set the stateless default action to forward to stateful rule group so, any packet doesn't match the stateless rule group is sent out to the stateful rule group.
Firewall Policy

stateless rule group

stateful rule

ip domain list

Verification

Traffic flow

As you can see below pinging 8.8.8.8 and browsing example.net are getting blocked.

ubuntu@ip-10-100-2-10:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2028ms

ubuntu@ip-10-100-2-10:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=49 time=12.3 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=49 time=14.6 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=49 time=8.62 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.621/11.856/14.649/2.483 ms
ubuntu@ip-10-100-2-10:~$ links example.net

Rquest sent   <<< The page doesn't load

Logging and Monitoring

There are multiple ways where you can store and view the logs generated by the Networks Firewall. I will show you how to use CloudWatch in this example.

To send logs to CloudWatch:

  • Create a CloudWatch Logs log group.
  • Provide the log group name to the Network Firewall
  • AWS Network Firewall now delivers logs to the CloudWatch log group in log streams.
  • Each log stream contains an hour of log records.
create log group
edit firewall logging config
firewall logging settings

As you can see below that the traffic to both example.net and 8.8.8.8 are blocked and the logs are stored in CloudWatch.

{
    "firewall_name": "test-firewall",
    "availability_zone": "eu-west-1a",
    "event_timestamp": "1605805211",
    "event": {
        "timestamp": "2020-11-19T17:00:11.487618+0000",
        "flow_id": 276083259410786,
        "event_type": "alert",
        "src_ip": "10.100.2.10",
        "src_port": 52086,
        "dest_ip": "93.184.216.34",
        "dest_port": 80,
        "proto": "TCP",
        "tx_id": 0,
        "alert": {
            "action": "blocked",		<<<<<<
            "signature_id": 2,
            "rev": 1,
            "signature": "matching HTTP denylisted FQDNs",
            "category": "",
            "severity": 1
        },
        "http": {
            "hostname": "example.net",	<<<<<<
            "url": "/",
            "http_user_agent": "Links (2.14; Linux 5.4.0-1029-aws x86_64; GNU C 7.3; text)",
            "http_method": "GET",
            "protocol": "HTTP/1.1",
            "length": 0
        },
        "app_proto": "http"
    }
}
example.net blocked
{
    "firewall_name": "test-firewall",
    "availability_zone": "eu-west-1a",
    "event_timestamp": "1605792702",
    "event": {
        "timestamp": "2020-11-19T13:31:42.770484+0000",
        "flow_id": 175749856149940,
        "event_type": "alert",
        "src_ip": "10.100.2.10",
        "dest_ip": "8.8.8.8",		<<<<<<<<
        "proto": "ICMP",			<<<<<<<<
        "icmp_type": 8,
        "icmp_code": 0,
        "alert": {
            "action": "blocked",
            "signature_id": 1,
            "rev": 0,
            "signature": "",
            "category": "",
            "severity": 3
        }
    }
}
icmp blocked

Thanks for reading.

As always, your feedback and comments are more than welcome.

Reference

What is AWS Network Firewall? - Network Firewall
Use AWS Network Firewall to filter traffic to and from public subnets in your Amazon Virtual Private Cloud VPCs, to control access to your content and help protect against attacks.