Architecture details - Centralized Network Inspection on AWS

Architecture details

This section describes the components and AWS services that make up this solution and the architecture details on how these components work together.

AWS Network Firewall configuration

This solution deploys with a default network firewall policy that doesn't disrupt your existing network. This allows you to design and deploy custom network firewall policies and stateful and stateless rule groups, including rule groups built from existing Suricata-compatible stateful rules. For more information about Suricata, refer to Working with stateful rule groups in AWS Network Firewall in the AWS Network Firewall Developer Guide.

Note

You can also use Firewall Manager to centrally configure and manage firewall rules for this solution.
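As an added example (not part of the solution's own source code), the following Python check is the kind of pre-deployment validation a CodeBuild stage could run over a Suricata-compatible rules file before the stateful rule group is created. The one-rule-per-line file layout, the sample rule set and the list of checks are assumptions of this example; the action keywords it accepts (pass, drop, alert, reject) are the stateful actions Network Firewall supports.

```python
"""Sanity-check a Suricata-compatible stateful rule set before deployment.

Added example, not the solution's code. Assumes one rule per line, '#' comments,
and that the pipeline wants to fail fast on malformed headers, unsupported
actions, missing or duplicate sids, and rules without a msg.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stateful rule actions that Network Firewall accepts.
ALLOWED_ACTIONS = {"pass", "drop", "alert", "reject"}

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict  # keyword -> value ("" for flag keywords such as nocase)


def _store(options: dict, token: str) -> None:
    """Record one 'keyword:value' or bare 'keyword' option (repeats keep the last)."""
    token = token.strip()
    if not token:
        return
    key, _, value = token.partition(":")
    options[key.strip()] = value.strip().strip('"')


def split_options(opts: str) -> dict:
    """Split the option list on ';' while respecting quoted strings and escapes."""
    options, buf, in_quote, escaped = {}, [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            _store(options, "".join(buf))
            buf = []
        else:
            buf.append(ch)
    _store(options, "".join(buf))
    return options


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule header: {line.strip()!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def validate_rules(text: str) -> list[str]:
    """Return a list of findings (empty list means the rule set passed)."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append(f"line {n}: {exc}")
            continue
        if rule.action not in ALLOWED_ACTIONS:
            findings.append(f"line {n}: action '{rule.action}' is not one of {sorted(ALLOWED_ACTIONS)}")
        sid = rule.options.get("sid")
        if sid is None or not sid.isdigit():
            findings.append(f"line {n}: missing or non-numeric sid")
        elif sid in seen_sids:
            findings.append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
        if "msg" not in rule.options:
            findings.append(f"line {n}: no msg, alert logs for this rule will be hard to read")
    return findings


# Constructed sample rule set (not from the solution): two good rules, three faulty ones.
SAMPLE_RULES = """\
# constructed sample
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; endswith; msg:"allow example.com"; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"block outbound telnet"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"duplicate sid"; sid:1000002;)
block tcp any any -> any 22 (msg:"wrong action keyword"; sid:1000003;)
drop tcp any any -> any 25 (rev:1;)
"""

if __name__ == "__main__":
    for finding in validate_rules(SAMPLE_RULES):
        print(finding)
```

Run against SAMPLE_RULES it reports four findings: the duplicate sid on line 4, the unsupported action on line 5, and the missing sid and msg on line 6. A build step that exits non-zero when the list is non-empty keeps a broken rule set from ever reaching the rule group.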

Using this solution with AWS Transit Gateway

Note

To create transit gateways and manage VPCs and peering attachments, we recommend using the Network Orchestration for AWS Transit Gateway solution. You can use both solutions for the same transit gateway resource.

With an existing transit gateway

This solution works with your existing transit gateway to create a VPC transit gateway attachment if you provide the transit gateway ID. The solution also creates an association with, and a propagation to, the existing transit gateway route tables if you provide both the route table ID and the transit gateway ID. For details, refer to Step 1: Launch the stack.

Without an existing transit gateway

You can deploy this solution without a transit gateway to test it before making any network changes. If you don't provide a transit gateway ID, this solution won't create the transit gateway-to-VPC attachment. This lets your network engineers customize the Network Firewall configuration and update the firewall policies before any traffic is routed through the firewall.

Amazon CloudWatch

If you select CloudWatchLogs for the Select the type of log destination for the Network Firewall parameter when you launch the stack, this solution creates a log group for your logs. Network Firewall delivers its alert and flow log records to that log group. For more information, refer to the AWS Network Firewall Developer Guide.
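As an added example (not code from the solution), the following Python summarizes the alert records that Network Firewall writes to the log group, the way an incident responder would before building a CloudWatch metric filter. It assumes each record is one JSON object with the Suricata-style fields under "event", as in the documented Network Firewall alert and flow log format; the sample records are constructed, including a deliberately malformed line so the failure path is exercised.

```python
"""Summarize Network Firewall alert log records from CloudWatch Logs.

Added example, not the solution's code. Assumes one JSON record per line with
"event_type", "src_ip" and an "alert" object under the "event" key; flow
("netflow") records are counted but otherwise ignored here.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class AlertSummary:
    records: int = 0      # well-formed records seen (alerts and flows)
    alerts: int = 0       # records whose event_type is "alert"
    skipped: int = 0      # lines that were not usable JSON records
    # (signature_id, signature, action) -> number of matching alerts
    by_signature: Counter = field(default_factory=Counter)
    # signature_id -> set of source IPs whose traffic that rule blocked
    blocked_sources: dict = field(default_factory=lambda: defaultdict(set))


def parse_record(line: str) -> dict | None:
    """Return the decoded record, or None if the line is not a usable record."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not isinstance(rec.get("event"), dict):
        return None
    return rec


def summarize_alerts(lines) -> AlertSummary:
    """Fold an iterable of log lines into an AlertSummary."""
    summary = AlertSummary()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            summary.skipped += 1
            continue
        summary.records += 1
        ev = rec["event"]
        if ev.get("event_type") != "alert":
            continue  # flow records carry byte/packet counts, not rule matches
        summary.alerts += 1
        alert = ev.get("alert", {})
        key = (alert.get("signature_id"), alert.get("signature"), alert.get("action"))
        summary.by_signature[key] += 1
        if alert.get("action") == "blocked":
            summary.blocked_sources[alert.get("signature_id")].add(ev.get("src_ip"))
    return summary


def top_blocked(summary: AlertSummary, n: int = 3) -> list:
    """The n most frequently triggered blocking signatures, most frequent first."""
    blocked = [(k, c) for k, c in summary.by_signature.items() if k[2] == "blocked"]
    return sorted(blocked, key=lambda kv: -kv[1])[:n]


# Constructed sample records (not captured from a real firewall).
SAMPLE_LOG = """\
{"firewall_name":"inspection-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.1.0.25","src_port":50123,"dest_ip":"203.0.113.9","dest_port":23,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"block outbound telnet","category":"","severity":1}}}
{"firewall_name":"inspection-fw","availability_zone":"us-east-1b","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.2.0.7","src_port":50124,"dest_ip":"203.0.113.9","dest_port":23,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"block outbound telnet","category":"","severity":1}}}
{"firewall_name":"inspection-fw","availability_zone":"us-east-1a","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.1.0.25","src_port":50125,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"allow example.com","category":"","severity":3}}}
{"firewall_name":"inspection-fw","availability_zone":"us-east-1a","event_timestamp":"1700000004","event":{"timestamp":"2023-11-14T22:13:24.000000+0000","flow_id":4,"event_type":"netflow","src_ip":"10.1.0.25","src_port":50125,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","netflow":{"pkts":12,"bytes":4821,"start":"2023-11-14T22:13:23.000000+0000","end":"2023-11-14T22:13:24.000000+0000","age":1,"min_ttl":64,"max_ttl":64}}}
not json at all
"""

if __name__ == "__main__":
    s = summarize_alerts(SAMPLE_LOG.splitlines())
    print(f"records={s.records} alerts={s.alerts} skipped={s.skipped}")
    for (sid, sig, action), count in top_blocked(s):
        print(f"sid {sid} ({sig}): {count} {action}, sources={sorted(s.blocked_sources[sid])}")
```

On the constructed input the summary counts four usable records, three of them alerts, skips the malformed line, and reports sid 1000002 as the only blocking signature with two hits from two distinct sources. Keeping blocked source addresses per signature is what turns a drop count into something you can act on, such as a misconfigured workload still attempting outbound telnet.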

Amazon Simple Storage Service

The solution creates the following Amazon Simple Storage Service (Amazon S3) buckets:

  • Source code bucket – This bucket hosts versions of the source code used by the AWS CodeBuild stage to validate and deploy Network Firewall resources and update related resources.

  • CodePipeline artifacts bucket – This bucket stores input and output artifacts created by the CodePipeline stages. CodePipeline zips and transfers the files for input or output artifacts as appropriate for the action type in the stage.

  • (Optional) Network Firewall log destination bucket – This bucket stores the solution's logs. This S3 bucket is only created if you select Amazon S3 for the Select the type of log destination for the Network Firewall parameter when you launch the stack.