Step 1: Launch the stack - Centralized Network Inspection on AWS


Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 7–10 minutes.

  1. Sign in to the AWS Management Console and select the button to launch the centralized-network-inspection-on-aws.template CloudFormation template.


  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution uses Network Firewall, which is not currently available in all AWS Regions. You must launch this solution in an AWS Region where AWS Network Firewall is available. For the most current availability of AWS services by Region, see the AWS Regional Services List.

    You can deploy this solution multiple times in the same Region to allow users to set up a new network firewall and related resources for an existing transit gateway.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and AWS STS quotas, name requirements, and character limits in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    | Parameter | Default | Description |
    | --- | --- | --- |
    | VPC configuration | | |
    | Provide the CIDR block for the inspection VPC | 192.168.1.0/26 | CIDR block for the VPC. Must be a /26 or larger CIDR block. |
    | Transit Gateway configuration | | |
    | Provide the existing AWS Transit Gateway ID you wish to attach to the Inspection VPC | Optional input | The existing transit gateway ID in the current Region. Example: tgw-a1b2c3d4e5. Note: If the transit gateway ID is removed or updated and the stack is updated, the transit gateway attachment won't be deleted in the account. You must delete the transit gateway attachment manually. |
    | Provide the AWS Transit Gateway Route Table to be associated with the Inspection VPC TGW Attachment | Optional input | The existing transit gateway route table ID (for example, the Firewall Route Table). Example: tgw-rtb-0a1b2c3d. Note: If the transit gateway route table ID is removed and the stack is updated, the transit gateway attachment is not deleted in the account. You must delete the transit gateway attachment manually. |
    | Provide the AWS Transit Gateway Route Table to receive the 0.0.0.0/0 route to the Inspection VPC TGW Attachment | Optional input | The existing transit gateway route table ID for propagation (for example, the Spoke VPC Route Table). Example: tgw-rtb-183ae12f. Note: If the transit gateway ID, or the transit gateway route table ID and the transit gateway route table ID for the default route, are removed and the stack is updated, the default route (the route entry for 0.0.0.0/0) in the transit gateway route table is not deleted. You must delete the route manually. |
    | Firewall Logging configuration | | |
    | Select the type of log destination for the Network Firewall | CloudWatchLogs | The type of storage destination for logs. You can send logs to an S3 bucket or a CloudWatch log group. Note: The default value is CloudWatchLogs; the solution creates a log group for the firewall logs. You can also store logs in an S3 bucket. If no logging needs to be configured, select ConfigureManually. If this parameter is updated after your first deployment, you must start CodePipeline manually to update the log destination. |
    | Select the type of log to send to the defined log destination | FLOW | The type of log to send. Alert logs report traffic that matches a stateful rule with an action setting that sends an alert log message. Flow logs are standard network traffic flow logs. Note: You can set this to ALERT logs or enable both types of logs. For details, refer to Logging network traffic from AWS Network Firewall in the AWS Network Firewall Developer Guide. |
    | Select the log retention period for Network Firewall Logs | 90 | Log retention period in days. This setting also applies to the Inspection VPC Flow Logs retention period. |

  6. Select Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review and create page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

  9. Choose Submit to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 7–10 minutes.
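Before you launch, it is worth checking the step 5 parameter values against the constraints the table describes (a /26 or larger IPv4 CIDR, transit gateway and route table IDs of the shape shown in the examples, a supported log destination and log type, a positive retention period). The following pre-flight check is an added example, not part of the solution or its template; the dictionary keys (vpc_cidr, tgw_id, and so on) are assumed names for this example, the ID length range is an assumption, and "both log types" is represented as a list of the two values rather than whatever the console's combined option is called.

```python
import ipaddress
import re

# ID shapes follow the page's examples (tgw-a1b2c3d4e5, tgw-rtb-0a1b2c3d);
# the 8-17 hex-digit length range is an assumption, not from the page.
TGW_ID_RE = re.compile(r"^tgw-[0-9a-f]{8,17}$")
TGW_RTB_ID_RE = re.compile(r"^tgw-rtb-[0-9a-f]{8,17}$")
LOG_DESTINATIONS = {"CloudWatchLogs", "S3", "ConfigureManually"}
LOG_TYPES = {"FLOW", "ALERT"}


def check_parameters(p):
    """Return a list of problems with the stack parameters; empty means OK.
    The dictionary keys are assumed names for this example, not the
    template's own parameter keys."""
    problems = []
    # Inspection VPC CIDR: a valid IPv4 network of /26 or larger (prefix <= 26).
    try:
        net = ipaddress.ip_network(p.get("vpc_cidr", ""), strict=True)
        if net.version != 4 or net.prefixlen > 26:
            problems.append(f"VPC CIDR {net} must be an IPv4 block of /26 or larger")
    except ValueError:
        problems.append(f"VPC CIDR {p.get('vpc_cidr')!r} is not a valid CIDR block")
    tgw = p.get("tgw_id")
    if tgw and not TGW_ID_RE.match(tgw):
        problems.append(f"transit gateway ID {tgw!r} does not look like tgw-...")
    for label, rtb in (("association", p.get("tgw_route_table_id")),
                       ("default-route", p.get("tgw_default_route_table_id"))):
        if rtb and not TGW_RTB_ID_RE.match(rtb):
            problems.append(f"{label} route table ID {rtb!r} does not look like tgw-rtb-...")
        # Consistency check added here: a route table is only useful if the
        # stack also has a transit gateway to attach the inspection VPC to.
        if rtb and not tgw:
            problems.append(f"{label} route table given but no transit gateway ID")
    dest = p.get("log_destination", "CloudWatchLogs")
    if dest not in LOG_DESTINATIONS:
        problems.append(f"log destination {dest!r} not in {sorted(LOG_DESTINATIONS)}")
    types = set(p.get("log_types", ["FLOW"]))
    # With ConfigureManually no logging is set up, so the log type is irrelevant.
    if dest != "ConfigureManually" and (not types or not types <= LOG_TYPES):
        problems.append(f"log types {sorted(types)} must be a non-empty subset of {sorted(LOG_TYPES)}")
    retention = p.get("log_retention_days", 90)
    if not isinstance(retention, int) or isinstance(retention, bool) or retention <= 0:
        problems.append(f"log retention {retention!r} must be a positive number of days")
    return problems


if __name__ == "__main__":
    # Constructed sample input: the page's defaults plus the example IDs.
    print(check_parameters({"vpc_cidr": "192.168.1.0/26", "tgw_id": "tgw-a1b2c3d4e5",
                            "tgw_route_table_id": "tgw-rtb-0a1b2c3d"}))
```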