Deploy a firewall using AWS Network Firewall and AWS Transit Gateway - AWS Prescriptive Guidance

Deploy a firewall using AWS Network Firewall and AWS Transit Gateway

Created by Shrikant Patil (AWS)

Summary

This pattern shows you how to deploy a firewall by using AWS Network Firewall and AWS Transit Gateway. The Network Firewall resources are deployed by using an AWS CloudFormation template. Network Firewall automatically scales with your network traffic and can support hundreds of thousands of connections, so that you don’t have to worry about building and maintaining your own network security infrastructure. A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.

In this pattern, you also learn to include an inspection VPC in your network architecture. Finally, this pattern explains how to use Amazon CloudWatch to provide real-time activity monitoring for your firewall.

Tip

It’s a best practice to avoid using a Network Firewall subnet to deploy other AWS services. This is because Network Firewall can’t inspect traffic from sources or destinations within a firewall’s subnet.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • AWS Identity and Access Management (IAM) role and policy permissions

  • CloudFormation template permissions

Limitations

Domain filtering might not work as expected in this setup and could require a different configuration. For more information, see Stateful domain list rule groups in AWS Network Firewall in the Network Firewall documentation.

Architecture

Technology stack

  • Amazon CloudWatch Logs

  • Amazon VPC

  • AWS Network Firewall

  • AWS Transit Gateway

Target architecture

The following diagram shows how to use Network Firewall and Transit Gateway to inspect your traffic:

AWS Transit Gateway connecting the Inspection VPC, Egress VPC, and two spoke VPCs.

The architecture includes the following components:

  • Your application is hosted in the two spoke VPCs. The VPCs are monitored by Network Firewall.

  • The egress VPC has direct access to the internet gateway but is not protected by Network Firewall.

  • The inspection VPC is where Network Firewall is deployed.

Automation and scale

You can use CloudFormation to create this pattern by using infrastructure as code.

Tools

AWS services

  • Amazon CloudWatch Logs helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.

  • Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

  • AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud.

  • AWS Transit Gateway is a central hub that connects VPCs and on-premises networks.

Code

The code for this pattern is available in the GitHub AWS Network Firewall deployment with Transit Gateway repository. You can use the CloudFormation template from this repository to deploy a single inspection VPC that uses Network Firewall.

Epics

Task: Prepare and deploy the CloudFormation template.

Description:

  1. Download the cloudformation/aws_nw_fw.yml template from the GitHub repository.

  2. Update the template with your values.

  3. Deploy the template.

Skills required: AWS DevOps
Task: Create a transit gateway.

Description:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.

  2. On the navigation pane, choose Transit gateways.

  3. Choose Create transit gateway.

  4. For Name tag, enter a name for the transit gateway.

  5. For Description, enter a description for the transit gateway.

  6. For Amazon side Autonomous System Number (ASN), leave the default ASN value.

  7. Select the DNS support option.

  8. Select the VPN ECMP support option.

  9. Select the Default route table association option. This option automatically associates the transit gateway attachments with the default route table for the transit gateway.

  10. Select the Default route table propagation option. This option automatically propagates the transit gateway attachments to the default route table for the transit gateway.

  11. Choose Create transit gateway.

Skills required: AWS DevOps

Task: Create transit gateway attachments.

Description:

Create a transit gateway attachment for each of the following:

  • An Inspection attachment in the inspection VPC and Transit Gateway subnet

  • A SpokeVPCA attachment in the spoke VPCA and private subnet

  • A SpokeVPCB attachment in the spoke VPCB and private subnet

  • An EgressVPC attachment in the egress VPC and private subnet

Skills required: AWS DevOps

Task: Create a transit gateway route table.

Description:

  1. Create a transit gateway route table for the spoke VPCs. This route table must be associated with all the VPCs other than the inspection VPC.

  2. Create a transit gateway route table for the firewall. This route table must be associated with the inspection VPC only.

  3. Add routes to the transit gateway route table for the firewall:

    • For 0.0.0.0/0, use the EgressVPC attachment.

    • For the SpokeVPCA CIDR block, use the SpokeVPCA attachment.

    • For the SpokeVPCB CIDR block, use the SpokeVPCB attachment.

  4. Add a route to the transit gateway route table for the spoke VPCs. For 0.0.0.0/0, use the Inspection VPC attachment.

Skills required: AWS DevOps
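The three transit gateway tasks above (create the gateway, attach the four VPCs, build the firewall and spoke route tables with their routes) can be expressed as one CloudFormation template. The following is an added example written for this page; it is not the pattern's aws_nw_fw.yml template from the GitHub repository. The parameter names, the 10.1.0.0/16 and 10.2.0.0/16 spoke CIDR defaults, and the logical resource names are assumptions. Unlike the console steps, the template disables the default route table association and propagation, because every attachment here must be bound only to the custom route table that matches its role.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not the pattern's aws_nw_fw.yml) - Transit Gateway hub with separate firewall and spoke route tables

# Assumed inputs: the four VPC IDs, the subnets that hold each attachment and the
# spoke CIDR blocks. These parameter names are not from the pattern's template.
Parameters:
  InspectionVpcId: { Type: String }
  InspectionTgwSubnetIds: { Type: CommaDelimitedList }
  SpokeVpcAId: { Type: String }
  SpokeVpcASubnetIds: { Type: CommaDelimitedList }
  SpokeVpcACidr: { Type: String, Default: 10.1.0.0/16 }
  SpokeVpcBId: { Type: String }
  SpokeVpcBSubnetIds: { Type: CommaDelimitedList }
  SpokeVpcBCidr: { Type: String, Default: 10.2.0.0/16 }
  EgressVpcId: { Type: String }
  EgressSubnetIds: { Type: CommaDelimitedList }

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512          # the console default kept in step 6
      DnsSupport: enable
      VpnEcmpSupport: enable
      # Disabled on purpose: attachments must only be associated with the custom
      # route tables below, so that no default table lets the spokes reach each
      # other or the egress VPC without passing through the inspection VPC.
      DefaultRouteTableAssociation: disable
      DefaultRouteTablePropagation: disable

  # One attachment per VPC, as in "Create transit gateway attachments"
  InspectionAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: { TransitGatewayId: !Ref TransitGateway, VpcId: !Ref InspectionVpcId, SubnetIds: !Ref InspectionTgwSubnetIds }
  SpokeVpcAAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: { TransitGatewayId: !Ref TransitGateway, VpcId: !Ref SpokeVpcAId, SubnetIds: !Ref SpokeVpcASubnetIds }
  SpokeVpcBAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: { TransitGatewayId: !Ref TransitGateway, VpcId: !Ref SpokeVpcBId, SubnetIds: !Ref SpokeVpcBSubnetIds }
  EgressVpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: { TransitGatewayId: !Ref TransitGateway, VpcId: !Ref EgressVpcId, SubnetIds: !Ref EgressSubnetIds }

  # Firewall route table: associated with the inspection VPC attachment only
  FirewallRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  # Spoke route table: associated with every attachment except the inspection VPC
  SpokeRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }

  InspectionAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayAttachmentId: !Ref InspectionAttachment, TransitGatewayRouteTableId: !Ref FirewallRouteTable }
  SpokeVpcAAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayAttachmentId: !Ref SpokeVpcAAttachment, TransitGatewayRouteTableId: !Ref SpokeRouteTable }
  SpokeVpcBAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayAttachmentId: !Ref SpokeVpcBAttachment, TransitGatewayRouteTableId: !Ref SpokeRouteTable }
  EgressAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayAttachmentId: !Ref EgressVpcAttachment, TransitGatewayRouteTableId: !Ref SpokeRouteTable }

  # Firewall route table: internet-bound traffic to the egress VPC, and each
  # spoke CIDR back to the attachment that owns it
  FirewallDefaultRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties: { TransitGatewayRouteTableId: !Ref FirewallRouteTable, DestinationCidrBlock: 0.0.0.0/0, TransitGatewayAttachmentId: !Ref EgressVpcAttachment }
  FirewallToSpokeA:
    Type: AWS::EC2::TransitGatewayRoute
    Properties: { TransitGatewayRouteTableId: !Ref FirewallRouteTable, DestinationCidrBlock: !Ref SpokeVpcACidr, TransitGatewayAttachmentId: !Ref SpokeVpcAAttachment }
  FirewallToSpokeB:
    Type: AWS::EC2::TransitGatewayRoute
    Properties: { TransitGatewayRouteTableId: !Ref FirewallRouteTable, DestinationCidrBlock: !Ref SpokeVpcBCidr, TransitGatewayAttachmentId: !Ref SpokeVpcBAttachment }
  # Spoke route table: a single default route, so spoke-to-spoke and
  # spoke-to-internet traffic both traverse the firewall
  SpokeDefaultRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties: { TransitGatewayRouteTableId: !Ref SpokeRouteTable, DestinationCidrBlock: 0.0.0.0/0, TransitGatewayAttachmentId: !Ref InspectionAttachment }
```

The asymmetry between the two route tables is the whole design: the spoke table knows only the inspection attachment, so a spoke can never reach another spoke or the egress VPC directly, while the firewall table holds the specific spoke CIDRs so that return traffic leaving the inspection VPC is delivered to the right spoke. A quick check after deployment is to search both transit gateway route tables in the console and confirm that no spoke CIDR appears in the spoke table.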
Task: Create a firewall in the inspection VPC.

Description:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. Choose Create firewall.

  4. For Name, enter the name that you want to use to identify this firewall. You can't change the name of a firewall after you create it.

  5. For VPC, select your inspection VPC.

  6. For Availability Zone and Subnet, select the zone and firewall subnet that you identified.

  7. In the Associated firewall policy section, choose Associate an existing firewall policy, and then select the firewall policy that you created earlier.

  8. Choose Create firewall.

Skills required: AWS DevOps

Task: Create a firewall policy.

Description:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.

  2. In the navigation pane, under Network Firewall, choose Firewall policies.

  3. On the Describe firewall policy page, choose Create firewall policy.

  4. For Name, enter the name that you want to use for the firewall policy. You'll use the name to identify the policy when you associate the policy with your firewall later in this pattern. You can't change the name of a firewall policy after you create it.

  5. Choose Next.

  6. On the Add rule groups page, in the Stateless rule group section, choose Add stateless rule groups.

  7. In the Add from existing rule groups dialog box, select the check box for the stateless rule group that you created earlier. Choose Add rule groups. Note: At the bottom of the page, the firewall policy's capacity counter shows the capacity consumed by adding this rule group next to the maximum capacity allowed for a firewall policy.

  8. Set the stateless default action to Forward to stateful rules.

  9. In the Stateful rule group section, choose Add stateful rule groups, and then select the check box for the stateful rule group that you created earlier. Choose Add rule groups.

  10. Choose Next to step through the rest of the setup wizard, and then choose Create firewall policy.

Skills required: AWS DevOps

Task: Update your VPC route tables.

Description:

Inspection VPC route tables

  1. In the ANF subnet route table (Inspection-ANFRT), add 0.0.0.0/0 to the Transit Gateway ID.

  2. In the Transit Gateway subnet route table (Inspection-TGWRT), add 0.0.0.0/0 to the EgressVPC.

SpokeVPCA route table

In the private route table, add 0.0.0.0/0 to the Transit Gateway ID.

SpokeVPCB route table

In the private route table, add 0.0.0.0/0 to the Transit Gateway ID.

Egress VPC route tables

In the egress public route table, add the SpokeVPCA and SpokeVPCB CIDR blocks to the Transit Gateway ID. Repeat the same step for the private route table.

Skills required: AWS DevOps
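The firewall policy, the firewall, and the VPC route table changes described in the three tasks above, written as one CloudFormation template. This is an added example for this page, not the pattern's aws_nw_fw.yml template. The rule group ARNs, route table IDs, and resource names are assumed parameters that stand in for the stateless and stateful rule groups and the Inspection-ANFRT, Inspection-TGWRT and spoke private route tables the pattern refers to. One point to check against the pattern's own template: for the Transit Gateway subnet, this example points the default route at the firewall endpoint, which is the usual inspection VPC layout (traffic from the transit gateway is inspected before the firewall subnet's own default route returns it to the transit gateway, whose firewall route table then forwards it to the egress VPC); the task text names the egress VPC as that route's target.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not the pattern's aws_nw_fw.yml) - firewall policy, firewall and inspection VPC routes

# Assumed inputs. The rule group ARNs stand in for the stateless and stateful
# rule groups created earlier; the route table IDs are the Inspection-ANFRT,
# Inspection-TGWRT and spoke private route tables from the pattern.
Parameters:
  InspectionVpcId: { Type: String }
  FirewallSubnetId: { Type: String }
  TransitGatewayId: { Type: String }
  StatelessRuleGroupArn: { Type: String }
  StatefulRuleGroupArn: { Type: String }
  InspectionAnfRouteTableId: { Type: String }
  InspectionTgwRouteTableId: { Type: String }
  SpokeAPrivateRouteTableId: { Type: String }
  SpokeBPrivateRouteTableId: { Type: String }

Resources:
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: inspection-policy     # cannot be renamed afterwards
      FirewallPolicy:
        # Step 8: stateless default action "Forward to stateful rules". Fragments
        # get the same default so they cannot bypass the stateful engine.
        StatelessDefaultActions: [ "aws:forward_to_sfe" ]
        StatelessFragmentDefaultActions: [ "aws:forward_to_sfe" ]
        StatelessRuleGroupReferences:
          - Priority: 10
            ResourceArn: !Ref StatelessRuleGroupArn
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref StatefulRuleGroupArn

  Firewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: inspection-firewall         # cannot be renamed afterwards
      FirewallPolicyArn: !Ref FirewallPolicy    # Ref on the policy returns its ARN
      VpcId: !Ref InspectionVpcId
      SubnetMappings:
        - SubnetId: !Ref FirewallSubnetId       # dedicated firewall subnet, nothing else in it
      # Guard rails against accidental changes to the inspection path
      DeleteProtection: true
      FirewallPolicyChangeProtection: true
      SubnetChangeProtection: true

  # Inspection VPC, ANF subnet route table (Inspection-ANFRT): 0.0.0.0/0 to the transit gateway.
  # The transit gateway attachment must exist before this route is created.
  FirewallSubnetDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref InspectionAnfRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGatewayId

  # Inspection VPC, Transit Gateway subnet route table (Inspection-TGWRT): traffic
  # arriving from the transit gateway goes to the firewall endpoint for inspection.
  # EndpointIds is a list of "az:vpce-id" strings; the first entry is used because
  # the firewall above has a single subnet mapping (one Availability Zone).
  TgwSubnetToFirewallRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref InspectionTgwRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [ 1, !Split [ ":", !Select [ 0, !GetAtt Firewall.EndpointIds ] ] ]

  # Spoke VPCs, private route tables: 0.0.0.0/0 to the transit gateway
  SpokeAPrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref SpokeAPrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGatewayId
  SpokeBPrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref SpokeBPrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGatewayId
```

The egress VPC routes from the last task use the same AWS::EC2::Route shape with the spoke CIDR blocks as DestinationCidrBlock and the transit gateway as the target, once per egress route table. The three protection flags on the firewall are not required by the pattern; they make the firewall's subnet, policy and existence changeable only after an explicit update, which is what you want for a resource that every spoke's default route depends on.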
Task: Update the firewall's logging configuration.

Description:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. On the Firewalls page, choose the name of the firewall that you want to edit.

  4. Choose the Firewall details tab. In the Logging section, choose Edit.

  5. Adjust the Log type selections as needed. You can configure logging for alert and flow logs.

    • Alert – Sends logs for traffic that matches any stateful rule where the action is set to Alert or Drop. For more information about stateful rules and rule groups, see Rule groups in AWS Network Firewall.

    • Flow – Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.

  6. For each selected log type, choose the destination type, and then provide the information for the logging destination. For more information, see AWS Network Firewall logging destinations in the Network Firewall documentation.

  7. Choose Save.

Skills required: AWS DevOps
Task: Launch EC2 instances to test the setup.

Description:

Launch two Amazon Elastic Compute Cloud (Amazon EC2) instances in a spoke VPC: one to serve as a jump box and one to test connectivity through the firewall.

Skills required: AWS DevOps

Task: Check the metrics.

Description:

Metrics are grouped first by the service namespace and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.

  1. Sign in to the AWS Management Console and open the CloudWatch console.

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, choose the Region, and then choose AWS/NetworkFirewall.

Skills required: AWS DevOps
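The logging task (alert and flow logs to CloudWatch Logs) and the metrics task (the AWS/NetworkFirewall namespace) together, as one added CloudFormation template written for this page; it is not the pattern's aws_nw_fw.yml template. Beyond the steps above, it adds a metric filter that counts blocked alert events and a CloudWatch alarm on the DroppedPackets metric, so that drops are noticed without someone reading the log group. The firewall ARN, firewall name, Availability Zone, the SNS topic, the log group names, and the Custom/NetworkFirewall metric namespace are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not the pattern's aws_nw_fw.yml) - firewall logging to CloudWatch Logs, a metric filter and an alarm

# Assumed inputs: the ARN, name and Availability Zone of the firewall created
# earlier, and an SNS topic that receives alarm notifications.
Parameters:
  FirewallArn: { Type: String }
  FirewallName: { Type: String }
  FirewallAvailabilityZone: { Type: String }
  AlarmTopicArn: { Type: String }

Resources:
  AlertLogGroup:
    Type: AWS::Logs::LogGroup
    Properties: { LogGroupName: /aws/network-firewall/alert, RetentionInDays: 90 }
  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties: { LogGroupName: /aws/network-firewall/flow, RetentionInDays: 30 }

  # Steps 5 and 6: alert logs (stateful rules whose action is Alert or Drop) and
  # flow logs (everything the stateless engine forwards to the stateful engine),
  # each to its own CloudWatch Logs log group
  LoggingConfiguration:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !Ref FirewallArn
      LoggingConfiguration:
        LogDestinationConfigs:
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination: { logGroup: !Ref AlertLogGroup }
          - LogType: FLOW
            LogDestinationType: CloudWatchLogs
            LogDestination: { logGroup: !Ref FlowLogGroup }

  # Alert log records carry event.alert.action; counting the "blocked" ones turns
  # a burst of drops into a metric rather than leaving it as log lines only
  BlockedAlertFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref AlertLogGroup
      FilterPattern: '{ $.event.alert.action = "blocked" }'
      MetricTransformations:
        - MetricNamespace: Custom/NetworkFirewall   # assumed custom namespace
          MetricName: BlockedAlerts
          MetricValue: "1"
          DefaultValue: 0

  # Alarm on the service metric from "Check the metrics": DroppedPackets in the
  # AWS/NetworkFirewall namespace, dimensioned by firewall, zone and engine
  DroppedPacketsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: network-firewall-dropped-packets
      AlarmDescription: The stateful engine dropped packets in the last 5 minutes
      Namespace: AWS/NetworkFirewall
      MetricName: DroppedPackets
      Dimensions:
        - { Name: FirewallName, Value: !Ref FirewallName }
        - { Name: AvailabilityZone, Value: !Ref FirewallAvailabilityZone }
        - { Name: Engine, Value: Stateful }
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions: [ !Ref AlarmTopicArn ]
```

Flow logs are far more voluminous than alert logs, which is why the example keeps them for a shorter period. The alarm threshold of zero is a starting point for a new deployment, where any drop deserves a look; once the stateful rule groups are tuned, raise the threshold or switch the alarm to the BlockedAlerts metric from the filter to track only rule-driven drops.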

Related resources