This pattern shows you how to deploy a firewall by using AWS Network Firewall and AWS Transit Gateway. The Network Firewall resources are deployed by using an AWS CloudFormation template. Network Firewall automatically scales with your network traffic and can support hundreds of thousands of connections, so that you don’t have to worry about building and maintaining your own network security infrastructure. A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.
In this pattern, you also learn to include an inspection VPC in your network architecture. Finally, this pattern explains how to use Amazon CloudWatch to provide real-time activity monitoring for your firewall.
Tip
It’s a best practice to avoid using a Network Firewall subnet to deploy other AWS services. This is because Network Firewall can’t inspect traffic from sources or destinations within a firewall’s subnet.
Prerequisites and limitations
Prerequisites
An active AWS account
AWS Identity and Access Management (IAM) role and policy permissions
Tools
Amazon CloudWatch Logs helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.
Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud.
AWS Transit Gateway is a central hub that connects VPCs and on-premises networks.
Code
The code for this pattern is available in the GitHub AWS Network Firewall deployment with Transit Gateway repository. You can use the CloudFormation template from this repository to deploy a single inspection VPC that uses Network Firewall.
Epics
Task
Description
Skills required
Prepare and deploy the CloudFormation template.
Download the cloudformation/aws_nw_fw.yml template from the GitHub repository.
Update the template with your values.
Deploy the template.
AWS DevOps
Create the spoke VPC and inspection VPC
Task
Description
Skills required
For Name tag, enter a name for the transit gateway.
For Description, enter a description for the transit gateway.
For Amazon side Autonomous System Number (ASN), leave the default ASN value.
Select the DNS support option.
Select the VPN ECMP support option.
Select the Default route table association option. This option automatically associates the transit gateway attachments with the default route table for the transit gateway.
Select the Default route table propagation option. This option automatically propagates the transit gateway attachments to the default route table for the transit gateway.
In the navigation pane, under Network Firewall, choose Firewall policies.
On the Describe firewall policy page, choose Create firewall policy.
For Name, enter the name that you want to use for the firewall policy. You'll use the name to identify the policy when you associate the policy with your firewall later in this pattern. You can't change the name of a firewall policy after you create it.
Choose Next.
On the Add rule groups page, in the Stateless rule group section, choose Add stateless rule groups.
In the Add from existing rule groups dialog box, select the check box for the stateless rule group that you created earlier. Choose Add rule groups. Note: At the bottom of the page, the firewall policy's capacity counter shows the capacity consumed by adding this rule group next to the maximum capacity allowed for a firewall policy.
Set the stateless default action to Forward to stateful rules.
In the Stateful rule group section, choose Add stateful rule groups, and then select the check box for the stateful rule group that you created earlier. Choose Add rule groups.
Choose Next to step through the rest of the setup wizard, and then choose Create firewall policy.
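The firewall policy that these console steps produce can also be declared in CloudFormation. The following template is an added example written for this page; it is not the `aws_nw_fw.yml` template from the pattern's repository. It assumes the stateless and stateful rule groups already exist and takes their ARNs as parameters; the policy name `inspection-firewall-policy` and the rule group priority are placeholder values.

```yaml
# Added example (not the pattern's aws_nw_fw.yml): a firewall policy that
# mirrors the console wizard above. Rule group ARNs are passed in as parameters.
AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall policy referencing existing stateless and stateful rule groups

Parameters:
  StatelessRuleGroupArn:
    Type: String
    Description: ARN of the stateless rule group created earlier (placeholder)
  StatefulRuleGroupArn:
    Type: String
    Description: ARN of the stateful rule group created earlier (placeholder)

Resources:
  InspectionFirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      # The name cannot be changed after creation, exactly as in the console.
      FirewallPolicyName: inspection-firewall-policy
      FirewallPolicy:
        # "Forward to stateful rules": anything the stateless rules do not
        # explicitly pass or drop is handed to the stateful engine.
        StatelessDefaultActions:
          - aws:forward_to_sfe
        # Fragments have their own default action. Forwarding them too keeps
        # the stateful engine (and its alert logging) authoritative instead of
        # letting fragmented traffic bypass inspection.
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        StatelessRuleGroupReferences:
          - ResourceArn: !Ref StatelessRuleGroupArn
            Priority: 10          # lower number is evaluated first
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref StatefulRuleGroupArn
      Tags:
        - Key: Name
          Value: inspection-firewall-policy

Outputs:
  FirewallPolicyArn:
    Description: Associate this ARN with the firewall in the next step
    Value: !Ref InspectionFirewallPolicy
```

Each rule group's capacity counts against the policy's maximum, as the capacity counter in the console shows; a stack create or update fails if the referenced groups exceed it, so check the total before deploying.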
AWS DevOps
Update your VPC route tables.
Inspection VPC route tables
In the ANF subnet route table (Inspection-ANFRT), add 0.0.0.0/0 to the Transit Gateway ID.
In the Transit Gateway subnet route table (Inspection-TGWRT), add 0.0.0.0/0 to the EgressVPC.
SpokeVPCA route table
In the private route table, add 0.0.0.0/0 to the Transit Gateway ID.
SpokeVPCB route table
In the private route table, add 0.0.0.0/0 to the Transit Gateway ID.
Egress VPC route tables
In the egress public route table, add the SpokeVPCA and SpokeVPCB CIDR blocks to the Transit Gateway ID. Repeat the same step for the private subnet.
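The transit gateway options from the "Create the spoke VPC and inspection VPC" steps and the VPC route table entries above can be expressed in one CloudFormation template. The following is an added example for this page, not code from the pattern's repository. It covers one spoke VPC (SpokeVPCA) and the egress VPC; SpokeVPCB and the inspection VPC follow the same attachment-plus-route pattern. All VPC, subnet, route table IDs and the `10.1.0.0/16` CIDR are placeholder parameters, and the resource names are assumptions.

```yaml
# Added example (not the pattern's aws_nw_fw.yml): transit gateway with the
# console-equivalent options, attachments for one spoke VPC and the egress VPC,
# and the route table entries from the steps above.
AWSTemplateFormatVersion: '2010-09-09'
Description: Transit gateway hub plus spoke and egress VPC routes

Parameters:
  SpokeVpcAId:
    Type: AWS::EC2::VPC::Id
  SpokeVpcASubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: One subnet per Availability Zone for the attachment
  SpokeVpcAPrivateRouteTableId:
    Type: String
  SpokeVpcACidr:
    Type: String
    Default: 10.1.0.0/16            # constructed placeholder; use the real CIDR
  EgressVpcId:
    Type: AWS::EC2::VPC::Id
  EgressVpcSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  EgressPublicRouteTableId:
    Type: String

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      Description: Hub interconnecting spoke, inspection and egress VPCs
      AmazonSideAsn: 64512                      # the console default ASN
      DnsSupport: enable
      VpnEcmpSupport: enable
      # Attachments are associated with, and propagated to, the default
      # transit gateway route table, as the two console check boxes do.
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      Tags:
        - Key: Name
          Value: inspection-tgw

  SpokeVpcAAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SpokeVpcAId
      SubnetIds: !Ref SpokeVpcASubnetIds

  EgressVpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref EgressVpcId
      SubnetIds: !Ref EgressVpcSubnetIds

  # SpokeVPCA private route table: 0.0.0.0/0 to the transit gateway, so every
  # egress flow crosses the inspection VPC. A route that targets a transit
  # gateway fails to create until the VPC is attached, hence DependsOn.
  SpokeVpcADefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: SpokeVpcAAttachment
    Properties:
      RouteTableId: !Ref SpokeVpcAPrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGateway

  # Egress public route table: the spoke CIDR returns through the transit
  # gateway. Repeat this resource for SpokeVPCB and for the private table.
  EgressReturnRouteSpokeA:
    Type: AWS::EC2::Route
    DependsOn: EgressVpcAttachment
    Properties:
      RouteTableId: !Ref EgressPublicRouteTableId
      DestinationCidrBlock: !Ref SpokeVpcACidr
      TransitGatewayId: !Ref TransitGateway
```

A useful check after deployment is that the spoke's private route table has no route to an internet gateway or NAT gateway of its own; if it does, that path is more specific than, or equal to, the 0.0.0.0/0 route and traffic bypasses the firewall.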
Set up CloudWatch to perform real-time network inspection
In the navigation pane, under Network Firewall, choose Firewalls.
In the Firewalls page, choose the name of the firewall that you want to edit.
Choose the Firewall details tab. In the Logging section, choose Edit.
Adjust the Log type selections as needed. You can configure logging for alert and flow logs.
Alert – Sends logs for traffic that matches any stateful rule where the action is set to Alert or Drop. For more information about stateful rules and rule groups, see Rule groups in AWS Network Firewall.
Flow – Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.
For each selected log type, choose the destination type, and then provide the information for the logging destination. For more information, see AWS Network Firewall logging destinations in the Network Firewall documentation.
Choose Save.
AWS DevOps
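The logging configuration from these steps, with CloudWatch Logs as the destination for both log types, can be declared in CloudFormation as well. This is an added example for this page, not code from the pattern's repository; it assumes the firewall already exists and takes its ARN as a parameter, and the log group names and retention periods are placeholders.

```yaml
# Added example (not the pattern's aws_nw_fw.yml): alert and flow logging for
# an existing firewall, each log type to its own CloudWatch Logs log group.
AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall alert and flow logs to CloudWatch Logs

Parameters:
  FirewallArn:
    Type: String
    Description: ARN of the firewall deployed by the pattern (placeholder)

Resources:
  FirewallAlertLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/network-firewall/alert   # constructed name
      RetentionInDays: 90                         # alerts are kept longer for investigation

  FirewallFlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/network-firewall/flow    # constructed name
      RetentionInDays: 30                         # flow logs are high volume

  FirewallLogging:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !Ref FirewallArn
      LoggingConfiguration:
        LogDestinationConfigs:
          # ALERT: traffic matching a stateful rule whose action is Alert or Drop
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref FirewallAlertLogGroup
          # FLOW: every flow the stateless engine forwards to the stateful engine
          - LogType: FLOW
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref FirewallFlowLogGroup
```

Separating the two log types keeps alert retention independent of flow log volume and lets metric filters and alarms be scoped to the alert group only.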
Metrics are grouped first by the service namespace and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.
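One way to turn the AWS/NetworkFirewall namespace into real-time monitoring is an alarm on the stateful engine's dropped packets per Availability Zone. The template below is an added example for this page, not code from the pattern's repository. The metric name `DroppedPackets` and the dimensions `FirewallName`, `AvailabilityZone` and `Engine` are taken from the Network Firewall CloudWatch metrics reference; the threshold, Availability Zone default and SNS topic are placeholders.

```yaml
# Added example (not the pattern's aws_nw_fw.yml): alarm when the stateful
# engine of one firewall, in one Availability Zone, drops more packets than a
# baseline within a five-minute window.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudWatch alarm on Network Firewall stateful drops

Parameters:
  FirewallName:
    Type: String
    Description: Name of the firewall deployed by the pattern (placeholder)
  AvailabilityZone:
    Type: String
    Default: us-east-1a                 # constructed placeholder
  AlarmTopicArn:
    Type: String
    Description: SNS topic that receives the alarm notification (placeholder)

Resources:
  StatefulDropsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${FirewallName}-${AvailabilityZone}-stateful-drops'
      AlarmDescription: Stateful engine drop count exceeded the expected baseline
      Namespace: AWS/NetworkFirewall      # the namespace named in the text above
      MetricName: DroppedPackets
      Dimensions:
        - Name: FirewallName
          Value: !Ref FirewallName
        - Name: AvailabilityZone
          Value: !Ref AvailabilityZone
        - Name: Engine
          Value: Stateful
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1000                     # constructed baseline; tune to observed traffic
      ComparisonOperator: GreaterThanThreshold
      # No data means no dropped packets, not a failure of the firewall.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopicArn
```

Because Network Firewall reports metrics per Availability Zone and per engine, one alarm per zone shows which endpoint is dropping traffic; a sudden rise in drops is usually either an attack being blocked or a new rule that is too broad, and the alert log group from the logging step tells you which.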