Operation and customization - Dynamic Object and Rule Extensions for AWS Network Firewall

Operation and customization

Data backup and restore

All DynamoDB tables have point-in-time recovery (PITR) activated by default. Perform these steps in a testing environment before applying to a production environment.

  1. Sign in to the Amazon EventBridge console, then select Amazon EventBridge.

  2. Select Rules and find the FirewallObjectExtensionSo-autoconfigTriggerRule* rule.

  3. Select the rule and choose Disable to temporarily disable the rule. Refer to Deleting or Disabling a CloudWatch Events Rule for more information.

  4. Navigate to the DynamoDB console. Select Backups in the left navigation menu and find the target backup. For example, rulesbackup.

  5. Export the backup table data to S3. Refer to Exporting and Importing DynamoDB Data Using AWS Data Pipeline for more information.

  6. To restore, import the S3 data into the RuleExtensionsRuleTable solution table. Refer to Exporting and Importing DynamoDB Data Using AWS Data Pipeline for more information.

  7. Repeat steps 1 through 6 until all tables are restored.

  8. Before restore, navigate to the Amazon EventBridge console. Select Rules, then select the FirewallObjectExtensionSo-autoconfigTriggerRule* rule, and choose Enable.

Allow the rules to propagate to ANFW, then verify that the number of ANFW rules is correct. Also verify the rule status by calling the solution’s API rulebundles/<id>/rules.
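A small post-restore check for the step above, added here as an example and not part of the solution’s own code: it calls rulebundles/<id>/rules through awscurl (the SigV4 tool installed later on this page), counts rules per status, and flags any rule left in failed status together with its failure reason. The response field names (rules, id, status, failureReason) are assumptions; adjust them to the schema in the solution’s GitHub repository.

```python
import json
import subprocess
from collections import Counter

# Assumed response shape for GET rulebundles/<id>/rules (not documented on this page):
# {"rules": [{"id": "...", "status": "ACTIVE" | "FAILED" | ..., "failureReason": "..."}]}


def fetch_rules(api_base_url: str, rule_bundle_id: str, region: str) -> dict:
    """Call the solution API via awscurl, which signs the request with SigV4 (execute-api)."""
    url = f"{api_base_url.rstrip('/')}/rulebundles/{rule_bundle_id}/rules"
    out = subprocess.run(
        ["awscurl", "--service", "execute-api", "--region", region, url],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def summarize_rules(payload: dict) -> dict:
    """Count rules per status and collect failed rules with their failure reason."""
    rules = payload.get("rules", [])
    counts = Counter(r.get("status", "UNKNOWN") for r in rules)
    failed = [
        {"id": r.get("id"), "reason": r.get("failureReason", "")}
        for r in rules if r.get("status") == "FAILED"
    ]
    return {"total": len(rules), "by_status": dict(counts), "failed": failed}


def restore_is_healthy(payload: dict, expected_rule_count: int) -> bool:
    """True only if every backed-up rule came back and none is in FAILED status."""
    summary = summarize_rules(payload)
    return summary["total"] == expected_rule_count and not summary["failed"]


# Constructed sample response for offline use; not captured from a real deployment.
SAMPLE_RESPONSE = {
    "rules": [
        {"id": "rule-001", "status": "ACTIVE"},
        {"id": "rule-002", "status": "ACTIVE"},
        {"id": "rule-003", "status": "FAILED", "failureReason": "capacity exceeded"},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_rules("<api base url>", "<bundle id>", "<region>")
    print(json.dumps(summarize_rules(SAMPLE_RESPONSE), indent=2))
    print("healthy:", restore_is_healthy(SAMPLE_RESPONSE, expected_rule_count=3))
```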

AWS resources and service limitations

The Dynamic Object and Rule Extensions for AWS Network Firewall solution uses the following AWS services and is subject to their respective service limits.

  • AWS Identity & Access Management

  • Amazon Virtual Private Cloud

  • Amazon API Gateway

  • AWS Lambda

  • Amazon DynamoDB

  • Amazon CloudWatch Synthetics

  • Amazon CloudWatch

  • AWS Network Firewall

  • Amazon Elastic Container Service

  • AWS Config

  • AWS X-Ray

API schema

Visit our GitHub repository for the full schema and API documentation.

Install JQ

JQ is used to parse command results from the CLI tool.

To install on Amazon Linux 2:

sudo yum install jq

To install on Mac OS X:

  1. Install Homebrew.

  2. Once Homebrew is installed, run the following command:

    brew install jq

Install AWS curl

AWS curl is used to call Sigv4 protected AWS API endpoints using AWS credentials.

To install on Amazon Linux 2:

pip3 install --user awscurl

To install on Mac OS X:

  1. Install Homebrew.

  2. Once Homebrew is installed, run the following command:

    brew install awscurl

Install GNU Getopt

Note

GNU Getopt is not required on Amazon Linux 2.

To install on Mac OS X:

  1. Install Homebrew.

  2. Once Homebrew is installed, run the following command:

    brew install gnu-getopt
  3. Set GNU_GETOPT_PATH for use by the CLI tool.

    export GNU_GETOPT_PATH=/usr/local/opt/gnu-getopt/bin/getopt

Customize OPA policy

  1. Add a new OPA policy under opa/packages/<folder>/, where <folder> is either objects or rules. In this example, the policy ID is new_customer_policy and the new policy file is opa/packages/objects/object_new_customer_policy.rego.

  2. Register the new policy by using the following code:

    # Register the customer policy; "level" and "parameters" are passed through to the policy set.
    FF_CUSTOMER_REGISTERED_POLICIES := [{
        "level": "mandatory",
        "packageId": "objects",
        "policyId": "new_customer_policy_a",
        "parameters": {},
    }]

    # Expose the registered policies to the solution's policy set.
    availablePolicySet[p] {
        p := FF_CUSTOMER_REGISTERED_POLICIES
    }

  3. (Optional) We recommend adding an OPA policy unit test for the newly added policy. Refer to our GitHub repository for an example test.

  4. Refer to the README.md file to build the bundle.

  5. Redeploy this solution.

Create an EC2 instance

Create an Amazon EC2 instance to access the API Gateway endpoint in Amazon VPC.

  1. Sign in to the EC2 console.

  2. On the Instances page, choose Launch Instances.

  3. Select the Amazon Linux 2 AMI (HVM), SSD Volume Type instance.

  4. On the Choose an Instance Type page, select t2.micro, and then choose Review and Launch.

  5. Select Edit instance details, and choose the following configuration:

    Network: the VPC ID created by the solution.
    Subnet: FirewallObjectExtensionSolutionStack/object-extension-Vpc/PrivateSubnetASubnet2
  6. Choose Review and Launch.

  7. Review your Instance launch and choose Launch.

  8. In the Select an existing key pair or create a new key pair box, choose Proceed without a key pair and check the I will not be able to connect to this instance unless you use EC2 Instance Connect or know the password built into the AMI box.

  9. Choose Launch Instances.

Troubleshooting

You may need to troubleshoot the deployed solution when an unexpected network or infrastructure change occurs. The following are basic diagnosis and recovery steps for some common issues.

API Gateway returns 503 or 504 for all requests

  1. Sign in to the CloudWatch console, then select Dashboards.

  2. Select RuleExtensionServiceDashboard.

  3. Check the alarms. The alarm reason is listed in Details.

  4. Check Synthetics canaries. The logs section contains the error reasons in case of a failure.

  5. Navigate to the AWS Console, then select API Gateway.

  6. Select Lambda, then select Monitor.

  7. Check the Lambda logs and search for log level ERROR.

  8. Get the trace_id from the ERROR log. For example, trace_id = x_1123456.

  9. Navigate to the CloudWatch console, then select Trace and enter the trace_id.

The trace page shows where the error occurred.

Alternatively, if you cannot find the trace_id by examining the logs in step 5, you can query for it: navigate to the CloudWatch console, select Trace, and enter the following filter expression in the query section (replace YOUR_DEPLOYED_SERVICE_NAME with the name of your deployed Lambda function):

service(id(name: "YOUR_DEPLOYED_SERVICE_NAME", type: "AWS::Lambda::Function")) {fault = true}

Rule resolution failure

If rule resolution fails, the rule is placed in failed status and displays a failure reason. To diagnose the cause:

  1. Sign in to the CloudWatch console, choose Dashboards, then select RuleExtensionServiceDashboard.

  2. Check the alarms. The alarm reason is listed under Details.

  3. Navigate to the Lambda console and search FirewallObjectExtensionSo-autoconfigapiautoConfig.

  4. Navigate to the API Gateway console and choose Lambda then select Monitor.

  5. Check the Lambda logs and search for log level ERROR.

  6. Get the trace_id from the ERROR log. For example, trace_id = x_1123456.

  7. Navigate to the CloudWatch console then select Trace, and enter the trace_id.

Error: unauthorized access

This is a common error, for example, "User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: networkfirewall:DescribeFirewall on resource: exampleFirewall"

This is usually caused by an incorrect configuration of the AWS Network Firewall rule group name. The solution can only access rule groups whose names match the pattern specified in the networkFirewallRuleGroupNamePattern configuration. Therefore, ensure the pattern matches the actual rule group name shown in the AWS Network Firewall console. Refer to Update solution configuration for more information.

Error: capacity exceeded

This is usually caused by a rule group capacity that is insufficient for the number of rules defined in the system. Refer to Performance for more information.

  1. Sign in to the AWS Lambda console and search for FirewallObjectExtensionSo-autoconfigautoConfigSche. Disable its EventBridge trigger so that rule resolution stops.

  2. Navigate to the AWS Network Firewall console and select Network Firewall rule groups, then select your rule group.

  3. Delete the rule group that is at full capacity. To inspect an individual rule first, run the following command using the aoe.sh script that comes with this solution:

    ./aoe.sh get-rule --rule-bundle-id <id> --rule-id <id>
  4. Create a new rule group with the same name, increasing the capacity by 50% (recommended) or as appropriate.

  5. Re-enable the EventBridge trigger that was disabled in step 1.

For detailed troubleshooting steps for each AWS service used in this solution, refer to Troubleshooting resources.