Architecture overview
The Dynamic Object and Rule Extensions for AWS Network Firewall
solution has a two-tier architecture, which consists of the business
tier and data tier. The business tier is powered by a combination of
Amazon API Gateway
The architecture can be grouped into two logical components:
- Request orchestration
- Automatic resource and rule synchronization, and ANFW configuration

Request orchestration
- The API Gateway provides the primary interface for the user to interact with this solution, including endpoints to manage the domain entities. Domain entities include rule, object, rule bundle, and list audit information. Refer to the API schema in the GitHub repository for sample requests and information about updating the metadata.
- The request is forwarded to a Lambda handler function.
- (Optional) When enableOpa=true, a Lambda function invokes the ECS-hosted OPA cluster to validate the request based on its context. For example, the Lambda function can validate whether the requester is allowed to perform the CreateObject action.
- Lambda issues the request data to read from or write to the domain entity tables in DynamoDB.

Automatic resource and rule synchronization, and ANFW configuration
- An Amazon EventBridge rule is scheduled to invoke the Auto Config Lambda function. The frequency is based on the ruleResolutionInterval configuration; the default value is 10 minutes.
- The Auto Config Lambda function requests domain entity data such as rule bundle, rule, and object from Amazon DynamoDB.
- The Auto Config Lambda function queries the AWS Config aggregator to resolve the objects referenced by the rules defined in the solution.
- The Auto Config Lambda function sends an update request to ANFW.
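The synchronization steps above, as an added example that is not the solution's own code: a minimal offline model of what the Auto Config Lambda does when it turns object references into concrete addresses and decides whether ANFW needs an update. The record shapes, the tag-based object type, the Suricata-style rule output and the sample Config aggregator results are all constructed assumptions, not the project's schema.

```python
from __future__ import annotations
import hashlib

# Constructed stand-in for what an AWS Config aggregator query might return (simplified).
CONFIG_RESOURCES = [
    {"type": "AWS::EC2::Instance", "tags": {"app": "web"}, "privateIp": "10.0.1.11"},
    {"type": "AWS::EC2::Instance", "tags": {"app": "web"}, "privateIp": "10.0.1.10"},
    {"type": "AWS::EC2::Instance", "tags": {"app": "db"}, "privateIp": "10.0.2.5"},
]

# Constructed domain entities, standing in for the object and rule records kept in DynamoDB.
OBJECTS = {
    "web-servers": {"kind": "tag", "key": "app", "value": "web"},
    "db-servers": {"kind": "tag", "key": "app", "value": "db"},
    "corp-cidr": {"kind": "cidr", "value": "192.168.0.0/16"},
}
RULES = [
    {"action": "pass", "proto": "tcp", "src": "web-servers", "dst": "db-servers", "dport": "5432"},
    {"action": "drop", "proto": "tcp", "src": "corp-cidr", "dst": "db-servers", "dport": "any"},
]

def resolve_object(name: str, resources=CONFIG_RESOURCES) -> list[str]:
    """Turn an object reference into the concrete addresses it stands for right now."""
    obj = OBJECTS[name]
    if obj["kind"] == "cidr":
        return [obj["value"]]
    addrs = sorted({r["privateIp"] for r in resources if r["tags"].get(obj["key"]) == obj["value"]})
    if not addrs:
        # An object that matches nothing must not silently become an empty or catch-all list.
        raise ValueError(f"object {name!r} currently resolves to no resources")
    return addrs

def render_rules(rules=RULES, resources=CONFIG_RESOURCES, base_sid: int = 1000000) -> list[str]:
    """Render each rule as a Suricata-compatible stateful rule line (output format assumed)."""
    lines = []
    for i, r in enumerate(rules):
        src = ",".join(resolve_object(r["src"], resources))
        dst = ",".join(resolve_object(r["dst"], resources))
        lines.append(f'{r["action"]} {r["proto"]} [{src}] any -> [{dst}] {r["dport"]} (sid:{base_sid + i}; rev:1;)')
    return lines

def needs_update(previous_rules: list[str], current_rules: list[str]) -> bool:
    """Only push to ANFW when the rendered content changed since the previous scheduled run."""
    digest = lambda ls: hashlib.sha256("\n".join(ls).encode()).hexdigest()
    return digest(previous_rules) != digest(current_rules)
```

Each scheduled run would re-render from fresh aggregator data and call the update only when needs_update is true, which keeps a 10-minute schedule from producing a stream of no-op ANFW changes.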