Architecture overview - Dynamic Object and Rule Extensions for AWS Network Firewall

Architecture overview

The Dynamic Object and Rule Extensions for AWS Network Firewall solution has a two-tier architecture consisting of a business tier and a data tier. The business tier is built on Amazon API Gateway and AWS Lambda: the business logic resides predominantly in Lambda functions that manage the domain data, plus a periodically scheduled Lambda function that keeps the solution's data synchronized with the AWS Network Firewall (ANFW) instance. The data tier is Amazon DynamoDB, which stores the rule bundle, object, and rule data.

The architecture can be grouped into two logical components: 

  • Request orchestration

  • Automatic resource and rule synchronization, and ANFW configuration


Figure 1: Dynamic Object and Rule Extensions for AWS Network Firewall solution architecture

  1. Amazon API Gateway provides the primary interface for the user to interact with this solution, including endpoints to manage the domain entities. Domain entities include rule, object, rule bundle, and list audit information. Refer to the API schema in the GitHub repository for sample requests and information about updating the metadata.

  2. The request is forwarded to a Lambda handler function.

  3. (Optional) When enableOpa = true, the Lambda function invokes an ECS-hosted Open Policy Agent (OPA) cluster to validate the request based on its context. For example, the Lambda function can check whether the requester is allowed to perform the CreateObject action.

  4. The Lambda function reads from or writes to the domain entity tables in DynamoDB.

  5. An Amazon EventBridge rule is scheduled to invoke the Auto Config Lambda function. The frequency is based on the ruleResolutionInterval configuration; the default value is 10 minutes.

  6. The Auto Config Lambda function reads the domain entity data (rule bundles, rules, and objects) from Amazon DynamoDB.

  7. The Auto Config Lambda function queries the AWS Config aggregator to resolve each defined object that is referenced by a rule in the solution.

  8. The Auto Config Lambda function sends the resulting rule update to ANFW.
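The following added example (not the solution's own code) models steps 6 through 8 of the synchronization cycle in pure Python: domain data as the Lambda would read it from DynamoDB, a constructed stand-in for the AWS Config aggregator query, rendering of resolved objects into Suricata-style stateful rules, and the decision of whether ANFW needs an update. The object and rule schema, the `AGGREGATOR_VIEW` lookup, and the rule text format are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample of the domain data the Lambda reads from DynamoDB (step 6).
# The object and rule schema below is an assumption, not the solution's schema.
OBJECTS = {
    "web-tier": {"type": "tag", "key": "Role", "value": "web"},
    "db-subnet": {"type": "cidr", "value": "10.20.0.0/24"},
    "batch-tier": {"type": "tag", "key": "Role", "value": "batch"},  # no members yet
}
RULES = [
    {"id": "r1", "action": "pass", "proto": "tcp", "src": "web-tier", "dst": "db-subnet", "port": 5432},
    {"id": "r2", "action": "pass", "proto": "tcp", "src": "batch-tier", "dst": "db-subnet", "port": 5432},
]

# Constructed stand-in for the AWS Config aggregator query (step 7): tag -> private IPs.
AGGREGATOR_VIEW = {("Role", "web"): ["10.10.1.5", "10.10.1.6"]}

def resolve(obj: Dict) -> List[str]:
    """Resolve one object to its current addresses; an empty list means no members."""
    if obj["type"] == "cidr":
        return [obj["value"]]
    if obj["type"] == "tag":
        return AGGREGATOR_VIEW.get((obj["key"], obj["value"]), [])
    raise ValueError(f"unknown object type: {obj['type']}")

def render_rules(rules: List[Dict], objects: Dict) -> Tuple[List[str], List[str]]:
    """Render rules as Suricata-style stateful rules. A rule whose object resolved to
    nothing is skipped and reported rather than rendered with an open address field."""
    rendered, skipped = [], []
    for i, r in enumerate(rules, start=1):
        src, dst = resolve(objects[r["src"]]), resolve(objects[r["dst"]])
        if not src or not dst:
            skipped.append(r["id"])
            continue
        rendered.append(
            f'{r["action"]} {r["proto"]} [{",".join(src)}] any -> [{",".join(dst)}] '
            f'{r["port"]} (msg:"{r["id"]}"; sid:{1000000 + i}; rev:1;)'
        )
    return rendered, skipped

def plan_update(current: List[str], rules: List[Dict], objects: Dict) -> Dict:
    """Step 8 decision: push to ANFW only when the rendered rule set differs from
    what the firewall already has, so the scheduled run is idempotent."""
    rendered, skipped = render_rules(rules, objects)
    return {"changed": sorted(rendered) != sorted(current), "rules": rendered, "skipped": skipped}
```

Rules whose objects currently resolve to no resources are reported in `skipped` instead of being written, so a tag with no matching instances never widens a rule to `any`.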