Automated deployment - Firewall Automation for Network Traffic on AWS

Automated deployment

Before you launch the solution, review the architecture overview, components and deployment considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 7 minutes. The AWS CodePipeline can take up to 10 minutes to deploy AWS Network Firewall resources.

Prerequisites

The solution requires AWS Network Firewall to be available in the Region. For more information, refer to Deployment considerations.

Update the AWS Network Firewall log destination

If you have previously deployed this solution, updating the stack does not by itself change the AWS Network Firewall log destination: you must start the AWS CodePipeline manually to apply the update. Do not edit the AWS Network Firewall configuration directly to release the change. To start the AWS CodePipeline manually, refer to Start a pipeline manually in the AWS CodePipeline User Guide.

To modify the AWS Network Firewall, firewall policy, and rule groups, refer to Configuring resources for network firewall.

Deployment overview

Use the following steps to deploy this solution on AWS. For detailed instructions, follow the links for each step.

Step 1. Launch the stack

  • Launch the AWS CloudFormation template into your AWS account.

  • Enter values for the parameters: Stack Name, Transit Gateway ID, Transit Gateway route table(s), and Firewall Logging Configuration (the Transit Gateway parameters are optional; see the parameter tables in Step 1).

  • Review the other template parameters, and adjust if necessary.

Step 2. Modify AWS Network Firewall, firewall policies, rule groups

  • After the stack is successfully created, the AWS CodePipeline is initiated by CloudFormation.

  • Modify the AWS Network Firewall, firewall policies, and rule groups. For details, refer to Configuring resources for network firewall.

Step 1. Launch the stack

This automated AWS CloudFormation template deploys Firewall Automation for Network Traffic on AWS in the AWS Cloud.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost section in this guide and to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console and select the button to launch the aws-network-firewall-deployment-automations-for-aws-transit-gateway AWS CloudFormation template.

    [Image: AWS Network Firewall Deployment Automations launch button]

    Alternatively, you can download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution uses AWS Network Firewall, which is currently available in select AWS Regions only. You must launch this solution in an AWS Region that supports this service. For the most current availability by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Limits in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values:

    VPC configuration

    Parameter: Provide the CIDR block for the inspection VPC
    Default: 192.168.1.0/26
    Description: CIDR block for the inspection VPC. Must be a /26 or larger CIDR block (that is, a prefix length of 26 or shorter).

    Transit Gateway configuration

    Parameter: Provide the existing AWS Transit Gateway ID you wish to attach to the Inspection VPC
    Default: <Optional input>
    Description: The existing AWS Transit Gateway ID in the current Region. Example: tgw-a1b2c3d4e5

    Note

    If the AWS Transit Gateway ID is removed or changed and the stack is updated, the AWS Transit Gateway attachment is not deleted from the account. The attachment has to be deleted manually.

    Parameter: Provide the AWS Transit Gateway Route Table to be associated with the Inspection VPC TGW Attachment
    Default: <Optional input>
    Description: ID of the existing AWS Transit Gateway route table to associate with the attachment, for example the firewall route table. Example: tgw-rtb-0a1b2c3d

    Note

    If the AWS Transit Gateway route table ID is removed and the stack is updated, the AWS Transit Gateway attachment is not deleted from the account. The attachment has to be deleted manually.

    Parameter: Provide the AWS Transit Gateway Route Table to receive 0.0.0.0/0 route to the Inspection VPC TGW Attachment
    Default: <Optional input>
    Description: ID of the existing AWS Transit Gateway route table that receives the 0.0.0.0/0 route (route propagation), for example the spoke VPC route table. Example: tgw-rtb-183ae12f

    Note

    If the AWS Transit Gateway ID, the route table ID for association, or the route table ID for the default route is removed and the stack is updated, the 0.0.0.0/0 route entry in that AWS Transit Gateway route table is not deleted. The route has to be deleted manually.

    Firewall Logging configuration

    Parameter: Select the type of log destination for the Network Firewall
    Default: CloudWatchLogs
    Description: The type of storage destination for logs. You can send logs to an Amazon S3 bucket or an Amazon CloudWatch log group.

    Note

    The default value is CloudWatchLogs, for which the solution creates a log group for the firewall logs. You can instead store logs in an Amazon S3 bucket. If no logging needs to be configured, select ConfigureManually.

    If this parameter is changed after the first deployment, the AWS CodePipeline must be started manually to update the log destination. For details, refer to Solution components.

    Parameter: Select the type of log to send to the defined log destination
    Default: FLOW
    Description: The type of log to send. Alert logs report traffic that matches a stateful rule with an action setting that sends an alert log message. Flow logs are standard network traffic flow logs.

    Note

    You can set this to ALERT logs or enable both types of logs. For details, refer to Logging network traffic from AWS Network Firewall in the AWS Network Firewall Developer Guide.

    Parameter: Select the log retention period for Network Firewall Logs
    Default: 90
    Description: Log retention period in days. This setting also applies to the retention period of the Inspection VPC Flow Logs.

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 7 minutes.

    After AWS CloudFormation completes the stack creation, the AWS CodePipeline created by the solution will continue to run until all the AWS Network Firewall resources are created.
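The console steps above, together with the manual pipeline start required after a log destination change (see Update the AWS Network Firewall log destination), as a scripted equivalent. This is an added example and not code shipped with the solution: it validates the parameters against the constraints stated on this page (a /26 or larger inspection VPC CIDR, well-formed tgw- and tgw-rtb- IDs, the listed log destination and log type values, a CloudWatch Logs retention period), builds the CloudFormation create_stack request with the IAM capability acknowledgement, and with execute=True submits it through boto3 after checking that AWS Network Firewall is offered in the chosen Region. The template parameter keys in KEYS, the template URL, and the "EnableBoth" log type value are assumptions; read the real keys from aws cloudformation get-template-summary before running it against an account.

```python
"""Scripted launch of the Firewall Automation for Network Traffic on AWS stack.
Added example, not the solution's own code. KEYS are assumed parameter names;
confirm them with `aws cloudformation get-template-summary --template-url <url>`.
"""
import ipaddress
import re

# Logging values named on the page; the value enabling both log types is not
# shown there, so "EnableBoth" is an assumption.
LOG_DESTINATIONS = {"CloudWatchLogs", "S3", "ConfigureManually"}
LOG_TYPES = {"FLOW", "ALERT", "EnableBoth"}
# Retention periods CloudWatch Logs accepts (the template may allow fewer).
CW_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                     731, 1096, 1827, 2192, 2557, 2922, 3288, 3653}
TGW_ID = re.compile(r"^tgw-[0-9a-f]{8,17}$")
TGW_RTB_ID = re.compile(r"^tgw-rtb-[0-9a-f]{8,17}$")
KEYS = {  # hypothetical template parameter keys; map them to the real ones
    "vpc_cidr": "VpcCidr", "tgw_id": "TransitGatewayId",
    "tgw_rtb_assoc": "TgwRouteTableAssociation",
    "tgw_rtb_propagation": "TgwRouteTablePropagation",
    "log_destination": "LogDestinationType", "log_type": "LogType",
    "retention_days": "LogRetentionPeriod",
}
DEFAULTS = {  # defaults listed on the page; empty strings mean "not provided"
    "vpc_cidr": "192.168.1.0/26", "tgw_id": "", "tgw_rtb_assoc": "",
    "tgw_rtb_propagation": "", "log_destination": "CloudWatchLogs",
    "log_type": "FLOW", "retention_days": 90,
}


def validate(params):
    """Return the problems found; an empty list means the inputs are acceptable."""
    p = {**DEFAULTS, **params}
    errors = []
    try:
        net = ipaddress.ip_network(p["vpc_cidr"], strict=True)
        if net.version != 4 or net.prefixlen > 26:  # "/26 or larger" = prefix <= 26
            errors.append(f"inspection VPC CIDR {p['vpc_cidr']} is smaller than /26")
    except ValueError as exc:
        errors.append(f"bad CIDR: {exc}")
    if p["tgw_id"] and not TGW_ID.match(p["tgw_id"]):
        errors.append(f"malformed Transit Gateway ID {p['tgw_id']}")
    for key in ("tgw_rtb_assoc", "tgw_rtb_propagation"):
        if p[key] and not TGW_RTB_ID.match(p[key]):
            errors.append(f"malformed Transit Gateway route table ID {p[key]}")
        if p[key] and not p["tgw_id"]:  # a route table needs the attachment the TGW ID creates
            errors.append(f"{key} set without a Transit Gateway ID")
    if p["log_destination"] not in LOG_DESTINATIONS:
        errors.append(f"log destination must be one of {sorted(LOG_DESTINATIONS)}")
    if p["log_type"] not in LOG_TYPES:
        errors.append(f"log type must be one of {sorted(LOG_TYPES)}")
    if p["retention_days"] not in CW_RETENTION_DAYS:
        errors.append(f"{p['retention_days']} is not a CloudWatch Logs retention period")
    return errors


def cfn_parameters(params):
    """Only explicitly set parameters are sent; the template supplies the rest."""
    return [{"ParameterKey": KEYS[k], "ParameterValue": str(v)}
            for k, v in params.items() if k in KEYS]


def deploy(stack_name, template_url, region, params, execute=False):
    """Build the create_stack request; with execute=True also submit it and wait."""
    errors = validate(params)
    if errors:
        raise ValueError("; ".join(errors))
    request = {
        "StackName": stack_name, "TemplateURL": template_url,
        "Parameters": cfn_parameters(params),
        # Same acknowledgement as the console checkbox for IAM resource creation.
        "Capabilities": ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"],
    }
    if not execute:
        return request
    import boto3  # imported late so validation and dry runs need no AWS SDK
    session = boto3.Session(region_name=region)
    if region not in session.get_available_regions("network-firewall"):
        raise RuntimeError(f"AWS Network Firewall is not offered in {region}")
    cfn = session.client("cloudformation")
    cfn.create_stack(**request)
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return request


def pipeline_name(stack_name, cfn):
    """Name of the CodePipeline the stack created, resolved by resource type."""
    for page in cfn.get_paginator("list_stack_resources").paginate(StackName=stack_name):
        for res in page["StackResourceSummaries"]:
            if res["ResourceType"] == "AWS::CodePipeline::Pipeline":
                return res["PhysicalResourceId"]
    return None


def restart_pipeline(stack_name, region):
    """Manual pipeline start the guide requires after changing the log destination."""
    import boto3
    session = boto3.Session(region_name=region)
    name = pipeline_name(stack_name, session.client("cloudformation"))
    resp = session.client("codepipeline").start_pipeline_execution(name=name)
    return resp["pipelineExecutionId"]
```

Run deploy() with execute=False first to inspect the request that would be sent. pipeline_name() finds the pipeline by its CloudFormation resource type rather than by a guessed name, and restart_pipeline() is the scripted form of the manual start the guide asks for after a logging change.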

Step 2. Modify the Network Firewall, firewall policies, and rule groups

After successfully deploying the stack, AWS CodePipeline initiates the AWS CodeBuild stages. Each stage validates and deploys the AWS Network Firewall components. After the deployment stage completes, you can view the AWS Network Firewall and firewall policy.

To modify the default AWS Network Firewall, firewall policy, and created rule groups, refer to Configuring resources for network firewall.
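The Notes under the Transit Gateway parameters in Step 1 state that removing the Transit Gateway ID or route table IDs and updating the stack leaves the inspection VPC attachment and the 0.0.0.0/0 route in place, to be removed by hand. The following added example (not part of the solution) finds those leftovers and emits the delete commands in a safe order, routes first and then the attachment. It works on the response shapes of the EC2 describe_transit_gateway_attachments and search_transit_gateway_routes calls, with a constructed sample embedded so it runs offline; the VPC, attachment, and route table IDs in the sample are made up.

```python
"""Find the Transit Gateway leftovers this stack does not clean up.
Added example, not part of the solution. The pure functions take the response
shapes of EC2 describe_transit_gateway_attachments / search_transit_gateway_routes,
so they run on the constructed sample below and on live data alike.
"""


def live_attachments(attachments, vpc_id):
    """IDs of non-deleted VPC attachments belonging to the inspection VPC."""
    return [a["TransitGatewayAttachmentId"] for a in attachments
            if a.get("ResourceType") == "vpc" and a.get("ResourceId") == vpc_id
            and a.get("State") not in ("deleted", "deleting")]


def stale_default_routes(routes_by_rtb, attachment_ids):
    """(route table, target) pairs for 0.0.0.0/0 routes that still point at one of
    the attachments, or that are already blackholed because the attachment is gone."""
    hits = []
    for rtb_id, routes in routes_by_rtb.items():
        for route in routes:
            if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") == "deleted":
                continue
            targets = [t.get("TransitGatewayAttachmentId")
                       for t in route.get("TransitGatewayAttachments", [])]
            if route.get("State") == "blackhole" or any(t in attachment_ids for t in targets):
                hits.append((rtb_id, targets[0] if targets else None))
    return hits


def cleanup_commands(attachments, routes_by_rtb, vpc_id):
    """AWS CLI commands in order: remove default routes first, then the attachment."""
    ids = live_attachments(attachments, vpc_id)
    cmds = [f"aws ec2 delete-transit-gateway-route --transit-gateway-route-table-id {rtb} "
            f"--destination-cidr-block 0.0.0.0/0"
            for rtb, _ in stale_default_routes(routes_by_rtb, ids)]
    cmds += [f"aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id {a}"
             for a in ids]
    return cmds


def collect(ec2, tgw_id, rtb_ids):
    """Fetch the same shapes from a boto3 EC2 client (needs credentials)."""
    atts = ec2.describe_transit_gateway_attachments(
        Filters=[{"Name": "transit-gateway-id", "Values": [tgw_id]}])["TransitGatewayAttachments"]
    routes = {rtb: ec2.search_transit_gateway_routes(
                  TransitGatewayRouteTableId=rtb,
                  Filters=[{"Name": "route-search.exact-match", "Values": ["0.0.0.0/0"]}])["Routes"]
              for rtb in rtb_ids}
    return atts, routes


# Constructed sample (made-up IDs): the stack was updated with the TGW parameters
# removed, but the inspection attachment and the spoke table's default route remain.
INSPECTION_VPC = "vpc-0f1e2d3c4b5a69780"
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0a1b2c3d4e5f67890", "TransitGatewayId": "tgw-a1b2c3d4e5",
     "ResourceType": "vpc", "ResourceId": INSPECTION_VPC, "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-0fedcba9876543210", "TransitGatewayId": "tgw-a1b2c3d4e5",
     "ResourceType": "vpc", "ResourceId": "vpc-0a0b0c0d0e0f01234", "State": "available"},
]
SAMPLE_ROUTES = {
    "tgw-rtb-183ae12f": [{"DestinationCidrBlock": "0.0.0.0/0", "Type": "static", "State": "active",
                          "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0a1b2c3d4e5f67890",
                                                         "ResourceId": INSPECTION_VPC, "ResourceType": "vpc"}]}],
    "tgw-rtb-0a1b2c3d": [{"DestinationCidrBlock": "10.0.0.0/16", "Type": "propagated", "State": "active",
                          "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0fedcba9876543210",
                                                         "ResourceId": "vpc-0a0b0c0d0e0f01234", "ResourceType": "vpc"}]}],
}

if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_ATTACHMENTS, SAMPLE_ROUTES, INSPECTION_VPC):
        print(cmd)
```

Routes are listed before the attachment because deleting the attachment first turns the default route into a blackhole; stale_default_routes() still reports a blackholed 0.0.0.0/0 route so the check remains useful if the order was not followed.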