Architecture overview - Firewall Automation for Network Traffic on AWS

Architecture overview


Figure 1: Firewall Automation for Network Traffic on AWS architecture

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

The AWS CloudFormation template deploys an inspection VPC with four subnets in randomly selected Availability Zones in the Region where the solution is deployed. Two of the subnets hold the Transit Gateway VPC attachments, which are created only if you provide an existing AWS Transit Gateway ID. The other two subnets hold the AWS Network Firewall endpoints, each in a randomly selected Availability Zone. The template creates a new AWS CodeCommit repository and a default network firewall configuration that allows all traffic, and it includes a set of examples to help you create new rule groups. Committing a change to the configuration package in the CodeCommit repository starts the AWS CodePipeline pipeline, which runs the following stages:

Validation stage – The Network Firewall configuration is validated by calling the AWS Network Firewall APIs with dry run mode enabled, so that unexpected issues surface before any actual change is attempted. This stage also checks the structure of the JSON files and verifies that every file referenced in the configuration exists in the package.

Deployment stage – This stage creates a new Network Firewall, Network Firewall policy, and rule groups; if any of these resources already exist, they are updated instead. The stage also detects drift from the configuration stored in the AWS CodeCommit repository and remediates it by applying the latest configuration. If one rule group change fails, all rule group changes are rolled back to their original state. Appliance mode is turned on for the Transit Gateway VPC attachment to avoid asymmetric traffic. For more information, refer to Appliance in a shared services VPC.
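The validation stage above combines two kinds of check: local structural checks on the package (valid JSON, every referenced file present) and a dry run against the Network Firewall API. The following is an added example of those checks, not the solution's own pipeline code. The package layout it assumes is hypothetical: a `firewall-policy.json` whose `RuleGroupReferences` list names rule group JSON files that must be present in the package, each carrying the fields the `CreateRuleGroup` API requires. `DryRun=True` is a real `CreateRuleGroup` parameter; the `FakeDryRunClient` is a constructed stand-in for `boto3.client("network-firewall")` so the example runs offline.

```python
"""Validation-stage checks for a Network Firewall configuration package.

Added example, not the solution's own code. Assumed package layout:
firewall-policy.json lists, under "RuleGroupReferences", the rule group JSON
files that must also be in the package; each rule group file carries the
fields CreateRuleGroup requires (RuleGroupName, Type, Capacity, RuleGroup).
"""
import json
from typing import Dict, List

REQUIRED_RULE_GROUP_FIELDS = ("RuleGroupName", "Type", "Capacity", "RuleGroup")

# Constructed sample package: file name -> file text, standing in for the
# files a pipeline stage would read from the checked-out repository.
SAMPLE_PACKAGE: Dict[str, str] = {
    "firewall-policy.json": json.dumps({
        "FirewallPolicyName": "inspection-policy",
        "RuleGroupReferences": [
            "rule-groups/block-list.json",    # present and valid
            "rule-groups/missing.json",       # referenced but absent from the package
            "rule-groups/bad-capacity.json",  # structurally fine, rejected by the dry run
        ],
    }),
    "rule-groups/block-list.json": json.dumps({
        "RuleGroupName": "block-list",
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {"RulesSource": {"RulesString": "drop ip any any -> any any (sid:1;)"}},
    }),
    "rule-groups/bad-capacity.json": json.dumps({
        "RuleGroupName": "bad-capacity",
        "Type": "STATELESS",
        "Capacity": 0,
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": []}}},
    }),
}


def validate_package(package: Dict[str, str]) -> List[str]:
    """Structural checks. Returns a list of problems; an empty list means the package passed."""
    problems: List[str] = []
    try:
        policy = json.loads(package["firewall-policy.json"])
    except KeyError:
        return ["firewall-policy.json is missing from the package"]
    except json.JSONDecodeError as exc:
        return [f"firewall-policy.json is not valid JSON: {exc}"]

    refs = policy.get("RuleGroupReferences")
    if not isinstance(refs, list):
        return ["firewall-policy.json: RuleGroupReferences must be a list"]

    for ref in refs:
        if ref not in package:  # the "referenced file exists" check of the validation stage
            problems.append(f"referenced file does not exist in the package: {ref}")
            continue
        try:
            group = json.loads(package[ref])
        except json.JSONDecodeError as exc:
            problems.append(f"{ref} is not valid JSON: {exc}")
            continue
        missing = [f for f in REQUIRED_RULE_GROUP_FIELDS if f not in group]
        if missing:
            problems.append(f"{ref}: missing required fields {missing}")
    return problems


def dry_run_rule_groups(package: Dict[str, str], client) -> Dict[str, str]:
    """Ask the service to check each referenced rule group without creating it.

    `client` is any object with a boto3-style create_rule_group method; a real
    caller passes boto3.client("network-firewall"). With DryRun=True the
    service validates permissions and request content but changes nothing.
    Files that fail the structural checks are skipped rather than sent.
    """
    results: Dict[str, str] = {}
    policy = json.loads(package["firewall-policy.json"])
    for ref in policy.get("RuleGroupReferences", []):
        if ref not in package:
            results[ref] = "skipped: file not in package"
            continue
        group = json.loads(package[ref])
        if any(f not in group for f in REQUIRED_RULE_GROUP_FIELDS):
            results[ref] = "skipped: missing required fields"
            continue
        try:
            client.create_rule_group(DryRun=True, **{f: group[f] for f in REQUIRED_RULE_GROUP_FIELDS})
            results[ref] = "ok"
        except Exception as exc:  # boto3 raises ClientError when a dry run is rejected
            results[ref] = f"rejected: {exc}"
    return results


class FakeDryRunClient:
    """Constructed stand-in for the Network Firewall client so the example runs offline.

    It models a single rejection (non-positive Capacity); the real service checks
    much more, such as rule syntax, capacity against the rules, and quotas.
    """

    def create_rule_group(self, **kwargs):
        if kwargs.get("DryRun") is not True:
            raise AssertionError("validation stage must only dry run")
        if kwargs["Capacity"] <= 0:
            raise ValueError("Capacity must be positive")
        return {"RuleGroupResponse": {"RuleGroupName": kwargs["RuleGroupName"]}}


if __name__ == "__main__":
    for problem in validate_package(SAMPLE_PACKAGE):
        print("structure:", problem)
    for ref, outcome in dry_run_rule_groups(SAMPLE_PACKAGE, FakeDryRunClient()).items():
        print("dry run:", ref, outcome)
```

Running the structural checks before the API calls keeps a broken package from ever reaching the service, and the dry run catches what local checks cannot, such as a request the caller lacks permission for; a pipeline would fail the stage on any non-empty problem list or any non-"ok" dry-run outcome.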

The solution also creates an Amazon VPC route table for each Availability Zone with a default route whose target is the Amazon VPC endpoint for AWS Network Firewall in that zone. A shared route table for the firewall subnets is also created, with a default route whose target is the transit gateway. This second route is only created if a transit gateway ID is provided in the AWS CloudFormation input parameters.