CNFS Dynamic Object and Rule Expansion for Network Firewall Solution Architecture
1. The CNFS API Gateway provides the primary interface through which the user interacts with this solution, including endpoints to manage the domain entities. Domain entities include rule, object, rule bundle, and list audit information.
2. The request is forwarded to a CNFS Lambda handler function.
3. (Optional) When enableOpa = true, the Lambda function invokes an ECS-hosted OPA cluster to validate the request against its context. For example, the Lambda function can validate whether the requester is allowed to perform the CreateObject action.
4. The Lambda function reads from or writes to the domain entity tables in CNFS DynamoDB.
5. A CNFS EventBridge rule is scheduled to invoke the Auto Config Lambda function. The frequency is based on the ruleResolutionInterval configuration; the default value is 10 minutes.
6. The auto config Lambda function requests domain entity data such as rule bundle, rule, and object from CNFS DynamoDB.
7. The auto config Lambda function queries the CNFS Config aggregator to resolve the defined objects referenced by rules in the solution.
8. The auto config Lambda function sends an update request to CNFS Network Firewall.
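The following is an added illustration of the resolution-and-expansion work done in steps 6 through 8; it is not the solution's own code. It assumes two object types, an Address object holding a CIDR and a Tagged object that selects resources by resource type and tag, a hypothetical inventory shaped like what a Config aggregator query might return, and Suricata-compatible rule strings as the firewall's input; all resource ids, addresses, and tags are constructed for the example. The point it adds to the description above is the failure mode: an object that resolves to no resources produces no rule rather than a rule with an empty address group, and the caller is told which rules were skipped.

```python
import hashlib
import ipaddress

# Constructed inventory standing in for a Config aggregator query result
# (hypothetical resource ids, tags, and private addresses).
CONFIG_ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0001",
     "tags": {"role": "web"}, "privateIp": "10.0.1.10"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0002",
     "tags": {"role": "web"}, "privateIp": "10.0.1.11"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0003",
     "tags": {"role": "batch"}, "privateIp": "10.0.2.20"},
]

# Constructed domain entities standing in for the object and rule tables.
# "Address" and "Tagged" are assumed object types for this example.
OBJECTS = {
    "web-servers": {"type": "Tagged", "resourceType": "AWS::EC2::Instance",
                    "tags": {"role": "web"}},
    "db-servers": {"type": "Tagged", "resourceType": "AWS::EC2::Instance",
                   "tags": {"role": "db"}},        # matches nothing in CONFIG_ITEMS
    "corp-net": {"type": "Address", "cidr": "192.168.0.0/16"},
}
RULES = [
    {"id": "allow-web-egress", "sid": 1000, "action": "pass", "protocol": "tcp",
     "source": "web-servers", "destination": "corp-net", "destPort": "443"},
    {"id": "allow-db", "sid": 1001, "action": "pass", "protocol": "tcp",
     "source": "corp-net", "destination": "db-servers", "destPort": "5432"},
]


def resolve_object(obj, config_items):
    """Return the sorted list of CIDRs an object currently stands for."""
    if obj["type"] == "Address":
        # Normalise the CIDR so equivalent spellings compare equal later.
        return [str(ipaddress.ip_network(obj["cidr"], strict=False))]
    if obj["type"] == "Tagged":
        wanted = obj["tags"].items()
        hits = [ci for ci in config_items
                if ci["resourceType"] == obj["resourceType"]
                and all(ci.get("tags", {}).get(k) == v for k, v in wanted)]
        return sorted(f"{ci['privateIp']}/32" for ci in hits)
    raise ValueError(f"unknown object type {obj['type']!r}")


def expand_rule(rule, objects, config_items):
    """Expand one rule into a Suricata rule line, or None if it cannot be resolved."""
    src = resolve_object(objects[rule["source"]], config_items)
    dst = resolve_object(objects[rule["destination"]], config_items)
    if not src or not dst:
        # Fail closed: an empty address group is not a valid rule, and silently
        # widening it to "any" would grant more than the author intended.
        return None
    group = lambda cidrs: "[" + ",".join(cidrs) + "]"
    return (f"{rule['action']} {rule['protocol']} {group(src)} any -> "
            f"{group(dst)} {rule['destPort']} "
            f"(msg:\"{rule['id']}\"; sid:{rule['sid']}; rev:1;)")


def build_rule_set(rules, objects, config_items):
    """Expand every rule; return (rule text, ids of rules that were skipped)."""
    lines, skipped = [], []
    for rule in rules:
        line = expand_rule(rule, objects, config_items)
        (lines if line else skipped).append(line if line else rule["id"])
    return "\n".join(lines), skipped


def rule_set_digest(text):
    """Stable digest so the scheduled run can skip the firewall update when
    nothing changed since the previous resolution."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    text, skipped = build_rule_set(RULES, OBJECTS, CONFIG_ITEMS)
    print(text)
    print("skipped (unresolved objects):", skipped)
    print("digest:", rule_set_digest(text))
```

On the inventory above, only allow-web-egress is emitted, with the two role=web instances expanded into a two-entry source group, and allow-db is reported as skipped because nothing carries role=db. Comparing the digest with the one stored from the previous run lets the scheduled function avoid sending an unchanged rule set to the firewall each interval.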