Open in app

Sign in

Write

Sign in

Effortless AWS Network Firewall Rule Creation with Terraform: A Step-by-Step Guide

Akesh Patil
7 min readSep 10, 2023

--

In the ever-evolving landscape of cloud infrastructure, managing and securing network traffic is a paramount concern. AWS Network Firewall provides a powerful solution for protecting your AWS resources from unauthorized access, but configuring its rules manually can be a time-consuming and error-prone process.

In this blog post, we will delve into the world of Terraforming AWS Network Firewall rules creation. We will explore how we can simplify and streamline rules creation for AWS Network Firewall

By the end of this post, you’ll be armed with the knowledge to create, modify, and version control your AWS Network Firewall rules with ease, all while ensuring the utmost security for your cloud resources.

So, let’s embark on this exciting adventure into the realm of Terraforming AWS Network Firewall rules creation and discover how this powerful combination can revolutionize your network security practices in the cloud.

AWS Network Firewall Overview

AWS Network Firewall is a managed firewall service that provides network security in AWS. It enables you to create and manage firewall policies that control traffic flowing through your Amazon VPCs and across AWS Transit Gateway.

The service works by inspecting network traffic against a set of rules that you define in a firewall policy. You can create rules based on IP addresses, domains, ports, protocols, and other criteria. When traffic matches a rule, the firewall takes the specified action, such as allowing or blocking the traffic.

AWS Network Firewall supports both stateful and stateless rules, and it integrates with AWS Firewall Manager for centralized management of firewall policies across multiple accounts and VPCs. The service also provides logging and monitoring capabilities, including integration with Amazon CloudWatch and AWS Config.

AWS Network Firewall rule groups are either stateless or stateful. Stateless rule groups evaluate packets in isolation, while stateful rule groups evaluate them in the context of their traffic flow. You can create and manage the following categories of rule groups in Network Firewall:

  • Stateless — Defines standard network connection attributes for examining a packet on its own, with no additional context.
  • Stateful — Defines criteria for examining a packet in the context of traffic flow and of other traffic that’s related to the packet.

Network Firewall uses a Suricata rules engine to process all stateful rules. You can write any of your stateful rules in Suricata compatible format. Alternately, for domain list rules and for very basic rules, you can use an easy entry form provided by Network Firewall. Stateful rule groups are available in the following categories:

  • Suricata compatible rule strings — Provides match and action settings, in Suricata compatible format. You can provide all of your stateful rules through this method if you want to.
  • Domain list — Defines a list of domain names and specifies the protocol type to inspect.
  • Standard stateful rules — Defines standard network connection attributes for examining a packet within the context of a traffic flow.

By combining these rule types, you can create comprehensive firewall policies to enforce security and control over your network traffic within AWS.

This blog post emphasizes on the automation of creating standard stateful rules or 5 Tuple rules and Domain list rules. To understand how these rules can be created using ClickOps, you may refer AWS Documentation and can understand it involves multiple configurations before successfully creating any rule.

Let’s now understand how we can use Terraform to simplify this process and create these rules. Following section explains how to decouple the rules content from actual Terraform code using external files e.g. text files or CSV files etc.

Automate Domain list rule

  1. Create a folder in your terraform root directory. If you have multiple environments, I recommend creating a separate folder for each environment.

2. Create a txt file with appropriate name in the folder. I have created nonprod-whitelisted-domains.txt in my project

3. Include all the domains and subdomains that you wish to whitelist on domain list rule in this txt file. Each record can be added on a new row

4. Create Terraform resource to create firewall rule using following code block. Replace string YOUR_SOURCE_CIDR with your VPC CIDR

resource "aws_networkfirewall_rule_group" "allow_domains_for_nonprod_01" {
  capacity    = 2000
  name        = "nonprod-egress-domainlist-allow-domains-to-internet-01"
  description = "Allow egress internet access for Non-Production environment"
  type        = "STATEFUL"
  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["YOUR_SOURCE_CIDR"]
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets = [
          for line in split("\n", file("./nonprod-files/nonprod-whitelisted-domains.txt")) : trim(line, " \r")
        ]
      }
    }
  }
}

5. This Terraform code will read the txt file and create firewall rule nonprod-egress-domainlist-rule-01 on AWS Network Firewall. This looks like following on AWS console

6. If you wish to add a new domain or subdomain in the list, you just update your txt file with required domain and just apply the terraform code without making any changes to terraform code. After successful execution, you can see a new domain/subdomain in the rule group.

Automate custom /5 Tuple rules

  1. There are two options for organizing your Terraform files when working with domain rules. You can either create a new folder specifically for 5 Tuple rules, or you can use the same folder that you created for all of your environment files. In my case, I chose to use the same folder for all of my environment files, including the domain rule file.
  2. Create a CSV file to specify data required for creating 5 tuple rule on firewall

3. Update CSV file with the required data. You may create additional columns for all the fields you wish to manage through this CSV. e.g. Source IPs/CIDR, Destination IP/CIDR Protocol, Port, Action etc. To keep it simple, I have used source CIDR and destination CIDR

When specifying values for the source and destination fields, you have the option to separate multiple values using commas. In my case, I chose to use multiple comma-separated values for the destination field.

4. Create Data resources in your Terraform code using following block.

data "local_file" "prod-connectivity-data" {
  filename = "${path.module}/prod-files/prod-connectivity-data.csv"
}

data "local_file" "nonprod-connectivity-data" {
  filename = "${path.module}/nonprod-files/nonprod-connectivity-data.csv"
}

5. Create Terraform resource to dynamically create 5 Tuple rules using this CSV data. Following is the code block for creating 5 Tuple rule using non-prod CSV file.

resource "aws_networkfirewall_rule_group" "nonprod-5tuple-rule-01" {
  capacity = 1000
  name     = "nonprod-5tuple-rule-01"
  type     = "STATEFUL"
  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      dynamic "stateful_rule" {
        for_each = local.nonprod-connectivity-data
        content {
          action = "PASS"
          header {
            destination      = stateful_rule.value.Destination
            destination_port = "ANY"
            direction        = "FORWARD"
            protocol         = "IP"
            source_port      = "ANY"
            source           = stateful_rule.value.Source
          }
          rule_option {
            keyword  = "sid"
            settings = [stateful_rule.key + 1]
          }
        }
      }
    }
  }
}

In this code block, you may notice that we are using CSV column names to fetch respective column value from the CSV.

6. This is how this rule looks like on AWS console.

Rule 1

Rule 2

7. If you wish to add a new rule in the rule group, you just need to add a new row in the CSV with required values and apply terraform code on your infrastructure. This will create a new rule without any Terraform code changes.

Conclusion

This blog post provides a step-by-step guide to automating AWS Network Firewall rule creation using Terraform. The post explains how AWS Network Firewall works and what types of rule groups it supports. It then goes on to describe how to automate the creation of domain list rules and custom/5 Tuple rules using Terraform. The post includes code snippets and screenshots to illustrate the process. By the end of the post, readers will have the knowledge to create, modify, and version control their AWS Network Firewall rules with ease, all while ensuring the utmost security for their cloud resources.

AWS
Aws Network Firewall
Automation
Terraform

--

--

Akesh Patil

Written by Akesh Patil

66 Followers

I am a proud AWS Ambassador working as a Sr. Cloud Architect & expertise in Full Stack Development, Cloud Consulting & Solutioning, DevOps & Infra Automations.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams