AWS Network Firewall using AWS Firewall Manager with Terraform | Part 1

binbash, published Oct 8, 2021

This article is based on our experience with dozens of AWS customer projects at https://www.binbash.com.ar, specifically on the AWS Network Firewall feature of the Binbash Leverage Reference Architecture. The original article that inspired it was written by Luis Gallardo (Cloud Solutions Architect at Binbash).

Overview

In this article we introduce the fundamentals of our AWS Network Firewall strategy; Part 2 of the post shows how to deploy it in a multi-account architecture with AWS Firewall Manager and Terraform.

Figure: AWS Network Firewall (Source: AWS Network Firewall)

As part of the best practices and the Well-Architected Framework, AWS offers several managed services you can take advantage of to deploy security policies across your AWS Organization. Two of those services are AWS Network Firewall and AWS Firewall Manager. In this post we are going to see how to deploy Network Firewall rules in a centralized network account, as proposed in the Binbash Leverage Reference Architecture for AWS, using Terraform.

AWS Network Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your VPCs. It scales automatically with your network traffic, so you do not have to deploy or manage any underlying infrastructure.

AWS Network Firewall includes features that provide protections from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. It also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.

Some of the benefits of AWS Network Firewall are:

  • Managed infrastructure for high availability
  • Flexible protection through fine-grained controls
  • Consistent policy management across VPCs and accounts

How does it work?

AWS Network Firewall protects the subnets within your VPC by filtering traffic going between the subnets and locations outside of your VPC. The following example figure depicts the placement of a firewall in a simple architecture.

Figure: AWS Network Firewall deployed in a single AZ and traffic flow for a workload in a public subnet (Source: Deployment models for AWS Network Firewall)

To enable the firewall’s protection, you have to modify your VPC route tables to send your network traffic through the Network Firewall endpoints, where the firewall evaluates the stateless and stateful rules you defined previously.

You can combine Network Firewall with the services and components you already use with your VPC, such as Internet gateways, NAT gateways, VPNs or Transit gateways, to build more elaborate architectures, such as the ones explained in the Deployment models for AWS Network Firewall post.
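The route-table changes described above, written out as an added example for the single-AZ-per-endpoint public-subnet model of the figure (this is not code from the post or from the binbash module). It assumes a firewall policy ARN, the VPC and its Internet gateway, and one firewall subnet plus one workload CIDR per AZ as inputs.

```hcl
# Added example (not from the post or the binbash module). Assumed inputs: a firewall
# policy ARN, the VPC and its IGW, and maps keyed by AZ name of firewall subnet ids/CIDRs.
variable "vpc_id" { type = string }
variable "igw_id" { type = string }
variable "firewall_policy_arn" { type = string }
variable "firewall_subnet_ids" { type = map(string) }    # "us-east-1a" => firewall subnet id
variable "protected_subnet_cidrs" { type = map(string) } # "us-east-1a" => workload CIDR

resource "aws_networkfirewall_firewall" "this" {
  name                = "example-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = var.firewall_policy_arn
  dynamic "subnet_mapping" {
    for_each = var.firewall_subnet_ids
    content { subnet_id = subnet_mapping.value }
  }
}

# One endpoint is created per mapped subnet; index them by AZ so each route stays in its own AZ.
locals {
  fw_endpoint_by_az = {
    for s in aws_networkfirewall_firewall.this.firewall_status[0].sync_states :
    s.availability_zone => s.attachment[0].endpoint_id
  }
}

# Workload subnets: default route to the firewall endpoint of the same AZ.
resource "aws_route_table" "protected" {
  for_each = var.protected_subnet_cidrs
  vpc_id   = var.vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint_by_az[each.key]
  }
}
# Ingress route table attached to the IGW: inbound traffic for each workload CIDR is
# steered through that AZ's endpoint, so both directions of a flow are inspected.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.vpc_id
  dynamic "route" {
    for_each = var.protected_subnet_cidrs
    content {
      cidr_block      = route.value
      vpc_endpoint_id = local.fw_endpoint_by_az[route.key]
    }
  }
}
resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_ingress.id
}
```

The firewall subnets keep their usual route table (0.0.0.0/0 to the Internet gateway) and the workload subnets must be associated with their "protected" route table; both are omitted here for brevity. Keeping every route inside one AZ matters because a flow that leaves through one endpoint and returns through another is asymmetric and is not tracked by the stateful engine.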

Deploying AWS Network Firewall and rules using Terraform

You can deploy the resources needed for your Network Firewall (security policies, stateless and stateful rules) using Binbash’s Leverage terraform-aws-network-firewall module as follows:

Deny domain access example

module "firewall" {
  source      = "github.com/binbashar/terraform-aws-network-firewall.git"
  name        = "firewall"
  description = "AWS Network Firewall example"
  vpc_id      = "vpc-12345678910111213"
  subnet_mapping = {
    us-east-1a = "subnet-23456780101112131"
    us-east-1b = "subnet-13121110987654321"
  }

  # Stateless rule groups
  stateless_rule_groups = {
    stateless-group-1 = {
      description = "Stateless rules"
      priority    = 1
      capacity    = 100
      # stateless-group-1 rules
      rules = [
        {
          priority  = 2
          actions   = ["aws:drop"]
          protocols = [1]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
        {
          priority = 10
          actions  = ["aws:forward_to_sfe"]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
      ]
    }
  }

  # Stateful rules
  stateful_rule_groups = {
    # rules_source_list examples
    stateful-group-1 = {
      description = "Stateful Inspection for denying access to domains"
      capacity    = 100
      #rule_variables = {}
      rules_source_list = {
        generated_rules_type = "DENYLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".bad-domain.org", ".evil-domain.com"]
      }
    }
  }
}

This example creates two stateless rules: one drops ICMP traffic (protocol 1) and the other forwards all remaining traffic to the stateful engine so the stateful rules get evaluated. It also creates a stateful rule group that denies access to a couple of domains: ".bad-domain.org" and ".evil-domain.com".

Notice that the whole domain and all of its subdomains are blocked because the target starts with a leading “.”, which acts as a wildcard before the domain name.

Once deployed, in the VPC section of the AWS Console you will see something similar to these screenshots:

Figure: AWS Network Firewalls list
Figure: AWS Firewall Manager status
Figure: List of stateless and stateful rules

For the stateful rule, you will see a screen similar to these ones:

Figure: Network firewall stateful rule
Figure: Traffic, source IPs and tags of the stateful rule

Using this module you can create the Network Firewall, the security policy, and the stateless and stateful rules all at once, but you can also use it to define just the stateless or stateful rules without creating the Network Firewall. For a complete example, please refer to the module’s complete example and check all the options available through its input variables.

This approach is convenient when you have few Network Firewall resources to deploy, but when you need to deploy and enforce a set of rules across several accounts in your AWS Organization, a better approach is to use AWS Firewall Manager.

AWS Firewall Manager

Check how to deploy the AWS Network Firewall solution with AWS Firewall Manager in the 2nd part of our post: “AWS Network Firewall using AWS Firewall Manager with Terraform | Part 2”
