sourav chakraborty

Getting Started with AWS Network Firewall

AWS Network Firewall is a managed service that provides network protection for all of your Amazon Virtual Private Clouds (VPCs), so that your traffic is inspected, monitored, and logged.

When AWS Network Firewall inspects a packet, it first evaluates the packet against the rules in the policy's stateless rule groups, using the stateless rules engine. Then, depending on the outcome of that inspection and on other settings in the policy, it may evaluate the packet against the rules in the policy's stateful rule groups, using the stateful rules engine.

VPC route table for the firewall subnet
The firewall needs a dedicated subnet; no other resource should be placed in this subnet.

Public Subnet RT


Private subnet RT
Private subnet traffic is routed to the NAT gateway.

NAT subnet RT
The NAT gateway also needs a dedicated subnet; traffic leaving that subnet is routed to the firewall endpoint.

Firewall incoming RT


This route table requires an edge association (with the internet gateway); no subnet association is required.
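The route tables above only do their job if every path between the private subnet and the internet gateway crosses the firewall endpoint in both directions. The following Python model, added here as an example and not taken from the post or from AWS, performs longest-prefix-match lookups over constructed route tables laid out the way the post describes (private subnet to NAT gateway, NAT subnet to firewall endpoint, firewall subnet to IGW, and an IGW ingress table steering return traffic for the NAT subnet back through the firewall endpoint). The CIDRs, table names and the "bypass" variant are assumptions made for the example; the check it adds is whether a traced path actually contains the firewall endpoint.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route tables modelled on the layout the post describes:
# private subnet -> NAT gateway -> firewall endpoint -> internet gateway,
# with an ingress route table (edge-associated to the IGW) steering return
# traffic for the NAT subnet back through the firewall endpoint.
# All names and CIDRs are constructed for this example.
VPC_CIDR = "10.0.0.0/16"
NAT_SUBNET = "10.0.2.0/24"

RouteTable = List[Tuple[str, str]]  # (destination CIDR, target)

ROUTE_TABLES: Dict[str, RouteTable] = {
    "private-rt":     [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-gw")],
    "nat-rt":         [(VPC_CIDR, "local"), ("0.0.0.0/0", "fw-endpoint")],
    "firewall-rt":    [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")],
    "igw-ingress-rt": [(NAT_SUBNET, "fw-endpoint")],
}

# Which route table is consulted after a packet reaches a given target.
# "igw" and "local" are terminal: the packet leaves the VPC or is delivered.
NEXT_TABLE = {"nat-gw": "nat-rt", "fw-endpoint": "firewall-rt"}

# Misconfigured variant (assumption for illustration): the NAT subnet's
# default route points straight at the IGW, bypassing the firewall.
BYPASS_TABLES = dict(ROUTE_TABLES)
BYPASS_TABLES["nat-rt"] = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]


def lookup(tables: Dict[str, RouteTable], table: str, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, the way a VPC route table chooses a route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in tables[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def trace(tables: Dict[str, RouteTable], start: str, dst: str) -> List[str]:
    """Follow a packet from a starting route table and return the hops it takes."""
    path: List[str] = []
    table = start
    for _ in range(8):  # small bound guards against a routing loop
        target = lookup(tables, table, dst)
        if target is None:
            path.append("no-route")  # nothing matched: the packet is dropped
            return path
        path.append(target)
        if target not in NEXT_TABLE:
            return path
        table = NEXT_TABLE[target]
    path.append("loop")
    return path


def passes_firewall(path: List[str]) -> bool:
    """The check that matters: did the packet traverse the firewall endpoint?"""
    return "fw-endpoint" in path


if __name__ == "__main__":
    egress = trace(ROUTE_TABLES, "private-rt", "93.184.216.34")
    ingress = trace(ROUTE_TABLES, "igw-ingress-rt", "10.0.2.10")
    bypass = trace(BYPASS_TABLES, "private-rt", "93.184.216.34")
    print("egress :", " -> ".join(egress), "| inspected:", passes_firewall(egress))
    print("ingress:", " -> ".join(ingress), "| inspected:", passes_firewall(ingress))
    print("bypass :", " -> ".join(bypass), "| inspected:", passes_firewall(bypass))
```

Running it shows the egress path nat-gw -> fw-endpoint -> igw and the return path fw-endpoint -> local, while the bypass variant reaches the IGW without ever touching the firewall endpoint, which is exactly the misrouting a review of the route tables should catch.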

During stateless inspection, every individual packet in a flow is evaluated against all the rules in the policy's stateless rule groups. Rules are processed in strict order based on the priority assigned to them, with lower-numbered rules (for example, 10) taking precedence over higher-numbered rules (for example, 100).

You are required to specify one of the following options:

Pass – Discontinue all inspection of the packet and permit it to go to its intended destination.
Drop – Discontinue all inspection of the packet and block it from going to its intended destination.
Forward to stateful rules – Discontinue stateless inspection of the packet and forward it to the stateful rule engine for inspection.

In the rule group above, the rule with priority 1 allows traffic from a specific IP and the rule with priority 10 denies all traffic. If we change the priority of the allow rule from 1 to 11, rule 10 takes precedence and all traffic is dropped.
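The priority swap described above is easy to get wrong in a rule group with more than two rules, so the following Python model, added as an example that is not part of the post or of AWS, evaluates stateless rules in ascending priority with first-match semantics and adds a check for rules that are shadowed by an earlier, broader rule. The rule group, the addresses (documentation ranges) and the "forward" default action standing in for the policy's stateless default are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class StatelessRule:
    priority: int   # lower number = evaluated earlier
    source: str     # source CIDR the rule matches
    action: str     # "pass", "drop" or "forward" (forward to the stateful engine)


def evaluate_stateless(rules: List[StatelessRule], src_ip: str,
                       default: str = "forward") -> str:
    """Evaluate rules in ascending priority; the first match ends inspection.

    `default` stands in for the policy's stateless default action and is an
    assumption of this example (the post does not state it).
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.source):
            return rule.action
    return default


def reprioritize(rules: List[StatelessRule], old: int, new: int) -> List[StatelessRule]:
    """Return a copy of the rule group with one rule moved to a new priority."""
    return [StatelessRule(new if r.priority == old else r.priority, r.source, r.action)
            for r in rules]


def shadowed(rules: List[StatelessRule]) -> List[StatelessRule]:
    """Rules that can never match because an earlier rule already covers their CIDR."""
    ordered = sorted(rules, key=lambda r: r.priority)
    result = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.source)
        if any(net.subnet_of(ipaddress.ip_network(e.source)) for e in ordered[:i]):
            result.append(rule)
    return result


# Constructed rule group mirroring the post's example: allow one trusted
# network (203.0.113.0/24 is a documentation range) and deny everything else.
RULE_GROUP = [
    StatelessRule(priority=1, source="203.0.113.0/24", action="pass"),
    StatelessRule(priority=10, source="0.0.0.0/0", action="drop"),
]

TRUSTED_IP = "203.0.113.5"
OTHER_IP = "198.51.100.7"


if __name__ == "__main__":
    print("priority 1 / 10 :", TRUSTED_IP, "->", evaluate_stateless(RULE_GROUP, TRUSTED_IP))
    print("priority 1 / 10 :", OTHER_IP, "->", evaluate_stateless(RULE_GROUP, OTHER_IP))
    swapped = reprioritize(RULE_GROUP, old=1, new=11)
    print("priority 11 / 10:", TRUSTED_IP, "->", evaluate_stateless(swapped, TRUSTED_IP))
    print("shadowed after swap:", shadowed(swapped))
```

With priorities 1 and 10 the trusted address passes and everything else drops; after moving the allow rule to priority 11 the catch-all drop wins and `shadowed()` reports the allow rule as unreachable, which is the condition to look for before deploying a changed rule group.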

Stateful rule inspection works differently. The stateful rules engine processes rules in the order of their action setting: pass rules are processed first, then drop, then alert. The engine stops processing at the first match. For example, with an approved-domain list we can allow only specific domains to be reached from the server, blocking developers from accessing any other third-party repository.

The firewall also takes into consideration the order in which the rules appear in the rule group, and the priority assigned to each rule, if any.

For example, a pass rule with a priority of 1 will be processed before a pass rule with a priority of 2. However, a drop rule with a priority of 1 will always be processed after all pass rules have been evaluated, including pass rules with a higher priority number.
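To make the ordering described in the two passages above concrete (action order first: pass, then drop, then alert; priority and rule-group position only within the same action; first match stops), here is a small Python model of the stateful engine, added as an example that is not part of the post or of AWS. The approved-domain rule group, the host names, the suffix-matching convention (a leading dot matches the domain and its subdomains), the pass-by-default fallback when nothing matches, and the alert record shape that mirrors the post's CloudWatch view are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stateful engine order from the post: all pass rules first, then drop, then alert.
ACTION_ORDER = {"pass": 0, "drop": 1, "alert": 2}


@dataclass
class StatefulRule:
    action: str
    domain: str                     # "*" = any host; ".example.com" = domain + subdomains
    priority: Optional[int] = None  # lower = earlier within the same action; None = unset


def matches(rule: StatefulRule, host: str) -> bool:
    """Domain-list style match; the leading-dot form requires a real subdomain boundary."""
    if rule.domain == "*":
        return True
    if rule.domain.startswith("."):
        return host == rule.domain[1:] or host.endswith(rule.domain)
    return host == rule.domain


def evaluation_order(rules: List[StatefulRule]) -> List[StatefulRule]:
    """Sort as the post describes: by action (pass, drop, alert), then by
    priority (rules without a priority last), then by position in the group."""
    def key(item):
        pos, r = item
        return (ACTION_ORDER[r.action], r.priority is None, r.priority or 0, pos)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def evaluate_stateful(rules: List[StatefulRule], host: str) -> str:
    """The first matching rule in evaluation order decides."""
    for rule in evaluation_order(rules):
        if matches(rule, host):
            return rule.action
    return "pass"  # assumption: no stateful default action configured


def alert_log(rules: List[StatefulRule], hosts: List[str]) -> List[Dict[str, str]]:
    """Mimic the post's CloudWatch alert view: one record per blocked host."""
    return [{"host": h, "action": "blocked"}
            for h in hosts if evaluate_stateful(rules, h) == "drop"]


# Constructed approved-domain rule group. Note that the catch-all drop is listed
# first and carries priority 1, yet the pass rules are still evaluated before it.
APPROVED = [
    StatefulRule(action="drop", domain="*", priority=1),
    StatefulRule(action="pass", domain=".amazonaws.com", priority=2),
    StatefulRule(action="pass", domain="pypi.org", priority=1),
    StatefulRule(action="alert", domain="*"),
]

SAMPLE_HOSTS = ["pypi.org", "s3.amazonaws.com", "files.pythonhosted.org", "evilamazonaws.com"]


if __name__ == "__main__":
    print("evaluation order:", [(r.action, r.domain) for r in evaluation_order(APPROVED)])
    for host in SAMPLE_HOSTS:
        print(f"{host:28} -> {evaluate_stateful(APPROVED, host)}")
    print("alert events:", alert_log(APPROVED, SAMPLE_HOSTS))
```

The evaluation order comes out as pypi.org (pass, priority 1), .amazonaws.com (pass, priority 2), the catch-all drop, then the alert rule; pypi.org and s3.amazonaws.com pass, files.pythonhosted.org is dropped, and evilamazonaws.com is also dropped because the suffix match insists on the dot boundary. The dropped hosts are the ones that surface in the alert log.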

In the CloudWatch logs we can see that the traffic is blocked and recorded as alert events.
