Up and running with AWS Network Firewall - Part 1

Up and running with AWS Network Firewall - Part 1
AWS Network Firewall

This post is the first in a series to share my learnings as I get to grips with AWS Network Firewall.

See the second part here

There are many use cases; however, in this series, I'll focus on the following.

Inspection VPC

This pattern will place the firewall between two VPCs and inspect any traffic that passes between the two.

As Network Firewall doesn't support VPC Peering, Transit Gateway needs to be implemented, which isn't bad as it's like a router on steroids! See an overlay use case with TGW here.

If you deal with multiple accounts and many VPCs, you will never regret implementing it.

VPC to VPC Through NFW

Inspection VPC with Internet Egress

This pattern will enable a central egress point to the internet via NAT gateway, allowing us to allow or block traffic to the internet from instances in private subnets across one or many VPCs.

Inspection VPC for North-South traffic across cloud providers.

What the hell does North-South mean, I hear you say. Wikipedia defines it as

"Network traffic flowing into and out of a data center"

I feel that description is a little dated; however, it makes sense if we treat AWS as one data center and "other" cloud provider as another.

This pattern will establish a Site-to-Site VPN with the "other" cloud provider and ensure all traffic that passes between providers, North-South, will go via the firewall.

North-South Traffic Flow across Public Cloud Providers

Asymmetric Routing

The above diagrams are a simple representation; however, in an Enterprise environment, instances are spread across multiple availability zones so enabling traffic to pass across AZs is necessary.

As detailed in the AWS docs here, by default, Transit Gateway maintains Availability Zone affinity, which means that it uses the same Availability Zone to forward the traffic from where it entered the transit gateway.

The above is perfect if we don't have an inspection VPC in place; however, as soon as we place an inline firewall, traffic must flow through the same interfaces on the firewall, or it gets silently dropped.

Thankfully the product teams at AWS have made life easy and enabled a flag we can set called Transit Gateway Appliance Mode.

In Part 2, we will go through the setup of the above patterns. However, as a parting gift, here is a CloudFormation template to deploy the Inspection VPC.

I hope this helps someone else!

Inspection VPC CloudFormation