AWS Network Firewall - Key Components and Deployment Models

AWS Network Firewall is a managed network service provided by AWS, which was launched in November 2020 in the US East (N. Virginia), the US West (Oregon), and Europe (Ireland). This cloud-native solution helps organizations to filter and inspect the network traffic to and from VPC’s. A solid alternative to the third-party firewall solutions, it has been implemented by several customers as it integrates easily with all the AWS resources. In 2021 AWS firewall achieved some major milestones like PCI-DSS, ISO Compliance, etc. This further led to its growing traction across regions, such as Asia Pacific (Mumbai, Singapore, and Sydney), and EU (London).

Since AWS Network Firewall is a cloud-native solution, organizations get AWS support whenever required. It also helps expedite the implementation of the infrastructure. On the other hand, using a third-party firewall is time-intensive when it comes to learn and implement it with a trial & error approach.

Key Components of AWS Network Firewall

An AWS Network Firewall can be created under the VPC service from the console. At the time of firewall creation, organizations have to provide the subnets of all the AZ’s in which they look to deploy the firewall endpoint. Creating separate subnets for firewall endpoints is recommended, specifically in each AZ. Every AWS Network Firewall is associated with a Firewall Policy, which is a group of rules. Under the firewall policy, the stateless and stateful rules can be defined based on the network requirements.

AWS Network Firewall – Deployment Models

Depending on the infrastructure, AWS recommends three deployment models depending on the use case and requirement.

Distributed Firewall Model

This model is suitable for North-South (VPC to the Internet) traffic flow, which means all the traffic for public resources can be monitored and filtered by this model. The misconfiguration and radius blast are the lowest and the cost applies per AWS Network Firewall endpoint.

In distributed firewall, as shown in the above example, a firewall subnet is created for each AZ. Here, the firewall endpoints are launched. It is best practice to create a separate firewall endpoint for each AZ so that the traffic for that particular AZ will flow only through its respective endpoint.

Centralized Firewall Model

The centralized firewall is ideal for following traffic flows:

East-West: VPC to VPC traffic flow
North-South: VPC to Internet traffic flow
North-South: VPC to on-prem via VPN or DX traffic flow

The misconfiguration and radius blast is medium while the cost applies as per AWS Transit Gateway attachments, AWS Network Firewall endpoints, and AWS Transit Gateway data being processed.

In a centralized firewall, we create 3 separate VPCs, where each takes care of a different traffic flow.

Inspection VPC: VPC to VPC and VPC to on-premises (East-West and North-South).
Central Egress VPC: VPC to only outbound internet traffic flow (North-South) with NAT Gateway.
Central Ingress VPC: VPC to outbound and inbound internet traffic flow (North-South) with IGW.

All traffic flows through the transit gateway and hence, transit gateway attachments need to be created for each VPC. To ensure flow symmetry, the appliance mode of transit gateway attachment must be enabled for all three firewall VPCs.

The appliance mode can only be enabled by AWS CLI –

aws ec2 create-transit-gateway-vpc-attachment 

    --transit-gateway-id tgw-0262a0e521EXAMPLE 

    --vpc-id vpc-07e8ffd50f49335df 

    --subnet-id subnet-0752213d59EXAMPLE

    --options ApplianceModeSupport=enable

aws ec2 modify-transit-gateway-vpc-attachment 

    --transit-gateway-attachment-id tgw-attach-0253EXAMPLE

    --options ApplianceModeSupport=enable

Combined Firewall Model

A combined model, as it indicates, is a combination of both distributed and centralized firewall models. In some use cases, it’s required to segregate the traffic of public resources (North-South) from the other two internal traffic flows: VPC to VPC and VPC to on-premises (North-South). In that case, the distributed firewall model is implemented for East-West traffic flow whereas the centralized firewall model for the North-South traffic flow.

To Sum Up

AWS Network Firewall is a good add-on to make the infrastructure cloud-native and can be implemented with different architectures using the aforementioned deployment models. AWS Network Firewall also enables the cloud watch logs which gives an insight into the traffic going through the network. Once implemented, it’s easy to manage, block, or allow various traffic with firewall policies and their set of rules.

Cloud Consulting, Strategy, and Migration

DevSecOps

Cloud Security Engineering

Application Assessment

Cloud Native Application Development & Testing

SaaS Product & Platform Development

Data Strategy

Data Governance and Engineering

Advanced Analytics

Cloud Governance & Reporting

Cloud Discovery & Optimization

DevOps Transformation (DoT)

cAssure

cSecure

SaaS Factory Model

BlazePulse

cSaver

Cloud and Platform Modernization

Cloud Security Operations

Conversational AI

Application Maintenance & Enhancement

Application Modernization

Managed Analytics

BI Modernization

Cloud Managed Services

How Analytics Helps Businesses Better Serve their Customers

Building Capabilities of Incident Response/Disaster Recovery on the Cloud

Impactful Cloud Computing Trends to Look For in 2022

Cloud-based End-to-End System Helped Feed Ontario Achieve ~60% Operational Optimization

Azure Cloud Hosting Enabled Etek to See ~40% Performance Improvement in their Website

Cloud Migration Helped Customer Achieve Uniform Platform and Reduce Rollbacks by Over 60%

Ebooks & Whitepapers

Augment Your Deployment Velocity With Terraform

Back to Business as Usual - Rightsizing Your AWS Cloud Cost

Call Us

Email Us

Financial Services

Banking & Insurance

Media & Entertainment

Telecom

Technology

About Us

Our Leadership

Customer Speaks

Strategic Partners

OneClan Life

Clouditects

Work With Us

Thought Leadership

Awards and Recognition

Media Coverage