🔐 TLS Encryption & Decryption in AWS Network Firewall

Today, over 90% of internet traffic uses TLS (HTTPS). While this protects confidentiality, it also prevents traditional firewalls from seeing what’s inside the traffic.

That’s where TLS inspection in AWS Network Firewall becomes critical.

In this article, we’ll cover:

• Why TLS inspection is required
• How TLS normally works
• How AWS Network Firewall performs TLS decryption & inspection
• Architecture design (EC2 → Firewall → NAT → IGW)
• Certificate requirements
• Common deployment mistakes
• Best practices

---

🚨 Why TLS Inspection Is Required

Without TLS inspection, a firewall can only see:

• Source IP
• Destination IP
• Port (443)
• Limited SNI/domain info

But it cannot see:

• Malware downloads
• Command & Control traffic
• Data exfiltration
• Exploit payloads
• Unauthorized SaaS usage

Encrypted traffic becomes a blind spot.

TLS inspection restores visibility.

---

🔎 How TLS Normally Works

Before encryption begins, two steps happen:

1️⃣ TCP 3-Way Handshake

Client → SYN → Server
Server → SYN-ACK → Client
Client → ACK → Server

TCP session established.

---

2️⃣ TLS Handshake

ClientHello
ServerHello
Certificate exchange
Key negotiation
Encrypted session established

After this, traffic becomes encrypted:

Client ⇄ Encrypted ⇄ Server

A traditional firewall cannot inspect payload contents.

---

🔐 How TLS Inspection Works in AWS Network Firewall

When TLS inspection is enabled, the firewall becomes a proxy.

Instead of:

EC2 ⇄ Google

We now have:

EC2 ⇄ Firewall ⇄ Google

The firewall acts as:

• Server toward EC2
• Client toward Google

---

Packet Flow Example (Outbound HTTPS)

Architecture:

Private Subnet (EC2)
        ↓
AWS Network Firewall
        ↓
NAT Gateway
        ↓
Internet Gateway
        ↓
Internet (google.com)

Return traffic:

Internet → IGW → NAT → Firewall → EC2

---

Step-by-Step Flow

1️⃣ EC2 sends HTTPS request

EC2 → Firewall

2️⃣ Firewall intercepts TLS handshake

• Receives ClientHello
• Creates second TLS session to Google

3️⃣ Firewall validates certificate

• OCSP / CRL check
• Certificate inspection

4️⃣ Firewall decrypts traffic

• Applies IPS rules
• Applies domain filtering
• Checks for malware

5️⃣ Firewall re-encrypts traffic

Firewall → NAT → Internet

---

🔑 Certificate Requirements

TLS inspection requires:

1️⃣ Inspection Certificate

• Stored in AWS Certificate Manager
• Presented by firewall to clients
• Must be trusted by EC2/workloads

---

2️⃣ Revocation Policy

Best practice:

GOOD → Allow
UNKNOWN → Allow
REVOKED → Reject

Strictly rejecting UNKNOWN often causes outages.

Cloudwatch logs for Unknown revocation -> passed traffic.

---

🧱 Required Configuration Building Blocks

To make TLS inspection work correctly:

✅ 1) Routing (Symmetric)

Private subnet:

0.0.0.0/0 → Firewall endpoint

NAT subnet:

Private subnet CIDR → Firewall endpoint

Return traffic must pass through firewall.

---

✅ 2) Layer 4 Rule (TCP 443)

You must allow TCP first:

pass tcp $HOME_NET any -> $EXTERNAL_NET 443

TLS runs on top of TCP.

---

✅ 3) TLS Rule (Layer 7)

Then allow TLS:

pass tls $HOME_NET any -> $EXTERNAL_NET 443

---

✅ 4) Default Action

Recommended:

Drop everything else

Sample Firewall Policy

So for an HTTPS connection:

• TCP session is established (port 443)
• Then TLS handshake happens inside that TCP session
• Then encrypted data flows

---

⚠️ Common Deployment Mistakes

❌ Asymmetric Routing

Return traffic bypasses firewall → TLS resets

---

❌ Revocation Policy Too Strict

UNKNOWN → REJECT

Causes unexpected connection resets.

---

❌ Missing TCP Rule

Allowing TLS but blocking TCP 443 breaks handshake.

---

❌ Inspecting All Ports

Only inspect required ports (usually 443).

---

📈 Performance Considerations

TLS inspection adds:

• CPU overhead
• Latency
• Reduced throughput

Best practice:

• Inspect only necessary traffic
• Bypass trusted domains
• Monitor firewall capacity

---

🏢 Enterprise Deployment Model

For multi-VPC environments:

Spoke VPCs
      ↓
Transit Gateway
      ↓
Inspection VPC
      ↓
AWS Network Firewall
      ↓
Internet

Centralized inspection reduces cost and improves control.

---

🎯 When TLS Inspection Is Most Valuable

TLS inspection is especially important for:

• Developer environments
• Outbound internet access
• SaaS-heavy organizations
• Data exfiltration protection
• Compliance environments

---

🧠 Final Thoughts

TLS encryption protects data — but it also hides threats.

AWS Network Firewall TLS inspection allows organizations to:

✅ Regain visibility
✅ Detect malware in encrypted traffic
✅ Prevent data exfiltration
✅ Enforce SaaS policies
✅ Maintain compliance

When deployed with proper routing, policy design, and certificate handling, TLS inspection becomes a powerful security control without disrupting business operations.

---