👋 Hello tech enthusiasts!
In this blog, we’ll walk through the implementation of AWS Network Firewall using a hands-on lab 🧪. Our objective is to understand how stateless and stateful rule groups work by building a simple yet practical setup 🛡️⚙️.
🎯 Lab Objectives
- We will launch a simple web server on an EC2 instance.
- Create a Stateless rule to block inbound ICMP (ping request) traffic to the web server.
- Create a Stateful rule to allow outbound traffic from the web server to a particular domain name, e.g. aws.amazon.com, over TLS, and block all other outgoing traffic.
We’ll use the following architecture diagram as the reference for our setup.
🖥️ Launch your webserver on an EC2 instance
- SSH to the EC2 instance and install the HTTPD web server. In the security group, allow SSH, HTTP and ICMP traffic from anywhere (0.0.0.0/0); we need to make sure the security group is not restricting any traffic, so that only the firewall decides what gets through.
- Verify that you can access the web server in a browser using the EC2 instance's public IP or public DNS name.
- Verify that you can ping the EC2 instance from your workstation.
In the VPC settings, enable DNS resolution and DNS hostnames so you can access your web server using its public DNS name.
I can also successfully ping the EC2 instance from my workstation.
The next step is to create a Network Firewall and associate it with your VPC and the Firewall subnet.
⚡ Stateless Rules
- Drop all ICMP traffic from 0.0.0.0/0 to 0.0.0.0/0 (priority 10).
- Forward all other traffic to Stateful rule group (priority 20).
⚡ Stateful Rules
- pass tcp any any -> any 22 (msg:"Allow TCP 22"; sid:1000001; rev:1;)
- pass http any any -> any any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Permit HTTP access to the web server"; sid:1000002; rev:1;)
- pass tls any any -> any any (tls.sni; content:"aws.amazon.com"; startswith; nocase; endswith; msg:"Permit HTTPS access to aws.amazon.com"; sid:1000003; rev:1;)
- drop tcp any any -> any any (flow:established,to_server; msg:"Deny all other TCP traffic"; sid:1000004; rev:1;)
Add Stateless and Stateful rule groups to the Firewall policy.
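To see how the two rule groups interact before deploying a change, here is a small Python model added for this post (it is not AWS or Suricata code and does not talk to AWS): it parses the four stateful rules above, applies the stateless group first in priority order, and then evaluates the stateful rules in the firewall's default action order, where every pass rule is checked before any drop rule regardless of its position in the list. The sample flows, and every hostname other than the instance's own DNS name, are constructed. Notice what it reports for UDP: the drop rule is tcp-only, so DNS or other UDP traffic matches nothing and is allowed.

```python
"""Toy model of the lab's firewall policy (added example; not AWS or Suricata code).

Evaluation order as AWS Network Firewall documents it: the stateless rule group
runs first (priority order, first match wins); forwarded packets reach the
stateful engine, which in the default action order checks all pass rules before
any drop rule. Only the rule features the lab uses are modelled: protocol,
destination port, http.host / tls.sni with dotprefix, startswith, endswith,
nocase, and flow:to_server.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The four stateful rules from the blog post, copied verbatim.
STATEFUL_RULES = """
pass tcp any any -> any 22 (msg:"Allow TCP 22"; sid:1000001; rev:1;)
pass http any any -> any any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Permit HTTP access to the web server"; sid:1000002; rev:1;)
pass tls any any -> any any (tls.sni; content:"aws.amazon.com"; startswith; nocase; endswith; msg:"Permit HTTPS access to aws.amazon.com"; sid:1000003; rev:1;)
drop tcp any any -> any any (flow:established,to_server; msg:"Deny all other TCP traffic"; sid:1000004; rev:1;)
"""

# The stateless rule group: (priority, protocol or None for any, action).
STATELESS_RULES = [(10, "icmp", "drop"), (20, None, "forward_to_sfe")]

# Default action order used by AWS Network Firewall: pass, drop, reject, alert.
ACTION_ORDER = ("pass", "drop", "reject", "alert")

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$")


@dataclass
class Flow:
    proto: str                  # "icmp", "tcp" or "udp"
    dst_port: Optional[int]
    app: str = ""               # "http", "tls" or "" for anything else
    hostname: str = ""          # http.host or tls.sni value seen by the engine
    to_server: bool = True      # direction flag for flow:to_server


def parse_rules(text: str) -> list:
    """Split Suricata-style rule lines into the fields the evaluator needs."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse rule: {line}")
        action, proto, dport, raw_opts = m.groups()
        opts = [o.strip() for o in raw_opts.split(";") if o.strip()]
        sid = next(int(o.split(":", 1)[1]) for o in opts if o.startswith("sid:"))
        content = next((o.split(":", 1)[1].strip('"') for o in opts
                        if o.startswith("content:")), None)
        rules.append({"action": action, "proto": proto, "sid": sid, "content": content,
                      "dport": None if dport == "any" else int(dport), "opts": opts})
    return rules


def stateful_matches(rule: dict, flow: Flow) -> bool:
    """True when a parsed rule matches the flow (subset of Suricata semantics)."""
    proto, opts = rule["proto"], rule["opts"]
    if proto in ("http", "tls"):
        if flow.app != proto:
            return False
    elif proto != flow.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != flow.dst_port:
        return False
    if "http.host" in opts or "tls.sni" in opts:
        buf, pat = flow.hostname, rule["content"]
        if "nocase" in opts:
            buf, pat = buf.lower(), pat.lower()
        if "dotprefix" in opts:       # bare "amazonaws.com" becomes ".amazonaws.com" and matches too
            buf = "." + buf
        if "startswith" in opts and not buf.startswith(pat):
            return False
        if "endswith" in opts and not buf.endswith(pat):
            return False
        if "startswith" not in opts and "endswith" not in opts and pat not in buf:
            return False
    flow_opt = next((o for o in opts if o.startswith("flow:")), None)
    if flow_opt and "to_server" in flow_opt.split(":", 1)[1].split(",") and not flow.to_server:
        return False
    return True


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason): stateless group first, then stateful in action order."""
    for prio, proto, action in sorted(STATELESS_RULES):
        if proto is None or proto == flow.proto:
            if action != "forward_to_sfe":
                return action, f"stateless rule priority {prio}"
            break                      # forwarded to the stateful engine
    rules = parse_rules(STATEFUL_RULES)
    for action in ACTION_ORDER:        # all pass rules before any drop rule
        for rule in rules:
            if rule["action"] == action and stateful_matches(rule, flow):
                return action, f"stateful rule sid {rule['sid']}"
    return "pass", "no stateful rule matched"   # default order allows unmatched traffic


# Constructed sample flows; only the first HTTP host is the blog's own instance DNS name.
SAMPLE_FLOWS = [
    ("ping from workstation", Flow("icmp", None)),
    ("SSH from workstation", Flow("tcp", 22)),
    ("HTTP to instance DNS name",
     Flow("tcp", 80, "http", "ec2-52-65-196-41.ap-southeast-2.compute.amazonaws.com")),
    ("HTTP to bare amazonaws.com", Flow("tcp", 80, "http", "amazonaws.com")),
    ("HTTP to notamazonaws.com", Flow("tcp", 80, "http", "notamazonaws.com")),
    ("HTTPS to aws.amazon.com (mixed case)", Flow("tcp", 443, "tls", "AWS.amazon.com")),
    ("HTTPS to example.com", Flow("tcp", 443, "tls", "example.com")),
    ("DNS over UDP", Flow("udp", 53)),
]


def run_samples() -> dict:
    """Map each sample label to its verdict, for a quick policy sanity check."""
    return {label: evaluate(flow)[0] for label, flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{label:40} -> {verdict:5} ({reason})")
```

The leading dot in `content:".amazonaws.com"` is what stops a look-alike such as notamazonaws.com from matching; `dotprefix` then lets the apex domain itself match as well. The model is deliberately narrow (it knows nothing about reject, alert, or strict rule ordering), so treat it as a way to reason about this lab's policy, not as a substitute for testing against the real firewall.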
Next, let's modify the route tables.
Add a route to the Firewall endpoint in the Public subnet's route table.

Add a route to the Internet Gateway in the Firewall subnet's route table.
- Create a new route table for the Internet Gateway.
- Add a route so that traffic destined for 10.100.0.0/24 goes through the Firewall endpoint.
Go to Edge associations and associate this route table with the Internet Gateway.
🔍 Now, let's verify our Firewall rules.
Let's ping the IP address of our EC2 instance to see whether the Stateless rule works.
Perfect! It doesn't work 😅
Now, let's try the public DNS http://ec2-52-65-196-41.ap-southeast-2.compute.amazonaws.com/.
Excellent! 🎉 This works, because our Stateful rule allows HTTP traffic whose host name ends in .amazonaws.com.
That’s all for today! 🙌 Thank you for following along! 😊