DEV Community

Cover image for AWS Network Firewall: A DevOps Guide in Simple Words
Manoj
Manoj

Posted on

AWS Network Firewall: A DevOps Guide in Simple Words

#aws #devops #network #security

I bet most of you who’ve worked on AWS even a little, chances are you’ve built a VPC — added subnets, configured route tables, attached internet gateways, and locked things down with network access control lists and security groups.

But there comes a moment when you realise that security groups and NACLs aren’t enough. Maybe an application is reaching out to sketchy IPs. Maybe you need to block traffic to specific IP addresses, or log every packet leaving your VPC. That’s where AWS Network Firewall comes into the picture — and to be honest, not enough people use it to its full potential. In this article, I’ll walk you through what it is and why it’s required.

What is AWS Network Firewall?

AWS Network Firewall is a managed firewall service that helps you control network traffic at a much more granular level that security groups and NACLs.

To help you understand better, think like this:

  1. Security Groups: Act like a bouncer at EC2 level
  2. NACL: Watch traffic at subnet border
  3. Network Firewall: It is a smart customisable checkpoint inside your VPC for deep inspection, filtering and rule-based control

And the best part? You don’t have to manage infrastructure. AWS will do all the necessary weight lifting for you.

What Can It Do?

  1. Block/Allow/Alert traffic based on IP, Port and Protocol.
  2. Detect and stop traffic to known bad/malicious IPs.
  3. Block access to an entire country/countries.
  4. Log and analyse traffic using VPC Flow Logs, Cloudwatch or S3.
  5. Integrate with Suiracata rules ( an open source threat detection engine).

Why Use IT?

  1. Block outbound traffic to malicious IPs
  2. Ensure your app(s) only connect to approved APIs / IPs / Domains
  3. Monitor for unusual connection patterns
  4. You can use suricata rules to detect intrusion attempts( for example: unauthorised sql access attempt, unauthorised access to exploit port to name a few)
  5. We all know this kind of control is hard to build using only NACL/Security Group.

Basic Setup Overview

  1. Create a firewall policy: Define what should be allowed/blocked.
  2. Add rule groups- like: stateless (quick filters) and stateful (connection aware, deeper checks)
  3. Create a firewall - attach rule groups and firewall policy to your firewall, attach the firewall to your vpc
  4. Configure routing: Traffic must flow through firewall (typically via a dedicated subnet)

Thanks for reading! If you’re using Network Firewall or curious about understanding it better, hit reply — happy to discuss or write a follow up post.

cheers

Top comments (0)