OVERVIEW: AWS Managed Firewall Service for Virtual Private Clouds
Erik Rush | Jun. 16, 2021
In November 2020, Amazon Web Services (AWS) expanded its cloud security arsenal with the launch of AWS Network Firewall, a managed service designed specifically for AWS Virtual Private Cloud (VPC) customers.
“Our customers want to have a high availability, scalable firewall service to protect their virtual networks in the cloud,” AWS said in a Nov. 17 blog post. “We heard customers want an easier way to scale network security across all the resources in their workload, regardless of which AWS services they used. They also want customized protections to secure their unique workloads, or to comply with government mandates or commercial regulations.”
Because the service scales with the workload, users do not have to buy and size additional firewall appliances when their traffic grows. According to AWS, customers need the ability to do things like URL filtering on outbound flows, pattern matching on packet data beyond IP address, port and protocol, and alerting on specific vulnerabilities for protocols beyond HTTP/S.
Custom Security Rules and More
With Network Firewall, users can implement custom security rules for workloads, bar VPCs from accessing prohibited domains, block risky IP addresses and identify potentially malicious activities. It also lets users “easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.”
AWS says that Network Firewall “runs both stateless and stateful traffic inspection rules engines.” These engines use rules and other settings that are configured inside a firewall policy. A firewall is attached to one VPC and has a firewall endpoint in each Availability Zone the user chooses to protect; in each such zone the user picks a subnet to host that endpoint. The endpoint inspects traffic for the other subnets in the zone but not for its own subnet, so that subnet should be reserved for the firewall and hold no other workloads. Traffic only reaches the endpoint if the VPC route tables send it there, so routing is part of the deployment, not an afterthought.
Simple Implementation & Management
Users can manage AWS Network Firewall via these central components:
- Firewall – A firewall connects the VPC that you want to protect to the protection behavior that’s defined in a firewall policy. For each Availability Zone where you want protection, you provide Network Firewall with a public subnet that is dedicated to the firewall endpoint (nothing else should run in it). To put the firewall in the traffic path, you update the VPC route tables so that incoming and outgoing traffic for the protected subnets goes through the firewall endpoints.
- Firewall policy – A firewall policy defines the behavior of the firewall in a collection of stateless and stateful rule groups and other settings. You can associate each firewall with only one firewall policy, but you can use a firewall policy for more than one firewall.
- Rule group – A rule group is a collection of stateless or stateful rules that define how to inspect and handle network traffic. Rule configuration supports 5-tuple matching (source and destination address, source and destination port, and protocol) and domain-name filtering. Stateful rules can also be written in the open-source Suricata rule syntax, which is what allows matching on packet payload beyond the 5-tuple.
Firewalls can be created and managed from the AWS Management Console, the AWS Command Line Interface (CLI) or the AWS SDKs. In the console, AWS Network Firewall lives in the VPC service’s navigation pane: open the Firewalls page and choose “Create firewall.”
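The three components described above, as an added example written for this overview (it is not code from AWS or from the original post). It builds a stateless 5-tuple rule group, a stateful domain-denylist rule group, a stateful rule group in Suricata syntax and the firewall policy that ties them together, in the exact dictionary shapes the Network Firewall API and `aws network-firewall create-*` commands accept; checks locally the invariants the service rejects at call time (exactly one standard stateless default action, unique priorities per stateless rule group, a `sid` on every Suricata rule); and derives the per-zone route-table entries that actually put a subnet behind the endpoint. The `deploy` function takes a boto3 `network-firewall` client supplied by the caller, so the module itself never needs credentials. All IDs, ARNs, CIDRs and domain names are made up.

```python
"""AWS Network Firewall building blocks: rule groups, a firewall policy, the
firewall itself, and the route-table changes that put one Availability Zone
behind the firewall endpoint.

Added example for this article; not code from AWS or from the original post.
Every ID, ARN, CIDR and domain name here is made up for illustration.
"""
import re

# Domains the VPC must not reach (constructed sample). A leading dot matches
# the domain and all of its subdomains.
DENIED_DOMAINS = [".bad-updates.example", "telemetry.vendor.example"]

# A stateless default-action list must contain exactly one of these.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}


def domain_denylist_rule_group(domains):
    """Stateful rule group generated from a domain list, matched on the
    HTTP Host header and the TLS SNI."""
    return {"RulesSource": {"RulesSourceList": {
        "Targets": list(domains),
        "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
        "GeneratedRulesType": "DENYLIST",
    }}}


def suricata_rule_group(vpc_cidr):
    """Stateful rule group in Suricata syntax: log (not block) SSH leaving the
    VPC. Every rule needs a unique sid or the service rejects the group."""
    rule = (f'alert tcp {vpc_cidr} any -> any 22 (msg:"outbound SSH from VPC"; '
            'flow:to_server; sid:1000001; rev:1;)\n')
    return {"RulesSource": {"RulesString": rule}}


def forward_to_stateful_rule_group():
    """Stateless 5-tuple rule: hand all TCP and UDP to the stateful engine."""
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [{
        "Priority": 1,
        "RuleDefinition": {
            "MatchAttributes": {
                "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                "Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
                "Protocols": [6, 17],  # TCP, UDP
            },
            "Actions": ["aws:forward_to_sfe"],
        },
    }]}}}


def firewall_policy(stateless_arns, stateful_arns):
    """Policy that binds the rule groups and sets the stateless defaults:
    unmatched packets go to the stateful engine, fragments are dropped."""
    return {
        "StatelessRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i + 1} for i, arn in enumerate(stateless_arns)],
        "StatefulRuleGroupReferences": [{"ResourceArn": arn} for arn in stateful_arns],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
    }


def validate(policy, stateless_groups, stateful_groups):
    """Local pre-flight for the checks the service fails an API call on.
    Returns a list of problems; an empty list means the shapes are acceptable."""
    problems = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if len(STANDARD_ACTIONS & set(policy[key])) != 1:
            problems.append(f"{key}: exactly one of {sorted(STANDARD_ACTIONS)} required")
    for group in stateless_groups:
        rules = group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
        priorities = [r["Priority"] for r in rules]
        if len(priorities) != len(set(priorities)):
            problems.append("stateless rule priorities must be unique within a rule group")
    for group in stateful_groups:
        source = group["RulesSource"]
        if "RulesString" in source:
            for line in filter(str.strip, source["RulesString"].splitlines()):
                if not re.search(r"\bsid:\s*\d+\s*;", line):
                    problems.append(f"Suricata rule without a sid: {line[:40]}")
        elif "RulesSourceList" in source and not source["RulesSourceList"]["Targets"]:
            problems.append("domain list rule group has no targets")
    return problems


def route_updates(protected_subnet_cidr, firewall_endpoint_id, igw_id):
    """Routes for one AZ so that traffic between the protected subnet and the
    Internet crosses the firewall endpoint in both directions."""
    return {
        "protected-subnet-rtb": [("0.0.0.0/0", firewall_endpoint_id)],
        "firewall-subnet-rtb": [("0.0.0.0/0", igw_id)],
        "igw-ingress-rtb": [(protected_subnet_cidr, firewall_endpoint_id)],
    }


def deploy(client, vpc_id, vpc_cidr, firewall_subnet_ids):
    """Create rule groups, policy and firewall through a boto3 'network-firewall'
    client passed in by the caller (needs AWS credentials; not run here)."""
    def rule_group(name, type_, group, capacity):
        resp = client.create_rule_group(RuleGroupName=name, Type=type_,
                                        Capacity=capacity, RuleGroup=group)
        return resp["RuleGroupResponse"]["RuleGroupArn"]
    stateless = rule_group("forward-to-sfe", "STATELESS", forward_to_stateful_rule_group(), 10)
    stateful = [rule_group("deny-domains", "STATEFUL", domain_denylist_rule_group(DENIED_DOMAINS), 100),
                rule_group("alert-ssh", "STATEFUL", suricata_rule_group(vpc_cidr), 100)]
    policy = client.create_firewall_policy(
        FirewallPolicyName="vpc-policy",
        FirewallPolicy=firewall_policy([stateless], stateful))
    return client.create_firewall(
        FirewallName="vpc-firewall", VpcId=vpc_id,
        FirewallPolicyArn=policy["FirewallPolicyResponse"]["FirewallPolicyArn"],
        SubnetMappings=[{"SubnetId": s} for s in firewall_subnet_ids])  # one per AZ


if __name__ == "__main__":
    groups = [domain_denylist_rule_group(DENIED_DOMAINS), suricata_rule_group("10.0.0.0/16")]
    policy = firewall_policy(["arn:stateless"], ["arn:deny", "arn:ssh"])
    print("problems:", validate(policy, [forward_to_stateful_rule_group()], groups))
    print(route_updates("10.0.1.0/24", "vpce-0123456789abcdef0", "igw-0123456789abcdef0"))
```

The route entries are the part most often missed: the protected subnet's default route points at the endpoint, the firewall subnet's default route points at the internet gateway, and the internet gateway needs an ingress route table sending the protected subnet's CIDR back to the endpoint, otherwise return and inbound traffic bypasses inspection.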
According to AWS, it is really that simple, and as usual AWS provides step-by-step instructions for even the least tech-savvy users.
Order of the Cipher is an Amazon Web Services (AWS) training company and a novel approach to cybersecurity training that combines theatrical presentation with proven teaching techniques. We’ve mastered Amazon Web Services, and we’ve perfected how to showcase the versatility and capability of AWS technology in a manner that provides real-world immersion experiences that prepare students to expertly navigate the AWS ecosystem.