Setting Up AWS Network Firewall with Custom Rules

Ashwani Paliwal
August 1, 2024

AWS Network Firewall is a managed service that provides essential network protections for Amazon Virtual Private Cloud (VPC) environments. It offers fine-grained control over network traffic to help secure workloads and enforce compliance requirements. Setting up AWS Network Firewall with custom rules allows you to define and enforce security policies tailored to your specific needs. In this blog, we will guide you through the process of setting up AWS Network Firewall and creating custom rules.

Introduction to AWS Network Firewall

AWS Network Firewall protects your VPCs by filtering the traffic you route through its endpoints: between your VPC and the internet, Direct Connect or VPN connections, peered or Transit Gateway-attached networks, and between subnets when you route that traffic through the firewall as well. It integrates with other AWS services and offers features such as:

  • Stateful Inspection: A Suricata-based engine that tracks connections and evaluates traffic in context, including application-layer fields such as the TLS SNI and the HTTP Host header.
  • Stateless Inspection: Filters each packet individually on 5-tuple criteria and TCP flags; stateless rules run before the stateful engine sees anything.
  • Centralized Management: Firewall policies and rule groups are reusable across firewalls, and AWS Firewall Manager can roll them out across accounts and VPCs.
  • Custom Rule Creation: Allows the definition of custom rules to meet specific security requirements.

Prerequisites

Before setting up AWS Network Firewall, ensure you have the following:

  1. An AWS account with the necessary permissions to create and manage network firewalls (the network-firewall API actions), plus EC2 permissions to create subnets and edit route tables.
  2. An existing VPC where the firewall will be deployed, with a small dedicated subnet (a /28 is enough) in each Availability Zone you want to protect. Firewall endpoints should not share a subnet with workloads.
  3. Knowledge of the traffic patterns and security requirements of your applications.

Step-by-Step Guide to Setting Up AWS Network Firewall

Step 1: Create a Firewall

  1. Navigate to the AWS Network Firewall Console:
    • Open the AWS Management Console and go to VPC > Network Firewall.
  2. Create a New Firewall:
    • Click on "Create firewall."
    • Provide a name and description for the firewall.
    • Select the VPC where the firewall will be deployed.
    • Choose one dedicated subnet for each Availability Zone you want to protect. The firewall places an endpoint in each of these subnets, and traffic is only inspected in Availability Zones that have one.
    • Associate a firewall policy. A firewall cannot be created without one, so if you have not built your policy yet, create and associate an empty policy here and replace it in Step 4.
  3. Configure the Firewall:
    • Enable delete protection and the policy and subnet change protections if you want to guard a production firewall against accidental edits.
    • Logging is configured on the firewall itself (its Logging tab) and is off by default. Enable alert and flow logs to CloudWatch Logs, S3 or Kinesis Data Firehose so you can see what your rules do in Step 5.
  4. Create the Firewall:
    • Review the configuration and click "Create firewall." Provisioning the endpoints takes several minutes.

Step 2: Create Rule Groups

Rule groups define the set of rules that the firewall uses to filter traffic. AWS Network Firewall supports stateless rule groups and stateful rule groups; a stateful rule group can be written as Suricata-compatible rules, as simple 5-tuple rules, or as a domain list.

  1. Create a Rule Group:
    • Navigate to the "Rule groups" section in the Network Firewall console.
    • Click on "Create rule group."
  2. Define Rule Group Settings:
    • Provide a name and description for the rule group.
    • Choose the type of rule group (stateful or stateless). For a stateful group, also choose the rule evaluation order: strict order (rules apply in the order you list them, first match wins) or action order (all pass rules first, then drop, reject and alert). The policy that uses the group must use the same order.
    • Specify the capacity. Capacity is the processing budget reserved for the group: each stateless rule costs the product of its match-setting counts (one destination, one protocol and two destination ports cost 2), and each Suricata rule costs 1. Capacity cannot be changed after creation, so leave headroom for rules you will add later.
  3. Add Rules to the Group:
    • For stateful rule groups, write Suricata-compatible rules (or use the 5-tuple or domain-list editors). Each rule has a match expression and an action: pass, drop, reject (TCP only; sends a RST to the client) or alert (log only). Rule variables such as $HOME_NET default to the VPC CIDR and can be overridden in the rule group.
    • For stateless rule groups, define match conditions on source and destination CIDRs, ports, protocol numbers and TCP flags, give each rule a priority (lower runs first), and choose an action: pass, drop, or forward to the stateful engine. Stateless rules decide on single packets with no connection context, so keep them to coarse, unambiguous decisions and leave anything that needs context to the stateful engine.
  4. Save the Rule Group:
    • Review the rules and settings, then click "Create rule group."
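The same rule groups built against the API rather than the console, as an added example that is not part of the original post. It is Python with boto3 and assumes a 10.0.0.0/16 VPC and the example.com and amazonaws.com hostnames (all placeholders); the AWS call sits behind a client argument so the payload builders and the capacity arithmetic run without AWS access.

```python
"""Rule groups carrying the custom rules, in the shape the CreateRuleGroup API takes.
Added example, not code from the original post: the VPC CIDR, hostnames and names
are placeholders, and `nf` is a boto3 "network-firewall" client (or a stub).
"""
from typing import Any

HOME_NET = ["10.0.0.0/16"]  # assumed VPC CIDR; becomes $HOME_NET in the Suricata rules

# Suricata-compatible rules for the stateful rule group. Written for STRICT_ORDER,
# where the first matching rule wins, so the SNI allowlist precedes the catch-all drop.
SURICATA_RULES = [
    # exact-match SNI allowlist for outbound HTTPS (assumed hostnames)
    'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.example.com"; startswith; endswith; msg:"allow api.example.com"; sid:1000001; rev:1;)',
    'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:".amazonaws.com"; endswith; msg:"allow AWS endpoints"; sid:1000002; rev:1;)',
    'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS to non-allowlisted SNI"; sid:1000003; rev:1;)',
    # reject (TCP only) sends a RST so clients fail fast instead of timing out
    'reject tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"outbound SSH blocked"; sid:1000004; rev:1;)',
    # alert only: the match is written to the alert log
    'alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"cleartext HTTP egress"; sid:1000005; rev:1;)',
]


def stateless_rule(priority: int, action: str, *, sources=(), destinations=(),
                   protocols=(), dest_ports=(), tcp_flags=()) -> dict[str, Any]:
    """One stateless rule: lower priority runs first; action is aws:pass, aws:drop
    or aws:forward_to_sfe (hand the packet to the stateful engine)."""
    attrs: dict[str, Any] = {}
    if sources:
        attrs["Sources"] = [{"AddressDefinition": c} for c in sources]
    if destinations:
        attrs["Destinations"] = [{"AddressDefinition": c} for c in destinations]
    if protocols:
        attrs["Protocols"] = list(protocols)  # IANA numbers: 6 = TCP, 17 = UDP
    if dest_ports:
        attrs["DestinationPorts"] = [{"FromPort": p, "ToPort": p} for p in dest_ports]
    if tcp_flags:
        # Masks = flags to inspect, Flags = flags that must be set among them
        attrs["TCPFlags"] = [{"Flags": list(tcp_flags), "Masks": list(tcp_flags)}]
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": attrs, "Actions": [action]}}


def stateless_capacity(rules) -> int:
    """A stateless rule costs the product of its match-setting counts (1 if none)."""
    total = 0
    for r in rules:
        cost = 1
        for setting in r["RuleDefinition"]["MatchAttributes"].values():
            cost *= len(setting)
        total += cost
    return total


def suricata_capacity(rules) -> int:
    """Each Suricata rule costs 1; comments and blank lines cost nothing."""
    return sum(1 for r in rules if r.strip() and not r.lstrip().startswith("#"))


def rule_group_requests(prefix: str) -> list[dict[str, Any]]:
    """CreateRuleGroup payloads. Capacity cannot be changed after creation, so
    request more than the current cost to leave room for future rules."""
    stateless = [
        # inbound admin ports to the VPC from anywhere: drop before the stateful engine
        stateless_rule(10, "aws:drop", destinations=HOME_NET, protocols=[6], dest_ports=[22, 3389]),
        # bogus SYN+FIN packets never belong to a real connection
        stateless_rule(20, "aws:drop", protocols=[6], tcp_flags=["SYN", "FIN"]),
    ]
    return [
        {"RuleGroupName": f"{prefix}-stateless", "Type": "STATELESS",
         "Capacity": stateless_capacity(stateless) + 20,
         "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": stateless}}}},
        {"RuleGroupName": f"{prefix}-stateful", "Type": "STATEFUL",
         "Capacity": suricata_capacity(SURICATA_RULES) + 50,
         "RuleGroup": {"RuleVariables": {"IPSets": {"HOME_NET": {"Definition": HOME_NET}}},
                       "RulesSource": {"RulesString": "\n".join(SURICATA_RULES)},
                       "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"}}},
    ]


def deploy_rule_groups(nf, requests) -> dict[str, str]:
    """Create each rule group and return name -> ARN for use in the firewall policy."""
    return {req["RuleGroupName"]: nf.create_rule_group(**req)["RuleGroupResponse"]["RuleGroupArn"]
            for req in requests}


if __name__ == "__main__":
    import boto3  # imported here so the builders above run without AWS credentials
    print(deploy_rule_groups(boto3.client("network-firewall"), rule_group_requests("demo")))
```

Because the stateful group is created with STRICT_ORDER, it can only be referenced from a policy that also uses strict order; the pass rules for allowlisted SNI must stay above the catch-all drop, since the first match wins.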

Step 3: Create a Firewall Policy

A firewall policy combines one or more rule groups with default actions and specifies how traffic should be inspected and filtered. Stateless rule groups are evaluated first; packets they pass or drop never reach the stateful engine.

  1. Create a Firewall Policy:
    • Navigate to the "Firewall policies" section in the Network Firewall console.
    • Click on "Create firewall policy."
  2. Define Policy Settings:
    • Provide a name and description for the firewall policy.
    • Add the stateless rule groups you created in the previous step and give each a priority. Then set the stateless default actions for packets (and, separately, for fragments) that no stateless rule matched. For a policy that actually inspects traffic this is "Forward to stateful rule groups"; a default of "Pass" bypasses the stateful engine entirely.
    • Add the stateful rule groups. With strict order, give each a priority (lower is evaluated first) and set the stateful default actions for traffic no rule matched. If your pass rules key on the TLS SNI or HTTP Host header, choose aws:drop_established (with aws:alert_established to log it) rather than aws:drop_strict, because those fields are only visible after the TCP handshake has completed.
  3. Save the Policy:
    • Review the policy settings and click "Create firewall policy."

Step 4: Associate the Firewall Policy with the Firewall

  1. Associate the Policy:
    • Navigate to the "Firewalls" section in the Network Firewall console.
    • Select the firewall you created in Step 1 and open its details.
    • Under the associated firewall policy, choose "Edit" and select the policy you created in Step 3. This replaces the policy the firewall was created with.
  2. Apply the Policy:
    • Confirm the change. If firewall policy change protection is enabled on the firewall, disable it first and re-enable it afterwards. The new policy takes effect once the firewall reports its configuration as in sync in every Availability Zone.

Step 5: Testing and Monitoring

  1. Route Traffic Through the Firewall:
    • The firewall only sees traffic whose route tables point at its endpoints. For the common egress layout, set the protected subnets' default route (0.0.0.0/0) to the firewall endpoint in the same Availability Zone, and add an ingress route table on the internet gateway that sends return traffic for each protected subnet back through that same endpoint, so both directions of a flow pass through one engine. Until this is done the rules have no effect.
  2. Test the Firewall:
    • From an instance in a protected subnet, generate traffic that each rule should pass, drop or alert on (for example curl to an allowlisted and to a non-allowlisted hostname, ssh to an external host) and confirm the result matches the rule.
  3. Monitor the Firewall:
    • Read the alert logs (one record per match of a stateful rule whose action is alert or drop, carrying the rule's sid and msg) and the flow logs in Amazon CloudWatch Logs, S3 or Kinesis Data Firehose. The firewall's CloudWatch metrics (for example DroppedPackets and PassedPackets) show whether traffic is reaching it at all.
    • Adjust rules and policies as needed to refine your security posture.
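The remaining steps done against the API, as an added example that is not part of the original post: building the policy, creating the firewall, turning on logging, deriving the routes from the firewall's endpoints, and summarising the alert log. It is Python with boto3; the rule-group ARNs, VPC, subnet and route-table IDs and log-group names are placeholders, the `nf` and `ec2` arguments are boto3 clients (or stubs), and the alert records at the bottom are constructed samples shaped like the CloudWatch ALERT stream, not real logs.

```python
"""Policy, firewall, logging, routing and alert-log triage for the firewall.
Added example, not code from the original post: ARNs, IDs, subnets, route
tables and log-group names are placeholders; `nf` and `ec2` are boto3 clients.
"""
import json
from typing import Any


def build_policy_request(name: str, stateless_arn: str, stateful_arn: str) -> dict[str, Any]:
    """CreateFirewallPolicy payload. Stateless rules run first; whatever they do not
    decide is forwarded to the stateful engine. STRICT_ORDER evaluates stateful rule
    groups by Priority with first-match-wins. The stateful default actions cover
    traffic no rule matched: drop_established (not drop_strict) lets the TCP
    handshake complete so SNI/Host-based pass rules get to see the request."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 10}],
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": stateful_arn, "Priority": 1}],
            "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
            "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"],
        },
    }


def create_firewall(nf, name: str, policy_arn: str, vpc_id: str, firewall_subnet_ids) -> str:
    """CreateFirewall requires a policy ARN up front and one dedicated subnet per AZ
    to protect. The protection flags block accidental policy/subnet changes and
    deletion; switch them off deliberately when you need to change those."""
    resp = nf.create_firewall(
        FirewallName=name, FirewallPolicyArn=policy_arn, VpcId=vpc_id,
        SubnetMappings=[{"SubnetId": s} for s in firewall_subnet_ids],
        DeleteProtection=True, FirewallPolicyChangeProtection=True, SubnetChangeProtection=True,
    )
    return resp["Firewall"]["FirewallArn"]


def logging_configuration(log_group_prefix: str) -> dict[str, Any]:
    """UpdateLoggingConfiguration payload: alert and flow logs to CloudWatch Logs
    (S3 and KinesisDataFirehose are the other destination types)."""
    return {"LogDestinationConfigs": [
        {"LogType": t, "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": f"{log_group_prefix}/{t.lower()}"}}
        for t in ("ALERT", "FLOW")]}


def endpoint_ids_by_az(describe_firewall_resp: dict[str, Any]) -> dict[str, str]:
    """AZ -> firewall endpoint (vpce-...) from DescribeFirewall. Nothing is inspected
    until route tables send traffic to these endpoints."""
    states = describe_firewall_resp["FirewallStatus"]["SyncStates"]
    return {az: s["Attachment"]["EndpointId"] for az, s in states.items()}


def route_plan(endpoints: dict[str, str], protected: dict[str, tuple[str, str]], igw_rtb_id: str):
    """(route table, destination CIDR, endpoint) triples for the usual egress layout:
    each protected subnet's default route goes to its own AZ's endpoint, and the
    internet gateway's ingress route table returns traffic for each protected CIDR
    through that same endpoint, so both directions of a flow hit one engine."""
    plan = []
    for az, (rtb_id, cidr) in protected.items():
        plan.append((rtb_id, "0.0.0.0/0", endpoints[az]))
        plan.append((igw_rtb_id, cidr, endpoints[az]))
    return plan


def apply_routes(ec2, plan) -> None:
    for rtb_id, cidr, vpce in plan:
        ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr, VpcEndpointId=vpce)


def summarize_alerts(log_lines) -> dict[tuple[str, str, int], int]:
    """Count ALERT log records by (signature, action, dest port); each record is the
    Suricata EVE alert wrapped in firewall metadata."""
    counts: dict[tuple[str, str, int], int] = {}
    for line in log_lines:
        ev = json.loads(line)["event"]
        if ev.get("event_type") != "alert":
            continue
        key = (ev["alert"]["signature"], ev["alert"]["action"], int(ev["dest_port"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


def _rec(signature: str, sid: int, action: str, dest_port: int) -> str:
    """One constructed alert record (sample data, not a real log line)."""
    return json.dumps({"firewall_name": "demo", "availability_zone": "us-east-1a",
                       "event_timestamp": "1700000000",
                       "event": {"timestamp": "2023-11-14T22:13:20.000000+0000", "event_type": "alert",
                                 "src_ip": "10.0.1.10", "src_port": 51234, "dest_ip": "203.0.113.5",
                                 "dest_port": dest_port, "proto": "TCP",
                                 "alert": {"action": action, "signature_id": sid, "rev": 1,
                                           "signature": signature, "severity": 3}}})


SAMPLE_ALERTS = [_rec("outbound SSH blocked", 1000004, "blocked", 22),
                 _rec("outbound SSH blocked", 1000004, "blocked", 22),
                 _rec("cleartext HTTP egress", 1000005, "allowed", 80)]
```

The order of operations matters: create the policy, create the firewall with that policy ARN, wait until DescribeFirewall shows every Availability Zone in sync, and only then read the endpoint IDs and write the routes. Writing a default route to an endpoint that is still being provisioned blackholes the subnet.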

Conclusion

Setting up AWS Network Firewall with custom rules provides a robust solution for securing your VPC environments. By defining and enforcing tailored security policies, you can protect your applications from various network threats and ensure compliance with security standards. Follow the steps outlined in this guide to configure AWS Network Firewall and create custom rules that meet your specific requirements. With AWS Network Firewall, you can enhance the security and visibility of your network traffic, helping to safeguard your AWS infrastructure.

SecOps Solution is a Full-stack Patch and Vulnerability Management Platform that helps organizations identify, prioritize, and remediate security vulnerabilities and misconfigurations in seconds.

To learn more, get in touch.
