In MNCs, we have separate Network and Security teams, which is good, by the way. They have the proper tooling to block incoming or outgoing traffic: they set up a firewall on their side, which helps them establish a Network Control Centre.
But managing such a firewall is neither easy nor cheap, because you have to purchase a license, and to maintain it you need SMEs for that particular firewall. To overcome all these issues we now have a managed service for this: AWS Firewall (AWS Network Firewall).
SO WHAT WERE THE REQUIREMENTS THAT MADE ME DEEP-DIVE INTO THIS?
- We need to block some public URLs in our egress traffic.
- We want to do so with a managed service.
- It should be quite easy to implement.
- No hustle and bustle should be required to set up and maintain the firewall.
- It should be a centralized service with control over your multiple accounts, i.e. it would be treated as a single network control point for multiple accounts.
So, to fulfill all these requirements, the first fully managed service that came to my mind was AWS Firewall.
Well, don’t be afraid: this document may look difficult, but it is quite easy to implement. So let’s start.
BASIC REQUIREMENTS:
- AWS Account
- Basic knowledge of creating VPCs, subnets, EC2 instances and a Transit Gateway
- Please read the first blog, Transit Gateway Setup on AWS
THE DIAGRAM USES SOME BASIC TERMS:
Hub VPC: the VPC in which your Transit Gateway resides
Spoke VPC: your VPC whose traffic has to be exposed to the firewall
Availability Zones: the isolated locations (within a region) in which you have placed your VPC’s subnets
VPC: a Virtual Private Cloud is like your own data center
Public/Private subnet: public subnets are exposed to the Internet; private subnets are not
NAT/Internet Gateway: these are like your routers, helping you connect to the outside world
WE WILL DO THE IMPLEMENTATION IN 4 STEPS:
First, we will set up the Transit Gateway:
Click on Create Transit Gateway: enter a NAME > enter a DESCRIPTION > CREATE TRANSIT GATEWAY
Now create two ROUTE TABLES:
- FIREWALL-ROUTE-TABLE
- SPOKE-ROUTE-TABLE
Now create a TGW attachment for the VPC that you want to peer.
If you want to peer a VPC in a different account, you just need to share the Transit Gateway with that account and create a new attachment from that account.
For more information, refer to this blog: transit gateway
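The Transit Gateway step above, written as Terraform so that the route-table layout is explicit and reviewable. This is an added example, not code from the original post or from Opstree: the VPC/subnet IDs, CIDRs and the account number are placeholders I have assumed, and the TGW default route table is disabled so that no attachment can silently bypass the SPOKE/FIREWALL tables.

```hcl
# Added example, not code from the original post. All IDs, CIDRs and the
# account number below are placeholders (assumptions); replace them.
locals {
  spoke_vpc_id              = "vpc-0spoke00000000000"                                   # placeholder
  spoke_vpc_cidr            = "10.1.0.0/16"                                             # placeholder
  spoke_tgw_subnet_ids      = ["subnet-0spokeA000000000", "subnet-0spokeB000000000"]    # placeholder, one tgw-subnet per AZ
  inspection_vpc_id         = "vpc-0inspect0000000000"                                  # placeholder
  inspection_tgw_subnet_ids = ["subnet-0inspA0000000000", "subnet-0inspB0000000000"]    # placeholder, one per AZ
  spoke_account_id          = "111122223333"                                            # placeholder account to share with
}

resource "aws_ec2_transit_gateway" "hub" {
  description = "Hub TGW for centralized egress inspection"
  # No default route table: every attachment must be associated explicitly
  # with SPOKE or FIREWALL below, so nothing routes around the firewall.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  auto_accept_shared_attachments  = "enable" # lets the shared account attach
  tags = { Name = "hub-tgw" }
}

resource "aws_ec2_transit_gateway_route_table" "firewall" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "FIREWALL-ROUTE-TABLE" }
}

resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "SPOKE-ROUTE-TABLE" }
}

# Attachment for the Spoke VPC (one tgw-subnet per AZ, as the post describes).
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = local.spoke_vpc_id
  subnet_ids                                      = local.spoke_tgw_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "spoke-attachment" }
}

# Attachment for the Inspection VPC. Appliance mode keeps both directions of a
# flow in the same AZ, so the stateful firewall sees the whole connection.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = local.inspection_vpc_id
  subnet_ids                                      = local.inspection_tgw_subnet_ids
  appliance_mode_support                          = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "inspection-attachment" }
}

# Spoke attachment -> SPOKE-ROUTE-TABLE, inspection attachment -> FIREWALL-ROUTE-TABLE.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.firewall.id
}

# Everything a spoke sends to the TGW goes to the Inspection VPC first ...
resource "aws_ec2_transit_gateway_route" "spoke_default_to_inspection" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# ... and the return path from the firewall side back to the spoke CIDR.
resource "aws_ec2_transit_gateway_route" "firewall_return_to_spoke" {
  destination_cidr_block         = local.spoke_vpc_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.firewall.id
}

# Cross-account case from the post: share the TGW via AWS RAM; the other
# account then creates its own attachment against this TGW.
resource "aws_ram_resource_share" "tgw" {
  name                      = "hub-tgw-share"
  allow_external_principals = true
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "spoke_account" {
  principal          = local.spoke_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
```

Two things to check after `terraform apply`: because the default route table is disabled, an attachment created from the shared account is not in any route table until you associate it with SPOKE-ROUTE-TABLE (and add its CIDR to FIREWALL-ROUTE-TABLE), so a forgotten association fails closed rather than bypassing inspection; and the 0.0.0.0/0 route of FIREWALL-ROUTE-TABLE towards the Central Egress VPC is added only once that VPC and its attachment exist in the next step.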
THE NEXT STEP IS THE CONFIGURATION OF YOUR HUB/SPOKE/INSPECTION VPCs
Note: we will not discuss the creation of VPCs here. For VPC creation, refer to this AWS documentation:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/gsg_create_vpc.html
Creation of the Spoke VPC:
As mentioned earlier, Spoke VPCs are those whose traffic has to be filtered through the firewall. You can use your existing VPC or create a new one, with a tgw-subnet in each Availability Zone.
Now create the Inspection VPC:
The Inspection VPC is the one in which you will have your firewall setup.
The Inspection VPC will have a subnet named TGW subnet.
Now create the Central Egress VPC:
The Central Egress VPC forwards the traffic that has already been filtered by the Inspection (Firewall) VPC.
The Central Egress VPC will have:
- TGW Subnet / Public Subnet
- NAT Gateway
- Internet Gateway
After setting up the Transit Gateway and the 3 VPCs, we move on to our third step, the setup of the firewall.
Firewall setup is easy; we will follow a bottom-up approach:
FIREWALL RULES –> FIREWALL POLICY –> FIREWALL
We will first set up the rules.
Go to AWS Firewall > select Firewall Rules
Choose the action RULE GROUP TYPE > Forward to stateful groups
Choose the Stateful Group option > DOMAIN LIST
Select Stateful Rule Order > Strict
Now create the rule group:
Group Name: Opstree
Capacity: 10000
List the domains you want to allow
Choose the rule action ALLOW
Traffic to inspect: HTTP/HTTPS
Under Source IP type you can also choose the source IPs from which traffic is allowed to go through the firewall; here you can enter your VPC ranges.
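The FIREWALL RULES -> FIREWALL POLICY -> FIREWALL procedure above as Terraform, added here as an example (not the post's or Opstree's own code). It assumes placeholder domains, spoke CIDRs, and a dedicated firewall subnet per AZ in the Inspection VPC (the post only names the TGW subnet), and it adds two things the console steps above do not mention: a stateful default action that drops whatever the allowlist did not pass, and alert logging to CloudWatch so that dropped egress flows are visible.

```hcl
# Added example, not the post's own code. Domains, CIDRs, VPC and subnet IDs
# are placeholders (assumptions); the firewall subnets are assumed to exist
# in the Inspection VPC, one per AZ, separate from the TGW subnet.
locals {
  inspection_vpc_id   = "vpc-0inspect0000000000"                               # placeholder
  firewall_subnet_ids = ["subnet-0fwA000000000000", "subnet-0fwB000000000000"] # placeholder, one per AZ
  spoke_cidrs         = ["10.1.0.0/16", "10.2.0.0/16"]                         # placeholder "Source IPs" (your VPC ranges)
  allowed_domains     = [".amazonaws.com", "example.com"]                      # placeholder allowlist
}

# Step 1: stateful DOMAIN LIST rule group "Opstree", capacity 10000, strict order.
resource "aws_networkfirewall_rule_group" "opstree" {
  name     = "Opstree"
  type     = "STATEFUL"
  capacity = 10000

  rule_group {
    # The post's "Source IPs": the generated domain rules only inspect traffic
    # whose source is in HOME_NET. In a central Inspection VPC the default
    # HOME_NET is the Inspection VPC's own CIDR, so the spoke ranges must be
    # set explicitly or spoke traffic is never matched.
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set { definition = local.spoke_cidrs }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"              # ALLOW the listed domains
        target_types         = ["HTTP_HOST", "TLS_SNI"] # inspect HTTP Host header and HTTPS SNI
        targets              = local.allowed_domains    # leading "." also matches subdomains
      }
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}

# Step 2: firewall policy that references the rule group.
resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "central-egress-policy"
  firewall_policy {
    # Hand every packet (and fragments) to the stateful engine.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    # Strict order allows a stateful default: flows no rule passed are dropped
    # and alerted on, so the allowlist is enforced rather than advisory.
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.opstree.arn
    }
  }
}

# Step 3: the firewall itself, one endpoint per firewall subnet in the Inspection VPC.
resource "aws_networkfirewall_firewall" "inspection" {
  name                = "inspection-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  vpc_id              = local.inspection_vpc_id
  dynamic "subnet_mapping" {
    for_each = toset(local.firewall_subnet_ids)
    content { subnet_id = subnet_mapping.value }
  }
  # Guard rails against accidental deletion or a silent policy/subnet swap.
  delete_protection                 = true
  firewall_policy_change_protection = true
  subnet_change_protection          = true
}

# Alert logs: every dropped or alerted flow (including denied domains) lands in CloudWatch.
resource "aws_cloudwatch_log_group" "fw_alerts" {
  name              = "/aws/network-firewall/inspection/alert"
  retention_in_days = 30
}

resource "aws_networkfirewall_logging_configuration" "inspection" {
  firewall_arn = aws_networkfirewall_firewall.inspection.arn
  logging_configuration {
    log_destination_config {
      log_destination      = { logGroup = aws_cloudwatch_log_group.fw_alerts.name }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
  }
}
```

After `terraform apply`, the firewall endpoints appear as VPC endpoint IDs in the Inspection VPC; the TGW subnet route tables there must send 0.0.0.0/0 to the endpoint in the same AZ, and the firewall subnets must route back to the TGW, otherwise traffic arrives at the Inspection VPC but never passes through the firewall. The ALERT log group is the quickest way to confirm the allowlist is working: a request from a spoke to a domain that is not listed shows up there as a drop.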
You can find more information about AWS Firewall in the AWS documentation.