Mystique Unicorn App is looking to deploy a firewall that should allow or drop traffic based on customizable rules. The team is looking for your help to achieve this. Can you help them?
Up until very recently, network prevention has been quite limited,
- Create Security Groups to limit various types of layer 3 and 4 traffic
- or Create Network Access Control Lists (NACL) to limit layer 3 and 4 traffic
- or Route traffic through a custom network appliance running as an EC2 instance
This is not enough in many use-cases, You also want the ability to take action based on the payload. The recently launched AWS Network Firewall1 provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names. At launch you have the following capabilities.
- Allow or Deny based on source IP and/or port, destination IP and/or port, and protocol (also known as 5-tuple)
- Allow or Deny based upon domain names
- Allow or Deny based upon Suricata-compatible IPS rules
In this demo, We will build a architecture, similar to the one shown above. We will start backwards so that all the dependencies are satisfied.
-
This demo, instructions, scripts and cloudformation template is designed to be run in
us-east-1
. With few modifications you can try it out in other regions as well(Not covered here).- 🛠 AWS CLI Installed & Configured - Get help here
- 🛠 AWS CDK Installed & Configured - Get help here
- 🛠 Python Packages, Change the below commands to suit your OS, the following is written for amzn linux 2
- Python3 -
yum install -y python3
- Python Pip -
yum install -y python-pip
- Virtualenv -
pip3 install virtualenv
- Python3 -
-
-
Get the application code
git clone https://github.com/miztiik/url-filtering-with-nw-firewall cd url-filtering-with-nw-firewall
-
-
We will use
cdk
to make our deployments easier. Lets go ahead and install the necessary components.# You should have npm pre-installed # If you DONT have cdk installed npm install -g aws-cdk # Make sure you in root directory python3 -m venv .venv source .venv/bin/activate pip3 install -r requirements.txt
The very first time you deploy an AWS CDK app into an environment (account/region), you’ll need to install a
bootstrap stack
, Otherwise just go ahead and deploy usingcdk deploy
.cdk bootstrap cdk ls # Follow on screen prompts
You should see an output of the available stacks,
url-filtering-with-nw-firewall-vpc-stack url-filtering-with-nw-firewall-stack secured-workload-on-ec2-stack
-
Let us walk through each of the stacks,
-
Stack: url-filtering-with-nw-firewall-vpc-stack
This stack will create an custom VPC to host our firewall and test workload.
Initiate the deployment with the following command,
cdk deploy url-filtering-with-nw-firewall-vpc-stack
-
Stack: url-filtering-with-nw-firewall-stack
This stack will the network firewall in the firewall subnet. We will do create stateful rules as they offer better control. We will forward all stateless traffic to through the stateful rules. This way all traffic flow through our rule set.
This stack will create
3
rules,ALLOW-For-Domains
- This rule will allows traffic only to these two domains"aws.com", "google.com"
from the workloads in the VPC.DENY-For-Domains
- This rule will denies traffic to these two domains".example.com",".modi-am-i.com"
from the workloads in the VPC.DENY-On-Url
- Any traffic to with textdeny_test
in the url will be denied. NOTE: - This rule is not attached to the firewall, we will later add this during our testing phase.
Initiate the deployment with the following command,
cdk deploy url-filtering-with-nw-firewall-stack
After successfully deploying the stack, Check the
Outputs
section of the stack. You will find theNetworkFirewallEndpoints
that does traffic routing between subnets. -
Stack: secured-workload-on-ec2-stack
This stack deploys a simple EC2 instance that also runs a webserver with two webpages - One for
/
page anddeny_test
page. You can also login to the instance using SSM Session Manager2.Initiate the deployment with the following command,
cdk deploy secured-workload-on-ec2-stack
After successfully deploying the stack, Check the
Outputs
section of the stack. You will find thePublicWorkloadInstance
instance id and theWebServerUrl
.
-
-
- Use the
WebServerUrl
from the previous stack on your browser. You should be able to access the/
page and also thedeny_test
page. Make sure to usehttp
and nothttps
as the webserver is not configured with any certificates. For examplehttp://34.232.95.57
andhttp://34.232.95.57/deny_test
- Now login to the EC2 instance using SSM Session Manager2
- Try to access the allowed and denied domains
curl aws.com curl google.com curl example.com
You will notice that the first two requests were successful, whereas the last two were blocked by the firewall. Now let try to add the
DENY-On-Url
to our firewall.- Goto VPC Service > Network Firewalls >
url-filtering-with-nw-firewall-stack
- Under Stateful rule groups > Add rule groups > Add stateful rule groups to the firewall policy
- Select
DENY-On-Url
> Add stateful rule group
Now try to access the
deny_test
page in your browser, preferably in private mode to avoid fetching locally cached page, Your request should time outNow lets check our logs to see why our traffic was blocked. You can notice that the request does matches our deny FQDN rule and the traffic was blocked.
If you poke around the logs, you will also find the logs for deny_test url. This request has the custom error message that we added in the deny rule -
Miztiik drop tcp traffic
- Use the
-
Here we have demonstrated how to use network firewall to allow of deny request based on the domain names. The firewall also gives us the ability to deny request to unsecure urls as well.
-
If you want to destroy all the resources created by the stack, Execute the below command to delete the stack, or you can delete the stack from console as well
- Resources created during Deploying The Application
- Delete CloudWatch Lambda LogGroups
- Any other custom resources, you have created for this demo
# Delete from cdk cdk destroy # Follow any on-screen prompts # Delete the CF Stack, If you used cloudformation to deploy the stack. aws cloudformation delete-stack \ --stack-name "MiztiikAutomationStack" \ --region "${AWS_REGION}"
This is not an exhaustive list, please carry out other necessary steps as maybe applicable to your needs.
This repository aims to show how to use network firewall to new developers, Solution Architects & Ops Engineers in AWS. Based on that knowledge these Udemy course #1, course #2 helps you build complete architecture in AWS.
Thank you for your interest in contributing to our project. Whether it is a bug report, new feature, correction, or additional documentation or solutions, we greatly value feedback and contributions from our community. Start here
Buy me a coffee ☕.
Level: 300