Tuesday, November 18, 2025

AWS Network Firewall | Overview.


An Overview of AWS Network Firewall (NFW).

Scope:

  •        Architecture
  •        Features
  •        Traffic flow
  •        Advanced configurations

Breakdown:

  •        Overview of AWS Network Firewall
  •        Key Concepts
  •        Traffic Flow in AWS Network Firewall
  •        Stateful vs Stateless Rules
  •        Advanced Use Cases
  •        Architectural Diagram (Text Version)
  •        Best Practices

1. Overview of AWS Network Firewall

AWS Network Firewall is a managed, stateful network firewall service for VPCs. It provides:

  •         Layer 3–7 protections (IP, port, protocol, domain, HTTP/S, DNS)
  •         Stateful inspection (keeps track of connection state)
  •         Stateless rules (fast, simple filtering for high-volume traffic)
  •         Integration with threat intelligence feeds
  •         Centralized logging to CloudWatch, Kinesis, or S3
  •         Fine-grained controls to meet regulatory and security requirements

It’s typically used in:

  •         Perimeter defense (ingress/egress filtering)
  •         East-West traffic control (between VPCs or subnets)
  •         Advanced security enforcement (blocking malicious domains, intrusion prevention, or specific protocols)

2. Key Concepts

a) Firewalls and Rule Groups

  •         Firewall: The main resource. Each firewall has:
    •    One VPC association (traffic from multiple VPCs can be routed through it via Transit Gateway)
    •    Subnets for firewall endpoints (one per Availability Zone)
  •         Rule Groups: Logical collections of rules.
    •    Stateless rule groups: High-performance, evaluated before stateful rules.
      •    Sample: simple IP allow/deny, port filtering
    •    Stateful rule groups: Maintain connection state.
      •    Sample: allow HTTP responses for previously allowed requests
  •         Rule Group Types:
    •    Suricata-compatible rules for stateful inspection (IDS/IPS-like)
    •    Domain list inspection
    •    IP set matching
    •    Custom rules
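To make the rule group types above concrete, here is an added example (not code from the original post) that builds the three kinds of rule group body locally and sanity-checks them before they would be sent to AWS. The dictionaries follow the RuleGroup structure that boto3's network-firewall create_rule_group call accepts (RulesSource, RuleVariables, StatefulRuleOptions) as I understand it, so verify field names against the current API reference; the CIDRs, domains, ports, rule names and sids are constructed sample values, and nothing in the block talks to AWS.

```python
"""Build AWS Network Firewall rule-group bodies locally and sanity-check them.

Added example, not code from the original post. The dictionaries follow the
RuleGroup structure that boto3's network-firewall create_rule_group call
takes (assumed layout; check the API reference). All CIDRs, domains, ports,
rule names and sids are constructed sample values; nothing here calls AWS.
"""
import ipaddress
import re

# Actions a stateless rule may carry; aws:forward_to_sfe hands the packet to
# the stateful engine, which is how a stateless group "forwards" traffic.
STATELESS_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
SID_RE = re.compile(r"\bsid:\s*\d+;")


def stateless_rule(priority, action, sources, destinations, protocols, dest_ports=()):
    """One stateless rule: 5-tuple match attributes plus a single action."""
    if action not in STATELESS_ACTIONS:
        raise ValueError(f"unsupported stateless action {action!r}")
    for cidr in list(sources) + list(destinations):
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    match = {
        "Sources": [{"AddressDefinition": c} for c in sources],
        "Destinations": [{"AddressDefinition": c} for c in destinations],
        "Protocols": list(protocols),  # IANA protocol numbers, e.g. 6 = TCP
    }
    if dest_ports:
        match["DestinationPorts"] = [{"FromPort": lo, "ToPort": hi} for lo, hi in dest_ports]
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": match, "Actions": [action]}}


def stateless_rule_group(rules):
    """Wrap stateless rules in a RuleGroup body. Priorities must be unique
    because the engine evaluates them in priority order, first match wins."""
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("stateless rule priorities must be unique")
    ordered = sorted(rules, key=lambda r: r["Priority"])
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": ordered}}}


def domain_list_rule_group(domains, home_net):
    """Stateful domain-list group: deny the listed domains when they appear as
    an HTTP Host header or a TLS SNI from HOME_NET (a leading dot matches
    subdomains as well)."""
    for cidr in home_net:
        ipaddress.ip_network(cidr)
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net)}}},
        "RulesSource": {"RulesSourceList": {
            "Targets": list(domains),
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "DENYLIST",
        }},
    }


def suricata_rule_group(rules, home_net, rule_order="STRICT_ORDER"):
    """Stateful group built from Suricata-compatible rule strings. Every rule
    needs its own sid; a missing or duplicated sid is caught here instead of
    at deploy time."""
    sids = []
    for rule in rules:
        m = SID_RE.search(rule)
        if not m:
            raise ValueError(f"rule without sid: {rule}")
        sids.append(m.group(0))
    if len(sids) != len(set(sids)):
        raise ValueError("duplicate sid in Suricata rules")
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net)}}},
        "RulesSource": {"RulesString": "\n".join(rules)},
        "StatefulRuleOptions": {"RuleOrder": rule_order},
    }


def sample_rule_groups():
    """Constructed sample: a stateless block list, a domain deny list and a
    small Suricata egress policy, returned as the three RuleGroup bodies."""
    stateless = stateless_rule_group([
        stateless_rule(10, "aws:drop", ["203.0.113.0/24"], ["0.0.0.0/0"], [6, 17]),
        stateless_rule(20, "aws:forward_to_sfe", ["0.0.0.0/0"], ["10.0.0.0/16"], [6],
                       dest_ports=[(80, 80), (443, 443)]),
    ])
    domains = domain_list_rule_group([".bad-example.test", "tracker.example"], ["10.0.0.0/16"])
    suricata = suricata_rule_group([
        'drop tcp $HOME_NET any -> any 23 (msg:"Telnet egress blocked"; sid:1000001; rev:1;)',
        'alert tcp $HOME_NET any -> any 3389 (msg:"RDP egress seen"; sid:1000002; rev:1;)',
    ], ["10.0.0.0/16"])
    return stateless, domains, suricata
```

The checks are deliberately the ones that fail late and expensively in practice: a stateless group with duplicate priorities, an unparsable CIDR, or a Suricata rule without a sid is rejected by the service only when the rule group is created or updated, so catching them in a pre-deployment step keeps the failure in staging rather than in a production update.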

b) Logging

  •         Firewall logs capture:
    •    Alert logs (intrusion/blocked events)
    •    Flow logs (accepted/denied traffic)
    •    DNAT/SNAT logs for stateful inspection
  •         Log destinations:
    •    Amazon S3
    •    CloudWatch Logs
    •    Kinesis Data Firehose for downstream processing

c) Threat Intelligence Integration

  •         twtech can ingest threat intelligence feeds:
    •    IP blacklists/whitelists
    •    Malicious domain lists
  •         AWS NFW can automatically block or alert on known malicious traffic.

3. Traffic Flow in AWS Network Firewall

Here’s a typical flow for ingress traffic (from the internet):

Internet → Internet Gateway → VPC Route Table → Firewall Endpoint → Firewall Rules

Detailed steps:

1.     Traffic enters via Internet Gateway (IGW)
2.     Routed to firewall endpoints in AZ subnets (NFW creates ENIs)
3.     Stateless rules evaluated first
    •    Drop or forward traffic
4.     Stateful rules evaluated
    •    Connection state tracked
    •    Can allow return traffic without re-evaluation
5.     Traffic forwarded to destination subnet
6.     Logging captures flow/alerts

NB:

For egress traffic, the path is similar but reversed.

Important:

  • NFW is deployed inline with routing, meaning twtech needs route table entries pointing to the firewall endpoint for traffic inspection.

4. Stateful vs Stateless Rules

Feature                 | Stateful                                      | Stateless
------------------------|-----------------------------------------------|--------------------------------
Connection Tracking     | Yes                                           | No
Directional Enforcement | Both inbound & outbound                       | Single-packet evaluation
Performance             | Moderate                                      | High
Use Case                | Complex protocol inspection, IDS/IPS          | High-speed filtering, IP blocks
Samples                 | Allow HTTP responses for established sessions | Block traffic from IP ranges
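The traffic-flow steps in section 3 and the comparison table above describe the same two-stage evaluation: stateless rules judge each packet on its own and either drop it or hand it to the stateful engine, and the stateful engine keeps a connection table so that return traffic of a permitted flow passes without re-matching rules. The following added example (my own model, not code from the post or from AWS) runs that sequence over a few constructed packets. The rule format, addresses and ports are invented for the example, and TCP flag tracking, rule variables and Suricata options are deliberately left out.

```python
"""Two-stage packet evaluation as AWS Network Firewall performs it.

Added example, not code from the post. Stateless rules run first (priority
order, first match wins, default action: hand the packet to the stateful
engine). The stateful engine keeps a direction-agnostic connection table, so
packets of an already permitted flow, including return traffic, pass without
being matched against rules again. Rules, addresses and ports are
constructed sample data; this is a simplified model, not the real engine.
"""
from dataclasses import dataclass
import ipaddress

FORWARD = "aws:forward_to_sfe"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def _matches(rule, pkt):
    """Shared 5-tuple match used by both engines."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule["dst"])
            and pkt.proto in rule["proto"]
            and (rule.get("dport") is None or pkt.dport == rule["dport"]))


def evaluate_stateless(pkt, rules, default=FORWARD):
    """Stateless engine: no memory, every packet is judged on its own."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, pkt):
            return rule["action"]
    return default


class StatefulEngine:
    """Stateful engine with a connection table keyed on both endpoints."""

    def __init__(self, rules, default="drop"):
        self.rules = rules
        self.default = default
        self.table = set()

    @staticmethod
    def _flow_key(pkt):
        # Both directions of a flow map to the same key, so the reply
        # (dst -> src) finds the entry that the request created.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def evaluate(self, pkt):
        key = self._flow_key(pkt)
        if key in self.table:
            return "pass"  # established flow: no rule re-evaluation
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule["action"] == "pass":
                    self.table.add(key)  # remember the flow for return traffic
                return rule["action"]
        return self.default


class Firewall:
    def __init__(self, stateless_rules, stateful_rules):
        self.stateless = stateless_rules
        self.sfe = StatefulEngine(stateful_rules)

    def process(self, pkt):
        """Returns (engine that decided, verdict)."""
        verdict = evaluate_stateless(pkt, self.stateless)
        if verdict != FORWARD:
            return ("stateless", verdict)
        return ("stateful", self.sfe.evaluate(pkt))


def sample_firewall():
    """Constructed policy: drop a noisy source range before stateful
    inspection, then permit only new HTTPS flows into the web subnet."""
    stateless = [
        {"priority": 10, "src": "203.0.113.0/24", "dst": "0.0.0.0/0",
         "proto": ("tcp", "udp"), "action": "aws:drop"},
    ]
    stateful = [
        {"src": "0.0.0.0/0", "dst": "10.0.1.0/24", "proto": ("tcp",),
         "dport": 443, "action": "pass"},
    ]
    return Firewall(stateless, stateful)


def demo():
    fw = sample_firewall()
    request = Packet("198.51.100.7", 50000, "10.0.1.10", 443, "tcp")
    reply = Packet("10.0.1.10", 443, "198.51.100.7", 50000, "tcp")
    return [
        fw.process(Packet("203.0.113.5", 4444, "10.0.1.10", 443, "tcp")),   # stateless drop
        fw.process(request),                                                # new flow: stateful pass
        fw.process(reply),                                                  # return traffic via the table
        fw.process(Packet("198.51.100.7", 50001, "10.0.1.10", 22, "tcp")),  # no rule: default drop
        fw.process(Packet("10.0.1.10", 22, "198.51.100.7", 50001, "tcp")),  # reply to a flow never allowed
    ]
```

The last two packets are the part worth studying: the reply from port 22 has the same 5-tuple shape as the HTTPS reply that passed, but it is dropped because no request ever created a table entry for it. That is the difference the table summarises as "connection tracking", and it is why return traffic needs no separate allow rule in a stateful group while a stateless group would need one for each direction.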

5. Advanced Use Cases

1.     East-West Traffic Filtering

  •    Inspect traffic between application subnets
  •    Enforce micro-segmentation

2.     DNS Filtering

  •    Stateful rules with domain list inspection
  •    Block known malicious domains

3.     Intrusion Detection

  •    Suricata-compatible rules for pattern matching

4.     Centralized Logging and SIEM Integration

  •    Feed alerts into Splunk, ELK, or Security Hub

5.     Integration with AWS Transit Gateway

  •    Scale firewall across multiple VPCs
  •    Centralize egress/ingress protection
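Use case 4 above and the logging section (2b) both end at the same place: alert records have to be parsed and normalised before a SIEM can count, correlate or alert on them. The following added example (my own code, not the post's or AWS's) reads alert-log records as JSON lines, flattens the nested Suricata EVE-style alert into flat ECS-like field names of this example's own choosing, and summarises actions, signatures and blocked domains. The three records are constructed samples whose layout is my assumption of NFW's alert-log shape, not copies of real firewall output.

```python
"""Turn AWS Network Firewall alert-log records into SIEM-ready events.

Added example, not code from the post. NFW writes alert logs as one JSON
object per record with the Suricata EVE-style alert nested under "event";
the records below are constructed samples in that assumed shape, and the
flattened field names are this example's own choice (ECS-like).
"""
import json
from collections import Counter

# Constructed sample log: two domain-list blocks and one Suricata alert.
SAMPLE_ALERT_LOG = r"""
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.1.25","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"blocked","signature_id":1,"rev":1,"signature":"matching TLS denylisted FQDNs","category":"","severity":1},"tls":{"sni":"evil.bad-example.test"}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.25","src_port":51001,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"blocked","signature_id":2,"rev":1,"signature":"matching HTTP denylisted FQDNs","category":"","severity":1},"http":{"hostname":"tracker.example","url":"/pixel.gif","http_method":"GET"}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1b","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.2.40","src_port":51002,"dest_ip":"198.51.100.9","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"RDP egress seen","category":"","severity":3}}}
"""


def normalize(record):
    """Flatten one NFW alert record into ECS-like fields; None if it is not an alert."""
    ev = record.get("event", {})
    if ev.get("event_type") != "alert":
        return None
    alert = ev.get("alert", {})
    # The domain the rule matched on lives under tls.sni or http.hostname,
    # depending on the protocol; Suricata-only alerts have neither.
    domain = ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname")
    return {
        "@timestamp": ev.get("timestamp"),
        "observer.name": record.get("firewall_name"),
        "cloud.availability_zone": record.get("availability_zone"),
        "source.ip": ev.get("src_ip"),
        "source.port": ev.get("src_port"),
        "destination.ip": ev.get("dest_ip"),
        "destination.port": ev.get("dest_port"),
        "network.transport": (ev.get("proto") or "").lower(),
        "event.action": alert.get("action"),
        "rule.id": alert.get("signature_id"),
        "rule.name": alert.get("signature"),
        "event.severity": alert.get("severity"),
        "destination.domain": domain,
    }


def parse_alert_log(text):
    """Parse JSON-lines alert output. Malformed lines are counted, not fatal,
    so one bad record does not stall the whole delivery stream."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        norm = normalize(record)
        if norm:
            events.append(norm)
    return events, malformed


def summarize(events):
    """Counts a SIEM dashboard would show first: verdicts, firing rules, blocked domains."""
    by_action = Counter(e["event.action"] for e in events)
    by_rule = Counter(e["rule.name"] for e in events)
    blocked_domains = sorted({e["destination.domain"] for e in events
                              if e["event.action"] == "blocked" and e["destination.domain"]})
    return {"by_action": dict(by_action), "by_rule": dict(by_rule),
            "blocked_domains": blocked_domains}


if __name__ == "__main__":
    parsed, bad = parse_alert_log(SAMPLE_ALERT_LOG)
    print(json.dumps(summarize(parsed), indent=2), "malformed:", bad)
```

The same function works whether the records arrive from an S3 object, a CloudWatch Logs subscription or a Kinesis Data Firehose batch, since all three carry the per-record JSON unchanged; only the outer transport differs. Keeping the malformed-line count as a metric rather than raising is deliberate: a rise in it is itself a signal that the log format or the delivery pipeline changed.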

6. Architectural Diagram (Text Version)

Optional: Transit Gateway integration for multi-VPC deployments.

7. Best Practices

  •         Deploy in all AZs for high availability
  •         Use stateless rules for high-volume IP blocks
  •         Stateful rules for application-level inspection
  •         Enable logging for compliance and alerting
  •         Integrate threat intelligence feeds regularly
  •         Test in staging before deploying to production
  •         Monitor firewall metrics with CloudWatch
