Tuesday, November 18, 2025

AWS Network Protection | Overview.



Scope:

  • Core Objective of AWS Network Protection,
  • Key AWS Services for Network Protection,
  • Traffic Flow Through AWS Network Protection,
  • Stateful vs Stateless Rules in Network Firewall,
  • Logging & Visibility (How AWS enables full observability),
  • Threat Intelligence Integration,
  • Recommended Architecture for Enterprise Network Protection (High-level flow),
  • Advanced Considerations.

1. Core Objective of AWS Network Protection

    •  AWS Network Protection is about securing the twtech cloud network from external and internal threats by ensuring traffic visibility.
    •  AWS Network Protection also means fine-grained control over network flows.
    •  AWS Network Protection combines:
      • Perimeter defenses
      • Internal segmentation
      • Threat intelligence

Key goals:

    • Prevent unauthorized access from internet to VPC (north-south traffic)
    • Control internal network segmentation within VPC (east-west traffic)
    • Detect and mitigate attacks (DDoS, malware, malicious IPs)
    • Centralize logging and monitoring for compliance / forensic purposes

2. Key AWS Services for Network Protection (Breakdown by purpose):

Purpose                  | AWS Service                               | Role in Network Protection
-------------------------|-------------------------------------------|------------------------------------------------------------------
Perimeter Firewall       | AWS Network Firewall                      | Stateful & stateless filtering, intrusion prevention, rule groups
Managed DDoS Protection  | AWS Shield (Standard & Advanced)          | Automatic protection against volumetric and protocol attacks
Web Application Firewall | AWS WAF                                   | Layer 7 protection, custom rules, bot mitigation
Route-level (DNS) control| AWS Route 53 Resolver DNS Firewall        | Prevents DNS-based exfiltration or command-and-control traffic
Traffic inspection       | VPC Traffic Mirroring                     | Captures traffic for inspection by IDS/IPS solutions
Threat Intelligence      | Amazon GuardDuty / threat intel feeds     | Detects anomalous traffic patterns, malware, and compromised instances
Monitoring & Logging     | CloudWatch, CloudTrail, VPC Flow Logs, S3 | Centralized logging, alerting, and auditing

3. Traffic Flow Through AWS Network Protection

  • Traffic flows can be divided into north-south (internet ↔ VPC) and east-west (within VPCs):

A. North-South Traffic

1. Internet → VPC

    •    Hits AWS Network Firewall or NAT Gateway
    •    Firewall applies stateless rules (fast packet-level filtering)
    •    Stateful rules inspect session-aware flows
    •    Threat intelligence lists block malicious IPs/domains
    •    Traffic goes to load balancers (if applicable) → EC2/ECS/EKS

2. VPC → Internet

    • Firewall ensures outbound traffic is allowed only to approved destinations
    • DNS Firewall prevents communication with malicious domains

B. East-West Traffic

    • Segmentation via subnets, security groups, NACLs
    • Optional Network Firewall in inspection VPCs for deep traffic inspection
    • Traffic Mirroring can capture suspicious flows to IDS/IPS

4. Stateful vs Stateless Rules in Network Firewall

Feature           | Stateless                                | Stateful
------------------|------------------------------------------|---------------------------------------------------
Packet inspection | Per-packet                               | Full session/connection awareness
Rule complexity   | Simple allow/deny                        | Complex inspection, regex, IP sets
Use case          | High-speed filtering, port/IP allowlists | Intrusion detection, protocol anomaly detection
Sample            | Block all traffic from known bad IPs     | Allow only HTTP sessions with proper TCP handshake
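The following is an added example (not code from the original post) that puts sections 3, 4 and 6 together: a stateless rule group that drops known-bad sources per packet and forwards the rest to the stateful engine, a stateful rule group whose Suricata-compatible rules use an IP set variable for threat-intel addresses and `flow:established` to allow HTTP only after a completed TCP handshake, and the firewall policy that joins the two. A small evaluator mimics the stateless engine's priority-ordered, first-match-wins decision so the difference between the two engines can be seen on sample packets. All CIDRs, rule-group names, priorities, sids and packets are constructed; the dictionary shapes follow the boto3 Network Firewall `create_rule_group` / `create_firewall_policy` request format.

```python
"""Added example: Network Firewall stateless vs stateful rules, with a local
stateless evaluator.  All addresses, names and sample packets are constructed."""
from ipaddress import ip_address, ip_network

# Constructed "known bad" sources, the kind of list a threat-intel feed supplies.
KNOWN_BAD_CIDRS = ["198.51.100.0/24", "203.0.113.7/32"]
PROTO_TCP = 6  # MatchAttributes.Protocols use IANA protocol numbers


def stateless_rule_group():
    """Stateless rule group: drop known-bad sources outright, forward the rest of the
    traffic for our VPC CIDR to the stateful engine.  Each packet is judged on its
    own; the lowest Priority number is evaluated first and the first match is final."""
    return {
        "RuleGroupName": "twtech-stateless-badips",  # assumed name
        "Type": "STATELESS",
        "Capacity": 100,
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
            {"Priority": 1, "RuleDefinition": {
                "MatchAttributes": {"Sources": [{"AddressDefinition": c} for c in KNOWN_BAD_CIDRS]},
                "Actions": ["aws:drop"]}},
            {"Priority": 10, "RuleDefinition": {
                "MatchAttributes": {"Destinations": [{"AddressDefinition": "10.0.0.0/16"}],
                                    "Protocols": [PROTO_TCP]},
                "Actions": ["aws:forward_to_sfe"]}},
        ]}}},
    }


# Stateful rules are Suricata-compatible and session aware: flow:established only
# matches once the TCP handshake has completed, something a per-packet rule cannot
# express.  $BAD_IPS is an IP set variable a threat-intel feed can refresh; $HOME_NET
# defaults to the VPC CIDR.  Constructed sids.
STATEFUL_RULES = "\n".join([
    'drop ip $BAD_IPS any -> any any (msg:"threat intel hit"; sid:1000001; rev:1;)',
    'pass tcp any any -> $HOME_NET 80 (flow:established,to_server; '
    'msg:"HTTP to web tier after handshake"; sid:1000002; rev:1;)',
])


def stateful_rule_group():
    """Stateful rule group carrying the IP set variable and the rules above."""
    return {
        "RuleGroupName": "twtech-stateful-inspection",  # assumed name
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"BAD_IPS": {"Definition": KNOWN_BAD_CIDRS}}},
            "RulesSource": {"RulesString": STATEFUL_RULES},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def firewall_policy(stateless_arn, stateful_arn):
    """Policy tying both engines together.  Unmatched packets leave the stateless
    stage for the stateful engine; aws:drop_established drops established flows no
    pass rule accepted while still letting handshake packets through, so the
    'HTTP only with a proper handshake' rule can actually be reached."""
    return {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": stateful_arn, "Priority": 1}],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_established"],
    }


def _matches(match_attrs, pkt):
    """Per-packet match against the address, port and protocol attributes present."""
    for key, field in (("Sources", "src"), ("Destinations", "dst")):
        if key in match_attrs:
            nets = [ip_network(a["AddressDefinition"]) for a in match_attrs[key]]
            if not any(ip_address(pkt[field]) in n for n in nets):
                return False
    for key, field in (("SourcePorts", "sport"), ("DestinationPorts", "dport")):
        if key in match_attrs:
            if not any(r["FromPort"] <= pkt[field] <= r["ToPort"] for r in match_attrs[key]):
                return False
    if "Protocols" in match_attrs and pkt["proto"] not in match_attrs["Protocols"]:
        return False
    return True


def stateless_verdict(rule_group, pkt, default_actions=("aws:forward_to_sfe",)):
    """Mimic the stateless engine: evaluate rules in ascending Priority, first match
    wins, and unmatched packets get the policy's StatelessDefaultActions."""
    rules = rule_group["RuleGroup"]["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["RuleDefinition"]["MatchAttributes"], pkt):
            return rule["RuleDefinition"]["Actions"][0]
    return default_actions[0]


if __name__ == "__main__":
    rg = stateless_rule_group()
    for pkt in ({"src": "198.51.100.10", "dst": "10.0.1.4", "sport": 4444, "dport": 443, "proto": 6},
                {"src": "192.0.2.5", "dst": "10.0.1.4", "sport": 5555, "dport": 80, "proto": 6}):
        print(pkt["src"], "->", stateless_verdict(rg, pkt))
```

Note that the "only after a handshake" requirement lives in the stateful rule plus the policy's `aws:drop_established` default, not in a stateless rule: a stateless rule has no notion of a session and would drop the SYN itself if asked to reject non-established traffic.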

5. Logging & Visibility (How AWS enables full observability):

    • VPC Flow Logs – network flow metadata
    • Network Firewall logs – alert, flow, and rule match logs
    • CloudWatch – metrics & alarms (e.g., denied packets, allowed traffic)
    • S3 or Kinesis Firehose – central log aggregation
    • GuardDuty findings – anomalies like port scanning or C2 connections
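As an added example (not code from the original post), here is what "visibility" looks like once the logs above land in S3 or CloudWatch: a parser for the default VPC Flow Logs format, a parser for Network Firewall alert log records, and three small analyses an on-call engineer wants when a denied-packets alarm fires: which sources are being rejected, which source is probing many distinct ports (the behaviour behind a GuardDuty port-scan finding), and which firewall rules fired and what they blocked. Every log line is constructed for this example; the flow-log layout is the 14-field default format and the alert record is the Suricata EVE `alert` event Network Firewall wraps under an `event` key.

```python
"""Added example: reading VPC Flow Logs and Network Firewall alert logs.
All log lines below are constructed for illustration."""
import json
from collections import Counter, defaultdict

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]

# Constructed VPC Flow Log lines: one source hitting many ports, one normal flow,
# and one NODATA record (no traffic in the window, all data fields are "-").
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.10 10.0.1.4 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.10 10.0.1.4 44322 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.10 10.0.1.4 44323 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.10 10.0.1.4 44324 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.25 10.0.1.4 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_flow_log_line(line):
    """Split one default-format flow log record into a dict; numeric fields become
    ints, and "-" (present on NODATA/SKIPDATA rows) becomes None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def rejected_by_source(lines):
    """Count REJECTed records per source address; rows without a verdict are skipped."""
    counts = Counter()
    for rec in map(parse_flow_log_line, lines):
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts


def probable_port_scanners(lines, min_distinct_ports=4):
    """A source whose rejected connections touch many distinct destination ports in
    one window looks like a port scan; flow logs are the evidence behind the
    equivalent GuardDuty finding.  Threshold is a constructed example value."""
    ports = defaultdict(set)
    for rec in map(parse_flow_log_line, lines):
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_distinct_ports)


# Constructed Network Firewall alert log records, one JSON object per line.
NFW_ALERT_LINES = [
    json.dumps({"firewall_name": "twtech-fw", "availability_zone": "us-east-1a",
                "event_timestamp": "1700000010",
                "event": {"timestamp": "2023-11-14T22:13:30.000000+0000", "flow_id": 1,
                          "event_type": "alert", "src_ip": "198.51.100.10", "src_port": 44330,
                          "dest_ip": "10.0.1.4", "dest_port": 80, "proto": "TCP",
                          "alert": {"action": "blocked", "signature_id": 1000001, "rev": 1,
                                    "signature": "threat intel hit", "category": "", "severity": 1}}}),
    json.dumps({"firewall_name": "twtech-fw", "availability_zone": "us-east-1a",
                "event_timestamp": "1700000020",
                "event": {"timestamp": "2023-11-14T22:13:40.000000+0000", "flow_id": 2,
                          "event_type": "alert", "src_ip": "192.0.2.25", "src_port": 51001,
                          "dest_ip": "10.0.1.4", "dest_port": 80, "proto": "TCP",
                          "alert": {"action": "allowed", "signature_id": 1000002, "rev": 1,
                                    "signature": "HTTP to web tier after handshake", "category": "",
                                    "severity": 3}}}),
]


def summarize_alerts(lines):
    """Aggregate alert records by (signature_id, action) and collect the sources whose
    traffic was blocked, which is the first thing to check when an alarm fires."""
    by_rule = Counter()
    blocked_sources = set()
    for line in lines:
        ev = json.loads(line)["event"]
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        by_rule[(alert["signature_id"], alert["action"])] += 1
        if alert["action"] == "blocked":
            blocked_sources.add(ev["src_ip"])
    return {"by_rule": dict(by_rule), "blocked_sources": sorted(blocked_sources)}


if __name__ == "__main__":
    print("rejected per source:", dict(rejected_by_source(FLOW_LOG_LINES)))
    print("probable scanners:", probable_port_scanners(FLOW_LOG_LINES))
    print("firewall alerts:", summarize_alerts(NFW_ALERT_LINES))
```

The same two parsers work unchanged on records pulled from S3 or Kinesis Firehose; if you enable a custom flow-log format, extend `FLOW_FIELDS` to match the fields you chose.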

6. Threat Intelligence Integration

    • AWS Network Firewall can integrate third-party threat intel feeds
    • GuardDuty automatically leverages AWS-managed threat intelligence
    • Examples:
      • Block IPs from known botnets
      • Block malware command-and-control servers
      • Block Tor (The Onion Router) exit nodes

7. Recommended Architecture for Enterprise Network Protection (High-level flow)

NB:

    • The above architecture provides layered protection:
      • Prevention (firewalls)
      • Detection (GuardDuty, flow logs)

8. Advanced Considerations

    • Multi-region deployments – replicate firewall rules and logging for global traffic
    • Automation – integrate with AWS Config, Lambda, or CloudFormation for auto-remediation
    • Zero Trust Networking – combine Network Firewall + PrivateLink + Service Control Policies
    • Integration with SIEM – feed CloudWatch and GuardDuty findings into SIEM tools like Splunk or Sumo Logic
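The "Automation" item above, as an added example (not code from the original post): a Lambda handler that receives a GuardDuty finding through EventBridge, extracts the remote IP, applies two guard rails (severity floor and never blocklisting the VPC's own private ranges), and appends the address to the `BAD_IPS` IP set of a Network Firewall stateful rule group so the firewall drops it rather than only reporting it. The rule-group ARN, finding contents and ids are constructed placeholders; the two boto3 network-firewall calls used, `describe_rule_group` and `update_rule_group`, are real, and `FakeNetworkFirewall` stands in for the client so the example runs offline (a real boto3 client is created only when none is injected).

```python
"""Added example: GuardDuty finding -> Network Firewall IP set auto-remediation.
ARN, finding contents and thresholds are constructed for illustration."""
import copy
import os
from ipaddress import ip_address, ip_network

RULE_GROUP_ARN = os.environ.get(  # placeholder ARN, not from the post
    "BAD_IPS_RULE_GROUP_ARN",
    "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/twtech-stateful-inspection")
MIN_SEVERITY = 4.0  # GuardDuty severity runs 0.1-8.9; example floor to skip low-severity noise
# Never blocklist our own private ranges, whatever a finding says about them.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed GuardDuty finding as delivered by EventBridge (only the fields used here).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.10"}}}},
    },
}


def remote_ip_from_finding(detail):
    """Return the remote IPv4 for the two finding shapes that carry one
    (network connections and port probes), or None for anything else."""
    action = detail.get("service", {}).get("action", {})
    if action.get("actionType") == "NETWORK_CONNECTION":
        return action["networkConnectionAction"]["remoteIpDetails"].get("ipAddressV4")
    if action.get("actionType") == "PORT_PROBE":
        probes = action["portProbeAction"].get("portProbeDetails", [])
        return probes[0]["remoteIpDetails"].get("ipAddressV4") if probes else None
    return None


def should_block(detail, ip):
    """Guard rails: a usable address, above the severity floor, outside private ranges."""
    if ip is None or float(detail.get("severity", 0)) < MIN_SEVERITY:
        return False
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def add_ip_to_ipset(client, rule_group_arn, ip, ipset_name="BAD_IPS"):
    """Read-modify-write of the rule group.  The UpdateToken makes the write fail if
    the group changed in between, so a retry re-reads instead of clobbering."""
    current = client.describe_rule_group(RuleGroupArn=rule_group_arn)
    rule_group = copy.deepcopy(current["RuleGroup"])
    ipsets = rule_group.setdefault("RuleVariables", {}).setdefault("IPSets", {})
    definition = ipsets.setdefault(ipset_name, {"Definition": []})["Definition"]
    cidr = f"{ip}/32"
    if cidr not in definition:
        definition.append(cidr)
        client.update_rule_group(RuleGroupArn=rule_group_arn, RuleGroup=rule_group,
                                 UpdateToken=current["UpdateToken"])
    return list(definition)


def lambda_handler(event, context=None, client=None):
    """EventBridge -> Lambda entry point; `client` is injectable for offline runs."""
    detail = event.get("detail", {})
    ip = remote_ip_from_finding(detail)
    if not should_block(detail, ip):
        return {"blocked": False, "ip": ip}
    if client is None:
        import boto3  # only needed inside the real Lambda runtime
        client = boto3.client("network-firewall")
    return {"blocked": True, "ip": ip, "ipset": add_ip_to_ipset(client, RULE_GROUP_ARN, ip)}


class FakeNetworkFirewall:
    """Offline stand-in implementing the two API calls the handler uses."""
    def __init__(self, ipset):
        self.token = "token-1"
        self.rule_group = {"RuleVariables": {"IPSets": {"BAD_IPS": {"Definition": list(ipset)}}},
                           "RulesSource": {"RulesString": 'drop ip $BAD_IPS any -> any any (sid:1;)'}}

    def describe_rule_group(self, RuleGroupArn):
        return {"UpdateToken": self.token, "RuleGroup": copy.deepcopy(self.rule_group)}

    def update_rule_group(self, RuleGroupArn, RuleGroup, UpdateToken):
        if UpdateToken != self.token:
            raise RuntimeError("stale UpdateToken; re-read the rule group and retry")
        self.rule_group, self.token = RuleGroup, "token-2"
        return {"UpdateToken": self.token}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, client=FakeNetworkFirewall(["203.0.113.7/32"])))
```

The Lambda's execution role needs only `network-firewall:DescribeRuleGroup` and `network-firewall:UpdateRuleGroup` on that one rule group, which keeps the auto-remediation path itself least-privilege; pair it with a CloudWatch alarm on the IP set's growth so a noisy finding type cannot silently blocklist large swaths of the internet.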




