AWS Network Firewall Cheat Sheet

• A managed service that helps deploy network protections for Amazon VPCs.

• Provides fine-grained network traffic control that allows you to restrict outbound requests to prevent malicious activity from spreading.

• Import previously created rules in common open source rule formats and enable integrations with managed intelligence feeds from AWS partners.

• With AWS Firewall Manager, you can create policies based on AWS Network Firewall rules and then apply those policies centrally across your VPCs and accounts.

Features

• Automatically scales firewall capacity up or down based on the traffic load.

• Supports inbound and outbound web filtering for unencrypted web traffic

• The intrusion prevention system matches network traffic patterns to known threat signatures based on attributes.

• Centrally deploy and manage security policies across AWS Organizations apps, VPCs, and accounts.

Concepts

• Firewall

  • A traffic filtering logic for VPC subnets.

  • The firewall configuration provides the parameters for the Availability Zones and subnets in which the firewall endpoints are located.

  • Changes to stateful rules are applied only to new traffic flows, while stateless rules are applied to all network packets.

  • You can create, update and delete a firewall as long as you have the required permissions.

  • Supports delete protection to prevent accidental deletion.

• Firewall policies

  • It defines the rules and other settings that will be used by a firewall to filter incoming and outgoing traffic in a VPC.

  • You can associate a firewall policy with one or more firewalls.

  • Supports one or more stateless and stateful rule groups.

  • Stateless default actions handle a packet or UDP packet fragment that doesn’t match any of the rules in the stateless rule groups

  • Stateful default actions handle a packet that doesn’t match any of the stateful rule groups’ rules.

  • Stateful engine options hold stateful rule order settings. The configuration of RuleOrder can only be done during the creation of the policy.

• Rule groups

  • A set of rules to match against VPC traffic and actions to do when a match is discovered.

  • You can create a custom rule group or use the one that is managed by AWS.

  • The categories of rule groups are stateless and stateful.

• A designated subnet for a firewall endpoint is called a firewall subnet.

• A stateless rule examines a single network traffic packet without taking into account the context of other packets.

• While the inspection of network traffic packets in the context of their traffic flow is referred to as stateful rules.

• The regional endpoint where you will make requests to reduce data latency in your applications:

  • https://network-firewall.<region>.amazonaws.com

• A firewall policy or rule group’s owner can share a resource with AWS Organizations:

  • AWS accounts within or outside of its organization

  • Organizational unit

  • Entire organization

AWS Network Firewall Monitoring

• You can use the following monitoring tools with Network Firewall:

  • Amazon CloudWatch

  • Amazon CloudWatch Logs

  • AWS CloudTrail

  • AWS Config

• Firewall logging is only available for traffic that you route to the stateful rules engine. Traffic is forwarded to the stateful engine via stateless rule actions and default actions.

• Using a stateful engine, you can record flow logs and alert logs.

  • Flow logs – standard network traffic flow logs.

  • Alert logs – report traffic that matches your stateful rules.

• Logs contain the following information:

  • firewall_name 

  • availability_zone

  • event_timestamp

  • Event

• You can configure the destinations of your logs to various AWS services:

  • Amazon S3

  • CloudWatch Logs

  • Data Firehose

• If your log destination uses SSE-KMS and you’re using a KMS key, you must add a key policy to the KMS key for your chosen destination to allow firewall logging to the destination.

• Supports tagging for firewalls, firewall policies, and rule groups.

AWS Network Firewall Pricing

• You are charged at an hourly rate for each firewall endpoint.

• You are charged for the amount of traffic, billed by the gigabyte, processed by the firewall endpoint.

• Data transferred across the AWS Network Firewall incur standard AWS data transfer fees.

• For each hour that your firewall endpoint is provisioned, there is no hourly charge for NAT Gateway.

• To avoid NAT gateway data processing charges, set up a gateway VPC endpoint and route traffic to and from S3 via the VPC endpoint rather than a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints.

AWS Network Firewall Cheat Sheet References:

https://aws.amazon.com/network-firewall/