AWS Network Firewall is a stateful managed network firewall and intrusion detection and prevention service designed for the Amazon Virtual Private Cloud (Amazon VPC). This article focuses on automating rule updates in a central Network Firewall using distributed firewall configurations. For those unfamiliar with Network Firewall or looking for a technical overview of rule management, check out AWS Network Firewall – New Managed Firewall Service in VPC.
There are three deployment models offered by Network Firewall: distributed, centralized, and combined. Many customers opt for the centralized model to reduce costs. In this model, the responsibility for managing rulesets is delegated to the owners of the VPC infrastructure (spoke accounts), giving the spoke accounts flexibility and accountability. Managing rulesets in a shared firewall policy generated from distributed input configurations presents challenges without proper input validation, state management, and request throttling controls: a malformed or over-broad rule from one spoke can affect the whole policy, and concurrent updates from many spokes can collide or be throttled by the API.
This post demonstrates how to automate firewall rule management within the central firewall using distributed firewall configurations across multiple AWS accounts. The functionality provided by the anfw-automate solution includes input validation, state management, and throttling controls, significantly reducing the update time for firewall rule changes from minutes to seconds. This solution also decreases operational costs related to rule management overhead and integrates with existing continuous integration and continuous delivery (CI/CD) processes.
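To make the input-validation point concrete, here is an added example (not code from the anfw-automate project) of the kind of check a central team can run on Suricata rules submitted by a spoke account before merging them into the shared policy. The per-spoke CIDRs, the allocated sid range and the rule that at least one endpoint must lie inside the spoke's own address space are assumptions for this example, not the project's configuration format.

```python
import ipaddress
import re

# Constructed per-spoke constraints (assumed for this example, not anfw-automate's format).
SPOKE_POLICY = {
    "111111111111": {"cidrs": ["10.1.0.0/16"], "sid_range": (1000000, 1000999)},
}

# Minimal Suricata rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def _owned(addr, nets):
    """True if every address in a Suricata address field lies inside the spoke's CIDRs;
    'any', variables such as $HOME_NET and negated groups count as not owned."""
    if addr == "any" or addr.startswith(("!", "$")):
        return False
    try:
        parts = [ipaddress.ip_network(p.strip(), strict=False) for p in addr.strip("[]").split(",")]
    except ValueError:
        return False
    return all(any(p.version == n.version and p.subnet_of(n) for n in nets) for p in parts)


def validate_spoke_rules(account_id, rules, policy=SPOKE_POLICY):
    """Return (accepted_rules, errors) for rules a spoke account submits to the central policy."""
    spoke = policy.get(account_id)
    if spoke is None:
        return [], [f"account {account_id} is not allowed to submit rules"]
    nets = [ipaddress.ip_network(c) for c in spoke["cidrs"]]
    lo, hi = spoke["sid_range"]
    accepted, errors, seen = [], [], set()
    for lineno, rule in enumerate(rules, 1):
        m = RULE_RE.match(rule.strip())
        sid_m = m and re.search(r"\bsid\s*:\s*(\d+)\s*;", m["opts"])
        if not m or not sid_m:
            errors.append(f"line {lineno}: not a parseable Suricata rule with a sid")
            continue
        sid = int(sid_m.group(1))
        if not lo <= sid <= hi:
            errors.append(f"line {lineno}: sid {sid} outside allocated range {lo}-{hi}")
        elif sid in seen:
            errors.append(f"line {lineno}: duplicate sid {sid}")
        elif not (_owned(m["src"], nets) or _owned(m["dst"], nets)):
            errors.append(f"line {lineno}: neither endpoint is inside the spoke's own CIDRs")
        else:
            seen.add(sid)
            accepted.append(rule.strip())
    return accepted, errors
```

Rejected rules are reported with their line number so the spoke's CI/CD job can fail fast instead of pushing a broken policy to the central firewall.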
To follow along with this solution, certain prerequisites must be met, including having basic knowledge of networking concepts, YAML and JSON configuration formats, Suricata Rule Format, and CDK deployment. AWS Identity and Access Management (IAM) permissions are required to bootstrap AWS accounts using AWS CDK, and establishing a connection between the firewall VPC in the central account and spoke accounts is necessary for the centralized deployment model.
The article outlines a detailed solution description, walkthrough, and steps for deployment, validation, and cleaning up after testing. By combining distributed ANFW firewall configurations in a centralized policy, this solution streamlines network security, automates rule management, and empowers central security teams to enforce global firewall rules while allowing user-defined rulesets. Additionally, integration with GitHub Actions and AWS Network Firewall logs can enhance automation and security monitoring capabilities.
This solution provides a practical approach to simplifying network security and enabling real-time response to critical security incidents. By incorporating automated rule management into existing CI/CD pipelines and leveraging AWS Network Firewall logs for security information and event management, organizations can enhance their security posture and reduce response times to security events. Feedback and questions can be submitted to AWS Support or shared in the comments section.