Mystique Unicorn App is looking to deploy a firewall that should allow or drop traffic based on customizable rules. The team is looking for your help to achieve this. Can you help them?

Up until very recently, network prevention has been quite limited,

• Create Security Groups to limit various types of layer 3 and 4 traffic
• or Create Network Access Control Lists (NACL) to limit layer 3 and 4 traffic
• or Route traffic through a custom network appliance running as an EC2 instance

This is not enough in many use-cases, You also want the ability to take action based on the payload. The recently launched AWS Network Firewall^{1 provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names. At launch you have the following capabilities.}

• Allow or Deny based on source IP and/or port, destination IP and/or port, and protocol (also known as 5-tuple)
• Allow or Deny based upon domain names
• Allow or Deny based upon Suricata-compatible IPS rules

In this demo, We will build a architecture, similar to the one shown above. We will start backwards so that all the dependencies are satisfied.

1. 🧰 Prerequisites

   This demo, instructions, scripts and cloudformation template is designed to be run in us-east-1. With few modifications you can try it out in other regions as well(Not covered here).

   • 🛠 AWS CLI Installed & Configured - Get help here
   • 🛠 AWS CDK Installed & Configured - Get help here
   • 🛠 Python Packages, Change the below commands to suit your OS, the following is written for amzn linux 2
     • Python3 - yum install -y python3
     • Python Pip - yum install -y python-pip
     • Virtualenv - pip3 install virtualenv

2. ⚙️ Setting up the environment

   • Get the application code

     git clone https://github.com/miztiik/url-filtering-with-nw-firewall
     cd url-filtering-with-nw-firewall

3. 🚀 Prepare the dev environment to run AWS CDK

   We will use cdk to make our deployments easier. Lets go ahead and install the necessary components.

   # You should have npm pre-installed
   # If you DONT have cdk installed
   npm install -g aws-cdk
   
   # Make sure you in root directory
   python3 -m venv .venv
   source .venv/bin/activate
   pip3 install -r requirements.txt

   The very first time you deploy an AWS CDK app into an environment (account/region), you’ll need to install a bootstrap stack, Otherwise just go ahead and deploy using cdk deploy.

   cdk bootstrap
   cdk ls
   # Follow on screen prompts

   You should see an output of the available stacks,

   url-filtering-with-nw-firewall-vpc-stack
   url-filtering-with-nw-firewall-stack
   secured-workload-on-ec2-stack

4. 🚀 Deploying the application

   Let us walk through each of the stacks,

   • Stack: url-filtering-with-nw-firewall-vpc-stack

     This stack will create an custom VPC to host our firewall and test workload.

     Initiate the deployment with the following command,

     cdk deploy url-filtering-with-nw-firewall-vpc-stack

   • Stack: url-filtering-with-nw-firewall-stack

     This stack will the network firewall in the firewall subnet. We will do create stateful rules as they offer better control. We will forward all stateless traffic to through the stateful rules. This way all traffic flow through our rule set.

     This stack will create 3 rules,

     • ALLOW-For-Domains - This rule will allows traffic only to these two domains"aws.com", "google.com" from the workloads in the VPC.
     • DENY-For-Domains - This rule will denies traffic to these two domains".example.com",".modi-am-i.com" from the workloads in the VPC.
     • DENY-On-Url - Any traffic to with text deny_test in the url will be denied. NOTE: - This rule is not attached to the firewall, we will later add this during our testing phase.

     Initiate the deployment with the following command,

     cdk deploy url-filtering-with-nw-firewall-stack

     After successfully deploying the stack, Check the Outputs section of the stack. You will find the NetworkFirewallEndpoints that does traffic routing between subnets.

   • Stack: secured-workload-on-ec2-stack

     This stack deploys a simple EC2 instance that also runs a webserver with two webpages - One for / page and deny_test page. You can also login to the instance using SSM Session Manager^2.

     Initiate the deployment with the following command,

     cdk deploy secured-workload-on-ec2-stack

     After successfully deploying the stack, Check the Outputs section of the stack. You will find the PublicWorkloadInstance instance id and the WebServerUrl.

5. 🔬 Testing the solution

   • Use the WebServerUrl from the previous stack on your browser. You should be able to access the / page and also the deny_test page. Make sure to use http and not https as the webserver is not configured with any certificates. For example http://34.232.95.57 and http://34.232.95.57/deny_test

   

   

   • Now login to the EC2 instance using SSM Session Manager²
   • Try to access the allowed and denied domains

   curl aws.com
   curl google.com
   curl example.com

   

   You will notice that the first two requests were successful, whereas the last two were blocked by the firewall. Now let try to add the DENY-On-Url to our firewall.

   • Goto VPC Service > Network Firewalls > url-filtering-with-nw-firewall-stack
   • Under Stateful rule groups > Add rule groups > Add stateful rule groups to the firewall policy
   • Select DENY-On-Url > Add stateful rule group

   Now try to access the deny_test page in your browser, preferably in private mode to avoid fetching locally cached page, Your request should time out

   

   Now lets check our logs to see why our traffic was blocked. You can notice that the request does matches our deny FQDN rule and the traffic was blocked.

   If you poke around the logs, you will also find the logs for deny_test url. This request has the custom error message that we added in the deny rule - Miztiik drop tcp traffic

6. 📒 Conclusion

   Here we have demonstrated how to use network firewall to allow of deny request based on the domain names. The firewall also gives us the ability to deny request to unsecure urls as well.

7. 🧹 CleanUp

   If you want to destroy all the resources created by the stack, Execute the below command to delete the stack, or you can delete the stack from console as well

   • Resources created during Deploying The Application
   • Delete CloudWatch Lambda LogGroups
   • Any other custom resources, you have created for this demo

   # Delete from cdk
   cdk destroy
   
   # Follow any on-screen prompts
   
   # Delete the CF Stack, If you used cloudformation to deploy the stack.
   aws cloudformation delete-stack \
     --stack-name "MiztiikAutomationStack" \
     --region "${AWS_REGION}"

   This is not an exhaustive list, please carry out other necessary steps as maybe applicable to your needs.

This repository aims to show how to use network firewall to new developers, Solution Architects & Ops Engineers in AWS. Based on that knowledge these Udemy course #1, course #2 helps you build complete architecture in AWS.

Thank you for your interest in contributing to our project. Whether it is a bug report, new feature, correction, or additional documentation or solutions, we greatly value feedback and contributions from our community. Start here

Buy me a coffee ☕.

1. Docs: AWS Network Firewall

2. Docs: AWS SSM Session Managerhttps://aws.amazon.com/network-firewall

Level: 300