Cloud Network Security with AWS Network Firewall

There are multiple providers working in segregated AWS workloads and VPCs, connected into one co-ordinated network topology. While teams are given guidance on best practice for network security, the customer wishes to have a centralised control.

The individual engineers from the disparate providers have differing levels of experience and competency with configuring AWS. Modis’ deep experience means that accepting default values in certain environments and with certain managed services is sometimes not adequate. Despite offering these recommendations, the individual providers did not follow these recommendations, so centralised control appears desirable.

With more workloads starting to migrate, the desire to have egress filtering in place rapidly was growing.

The Objectives

After deep discussions with the customer’s security and governance teams, we resolved the following split of traffic:

Ingress web traffic would enter into production workloads from the Internet; a public-facing Application Load Balancer with Web Application Firewall and an Amazon Certificate Manager (ACM) certificate would be the external presentation layer, with a strict cipher configuration.

These ALBs would be in Public subnets in the same VPC (and same AWS account) as the required Target Group and EC2 instances, permitting the entire configuration to be in one (set of) CloudFormation templates, and not breaking the CI/CD boundary across accounts.

The Strategy

The initial strategy was to permit only the desired outbound network traffic based upon the previous requirements spreadsheet.

All egress traffic from instances residing in private subnets would be routed via Transit gateway to a centralised Packet Inspection VPC, and a Network Load Balancer would funnel traffic to a managed 3rd party firewall appliance running on a fleet of Ec2 instances.

Modis dug in and challenged the desire to filter traffic, with a few limited exceptions. With an initial requirement for permitting outbound HTTP and HTTPS traffic, we pushed the customer to answer the question: why do you want to do unencrypted HTTP from your production environment to external services across the untrusted Internet? We resolved to raise the bar and drop support for unencrypted HTTP egress traffic. We also sought to ensure that HTTPS traffic (currently TCP port 443) would be validated to contain TLS traffic (no break in inspection was required).

The end service is a scalable managed service ensuring that service issues and maintenance updates are consumed as-a-service. The cost is around one-third of the previously estimated third-party firewalling (and without the customer managed software upgrade process).

With this solution in place, private subnets across the enterprise can request resources, appear in a central log, and be reviewed and monitored.

Rules can be added to the Network Firewall by way of CloudFormation updates and any changes can be detected via CloudFormation drift and stack update times.

About Modis

Modis has been an AWS partner since 2013 and operates an AWS practice in multiple countries worldwide. Visit aws.modis.com to find out more what we have been doing around AWS Cloud Migrations, Analytics, Well-Architected workload reviews, Serverless applications, and much more.