AWS Network Firewall

  • Published: 11 Oct 2024
  • This is a practical introductory demo on how to set up the newly launched AWS Network Firewall.
    The video shows how to configure ingress routing to force traffic from the IGW to the network firewall, and also the routing back from the protected subnet to the firewall endpoint once the firewall launch is complete.
    A simple IP rule is added to the firewall to test functionality.
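    A small route-table model of the ingress-routing pattern described above, added here as an example and not code from the video: the VPC CIDRs, route table names and the firewall endpoint id are constructed placeholders, and the trace follows the longest-prefix-match behaviour of VPC route tables. It shows why both the IGW edge association and the protected subnet's return route are needed before the stateful firewall sees both directions of a flow.

```python
"""Model of the ingress-routing pattern: IGW-RTB (edge-associated with the IGW)
sends inbound traffic for the protected subnet to the firewall endpoint, the
protected subnet's table sends return traffic back to the endpoint, and the
firewall subnet's table forwards it on to the IGW.  Added example; the CIDRs,
table names and endpoint id below are constructed, not taken from the video."""
from ipaddress import ip_address, ip_network

VPC = ip_network("10.0.0.0/16")
PROTECTED = ip_network("10.0.1.0/24")        # subnet behind the firewall
FIREWALL = ip_network("10.0.2.0/24")         # subnet holding the firewall endpoint
ANY = ip_network("0.0.0.0/0")
FW_ENDPOINT = "vpce-EXAMPLE"                 # placeholder Gateway Load Balancer endpoint id
LOCAL = [(VPC, "local")]                     # every VPC route table carries the local route

# Route tables as (destination, target) lists; order does not matter because
# VPC routing always picks the most specific (longest) matching prefix.
TABLES = {
    "IGW-RTB": LOCAL + [(PROTECTED, FW_ENDPOINT)],   # edge association with the IGW
    "Protected-RTB": LOCAL + [(ANY, FW_ENDPOINT)],   # return traffic goes to the firewall
    "Firewall-RTB": LOCAL + [(ANY, "igw")],          # firewall subnet exits via the IGW
}

def lookup(table, dst):
    """Return the target of the longest-prefix route matching dst, or None."""
    dst = ip_address(dst)
    matches = [(net, target) for net, target in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace_inbound(tables, igw_table, dst):
    """Hops for a packet arriving from the internet through the IGW.
    igw_table is the route table edge-associated with the IGW, or None."""
    hops = ["igw"]
    target = lookup(tables[igw_table], dst) if igw_table else None
    if target == FW_ENDPOINT:
        hops.append("firewall")      # inspected, then delivered by the local route
    hops.append("instance")
    return hops

def trace_outbound(tables, subnet_table, fw_table, dst):
    """Hops for the instance's reply leaving the protected subnet."""
    hops = ["instance"]
    target = lookup(tables[subnet_table], dst)
    if target == FW_ENDPOINT:
        hops.append("firewall")
        target = lookup(tables[fw_table], dst)   # firewall subnet decides the exit
    if target == "igw":
        hops.append("igw")
    return hops

def inspected_both_ways(tables, igw_table, internet_ip, instance_ip):
    """True only when the stateful firewall sees both halves of the flow."""
    inbound = trace_inbound(tables, igw_table, instance_ip)
    outbound = trace_outbound(tables, "Protected-RTB", "Firewall-RTB", internet_ip)
    return "firewall" in inbound and "firewall" in outbound

if __name__ == "__main__":
    print(trace_inbound(TABLES, "IGW-RTB", "10.0.1.25"))   # igw -> firewall -> instance
    print(trace_inbound(TABLES, None, "10.0.1.25"))        # no edge association: firewall bypassed
    print(trace_outbound(TABLES, "Protected-RTB", "Firewall-RTB", "203.0.113.10"))
```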

Comments • 88

  • @mohammedmustafaali1049
    @mohammedmustafaali1049 2 years ago +1

    Always here for the rescue,, thanks a million boss!!!!

  • @pullupmon
    @pullupmon 3 years ago +1

    Great AWS Network Firewall demo.
    I watched your demo and found my misconfiguration in the routing table setup.
    Thank you so much, Tendai. (-:

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      It's a pleasure, thanks for your feedback. Glad to hear it's a helpful video.

  • @caiovitormoreira5445
    @caiovitormoreira5445 2 years ago

    Very, very good video, congrats. Saved me from 2 hours of work. Thanks.

    • @tendaimusonza9547
      @tendaimusonza9547 2 years ago

      Thank you. Glad you liked it. Your subscription is all I need to keep going.

  • @lewismangwanda5329
    @lewismangwanda5329 3 years ago +3

    Great Video, well done Tendai.

  • @RajeshVerma-mp8qk
    @RajeshVerma-mp8qk 6 months ago

    Excellent description of the firewall endpoint. Thank you, Sir.

  • @kdkapildhamija
    @kdkapildhamija 3 years ago

    Hello Tendai, thank you very much for working with me privately on my AWS project. You seem to have great knowledge of firewalls and cloud. Thank you very much for your great help!!

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      My greatest pleasure. I also learnt good stuff today.

  • @miguelorrego9994
    @miguelorrego9994 2 years ago

    Great job explaining how to test a Network Firewall!!!

  • @dokotella
    @dokotella 3 years ago +1

    Great video, thank you leadership!!! 🤝🏾

  • @khanstudy3589
    @khanstudy3589 2 years ago

    Simple and right to the point - Well done Tendai.

  • @magickpalms4025
    @magickpalms4025 3 years ago

    Very helpful, thank you Mr. Musonza.

  • @magnoaraujofilho
    @magnoaraujofilho 3 years ago

    Excellent work, Tendai! Saved me a lot of work in going round and round through the documentation! Thanks!

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago +1

      I am glad to hear your feedback; my aim is to demystify and share technology.

  • @RajeshMuraliNair
    @RajeshMuraliNair 3 years ago +1

    Thank you! I was missing the IGW route table and the IGW edge association.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Thanks for watching. Glad to hear the clip was helpful.

  • @davidsonjrg
    @davidsonjrg 3 years ago +2

    Great video, thank you for this

  • @TheKiragu7
    @TheKiragu7 3 years ago +1

    Very well done demo.

  • @tapiwaah
    @tapiwaah 3 years ago

    Thank you Tendai, this video is informative.

  • @kenwalsh224
    @kenwalsh224 1 year ago

    Thank you so much. This will help a lot.

  • @pallavinakka6744
    @pallavinakka6744 3 years ago +1

    Awesome explanation. Thank you.

  • @luckchanz
    @luckchanz 3 years ago +1

    I am impressed Tindo

  • @patrickklingensmith1317
    @patrickklingensmith1317 3 years ago

    Thank you! I was missing the IGW edge association. Great work.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Good to hear the video was helpful. Thank you for your support; your subscriptions are valuable.

  • @royalapples9707
    @royalapples9707 10 months ago +1

    Still a GOAT!!

  • @ryanhosiassohn7176
    @ryanhosiassohn7176 3 years ago +2

    Nice Tendai

  • @spacechecker4983
    @spacechecker4983 2 years ago

    BRILLIANT!!

  • @ivanarnanz2072
    @ivanarnanz2072 3 years ago

    Very interesting. Thanks Tendai!

  • @masimbamusonza9089
    @masimbamusonza9089 3 years ago +2

    Great !!

  • @nishantpanchal24
    @nishantpanchal24 1 month ago

    When you do edge associations, does that mean you are bypassing the firewall? What is the actual work of the IGW-RTB route table?

  • @mogli48
    @mogli48 3 years ago +2

    I have 3 VPCs, all attached to a Transit Gateway. I have created one more VPC for this FW; how can I use this FW with the Transit Gateway?

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Hello, thank you for your question. I will give you a picture of how I would personally approach your use case. First I will create a subnet in the same AZ as the firewall subnet, and in that subnet I will then associate a route table which directs 0.0.0.0/0 towards the firewall endpoint. The next step is to create a VPC attachment for this firewall VPC and make sure you select the newly created subnet in the firewall VPC attachment creation process. Hence, when you create a route 0.0.0.0/0 on the Transit Gateway (TGW) route table to send default traffic to the firewall VPC attachment, it will then direct it to the firewall endpoint. From the customer subnets the route 0.0.0.0/0 sends traffic to the TGW. Hope this will help; feel free to check with me if it is not clear enough. This is the same concept as when you deploy an inline third-party firewall or send traffic from multiple VPCs via a single exit point like a NAT gateway.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      You can also have a look at this AWS public link; I think it can help with the flow: aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/

  • @robsonallenchirara
    @robsonallenchirara 1 year ago

    Nice video

  • @XynoBob
    @XynoBob 1 year ago

    At 7:08, you mentioned the auto-created Gateway Load Balancer endpoint; however, on my end it isn't auto-created, and I can't seem to be able to create the endpoint as I am unsure what service name to select. I have 2 VPCs: in one it auto-created, in the other one it didn't. Not too sure why. The only thing that was auto-created is the Gateway Endpoint with service name '.....s3'.

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago

      Hello, thanks for reaching out to me. Please note that AWS Network Firewall is powered by the AWS Gateway Load Balancer behind the scenes, and it's not you who sets these endpoints up; the AWS process does it for you since this is a managed service. After you create the AWS Network Firewall, search under endpoints and you should see Gateway Load Balancer endpoints whose IDs you can use as the next hop for your routing. Adding the next hop using the ENI or the endpoint ID has the same effect. You do not need to create endpoints as you mentioned; all you do is provision the firewall and that will create the endpoints for you.

    • @XynoBob
      @XynoBob 1 year ago

      @@tendaimusonza9547 Stupid me! Now the endpoint popped up after I created the firewall. The order of setting up I did for my other VPC was wrong: Subnet/RTB > Firewall instead of Firewall > Subnet/RTB. Tysm for the clarification nonetheless.

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago

      @user-ie9nb5nt6b Glad you are sorted; thanks for the feedback.

    • @XynoBob
      @XynoBob 1 year ago

      @@tendaimusonza9547 Also, an additional question: I am used to the Cisco firewall stateful way of listing permitted ports/traffic at the top and just ending it with deny tcp any any to ensure that, other than e.g. 5 permitted ports/traffic, everything else will be denied.
      However, in the AWS case for stateful rules, the rule groups get rather confusing as, first, only 3 rules are allowed in each group and, secondly, I then have to group the ports accordingly. So in each group, do I have to put tcp deny any any? And in my case the only egress and ingress traffic I am allowing is email-related ports (25, 465, 587) and internet access to websites. No SSH, RDP, FTP, etc. allowed in or out, as only my email server resides in the public subnet. Other than these, the other communications are between EC2s in the private subnets (other than needing to go to the internet via the NAT Gateway), plus communications to Managed AD and SSM, which I don't think are required to be put in Network Firewall as it's internal communication. How would you then suggest I implement my rules/rule groups?
      Sorry for the very long question. Tried to read the AWS documentation, but it ain't that helpful to me. Appreciate any help you can give. Thank you.

  • @gouthampratapa4519
    @gouthampratapa4519 1 year ago

    How does this change for a subnet that is connected to a NAT gateway followed by an internet gateway?

  • @bhakta_rg
    @bhakta_rg 3 years ago

    Thanks a lot, Tendai, for the great demo and explanation. Appreciate your help. Liked and subscribed!!

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago +1

      Glad you found the demo helpful. Thank you for your support

    • @bhakta_rg
      @bhakta_rg 3 years ago

      @@tendaimusonza9547 Thanks a lot! I had a small question, Tendai. I wish to do east-west traffic inspection. I have a transit gateway in us-east-1, and I have multiple VPCs from different accounts (all in us-east-1) connecting into the TGW. The workloads in the spoke (customer) VPCs are in different AZs. So in the inspection VPC, do I create the firewall in just 1 subnet or in all subnets? Or just in 2 subnets for HA? Asking also because I will be charged for every endpoint that is created by the firewall.
      I referred to this: aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
      but it does not mention this point.
      Thank you in advance for your help!

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago +1

      @@bhakta_rg Thanks, great question; it keeps us learning. Well, since a transit gateway is in use here, there is no need to create a firewall in each and every subnet; instead, create it in one subnet per AZ for redundancy. Take note that a transit gateway will also have one subnet associated with it per AZ, hence an interface per AZ which can route traffic to any of the multiple subnets in that particular AZ. E.g. if you have 2 AZs then create in 2 subnets, one from each availability zone, for redundancy, and with 3 AZs also create in 3 subnets, even if you might have more than 3 subnets in total, as long as each AZ has one subnet selected. Hope this gives you some clarity.

    • @bhakta_rg
      @bhakta_rg 3 years ago

      @@tendaimusonza9547 Thanks a lot, Tendai!! Understood, so though I don't need to create the firewall endpoints in all AZs, I should do it anyway for redundancy. Thanks again for your help, much appreciated! God bless you.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago +1

      @@bhakta_rg That's correct, only for redundancy. In other words, if you create in one AZ it will still work, since the TGW can push traffic via that single subnet in an AZ unless a failure happens in that particular AZ.

  • @kdkapildhamija
    @kdkapildhamija 3 years ago

    Great video!! Short and crisp. Can you make another video using a Check Point firewall instead of AWS Network Firewall in the cloud?

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Thanks, I also did one on Check Point: ruclips.net/video/2Q3BbCWIyaY/видео.html

    • @kdkapildhamija
      @kdkapildhamija 3 years ago

      Hello Tendai, thank you for your prompt response. Actually I need your help on one of my labs; it would be great if you can help me. I would like to access an EC2 instance (having a private IP address) sitting behind any firewall (Check Point, FortiGate) from the outside world (internet). We will have to perform destination NAT on the firewall so that users sitting on the internet can access my EC2 instance through the Check Point firewall. I tried to do that but I failed.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago +1

      @@kdkapildhamija, you may connect with me on LinkedIn, then we can make a plan.

  • @yoominbi
    @yoominbi 1 year ago

    Hello, one question. So does it mean that if I have an existing VPC with 2 public & 2 private subnets, IGW, NAT GW, and have EC2s already set up on these private subnets, I'll have to set up everything from scratch due to the firewall subnets?

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago +2

      Hi Yoominbi, thanks for reaching out. My suggestion is that if you do not have available subnet ranges for these extra ones required, you can extend your VPC with a secondary CIDR rather than destroying your setup. Check out this link: aws.amazon.com/about-aws/whats-new/2017/08/amazon-virtual-private-cloud-vpc-now-allows-customers-to-expand-their-existing-vpcs/ . Hope you will find this handy.

    • @yoominbi
      @yoominbi 1 year ago

      @@tendaimusonza9547 Thanks for the prompt reply! So if I have available subnets that can be used (as the current VPC is only using a 10.x.x.x subnet), I do not need to destroy my current setup? Then how do you suggest I proceed: create a new firewall subnet, change the RTB to point the existing IGW to the firewall subnet, etc.? (i.e. play around with RTBs)

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago +2

      @@yoominbi Exactly, that should work.

  • @swagmaus
    @swagmaus 2 years ago

    Thank you. You should not allow IP via the firewall, for a firewall is useless if you allow IP.

    • @tendaimusonza9547
      @tendaimusonza9547 2 years ago

      Thank you for the contribution. It's only a getting-started demo showing how to set up the infrastructure for those new to the service. Just like with any firewall, you will choose what you want to allow and not allow.

  • @bogski
    @bogski 3 years ago

    Hello. May I ask if this will work if the EC2 instance has no public IP, since it is in the private subnet?

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Hi, you may also want to protect instances without public addresses with a firewall in cases where communication is over VPN or AWS Direct Connect; in such cases your edge association will need to use a Virtual Private Gateway (VGW) instead of an Internet Gateway. In cases where the private subnets communicate via a transit gateway, the firewall can also be used to filter traffic between VPCs. Hopefully this clarifies your question. Have a look at some deployment models from the AWS documentation: aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

    • @bogski
      @bogski 3 years ago

      @@tendaimusonza9547 Thank you for your reply. I will look into this.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      @@bogski Always a pleasure

  • @jerrijerri4120
    @jerrijerri4120 3 years ago

    Hi, what is the difference between ANY and FORWARD in the traffic direction option?

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Hello Jerri,
      - 'Forward' matches packets whose origin matches the rule's source settings (i.e. the source IP addresses, CIDR address ranges to inspect for and source port/port range) and whose destination matches the rule's destination settings (i.e. dest IP, CIDR range, dest port/port range).
      - 'Any' matches the forward match, and also matches packets whose origin matches the rule's destination settings and whose destination matches the rule's source settings (i.e. the source IP addresses, CIDR address ranges to inspect for and source port/port range). Note that AWS Network Firewall rules are compatible with Suricata and follow the same rules for this; see: suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#direction

  • @deychand11
    @deychand11 3 years ago

    What if I wanted to filter flows from VPN and Direct Connect along with the IGW? Can we have the option to segregate different next hops in the route table of the firewall subnet?

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Thank you, that's a great question. I have noted that it is possible to associate both the VGW and the IGW at the same time with the same ingress route table, and on your firewall subnet route table you can then point the route back to the correct hop (IGW or VGW). Assuming your DX and VPN are using a VGW, then normal route preference takes place, e.g. if both DX and VPN are up then DX becomes a more favourable path than VPN. Although in theory this looks like a working solution, I would also want to do a practical test to be pretty sure there is no unexpected behaviour, as I have not seen an official document on it. I will be glad to share my results. Will keep you posted.

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Hello Chandan, good news for you: I managed to simulate your use case and it worked perfectly. Just also remember you cannot use route propagation for your VGW, since you have to force return traffic via the security device. If you use route propagation the connection fails.

    • @asirisam
      @asirisam 1 year ago

      @@tendaimusonza9547
      Thank you very much for the great video. I would appreciate it if you could share a demo with site-to-site VPN including an AWS Network Firewall implementation.
      Could you please mention which subnets are associated with the IGW-RTB route table, since I am struggling with some configurations related to that?
      Thank you.

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago

      @@asirisam IGW-RTB must not be associated with any subnet, since it controls traffic from the internet gateway; have a look at 3:35 of the video. Just create it and do not explicitly associate it with any subnet.

  • @robsonallenchirara
    @robsonallenchirara 1 year ago

    Thanks mdhara

  • @shirishmaheshwari8611
    @shirishmaheshwari8611 1 year ago

    Just try to elaborate everything properly… Now I know why you have less subscribers. Lol

    • @tendaimusonza9547
      @tendaimusonza9547 1 year ago +1

      I can assist if you have specific questions. Kindly note that I only share info here and there voluntarily and am not a full-time YouTuber. It's just to help people for free and not for a fee. Feedback much appreciated.

  • @jerrijerri4120
    @jerrijerri4120 3 years ago

    I am seeing this doc docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html, and in there is a weird statement: "Network Firewall stateful rules are similar in behavior and use to Amazon VPC security groups. By default, the stateful rules engine allows traffic to pass, while the security groups default is to deny traffic."

    • @tendaimusonza9547
      @tendaimusonza9547 3 years ago

      Hello, in my opinion the behaviour is not the same, since the Network Firewall allows all traffic by default if you do not put a deny rule (you may test that), whilst security groups deny by default; hence I am not quite sure what the statement implies.
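    To make the Forward/Any distinction explained in the reply to @jerrijerri4120, the default-allow behaviour discussed just above, and the email-server rule-set question from @XynoBob concrete, here is a small Suricata-style rule evaluator, added as an example and not code from the video. The mail-server address, ports and rules are constructed, and the evaluator applies rules in the order given (as in the firewall's strict-order mode) without tracking flow state.

```python
"""Suricata-style 5-tuple rule matching with Forward ('->') and Any ('<>')
directions, plus the engine's default of passing unmatched traffic.  Added
example; the addresses, ports and rules are constructed and the evaluator is a
stateless, rules-in-order model (strict order), not the real engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "drop"
    proto: str       # "tcp", "udp" or "ip" (matches any protocol)
    src_net: str     # CIDR or "any"
    sport: str       # port number as a string or "any"
    direction: str   # "->" = Forward, "<>" = Any
    dst_net: str
    dport: str

def _endpoint_ok(ip, port, net, port_spec):
    """Does one end of the packet match one side of the rule?"""
    in_net = net == "any" or ip_address(ip) in ip_network(net)
    port_ok = port_spec == "any" or int(port_spec) == port
    return in_net and port_ok

def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    forward = (_endpoint_ok(pkt.src, pkt.sport, rule.src_net, rule.sport)
               and _endpoint_ok(pkt.dst, pkt.dport, rule.dst_net, rule.dport))
    if rule.direction == "->":          # Forward: packet must follow the rule's orientation
        return forward
    reverse = (_endpoint_ok(pkt.src, pkt.sport, rule.dst_net, rule.dport)
               and _endpoint_ok(pkt.dst, pkt.dport, rule.src_net, rule.sport))
    return forward or reverse           # Any: either orientation matches

def verdict(rules, pkt, default="pass"):
    """First matching rule wins; with no match the engine's default (pass) applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

MAIL_SERVER = "10.0.1.25/32"            # constructed address of the email server
RULES = [
    Rule("pass", "tcp", "any", "any", "->", MAIL_SERVER, "25"),
    Rule("pass", "tcp", "any", "any", "->", MAIL_SERVER, "465"),
    Rule("pass", "tcp", "any", "any", "->", MAIL_SERVER, "587"),
    Rule("pass", "tcp", MAIL_SERVER, "any", "->", "any", "443"),   # outbound web access
    Rule("drop", "ip", "any", "any", "<>", "any", "any"),          # explicit catch-all deny
]

if __name__ == "__main__":
    ssh_in = Packet("tcp", "198.51.100.7", 40001, "10.0.1.25", 22)
    print(verdict(RULES, ssh_in))        # drop: the catch-all rule denies it
    print(verdict(RULES[:-1], ssh_in))   # pass: without a catch-all the default allows it
```

Dropping the final catch-all rule reproduces the doc statement quoted above: anything no rule matches passes.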