So what were the current Requirements that help me go deep-dive into this?<\/strong><\/h2>\r\n\r\n\r\n\r\n\r\n- We need to block some Public URLs for our egress traffic.<\/li>\r\n\r\n\r\n\r\n
- We want to do so with a managed service.<\/li>\r\n\r\n\r\n\r\n
- It should be quite easy to implement<\/li>\r\n\r\n\r\n\r\n
- No Hustle and Bustle is required for setting and maintaining the firewall<\/li>\r\n\r\n\r\n\r\n
- It should be a centralized Service. Should have control over your multiple accounts. Ex- It would be treated as Single Control Network for multi Accounts<\/li>\r\n<\/ol>\r\n
[ Are you looking: AWS Solutions<\/a>]<\/strong><\/p>\r\n\r\n\r\n\r\nSo, to fulfill all these requirements. The first fully managed service that came to my mind is the AWS firewall.<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/07\/index.png?w=1024\")
<\/figure>\r\n\r\n\r\n\r\nSource<\/a><\/p>\r\n\r\n\r\n\r\nWell, don’t be afraid this document look difficult but quite easy to implement. So let’s start.<\/p>\r\n\r\n\r\n\r\n
Basic Requirements:<\/strong><\/h3>\r\n\r\n\r\n\r\n\r\n- AWS Account<\/li>\r\n\r\n\r\n\r\n
- Basic knowledge of the Creation of VPC and Subnets and EC2 and transit Gateway<\/li>\r\n\r\n\r\n\r\n
- Please read the first Blog Transit Gateway Setup<\/a> on AWS<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
The Diagram has some basic terms:<\/strong><\/h3>\r\n\r\n\r\n\r\n\r\n- Hub VPC<\/strong>: It’s a VPC in which your transit gateway is residing<\/li>\r\n\r\n\r\n\r\n
- Spoke VPC: It’s your VPC that has to be exposed to the firewall<\/li>\r\n\r\n\r\n\r\n
- Availability Zones<\/strong>: It’s your isolated location in which you have made your VPC<\/li>\r\n\r\n\r\n\r\n
- VPC<\/strong>: Virtual Private Cloud<\/a> is like your data-center<\/li>\r\n\r\n\r\n\r\n
- Public\/Private subnet<\/strong>: Public are those which are exposed to Internet and Private are not exposed<\/li>\r\n\r\n\r\n\r\n
- NAT\/Internet gateway: They are just like your routers which help you to connect to the outer world<\/li>\r\n<\/ol>\r\n
[ Check Our Case Study: Migrating from On-Prem to AWS with Enhanced Observability, Security, and Cost Optimization<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\nWe will do Implementation in 4 Steps:<\/strong><\/h2>\r\n\r\n\r\n\r\nFirst, we will set up Transit Gateway:<\/em><\/strong><\/p>\r\n\r\n\r\n\r\n\r\n- Click on Create Transit GATEWAY: Select NAME > SELECT DESCRIPTION > CREATE TRANSIT GATEWAY<\/strong><\/li>\r\n\r\n\r\n\r\n
- Now CREATE two ROUTE TABLE :\r\n
\r\n- FIREWALL-ROUTE-TABLE<\/li>\r\n\r\n\r\n\r\n
- SPOKE-ROUTE-TABLE<\/li>\r\n<\/ul>\r\n<\/li>\r\n\r\n\r\n\r\n
- Now Create a TGW attachment for the VPC which you want to peer<\/li>\r\n\r\n\r\n\r\n
- If you want to peer VPC in the different account you just need to share that Transit gateway to a particular Account and create a new attachment from that account<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
[ Also Read: Understanding AWS Cost and Usage Reports (CUR)<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\nNow next setup would be configuration of your Hub\/Spoke\/Inspection VPC<\/strong><\/h3>\r\n\r\n\r\n\r\nNote: We will not discuss the creation of VPC. For VPC creation we can refer to this AWS Documentation<\/p>\r\n\r\n\r\n\r\n
https:\/\/docs.aws.amazon.com\/directoryservice\/latest\/admin-guide\/gsg_create_vpc.html<\/p>\r\n\r\n\r\n\r\n
Creation of Spoke VPC:<\/strong><\/h5>\r\n\r\n\r\n\r\nAs told earlier, Spoke VPC are those whose traffic has to be filtered through the firewall. You can use your existing VPC or create a new one with tgw-subnet in each availability zone <\/em><\/p>\r\n\r\n\r\n\r\nNow create Inspection VPC <\/strong><\/h5>\r\n\r\n\r\n\r\nInspection VPC is in which you will have your Firewall setup.<\/p>\r\n\r\n\r\n\r\n
\r\n- Inspection VPC will be having subnet name TGW subnet<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
Now create central Egress VPC<\/strong><\/h5>\r\n\r\n\r\n\r\nCentral Egress VPC will be forwarding your Traffic which is getting filtered from Inspection(Firewall) VPC <\/em><\/p>\r\n\r\n\r\n\r\n\r\n- Central Egress VPC will have TGW Subnet\/Public Subnet<\/li>\r\n\r\n\r\n\r\n
- NAT Gateway<\/li>\r\n\r\n\r\n\r\n
- Internet Gateway<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
After setting up Transit Gateway and 3 VPCs we will be moving towards our third step, setup of Firewall<\/strong><\/h3>\r\n\r\n\r\n\r\nFirewall Setup is easy we will follow bottom to above approach<\/strong><\/p>\r\n\r\n\r\n\r\nFIREWALL RULES –> FIREWALL POLICIES —-> FIREWALL<\/strong><\/p>\r\n\r\n\r\n\r\nWe will first setup Rules<\/strong> <\/em><\/p>\r\n\r\n\r\n\r\n\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/07\/screenshot-2023-07-14-at-2.45.51-pm.png?w=1024\")
<\/figure>\r\n<\/figure>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n
\r\n- Go to AWS Firewall > Select Firewall Rules<\/strong><\/li>\r\n\r\n\r\n\r\n
- Choose action RULE GROUP TYPE > Forward to stateful groups<\/strong><\/li>\r\n\r\n\r\n\r\n
- Choose Stateful Group Option > DOMAIN LIST<\/strong><\/li>\r\n\r\n\r\n\r\n
- Select Stateful Rule Order > Strict <\/strong><\/li>\r\n\r\n\r\n\r\n
- Now create Rule Groups<\/em><\/strong>
\r\n\r\n- Group Name: Opstree<\/strong><\/li>\r\n\r\n\r\n\r\n
- Capacity <\/span>10000<\/strong><\/span><\/li>\r\n\r\n\r\n\r\n
- List the number of Domains you want to allow<\/li>\r\n\r\n\r\n\r\n
- Choose a rule to ALLOW<\/strong><\/li>\r\n\r\n\r\n\r\n
- Traffic to Inspect HTTP\/HTTPS<\/strong><\/li>\r\n\r\n\r\n\r\n
- Under Source IP Types: You can also choose Source IPs <\/strong>from where you are allowing the traffic to be going through firewall Here you can enter your VPC Ranges<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
Now Create the firewall Policy<\/strong><\/h3>\r\n\r\n\r\n\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/07\/screenshot-2023-07-14-at-3.09.20-pm.png?w=1024\")
<\/figure>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n
\r\n- Select > Firewall Policies<\/strong><\/li>\r\n\r\n\r\n\r\n
- Choose Name > Opstree Firewall<\/strong><\/li>\r\n\r\n\r\n\r\n
- Select > Select Exception policy (Drop)<\/strong><\/li>\r\n\r\n\r\n\r\n
- Select Default Actions<\/strong>\r\n
\r\n- Fragmented packets > Use same actions for all packets<\/strong><\/li>\r\n\r\n\r\n\r\n
- Action > Forward to stateful rule groups<\/strong><\/li>\r\n<\/ul>\r\n<\/li>\r\n\r\n\r\n\r\n
- In stateful rule evaluation\r\n
\r\n- Rule order > Strict<\/strong><\/li>\r\n\r\n\r\n\r\n
- Default Action > Drop established<\/strong><\/li>\r\n\r\n\r\n\r\n
- Now Add Stateful rule group you have created before in firewall rules by the names Opstree<\/strong><\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ol>\r\n
[ Must Read Ebook: Getting Started with Generative AI on AWS<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\nNow create the BIG FISH FIREWALL<\/strong><\/h3>\r\n\r\n\r\n\r\n\r\n- Enter the Name > Opstree-Firewall<\/li>\r\n\r\n\r\n\r\n
- Chose your VPC > Inspection VPC<\/li>\r\n\r\n\r\n\r\n
- Choose Firewall Subnets > Select all the three Subnets you have created for Firewall<\/li>\r\n\r\n\r\n\r\n
- Associated Firewall Policy > Select your existing policy <\/strong>> opstree-Firewall<\/strong><\/li>\r\n\r\n\r\n\r\n
- Enable Delete protection<\/strong> and Subnet change protection<\/strong><\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
Now you are all ready to block any Website on your Infrastructure <\/strong><\/h3>\r\n\r\n\r\n\r\nNOTE<\/strong>: Deploying Firewall in different subnet create different VPC endpoints.<\/p>\r\n\r\n\r\n\r\nWe will not go deep Dive into VPC endpoints. It established private endpoint to connect with any AWS service<\/strong><\/a> within that VPC.<\/p>\r\n\r\n\r\n\r\nSo now all the 3 Steps are done Let’s move towards the final step that Adding routes of tgw-id replacing your NAT Id in your spoke VPCs <\/strong><\/p>\r\n\r\n\r\n\r\nWhen you have created TGW in our first step you have got a tgw-id<\/strong> just replace it with the NAT id in your route table of your Spoke VPC subnets<\/p>\r\n\r\n\r\n\r\nNow the Egress traffic flow will be like this in your VPCs. <\/strong><\/h3>\r\n\r\n\r\n\r\n\r\n- Now traffic coming from Spoke VPC will have an entry for Transit gateway id for the traffic 0.0.0.0\/0 in the route tables<\/li>\r\n\r\n\r\n\r\n
- Traffic will be from SPOKE to TRANSIT GATEWAY<\/strong> Spoke VPC Route table<\/strong><\/li>\r\n\r\n\r\n\r\n
- Spoke VPC Route table <\/strong>in Transit Gateway has entry to enter route coming from spoke VPC to Inspection VPC <\/strong><\/li>\r\n\r\n\r\n\r\n
- After traffic is entered into Inspection VPC it now has an entry over the firewall endpoint<\/li>\r\n\r\n\r\n\r\n
- The firewall Endpoint will filter the traffic according to the rules<\/li>\r\n\r\n\r\n\r\n
- Now it will throw back traffic to TGW Firewall TGW Route table<\/li>\r\n\r\n\r\n\r\n
- Now TGW has filtered traffic, Now it will throw traffic to Central Egress VPC<\/li>\r\n\r\n\r\n\r\n
- Where traffic goes to the outer world. Like if you have not allowed xyz.com into your firewall rules. you will not be able to access that into your Instance from where there the traffic is being originated<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
The same can be created for ingress traffic also you just need to add one more VPC Central-ingress VPC<\/strong><\/p>\r\n\r\n\r\n\r\nConclusion<\/h2>\r\n\r\n\r\n\r\n
I hope I could shed some light on the role and importance of the managed service – AWS Firewall<\/a>. If you guys enjoyed reading this and found it insightful do share it amongst your community. Want to give any feedback or suggestions, you can reach out to me. If you have any interesting use-case for AWS Firewall, do share them in the comments section.<\/p>\r\n\r\n\r\n\r\n\r\n\r\n
[ Are you looking: AWS Solutions<\/a>]<\/strong><\/p>\r\n\r\n\r\n\r\n So, to fulfill all these requirements. The first fully managed service that came to my mind is the AWS firewall.<\/p>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n Source<\/a><\/p>\r\n\r\n\r\n\r\n Well, don’t be afraid this document look difficult but quite easy to implement. So let’s start.<\/p>\r\n\r\n\r\n\r\n [ Check Our Case Study: Migrating from On-Prem to AWS with Enhanced Observability, Security, and Cost Optimization<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\n First, we will set up Transit Gateway:<\/em><\/strong><\/p>\r\n\r\n\r\n\r\n [ Also Read: Understanding AWS Cost and Usage Reports (CUR)<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\n Note: We will not discuss the creation of VPC. For VPC creation we can refer to this AWS Documentation<\/p>\r\n\r\n\r\n\r\n https:\/\/docs.aws.amazon.com\/directoryservice\/latest\/admin-guide\/gsg_create_vpc.html<\/p>\r\n\r\n\r\n\r\n As told earlier, Spoke VPC are those whose traffic has to be filtered through the firewall. You can use your existing VPC or create a new one with tgw-subnet in each availability zone <\/em><\/p>\r\n\r\n\r\n\r\n Inspection VPC is in which you will have your Firewall setup.<\/p>\r\n\r\n\r\n\r\n Central Egress VPC will be forwarding your Traffic which is getting filtered from Inspection(Firewall) VPC <\/em><\/p>\r\n\r\n\r\n\r\n Firewall Setup is easy we will follow bottom to above approach<\/strong><\/p>\r\n\r\n\r\n\r\n FIREWALL RULES –> FIREWALL POLICIES —-> FIREWALL<\/strong><\/p>\r\n\r\n\r\n\r\n We will first setup Rules<\/strong> <\/em><\/p>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n [ Must Read Ebook: Getting Started with Generative AI on AWS<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\n NOTE<\/strong>: Deploying Firewall in different subnet create different VPC endpoints.<\/p>\r\n\r\n\r\n\r\n We will not go deep Dive into VPC endpoints. It established private endpoint to connect with any AWS service<\/strong><\/a> within that VPC.<\/p>\r\n\r\n\r\n\r\n So now all the 3 Steps are done Let’s move towards the final step that Adding routes of tgw-id replacing your NAT Id in your spoke VPCs <\/strong><\/p>\r\n\r\n\r\n\r\n When you have created TGW in our first step you have got a tgw-id<\/strong> just replace it with the NAT id in your route table of your Spoke VPC subnets<\/p>\r\n\r\n\r\n\r\n The same can be created for ingress traffic also you just need to add one more VPC Central-ingress VPC<\/strong><\/p>\r\n\r\n\r\n\r\n I hope I could shed some light on the role and importance of the managed service – AWS Firewall<\/a>. If you guys enjoyed reading this and found it insightful do share it amongst your community. Want to give any feedback or suggestions, you can reach out to me. If you have any interesting use-case for AWS Firewall, do share them in the comments section.<\/p>\r\n\r\n\r\n\r\n\r\n\r\n<\/figure>\r\n\r\n\r\n\r\nBasic Requirements:<\/strong><\/h3>\r\n\r\n\r\n\r\n
\r\n
The Diagram has some basic terms:<\/strong><\/h3>\r\n\r\n\r\n\r\n
\r\n
We will do Implementation in 4 Steps:<\/strong><\/h2>\r\n\r\n\r\n\r\n
\r\n
\r\n
Now next setup would be configuration of your Hub\/Spoke\/Inspection VPC<\/strong><\/h3>\r\n\r\n\r\n\r\n
Creation of Spoke VPC:<\/strong><\/h5>\r\n\r\n\r\n\r\n
Now create Inspection VPC <\/strong><\/h5>\r\n\r\n\r\n\r\n
\r\n
Now create central Egress VPC<\/strong><\/h5>\r\n\r\n\r\n\r\n
\r\n
After setting up Transit Gateway and 3 VPCs we will be moving towards our third step, setup of Firewall<\/strong><\/h3>\r\n\r\n\r\n\r\n
<\/figure>\r\n<\/figure>\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
Now Create the firewall Policy<\/strong><\/h3>\r\n\r\n\r\n\r\n
<\/figure>\r\n\r\n\r\n\r\n\r\n
\r\n
\r\n
Now create the BIG FISH FIREWALL<\/strong><\/h3>\r\n\r\n\r\n\r\n
\r\n
Now you are all ready to block any Website on your Infrastructure <\/strong><\/h3>\r\n\r\n\r\n\r\n
Now the Egress traffic flow will be like this in your VPCs. <\/strong><\/h3>\r\n\r\n\r\n\r\n
\r\n
Conclusion<\/h2>\r\n\r\n\r\n\r\n