Overview
Firewall Automation for Network Traffic on AWS configures the AWS resources needed to filter network traffic. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon Virtual Private Clouds (Amazon VPCs).
Benefits
This solution allows you to modify rule groups and firewall policies in the configuration package in the AWS CodeCommit repository. This automatically invokes the AWS CodePipeline to run validation and deployment.
With this solution, you can inspect hundreds or thousands of Amazon VPCs and accounts in one place. You can also centrally configure and manage your AWS Network Firewall, firewall policies, and rule groups.
This solution helps you collaborate and manage the changes to the AWS Network Firewall configuration by using GitOps workflow.
Technical details
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.
Step 1
AWS CloudFormation template deploys an inspection VPC with a total of four subnets. Two of the subnets are used to create VPC Transit Gateway attachments and the other two subnets are used to create AWS Network Firewall endpoints.
Step 2
AWS CloudFormation template creates a new AWS CodeCommit repository and a network firewall configuration that allows all network traffic by default. This template also includes a set of examples to help you create new rule groups.
Step 3
Modifying the configuration package in the CodeCommit repository invokes the AWS CodePipeline to run the validation and deployment stages.
Step 4
The solution creates Amazon VPC route tables for each availability zone with a default route destination. A shared route table with firewall subnets is also created with the transit gateway ID as the default route destination.
Step 5
The solution also creates two AWS Key Management Service (AWS KMS) encryption keys. One of the keys is used to encrypt objects in the Amazon Simple Storage Service (Amazon S3) artifact, source code buckets, and AWS CodeBuild projects. The second key is used to encrypt the AWS Network Firewall log destinations.
Step 6
AWS Identity and Access Management (IAM) roles are created to grant permissions to AWS CodePipeline and AWS CodeBuild stages to access Amazon S3 buckets and manage AWS Network Firewall resources.
Step 1
AWS CloudFormation template deploys an inspection VPC with a total of four subnets. Two of the subnets are used to create VPC Transit Gateway attachments and the other two subnets are used to create AWS Network Firewall endpoints.
Step 2
AWS CloudFormation template creates a new AWS CodeCommit repository and a network firewall configuration that allows all network traffic by default. This template also includes a set of examples to help you create new rule groups.
Step 3
Modifying the configuration package in the CodeCommit repository invokes the AWS CodePipeline to run the validation and deployment stages.
Step 4
The solution creates Amazon VPC route tables for each availability zone with a default route destination. A shared route table with firewall subnets is also created with the transit gateway ID as the default route destination.
Step 5
The solution also creates two AWS Key Management Service (AWS KMS) encryption keys. One of the keys is used to encrypt objects in the Amazon Simple Storage Service (Amazon S3) artifact, source code buckets, and AWS CodeBuild projects. The second key is used to encrypt the AWS Network Firewall log destinations.
Step 6
AWS Identity and Access Management (IAM) roles are created to grant permissions to AWS CodePipeline and AWS CodeBuild stages to access Amazon S3 buckets and manage AWS Network Firewall resources.