Using the AWS Network Firewall for centralized ingress
In this architecture, ingress traffic is inspected by AWS Network Firewall before reaching the rest of the VPCs. In this setup, traffic is split among all firewall endpoints deployed in the Edge VPC. You deploy a public subnet between the firewall endpoint and the Transit Gateway subnet. You can use an ALB or NLB, which contain IP targets in your spoke VPCs while handling Auto Scaling for targets behind them.
To simplify deployment and management of AWS Network Firewall in this model, you can use AWS Firewall Manager. Firewall Manager lets you centrally administer your firewalls by automatically applying the protections you create in the central location to multiple accounts. Firewall Manager supports both distributed and centralized deployment models for Network Firewall. Refer to the blog post How to deploy AWS Network Firewall by using AWS Firewall Manager.
Deep Packet Inspection (DPI) with AWS Network Firewall
Network Firewall can perform deep packet inspection (DPI) on ingress traffic. Using a Transport Layer Security (TLS) certificate stored in AWS Certificate Manager (ACM), Network Firewall can decrypt packets, perform DPI, and re-encrypt them before forwarding. There are a few considerations for setting up DPI with Network Firewall. First, a trusted TLS certificate must be stored in ACM. Second, Network Firewall rules must be configured so that the intended flows are sent for decryption, inspection, and re-encryption. Refer to the blog post TLS inspection configuration for encrypted traffic and AWS Network Firewall.
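The following is an added example, not code from the whitepaper or from AWS. It builds the TLS inspection configuration document that the DPI setup above requires (ACM server certificate plus a decryption scope limited to inbound TCP/443 toward the edge VPC), checks it for the scoping mistakes that leave ingress traffic undecrypted or over-decrypted, and attaches it to a firewall policy. The certificate ARN, account ID and CIDR are placeholders.

```python
"""Build and sanity-check an AWS Network Firewall TLS inspection configuration
for centralized ingress. Added example; ARN, account and CIDR are assumptions."""
import json
import re

# Placeholder values: replace with your own ACM certificate and edge VPC CIDR.
ACM_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID"
EDGE_PUBLIC_SUBNET_CIDR = "10.0.1.0/24"   # subnet holding the edge VPC ALB/NLB

def ingress_tls_inspection_config(cert_arn, protected_cidr, ports=(443,)):
    """Return the TLSInspectionConfiguration document for inbound decryption.
    Only flows matching a scope are decrypted; for ingress the server-side
    certificate is the trusted certificate stored in ACM."""
    return {"ServerCertificateConfigurations": [{
        "ServerCertificates": [{"ResourceArn": cert_arn}],
        "Scopes": [{
            "Sources": [{"AddressDefinition": "0.0.0.0/0"}],   # any internet client
            "Destinations": [{"AddressDefinition": protected_cidr}],
            "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
            "DestinationPorts": [{"FromPort": p, "ToPort": p} for p in ports],
            "Protocols": [6],                                   # TCP only
        }],
    }]}

def check_ingress_scope(cfg):
    """Flag mistakes that silently leave ingress undecrypted or over-scoped."""
    problems = []
    for sc in cfg["ServerCertificateConfigurations"]:
        for cert in sc["ServerCertificates"]:
            if not re.match(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/", cert["ResourceArn"]):
                problems.append("server certificate must be an ACM certificate ARN")
        if "CertificateAuthorityArn" in sc:
            problems.append("CertificateAuthorityArn is for outbound inspection, not ingress")
        for scope in sc["Scopes"]:
            if scope["Protocols"] != [6]:
                problems.append("TLS inspection scopes must be TCP (protocol 6) only")
            if any(d["AddressDefinition"] == "0.0.0.0/0" for d in scope["Destinations"]):
                problems.append("destination 0.0.0.0/0 decrypts more than the edge VPC targets")
            if not any(p["FromPort"] <= 443 <= p["ToPort"] for p in scope["DestinationPorts"]):
                problems.append("scope does not cover destination port 443")
    return problems

def firewall_policy_with_tls(policy, tls_config_arn):
    """Reference the inspection configuration from a firewall policy document."""
    return {**policy, "TLSInspectionConfigurationArn": tls_config_arn}

if __name__ == "__main__":
    cfg = ingress_tls_inspection_config(ACM_CERT_ARN, EDGE_PUBLIC_SUBNET_CIDR)
    assert not check_ingress_scope(cfg)
    print(json.dumps(cfg, indent=2))   # save as cfg.json, then create it with:
    # aws network-firewall create-tls-inspection-configuration \
    #   --tls-inspection-configuration-name ingress-tls --tls-inspection-configuration file://cfg.json
```

The stateful rule groups referenced by the same policy then see the decrypted payload for flows inside the scope; traffic outside the scope is still inspected, but only as opaque TLS.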
Key considerations for AWS Network Firewall in a centralized ingress architecture
- Elastic Load Balancing in the edge VPC can only use IP addresses as targets, not hostnames. In the preceding figure, the targets are the private IPs of the Network Load Balancer in the spoke VPCs. Using IP targets behind the ELB in the edge VPC results in the loss of Auto Scaling for those targets.
- Consider using AWS Firewall Manager as a single pane of glass for your firewall endpoints.
- This deployment model inspects traffic as soon as it enters the edge VPC, so it has the potential to reduce the overall cost of your inspection architecture.