Using the AWS Network Firewall for centralized ingress - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Using the AWS Network Firewall for centralized ingress

In this architecture, ingress traffic is inspected by AWS Network Firewall before it reaches the rest of the VPCs. Traffic is distributed across all firewall endpoints deployed in the Edge VPC. A public subnet sits between the firewall endpoint and the Transit Gateway subnet; in it you deploy an ALB or NLB whose targets are IP addresses in your spoke VPCs, and the load balancers in the spoke VPCs handle Auto Scaling for the targets behind them.

Ingress traffic inspection using AWS Network Firewall

To simplify deployment and management of AWS Network Firewall in this model, you can use AWS Firewall Manager. Firewall Manager lets you administer your firewalls centrally by automatically applying the protections you define in one place to multiple accounts. Firewall Manager supports both distributed and centralized deployment models for Network Firewall. The blog post How to deploy AWS Network Firewall by using AWS Firewall Manager provides more details on both models.

Deep Packet Inspection (DPI) with AWS Network Firewall

Network Firewall can perform deep packet inspection (DPI) on ingress traffic. Using a Transport Layer Security (TLS) certificate stored in AWS Certificate Manager (ACM), Network Firewall can decrypt packets, perform DPI, and re-encrypt packets. There are a few considerations for setting up DPI with Network Firewall. First, a trusted TLS certificate must be stored in ACM. Second, Network Firewall rules must be configured to correctly send packets for decryption and re-encryption. Refer to the blog post TLS inspection configuration for encrypted traffic and AWS Network Firewall for more details.
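The two DPI prerequisites above (a server certificate in ACM, and a firewall policy that actually routes matching flows through TLS inspection) are easy to get half right: a policy with stateful rules but no TLS inspection configuration attached inspects only cleartext and lets TLS through undecrypted. The following is an added example, not code from the whitepaper; it builds the two request bodies in the shape the Network Firewall API expects for CreateTlsInspectionConfiguration and CreateFirewallPolicy (as you would pass them to boto3), then lints them for the gaps a reviewer would look for. The ARNs, the subnet CIDR and the Suricata rules are constructed placeholders, and nothing here calls AWS, so it runs offline.

```python
"""Build and lint an AWS Network Firewall TLS-inspection (DPI) setup.

Added illustration, not code from the whitepaper. Dict shapes follow the
NetworkFirewall API inputs for CreateTlsInspectionConfiguration and
CreateFirewallPolicy; all ARNs and the CIDR below are constructed placeholders.
"""
import json
from typing import Optional

# Constructed placeholder identifiers (replace with your own).
ACM_CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID"
TLS_CONFIG_ARN = "arn:aws:network-firewall:us-east-1:111122223333:tls-configuration/ingress-dpi"
RULE_GROUP_ARN = "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/ingress-http"
PUBLIC_SUBNET_CIDR = "10.0.0.0/24"  # the ALB/NLB subnet between the firewall and TGW subnets


def tls_inspection_configuration(cert_arn: str, dest_cidr: str) -> dict:
    """Scope decryption to inbound TCP/443 towards the load-balancer subnet.

    Flows matching a scope are decrypted with the ACM-stored certificate,
    evaluated by the stateful rules in clear text, and re-encrypted on egress.
    """
    return {
        "ServerCertificateConfigurations": [
            {
                "ServerCertificates": [{"ResourceArn": cert_arn}],
                "Scopes": [
                    {
                        "Protocols": [6],  # TCP only; TLS inspection is not applied to UDP
                        "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                        "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
                        "Destinations": [{"AddressDefinition": dest_cidr}],
                        "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                    }
                ],
            }
        ]
    }


# Constructed Suricata-compatible rules, evaluated on the decrypted stream in
# strict order: block the TRACE method, then pass the rest of the inspected HTTP.
INGRESS_RULES = "\n".join([
    'drop http any any -> any any (msg:"Inbound HTTP TRACE blocked"; '
    'http.method; content:"TRACE"; sid:1000001; rev:1;)',
    'pass http any any -> any any (msg:"Allow inspected HTTP"; sid:1000002; rev:1;)',
])


def firewall_policy(tls_config_arn: Optional[str], rule_group_arn: str) -> dict:
    """Policy that forwards everything to the stateful engine and, when given,
    attaches the TLS inspection configuration so scoped flows are decrypted."""
    policy = {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": 1}],
    }
    if tls_config_arn:
        policy["TLSInspectionConfigurationArn"] = tls_config_arn
    return policy


def lint_dpi_setup(policy: dict, tls_config: dict) -> list:
    """Return the gaps that would leave ingress TLS uninspected or unblocked."""
    findings = []
    if "TLSInspectionConfigurationArn" not in policy:
        findings.append("policy has no TLS inspection configuration: TLS passes through undecrypted")
    for cfg in tls_config["ServerCertificateConfigurations"]:
        for cert in cfg["ServerCertificates"]:
            if not cert["ResourceArn"].startswith("arn:aws:acm:"):
                findings.append("server certificate must be stored in ACM: " + cert["ResourceArn"])
        covers_443 = any(
            6 in scope["Protocols"]
            and any(p["FromPort"] <= 443 <= p["ToPort"] for p in scope["DestinationPorts"])
            for scope in cfg["Scopes"]
        )
        if not covers_443:
            findings.append("no TLS inspection scope covers TCP/443")
    strict = policy.get("StatefulEngineOptions", {}).get("RuleOrder") == "STRICT_ORDER"
    if strict and not policy.get("StatefulDefaultActions"):
        findings.append("STRICT_ORDER without StatefulDefaultActions: unmatched flows are not dropped")
    return findings


if __name__ == "__main__":
    tls_cfg = tls_inspection_configuration(ACM_CERT_ARN, PUBLIC_SUBNET_CIDR)
    for label, arn in (("missing TLS inspection", None), ("with TLS inspection", TLS_CONFIG_ARN)):
        print(label, "->", lint_dpi_setup(firewall_policy(arn, RULE_GROUP_ARN), tls_cfg) or "OK")
    print(json.dumps(firewall_policy(TLS_CONFIG_ARN, RULE_GROUP_ARN), indent=2))
```

Run it as a script to see the same policy linted with and without the TLS inspection ARN; the lint is deliberately strict about the certificate living in ACM and about a scope covering TCP/443, since those are the two conditions the text calls out, and it flags a strict-order policy with no stateful default action because that is the setting that quietly lets unmatched flows through.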

Key considerations for AWS Network Firewall in a centralized ingress architecture

  • Elastic Load Balancing in the Edge VPC can only use IP addresses as the target type, not a hostname. In the preceding figure, the targets are the private IPs of the Network Load Balancers in the spoke VPCs. Using IP targets behind the ELB in the Edge VPC means the edge ELB cannot Auto Scale those targets itself.

  • Consider using AWS Firewall Manager as a single pane of glass for your firewall endpoints.

  • This deployment model uses traffic inspection right as it enters the edge VPC, so it has the potential to reduce the overall cost of your inspection architecture.