This repository contains terraform code to deploy a single VPC with inspection using AWS Network Firewall. Stateful rule groups use Strict Rule Ordering, and the end goal of this example is to show how you can log both ALLOWED and DENIED traffic in the same destination directly from Network Firewall - CloudWatch logs is used in this example.
The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.
- An AWS account with an IAM user with the appropriate permissions
- Terraform installed
- Writing DRY (Do No Repeat Yourself) code using a modular design pattern
- Clone the repository
- Edit the variables.tf file in the project root directory. This file contains the variables that are used to configure environment.
- Initialize Terraform using
terraform init - Deploy the template using
terraform apply
Note: The default number of Availability Zones to use is 1, although you can change this number in the input variables to a maximum number of 3. To follow best practices, each resource - EC2 instance, NAT Gateway, SSM endpoints, and Network Firewall endpoint - will be created in each Availability Zone. Keep this in mind to avoid extra costs unless you are happy to deploy more resources and accept additional costs.
The AWS Network Firewall Policy is defined in the policy.tf file in the firewall directory. The firewall policy is configured to use Strict Rule Ordering with "Alert All" and "Drop All" as default actions. 3 rules groups are configured:
- One stateless rule group denying any SSH or RDP communication.
- Two stateful rule groups: one allowing ICMP communication, and another one allowing communication with the domains "example.com" and ".amazon.com".
All the pass actions are duplicated with alert ones first. That way the alert rule generates first the log (ALLOWED) and later the pass rule allows the communication. As per the default actions, other communication will be DENIED and logged in the same destination (ALERT flow log).
- VPC Flow Logs are configured and sent to a CloudWatch Log group. Amazon S3 and Amazon Kinesis Firehose can also be used as a logging destination.
- AWS Network firewall logs are also configured - both ALERT and FLOW - to respective AWS Cloudwatch Log Groups. Amazon S3 or Amazon Kinesis Firehose can also be used as a logging destination.
- AWS Reference Architecture - Inspection Deployment Models with AWS Network Firewall.
- AWS Documentation - Evaluation order for stateful rule groups
Remember to clean up after your work is complete. You can do that by doing terraform destroy.
Note that this command will delete all the resources previously created by Terraform.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| aws | >= 4.28.0 |
| Name | Version |
|---|---|
| aws | 4.59.0 |
| Name | Source | Version |
|---|---|---|
| network_firewall | aws-ia/networkfirewall/aws | 0.1.1 |
| vpc | aws-ia/vpc/aws | 4.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | AWS Region to create the environment. | string |
"eu-west-1" |
no |
| cidr_block | VPC's CIDR block. | string |
"10.0.0.0/24" |
no |
| identifier | Project Name, used as identifer when creating resources. | string |
"anfw-strict-rule" |
no |
| instance_type | Instance type of the instances created. | string |
"t2.micro" |
no |
| number_azs | Number of Availability Zones to create resources in the VPC. | number |
1 |
no |
| subnet_cidr_blocks | Subnet CIDR blocks. | map(list(string)) |
{ |
no |
| vpcflowlog_type | The type of traffic to log in VPC Flow Logs. | string |
"ALL" |
no |
No outputs.