Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Using AWS Fiewall with AWS NLB

0

Hi All,

I've a requirement to protect resources behind an internet exposed NLB[EIP attached] using AWS Firewall. My NLB is in a public subnet, instances in a private subnet, attached to the NLB using a target group.

I need to allow traffic coming from specific third party public IPs to my backend instances behind the NLB[which is public]. In this scenario, my firewall subnet first filter incoming traffic, then forward to my NLB and NLB distributes the load between the EC2 instances which are part of my target group.

My query is - will my approach work as I described above? Yet to touch console to implement this. Any references would be helpful.

Thanks in advance SVen

Argomenti
Sicurezza, identità e conformitàNetworking e distribuzione di contenuti
Tag
Firewall di rete AWSNetworking e distribuzione di contenutiEquilibratore di carico rete
Lingua
English
SVen
posta 8 mesi fa1573 visualizzazioni
5 Risposte
0
Risposta accettata

Yes, this it should work, see below blog. You can use IGW Ingress routing to insert AWS Network Firewall between IGW and NLB.

https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/

profile pictureAWS
ESPERTO
Tushar_J
con risposta 8 mesi fa
0

Seems the approach is to make sure to consider the following step. Virtual Private Cloud (VPC) set up with the necessary public and private subnets. Go to the AWS Firewall Manager console and create a new firewall. Define your firewall rules to allow traffic only from specific third-party public IPs. Configure the rule group associated with your firewall to allow traffic to your NLB's IP. Links for further help https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

Waseem
con risposta 8 mesi fa
  • SVen
    8 mesi fa

    Thank you, this article really helped me a lot.

0

Thank you, let me try this on console tomorrow, will come back if I face any issues. Then I need to automate this. Have a great weekend.

SVen
con risposta 8 mesi fa
0

Consider also that NLB now supports security groups: https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/

profile picture
ESPERTO
Antonio_Lagrotteria
con risposta 8 mesi fa
0

Thanks for your suggestions.

this approached really worked - except one issue we are struggling to resolve. We placed an FTP solution[a linux VM placed in a private subnet, protected by an NLB in a public subnet attached with EIP, incoming traffic protected using AWS FW, NLB attached with an EIP, for business partners can connect from internet].

Here the issue is, secured FTP worked on port 22, but we need to access the FTP service on port 21 as well. 21 port on this Linux VM, accepting the connection, connection succeeds, but not able to retrieve the directories. There are two target groups created, one listening on 22 and another listening on 21 - both these ports are on the same single linux VM, successfully operating on 22, but 21 still failing.

Any pointers to resolve this would be of great help.

Thanks SVen

SVen
con risposta 8 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente