How do I configure my Network Firewall rules to block or allow specific domains?


I want to filter outbound web traffic from resources in my Amazon Virtual Private Cloud (Amazon VPC) using AWS Network Firewall.

Short description

Network Firewall policies and rule groups are defined by their rule evaluation order, having either default action order or strict evaluation order. A firewall policy configured for default action order evaluates rules in the following order: pass, drop, reject, and alert. The stateful default action for a default policy is pass.

With strict evaluation order, rule groups are evaluated in order of priority from lowest to highest. Rules within a group are then evaluated in the order in which they are configured. The stateful default action for a strict order policy is configurable, for example Drop established. Default rule groups are associated with default action order policies, while strict order rule groups are associated with strict evaluation order policies.

You can configure Network Firewall to allow or block access to specific domains. You can do this for policies and rule groups that use either default action order or strict evaluation order, with one of the following:

  • Stateful domain list rule group
  • Suricata compatible IPS rules

Stateful domain name inspection can be configured for HTTP and HTTPS protocols. For HTTP, the request is unencrypted and allows Network Firewall to see the hostname value in the HTTP host header. For HTTPS, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname. The firewall then compares the hostname (or domain name) against the configured HTTP or TLS rules.

With a domain allowlist, the firewall passes HTTP or HTTPS requests only to specified domains. Requests to all other domains are dropped.

Resolution

Default action order

For policies with default action order, configure a domain list rule group to allow HTTP and HTTPS requests to specific domains.

1.    Open the Amazon VPC console.

2.    Create a firewall.

3.    In the navigation pane, under Network Firewall, choose Firewall policies.

4.    Choose the default action order firewall policy that you want to edit.

5.    Under Stateful rule groups, choose Actions, and then choose Create stateful rule group.

6.    Enter a unique rule group name.

7.    For Capacity reservation, enter an estimated number of domains that the list will include. This value can't be changed after the rule group is created.

8.    For Stateful rule group options, choose Domain list.
Note: Stateful rule order can't be changed because it's inherited from the policy. The Rule order appears as Default.

9.    Under Domain list, for Domain name source, enter the domain names that you want to match. Domains can be defined as an exact match, such as abc.example.com. They can also be defined as a wildcard, such as .example.com.

10.    For Source IPs type, choose Default if the source IP exists in the same VPC as the firewall. Choose Defined if the source IP exists in a remote VPC. When choosing Defined, enter the source subnets that you want the firewall to inspect under Source IP CIDR ranges.

11.    For Protocols, select HTTP and HTTPS.

12.    For Action, choose Allow.

13.    Choose Create and add to policy.

To manually define Suricata compatible IPS rules for HTTP and HTTPS, configure a default action order Suricata compatible IPS rule in the rule group.

1.    Open the Amazon VPC console.

2.    Create a firewall.

3.    In the navigation pane, under Network Firewall, choose Firewall policies.

4.    Choose the default action order firewall policy that you want to edit.

5.    Under Stateful rule groups, choose Actions, then choose Create stateful rule group.

6.    Enter a unique rule group Name.

7.    For Capacity reservation, enter an estimated number of rules that the list will include. This value can't be changed after the rule group is created.

8.    For Stateful rule group options, choose Suricata compatible IPS rules.
Note: Stateful rule order can't be changed because it's inherited from the policy. The Rule order appears as Default.

9.    (Optional) Define custom Rule variables for use in the Suricata signatures.

10.    (Optional) Define IP set references for use in the Suricata signatures.

11.    Under Suricata compatible IPS rules, enter the following rules. Change the domains to the specific domains that you want to address.

pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; flow:to_server, established; sid:5; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:6; rev:1;)

12.    Choose Create and add to policy.
Note: The established flow keyword is commonly used in domain rules, but it might not account for all out-of-flow packet exchange edge cases. Before using any example rule listing, test the rule to verify that it works as expected.

Strict evaluation order

For policies with strict evaluation order, configure a domain list rule group to allow HTTP and HTTPS requests to specific domains.

1.    Open the Amazon VPC console.

2.    Create a firewall.

3.    In the navigation pane, under Network Firewall, choose Firewall policies.

4.    Choose the strict evaluation order firewall policy that you want to edit.

5.    Under Stateful rule groups, choose Actions, then choose Create stateful rule group.

6.    Enter a unique rule group Name.

7.    For Capacity reservation, enter an estimated number of domains the list will include. This value can't be changed after the rule group is created.

8.    For Stateful rule group options, choose Domain list.
Note: Stateful rule order can't be changed because it's inherited from the policy. The Rule order appears as Strict.

9.    Under Domain list, for Domain name source, enter the domain names that you want to match. Domains can be defined as an exact match, such as abc.example.com. They can also be defined as a wildcard, such as .example.com.

10.    For Source IPs type, choose Default if the source IP exists in the same VPC as the firewall. Choose Defined if the source IP exists in a remote VPC. When choosing Defined, enter the source subnets that you want the firewall to inspect under Source IP CIDR ranges.

11.    For Protocols, choose HTTP and HTTPS.

12.    For Action, choose Allow.

13.    Choose Create and add to policy.

14.    In the navigation pane, under Network Firewall, choose Firewall policies.

15.    Choose the strict order policy that you added this rule group to.

16.    For Stateful rule evaluation order and default actions, choose Edit.

17.    For Default actions, choose Drop established. Then, choose Save.

To manually define Suricata compatible IPS rules for HTTP and HTTPS, configure a strict evaluation order Suricata compatible IPS rule in the rule group.

1.    Open the Amazon VPC console.

2.    Create a firewall.

3.    In the navigation pane, under Network Firewall, choose Firewall policies.

4.    Choose the strict evaluation order firewall policy that you want to edit.

5.    Under Stateful rule groups, choose Actions, then choose Create stateful rule group.

6.    Enter a unique rule group Name.

7.    For Capacity reservation, enter an estimated number of rules that the list will include. This value can't be changed after the rule group is created.

8.    For Stateful rule group options, choose Suricata compatible IPS rules.
Note: Stateful rule order can't be changed because it's inherited from the policy. The Rule order appears as Strict.

9.    (Optional) Define custom Rule variables for use in the Suricata signatures that you define.

10.    (Optional) Define IP set references for use in the Suricata signatures that you define.

11.    Under Suricata compatible IPS rules, enter the following rules. Change the domains to the specific domains that you want to address.

pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)

12.    Choose Create and add to policy.

13.    In the navigation pane, under Network Firewall, choose Firewall policies.

14.    Choose the strict order policy that you added this rule group to.

15.    For Stateful rule evaluation order and default actions, choose Edit.

16.    For Default actions, choose Drop established. Then, choose Save.

Note: The established flow keyword is commonly used in domain rules, but it might not account for all out-of-flow packet exchange edge cases. Before using any example rule listing, test the rule to verify that it works as expected.
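The two Suricata listings above (default action order and strict evaluation order) rely on the same keyword chains: dotprefix plus endswith for a domain and its subdomains, startswith plus endswith for an exact hostname, and nocase only on the tls rules. The following Python model is an added illustration, not code from this article or from AWS; it assumes only the hostnames from the listings and a few constructed sample values, and shows which Host header or SNI values the pass rules claim and which fall through to the drop rules or the Drop established default action.

```python
"""Model of the host matching behind the article's Suricata allowlist rules.
Added illustration, not code from the article or from AWS: it reproduces what
the keyword chains in the rule listings (sid 1-4) mean and why only the tls
rules carry 'nocase'."""

# One tuple per pass rule: (protocol, content, keyword chain, nocase).
RULES = [
    ("http", ".amazonaws.com", "dotprefix_endswith", False),  # sid 1
    ("http", "example.com", "exact", False),                  # sid 2
    ("tls", ".amazonaws.com", "dotprefix_endswith", True),    # sid 3
    ("tls", "example.com", "exact", True),                    # sid 4
]

def buffer_for(proto: str, value: str) -> str:
    """Sticky buffer as Suricata presents it: http.host is normalized to
    lowercase by the HTTP parser, tls.sni is left exactly as sent."""
    return value.lower() if proto == "http" else value

def rule_matches(buf: str, content: str, mode: str, nocase: bool) -> bool:
    """Apply one rule's content keywords to a buffer."""
    if nocase:
        buf, content = buf.lower(), content.lower()
    if mode == "dotprefix_endswith":
        # dotprefix prepends '.', so 'example.com' becomes '.example.com':
        # the domain itself and any subdomain match, 'notexample.com' does not.
        return ("." + buf).endswith(content)
    # 'startswith; endswith;' together pin the content to the whole buffer.
    return buf == content

def verdict(proto: str, value: str) -> str:
    """'pass' if any pass rule for proto matches, else 'drop', which is what
    the catch-all drop rules (sid 5/6) or the Drop established default
    action do for everything the pass rules did not claim."""
    buf = buffer_for(proto, value)
    for rule_proto, content, mode, nocase in RULES:
        if rule_proto == proto and rule_matches(buf, content, mode, nocase):
            return "pass"
    return "drop"

if __name__ == "__main__":
    # Constructed sample Host header / SNI values, not from real traffic.
    samples = [("http", "s3.us-east-1.amazonaws.com"), ("http", "notamazonaws.com"),
               ("http", "www.example.com"), ("tls", "EXAMPLE.COM"),
               ("tls", "example.com.other.test")]
    for proto, host in samples:
        print(f"{proto:4} {host:28} {verdict(proto, host)}")
```

Note that www.example.com is dropped by the exact rule for example.com; to admit subdomains as well, the listing's dotprefix form with content ".example.com" is the one to use.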

Verification

You can verify that the domains are handled correctly based on your configuration by running test commands against the specified domains.

In the following example, the domain https://example.com is allowed and a 200 OK response is returned to the client:

curl -v --silent https://example.com --stderr - | grep 200
< HTTP/2 200

In the following example, the HTTP domain http://www.google.com is blocked:

curl -v http://www.google.com
* Trying 172.253.115.99:80...
* Connected to www.google.com (172.253.115.99) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.79.1
> Accept: */*

In the following example, the HTTPS domain https://www.google.com is blocked:

curl -v https://www.google.com
* Trying 172.253.115.147:443...
* Connected to www.google.com (172.253.115.147) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

Related information

Firewall policies in Network Firewall

Create a stateful rule group

Examples of stateful rules for Network Firewall

Evaluation order for stateful rule group

AWS OFFICIAL
Updated a year ago