
How do I set up an AWS Network Firewall with a NAT gateway?


I want to configure my AWS Network Firewall to inspect traffic using a NAT gateway.

Short description

AWS Network Firewall provides granular control over traffic to and from the resources inside your Amazon Virtual Private Cloud (Amazon VPC). To protect your Amazon VPC resources, deploy your Network Firewall endpoints in dedicated subnets and route workload instance traffic through them. Complete the following tasks:

  • Create a VPC
  • Create a firewall
  • Configure the traffic routing

Resolution

Create a VPC

  1. Open the Amazon VPC console.
  2. On the VPC dashboard, choose Create VPC.
  3. Under VPC settings, configure the following options:
    For Resources to create, choose VPC and more.
    For Name tag auto-generation, enter a name for the VPC. For this example, the VPC is named Protected_VPC_10.0.0.0_16-vpc. When the Auto-generate option is selected, the name is added as a name tag to all resources in the VPC.
    For IPv4 CIDR block, enter [IP_ADDRESS].
    For IPv6 CIDR block, choose No IPv6 CIDR block.
    For Tenancy, choose Default.
    For Number of Availability Zones (AZs), choose 2.
    Under Customize AZs, choose two Availability Zones. For this example, us-east-2a and us-east-2b are selected.
    For Number of public subnets, choose 2.
    For Number of private subnets, choose 4. Two of the private subnets are for the firewall endpoints and two are for the workload subnets.
    For NAT gateways ($), choose 1 per AZ. The NAT gateways deploy in the public subnets automatically.
    For VPC endpoints, choose None.
  4. Choose Create VPC.
  5. Name the subnets according to their purpose.

Note: Network Firewall can't inspect workloads in the same subnet where the firewall endpoints are deployed.

For this example:

  • The two public subnets are for the NAT gateways and are named Public_Subnet_AZa and Public_Subnet_AZb.
  • Two of the private subnets are for the firewall endpoints and are named Firewall_Subnet_AZa and Firewall_Subnet_AZb.
  • The other two private subnets are for the workload instances and are named Private_Subnet_AZa and Private_Subnet_AZb.

Create a firewall

  1. In the navigation pane, under Network Firewall, choose Firewalls.
  2. Choose Create firewall.
  3. Under Create firewall, configure the following options:
    For Name, enter a name for the firewall. For this example, the firewall is named Network-Firewall-Test.
    For VPC, choose Protected_VPC_10.0.0.0_16-vpc.
    For Firewall subnets, choose the first Availability Zone (us-east-2a), choose Firewall_Subnet_AZa for the subnet, and choose IPv4 for the IP address type. Then choose Add new subnet and repeat for the second Availability Zone (us-east-2b), choosing Firewall_Subnet_AZb for the subnet and IPv4 for the IP address type. Choose Next.
  4. Under Configure advanced settings - optional, keep the default settings. Choose Next.
  5. For Associated firewall policy, choose Create and associate an empty firewall policy. For New firewall policy name, enter a name for the new policy. Choose Next.
  6. Add tags (optional).
  7. Choose Next, review the configuration, and choose Create firewall.

Note: Each subnet must have a unique route table. The four private subnets each have a unique route table associated with them, and the public subnets share a route table. Create a new route table with a static route to an internet gateway and associate it with one of the public subnets.

Configure the traffic routing

Outbound traffic flows in the following order:

  1. Traffic from a workload instance in AZa forwards to the firewall endpoint in AZa.
  2. The firewall endpoint in AZa routes the traffic to the NAT gateway in AZa.
  3. The NAT gateway in AZa forwards the traffic to the internet gateway attached to the VPC.
  4. The internet gateway forwards the traffic to the internet.

Return traffic follows the same path in reverse:

  1. Return traffic from the internet reaches the internet gateway attached to the VPC. Only one internet gateway can be attached to a VPC.
  2. The internet gateway forwards the traffic to the NAT gateway in AZa. The internet gateway makes this decision based on the workload Availability Zone. Because the destination of the traffic is in AZa, the internet gateway selects the NAT gateway in AZa. No separate route table for the internet gateway is required.
  3. The NAT gateway subnet in AZa forwards the traffic to the firewall endpoint in AZa to maintain symmetric routing.
  4. The firewall endpoint in AZa forwards the traffic to the workload in AZa.

Note: Traffic stays within the same Availability Zone so that the firewall endpoint has both egress and ingress traffic routed through it. This allows the firewall endpoints in each Availability Zone to perform stateful inspections of the packets.

After you create the VPC and firewall, configure the route tables. Keep the following in mind:

  • Private_Subnet_AZa forwards all internet-bound traffic to the firewall endpoint in AZa (Firewall_Subnet_AZa). Repeat this for Private_Subnet_AZb and the firewall endpoint in AZb.
  • Firewall_Subnet_AZa forwards all internet-bound traffic to the NAT gateway in AZa (Public_Subnet_AZa). Repeat this for Firewall_Subnet_AZb and the NAT gateway in AZb.
  • Public_Subnet_AZa forwards all internet-bound traffic to the internet gateway attached to the VPC.
  • Return traffic follows the same path in reverse.

The following are example route table configurations:

Public_Subnet_RouteTable_AZa (Subnet association: Public_Subnet_AZa)

Destination       Target
0.0.0.0/0         Internet gateway
[IP_ADDRESS]      Local
10.0.128.0/20     Firewall endpoint in AZa

Note: In this example, 10.0.128.0/20 is the CIDR of Private_Subnet_AZa.

Public_Subnet_RouteTable_AZb (Subnet association: Public_Subnet_AZb)

Destination       Target
0.0.0.0/0         Internet gateway
[IP_ADDRESS]      Local
10.0.16.0/20      Firewall endpoint in AZb

Note: In this example, 10.0.16.0/20 is the CIDR of Private_Subnet_AZb.

Firewall_Subnet_RouteTable_AZa (Subnet association: Firewall_Subnet_AZa)

Destination       Target
0.0.0.0/0         NAT gateway in Public_Subnet_AZa
[IP_ADDRESS]      Local

Firewall_Subnet_RouteTable_AZb (Subnet association: Firewall_Subnet_AZb)

Destination       Target
0.0.0.0/0         NAT gateway in Public_Subnet_AZb
[IP_ADDRESS]      Local

Private_Subnet_RouteTable_AZa (Subnet association: Private_Subnet_AZa)

Destination       Target
0.0.0.0/0         Firewall endpoint in AZa
[IP_ADDRESS]      Local

Private_Subnet_RouteTable_AZb (Subnet association: Private_Subnet_AZb)

Destination       Target
0.0.0.0/0         Firewall endpoint in AZb
[IP_ADDRESS]      Local

To verify that your routing is configured correctly, deploy an Amazon Elastic Compute Cloud (Amazon EC2) instance in one of your private subnets to test internet connectivity. Without any rules configured in the firewall policy, traffic is not inspected and can reach the internet. After you confirm that your routing, security group, and network access control lists (network ACLs) are configured correctly, add rules to your firewall policy.
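The egress and return paths described above, as an added example that is not part of the original article: a Python model of the AZa route tables that applies longest-prefix matching to trace a packet in both directions and flags the asymmetric case where the Public_Subnet route back to Private_Subnet_AZa is missing, so the firewall would see only the outbound half of each flow. The VPC CIDR 10.0.0.0/16 (taken from the VPC name), the gateway labels, the workload address 10.0.128.10 and the test internet address 198.51.100.7 are assumptions.

```python
import ipaddress

# Constructed model of the AZa route tables in this article (added example, not
# AWS tooling). "fw-AZa" is the firewall endpoint, "natgw-AZa" the NAT gateway;
# a packet handed to a gateway is next routed by that gateway's own subnet table.
GATEWAY_SUBNET = {"fw-AZa": "Firewall_Subnet_AZa", "natgw-AZa": "Public_Subnet_AZa"}

ROUTE_TABLES = {  # VPC CIDR 10.0.0.0/16 assumed from the VPC name in the article
    "Private_Subnet_AZa":  [("0.0.0.0/0", "fw-AZa"), ("10.0.0.0/16", "local")],
    "Firewall_Subnet_AZa": [("0.0.0.0/0", "natgw-AZa"), ("10.0.0.0/16", "local")],
    "Public_Subnet_AZa":   [("0.0.0.0/0", "igw"), ("10.0.0.0/16", "local"),
                            ("10.0.128.0/20", "fw-AZa")],  # Private_Subnet_AZa CIDR
}


def next_hop(table, dst):
    """Longest-prefix match, as a VPC route table does; None means no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr).prefixlen, target)
               for cidr, target in table if addr in ipaddress.ip_network(cidr)]
    return max(matches)[1] if matches else None


def trace(tables, subnet, dst, max_hops=8):
    """Follow a packet from `subnet` toward `dst`; return the ordered targets."""
    hops = []
    for _ in range(max_hops):
        target = next_hop(tables[subnet], dst)
        hops.append(target)
        if target not in GATEWAY_SUBNET:  # igw, local or None: routing ends here
            break
        subnet = GATEWAY_SUBNET[target]   # keep routing from the gateway's subnet
    return hops


def inspected_both_ways(tables, workload_subnet, workload_ip, internet_ip="198.51.100.7"):
    """True only if a firewall endpoint is on both the egress and the return path."""
    egress = trace(tables, workload_subnet, internet_ip)
    if "igw" not in egress:
        return False                      # never reached the internet gateway
    # Return traffic: the IGW hands it to the NAT gateway used on the way out,
    # which restores the workload's private IP and routes from its own subnet.
    nat_subnet = GATEWAY_SUBNET.get(egress[egress.index("igw") - 1])
    if nat_subnet is None:
        return False                      # egress left the VPC without a NAT hop
    back = trace(tables, nat_subnet, workload_ip)
    has_fw = lambda hops: any(str(h).startswith("fw-") for h in hops)
    return has_fw(egress) and has_fw(back)


if __name__ == "__main__":
    print(trace(ROUTE_TABLES, "Private_Subnet_AZa", "198.51.100.7"))
    print(trace(ROUTE_TABLES, "Public_Subnet_AZa", "10.0.128.10"))
    print("symmetric:", inspected_both_ways(ROUTE_TABLES, "Private_Subnet_AZa", "10.0.128.10"))
```

Dropping the 10.0.128.0/20 route from the Public_Subnet table makes the return path resolve to "local" directly, which the check reports as asymmetric.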

Note: You can also set up Network Firewall to route traffic from the internet through the firewall, then the NAT gateway. For more information, see Architecture with an internet gateway and a NAT gateway using AWS Network Firewall.

Related information

Route table concepts

Deployment models for AWS Network Firewall

VPC route table configuration for AWS Network Firewall

Avoiding asymmetric routing with AWS Network Firewall

AWS OFFICIAL. Updated 2 months ago.