How do I set up an AWS Network Firewall with a NAT gateway?

7 minute read

I want to configure my AWS Network Firewall to inspect traffic using a NAT gateway.

Short description

AWS Network Firewall provides more granular control over traffic to and from the resources inside your Amazon Virtual Private Cloud (Amazon VPC). To protect your Amazon VPC resources, you can deploy your Network Firewall endpoints in their own subnets and route the workload instance traffic through them. This can be done by:

  • Creating a VPC
  • Creating a firewall
  • Configuring the traffic routing

Note: Network Firewall cannot inspect workloads in the same subnet where the firewall endpoints are deployed.


Creating a VPC

  1. Open the Amazon VPC console.
  2. On the VPC dashboard, click Create VPC.
  3. Under VPC settings, enter the following:
    Choose VPC and more.
    Under Name tag auto-generation, enter a name for the VPC. For this example, the VPC is named Protected_VPC_10.0.0.0_16-vpc. If the Auto-generate option is selected, the name will be added as a name tag to all resources in the VPC.
    For IPv4 CIDR block, enter
    For IPv6 CIDR block, choose No IPv6 CIDR block.
    For Tenancy, choose Default.
    For Number of Availability Zones (AZs), choose 2.
    Under Customize AZs, choose two Availability Zones. For this example, us-east-2a and us-east-2b are selected.
    For Number of public subnets, choose 2.
    For Number of private subnets, choose 4. Two of the private subnets are for the firewall and two are for the workload subnets.
    For NAT gateways ($), choose 1 per AZ. The NAT gateways are deployed in the public subnets automatically.
    For VPC endpoints, choose None.
  4. Choose Create VPC.
  5. Name the subnets according to their purpose:
    The two public subnets are for the NAT gateways and are named Public_Subnet_AZa and Public_Subnet_AZb for this example.
    For the private subnets, two are for the firewall endpoints and are named Firewall_Subnet_AZa and Firewall_Subnet_AZb for this example.
    The other two private subnets are for the workload endpoints and are named Private_Subnet_AZa and Private_Subnet_AZb for this example.

Create a firewall

  1. On the navigation pane, under Network Firewall, choose Firewalls.
  2. Choose Create firewall.
  3. Under Create firewall, enter the following:
    Enter a name for the firewall. For this example, the firewall is named Network-Firewall-Test.
    For VPC, choose Protected_VPC_10.0.0.0_16-vpc.
    For Firewall subnets, choose the first Availability Zone (us-east-2a) and choose Firewall_Subnet_AZa for the subnet. Then, choose Add new subnet and repeat for the second Availability Zone (us-east-2b) and choose Firewall_Subnet_AZb for the subnet.
    For Associated firewall policy, choose Create and associate an empty firewall policy.
    For New firewall policy name, enter a name for the new policy.
  4. Choose Create firewall. Each subnet must have a unique routing table. The four private subnets have a unique routing table associated with it, while the public subnets share a routing table. You must create a new routing table with a static route to an internet gateway and associate it to one of the public subnets.

Configure the traffic routing

The traffic flows as follows:

  • Traffic initiated from workload instance in AZa is forwarded to firewall endpoint in AZa.
  • The firewall endpoint in AZa will route the traffic to the NAT gateway in AZa.
  • NAT gateway in AZa forwards the traffic to the internet gateway associated with the VPC.
  • The internet gateway forwards the traffic out to the internet.

The reverse traffic follows the same path in the opposite direction:

  • Return traffic from the internet reaches the internet gateway attached to the VPC. There can only be one internet gateway attached to a VPC.
  • The internet gateway forwards the traffic to the NAT gateway in AZa. The internet gateway makes this decision based on the workload Availability Zone. Because the destination of the traffic is in AZa, the internet gateway picks the NAT gateway in AZa to forward the traffic. There is no need to maintain a route table for internet gateway.
  • The NAT gateway in AZa forward the traffic to the firewall endpoint in AZa.
  • The firewall endpoint in AZa forward the traffic to the workload in AZa.

Note: Internet gateways can identify the NAT gateway for packets returning from the internet to the workload instances.

After creating the VPC and firewall, you must configure the routing tables. When configuring the routing tables, keep the following in mind:

  • The private subnet in AZa (Private_Subnet_AZa) forwards all traffic destined to the internet to the firewall endpoint in AZa (Firewall_Subnet_AZa). This is repeated with the private subnet in AZb and the firewall endpoint in AZb.
  • The firewall subnet in AZa (Firewall_Subnet_AZa) forwards all traffic destined to the internet to a NAT gateway in AZa ( Public_Subnet_AZa). This is repeated with the firewall subnet in AZb and the NAT gateway in AZb.
  • The public subnet in AZa (Public_Subnet_AZa) forwards all traffic to the internet gateway attached to the VPC.
  • Return traffic follows the same path in reverse.

Note: Traffic is kept in the same Availability Zone so that the network firewall has both the egress and ingress traffic route through the same firewall endpoint. This allows the firewall endpoints in each Availability Zone to make stateful inspections of the packets.

The following are example configurations of the routing tables:

Public_Subnet_RouteTable_AZa (Subnet association: Public_Subnet_AZa)

DestinationTarget gateway endpoint in AZa

Note: In this example, is the CIDR of Private_Subnet_AZa.

Public_Subnet_RouteTable_AZb (Subnet association: Public_Subnet_AZb)

DestinationTarget gateway endpoint in AZb

Note: In this example, is the CIDR of Private_Subnet_AZb.

Firewall_Subnet_RouteTable_AZa (Subnet association: Firewall_Subnet_AZa)

DestinationTarget gateway in Public_Subnet_AZa

Firewall_Subnet_RouteTable_AZb (Subnet association: Firewall_Subnet_AZb)

DestinationTarget gateway in Public_Subnet_AZb

Private_Subnet_RouteTable_AZa (Subnet association: Private_Subnet_AZa)

DestinationTarget endpoint in AZa

Private_Subnet_RouteTable_AZb (Subnet association: Private_Subnet_AZb)

DestinationTarget endpoint in AZb

To verify if your routing was configured correctly, you can deploy an EC2 instance in one of your private subnets to test your internet connectivity. Without any rules configured in the network firewall policy, traffic will not be inspected and can reach the internet. After confirming your routing, security group, and network access control lists (network ACLs) are configured, add rules to your firewall policy.

Note: You can also set up Network Firewall to route traffic from the internet through the firewall, then the NAT gateway. For more information, see Architecture with an internet gateway and a NAT gateway.

Related information

Logging and monitoring in AWS Network Firewall

Route table concepts

Deployment models for AWS Network Firewall with VPC routing enhancements

AWS OFFICIALUpdated a year ago