Is there an API call I can make to multiple VPCs that will return the network firewalls associated with it?

0

I'm in progress of creating a custom config rule.

I need to confirm upon creation of VPCs (doesn't have to be immediate) that there's a Network Firewall attached to the VPC.

However, the issue is when I review the AWS documentation for boto3/cli calls to the API here https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html

The describe-vpcs method doesn't return the Network Firewalls. I see that the describe-firewalls action does; however, I'm wondering if there's a way to call an API to determine if there's a network firewall associated with a VPC from a VPC standpoint. For example, listing all VPCs in the account and the metadata within them that INCLUDES the network firewall.

If there's no way then at least I know there's no better solution. But I want to confirm this before moving on to the network-firewall API call.

2 answers
0

One option is to use the describe-vpc-endpoints call with these filters:

vpc-endpoint-type = GatewayLoadBalancer
vpc-id = <The ID of the VPC you want to check>
tag = Name=AWSNetworkFirewallManaged,Values=true

If you get a result, it means there's an AWS Network Firewall in the VPC. It however doesn't imply that it's being used. You'll need to check the subnet route tables for that.

AWS
answered a year ago
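The check described in this answer, worked through in boto3 as an added example (not code from the answer or from AWS): look up the Gateway Load Balancer endpoints tagged AWSNetworkFirewallManaged=true in a VPC, then scan that VPC's route tables to see whether any route actually targets one of them. The `describe_vpc_endpoints`, `describe_route_tables` and `describe_vpcs` calls are real boto3 EC2 client methods; the `tag:` filter spelling, the assumption that a route to a GWLB endpoint reports the vpce-... ID in `GatewayId`, and the `_StubEc2` sample data are assumptions made for this example so it runs offline.

```python
"""Added example: does a VPC have a Network Firewall endpoint, and is it routed to?"""
from __future__ import annotations

from typing import Any

# Tag that AWS Network Firewall puts on the GWLB endpoints it manages (from the answer above).
FIREWALL_MANAGED_TAG = "AWSNetworkFirewallManaged"


def firewall_endpoints(ec2: Any, vpc_id: str) -> list[str]:
    """Return the IDs of Network Firewall (GWLB) endpoints in vpc_id.

    The three filters mirror the answer: endpoint type GatewayLoadBalancer,
    the VPC ID, and the AWSNetworkFirewallManaged=true tag. Assumption: the
    tag filter is spelled "tag:<key>" as in the CLI.
    """
    resp = ec2.describe_vpc_endpoints(
        Filters=[
            {"Name": "vpc-endpoint-type", "Values": ["GatewayLoadBalancer"]},
            {"Name": "vpc-id", "Values": [vpc_id]},
            {"Name": f"tag:{FIREWALL_MANAGED_TAG}", "Values": ["true"]},
        ]
    )
    return [ep["VpcEndpointId"] for ep in resp.get("VpcEndpoints", [])]


def routes_using_endpoints(ec2: Any, vpc_id: str, endpoint_ids: set[str]) -> list[tuple[str, str, str]]:
    """(route table, destination, target) for every route that points at a firewall endpoint.

    Assumption: a route whose target is a GWLB endpoint reports the vpce-... ID in GatewayId.
    """
    resp = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    hits = []
    for rt in resp.get("RouteTables", []):
        for route in rt.get("Routes", []):
            target = route.get("GatewayId", "")
            if target in endpoint_ids:
                hits.append((rt["RouteTableId"], route.get("DestinationCidrBlock", ""), target))
    return hits


def assess_vpc(ec2: Any, vpc_id: str) -> dict[str, Any]:
    """Endpoint presence alone is not enough: the answer notes traffic must also be routed to it."""
    eps = firewall_endpoints(ec2, vpc_id)
    routed = routes_using_endpoints(ec2, vpc_id, set(eps))
    return {
        "vpc_id": vpc_id,
        "firewall_endpoints": eps,
        "routed": routed,
        "compliant": bool(eps) and bool(routed),
    }


def assess_all_vpcs(ec2: Any) -> list[dict[str, Any]]:
    """The view the question asked for: every VPC in the account with its firewall status."""
    return [assess_vpc(ec2, v["VpcId"]) for v in ec2.describe_vpcs().get("Vpcs", [])]


class _StubEc2:
    """Constructed offline stand-in for boto3.client('ec2'); all IDs below are sample data."""

    _endpoints = {"vpc-aaa111": ["vpce-fw0001"], "vpc-bbb222": ["vpce-fw0002"], "vpc-ccc333": []}
    _tables = {
        # endpoint present and used by the default route
        "vpc-aaa111": [{"RouteTableId": "rtb-a1", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw0001"}]}],
        # endpoint present but traffic still goes straight to the internet gateway
        "vpc-bbb222": [{"RouteTableId": "rtb-b1", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b1"}]}],
        # no firewall at all
        "vpc-ccc333": [{"RouteTableId": "rtb-c1", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c1"}]}],
    }

    def describe_vpcs(self, **_: Any) -> dict[str, Any]:
        return {"Vpcs": [{"VpcId": v} for v in self._endpoints]}

    def describe_vpc_endpoints(self, Filters: list[dict[str, Any]]) -> dict[str, Any]:
        vpc = next(f["Values"][0] for f in Filters if f["Name"] == "vpc-id")
        return {"VpcEndpoints": [{"VpcEndpointId": e, "VpcId": vpc} for e in self._endpoints[vpc]]}

    def describe_route_tables(self, Filters: list[dict[str, Any]]) -> dict[str, Any]:
        return {"RouteTables": self._tables[Filters[0]["Values"][0]]}


SAMPLE_EC2 = _StubEc2()

if __name__ == "__main__":
    # Swap SAMPLE_EC2 for boto3.client("ec2") to run against a real account.
    for result in assess_all_vpcs(SAMPLE_EC2):
        print(result)
```

Against a real account, replace `SAMPLE_EC2` with `boto3.client("ec2")`; the functions only use the response shapes shown. A config rule built on `assess_vpc` should treat "endpoint present, no route" as non-compliant, which is exactly the gap the answer warns about.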
0

Hello,

We don't have a direct option to check which VPCs are associated with AWS Network Firewall. We can see from the VPC route table whether it has routes to a Network Firewall endpoint to inspect the traffic. However, if you have multiple VPCs that are connected via Transit Gateway and one AWS Network Firewall as centralized egress inspection, you will not see all VPC route tables pointing to AWS Network Firewall endpoints.

Other options (assumption: all VPCs are connected via AWS Transit Gateway with centralized egress inspection):

  1. Check that every VPC's route table has a default route (0.0.0.0/0 -> TGW).
  2. On the Transit Gateway route table, ensure the default route 0.0.0.0/0 points to the Inspection VPC TGW attachment (the Inspection VPC is where you host AWS Network Firewall).
  3. In the Inspection VPC's route table, where you have the TGW ENI, check that the default route 0.0.0.0/0 points to the AWS Network Firewall endpoint.

Please refer to this blog.

AWS
answered a year ago
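The three-step check in this answer, carried through as one added boto3 example (not code from the answer or from AWS): step 1 looks at each spoke VPC's route tables for a 0.0.0.0/0 route to the Transit Gateway, step 2 queries the TGW route table with `search_transit_gateway_routes` for the 0.0.0.0/0 route and confirms it targets the inspection VPC attachment, and step 3 looks for a 0.0.0.0/0 route in the inspection VPC that targets a firewall endpoint. `describe_route_tables` and `search_transit_gateway_routes` (with the `route-search.exact-match` filter) are real boto3 EC2 client methods; the firewall endpoint IDs are taken as input rather than looked up again, the assumption that a GWLB endpoint route reports its vpce-... ID in `GatewayId`, the "any route table in the inspection VPC" simplification of step 3, and the `_StubEc2` sample topology are assumptions made for this example.

```python
"""Added example: verify the three route hops of centralized egress inspection."""
from __future__ import annotations

from typing import Any, Iterable

DEFAULT_ROUTE = "0.0.0.0/0"


def _default_routes(route_table: dict[str, Any]) -> list[dict[str, Any]]:
    """Active 0.0.0.0/0 routes in one EC2 route table record."""
    return [r for r in route_table.get("Routes", [])
            if r.get("DestinationCidrBlock") == DEFAULT_ROUTE and r.get("State", "active") == "active"]


def spoke_defaults_to_tgw(ec2: Any, vpc_id: str, tgw_id: str) -> bool:
    """Step 1: every route table in the spoke VPC sends 0.0.0.0/0 to the TGW."""
    tables = ec2.describe_route_tables(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]).get("RouteTables", [])
    if not tables:
        return False
    return all(any(r.get("TransitGatewayId") == tgw_id for r in _default_routes(t)) for t in tables)


def tgw_defaults_to_inspection(ec2: Any, tgw_route_table_id: str, inspection_attachment_id: str) -> bool:
    """Step 2: the TGW route table's 0.0.0.0/0 route targets the inspection VPC attachment."""
    routes = ec2.search_transit_gateway_routes(
        TransitGatewayRouteTableId=tgw_route_table_id,
        Filters=[{"Name": "route-search.exact-match", "Values": [DEFAULT_ROUTE]}]).get("Routes", [])
    return any(att.get("TransitGatewayAttachmentId") == inspection_attachment_id
               for r in routes if r.get("State", "active") == "active"
               for att in r.get("TransitGatewayAttachments", []))


def inspection_defaults_to_firewall(ec2: Any, inspection_vpc_id: str, firewall_endpoint_ids: Iterable[str]) -> bool:
    """Step 3: a route table in the inspection VPC sends 0.0.0.0/0 to a firewall endpoint.

    Assumption: the route to the GWLB endpoint reports the vpce-... ID in GatewayId.
    """
    wanted = set(firewall_endpoint_ids)
    tables = ec2.describe_route_tables(
        Filters=[{"Name": "vpc-id", "Values": [inspection_vpc_id]}]).get("RouteTables", [])
    return any(r.get("GatewayId") in wanted for t in tables for r in _default_routes(t))


def centralized_inspection_report(ec2: Any, spoke_vpc_ids: Iterable[str], tgw_id: str,
                                  tgw_route_table_id: str, inspection_attachment_id: str,
                                  inspection_vpc_id: str, firewall_endpoint_ids: Iterable[str]) -> dict[str, bool]:
    """One boolean per hop; a spoke marked False bypasses the centralized firewall."""
    report = {f"spoke:{v}": spoke_defaults_to_tgw(ec2, v, tgw_id) for v in spoke_vpc_ids}
    report["tgw_route_table"] = tgw_defaults_to_inspection(ec2, tgw_route_table_id, inspection_attachment_id)
    report["inspection_vpc"] = inspection_defaults_to_firewall(ec2, inspection_vpc_id, firewall_endpoint_ids)
    return report


class _StubEc2:
    """Constructed offline stand-in for boto3.client('ec2'); the topology below is sample data."""

    _tables = {
        # spoke that correctly hands its default route to the TGW
        "vpc-spoke1": [{"RouteTableId": "rtb-s1", "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0123", "State": "active"}]}],
        # spoke whose default route goes straight to an internet gateway (bypasses inspection)
        "vpc-spoke2": [{"RouteTableId": "rtb-s2", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0s2", "State": "active"}]}],
        # inspection VPC: TGW-attachment subnet route table points at the firewall endpoint
        "vpc-inspect": [{"RouteTableId": "rtb-i1", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw0001", "State": "active"}]}],
    }

    def describe_route_tables(self, Filters: list[dict[str, Any]]) -> dict[str, Any]:
        return {"RouteTables": self._tables.get(Filters[0]["Values"][0], [])}

    def search_transit_gateway_routes(self, TransitGatewayRouteTableId: str,
                                      Filters: list[dict[str, Any]]) -> dict[str, Any]:
        return {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "State": "active", "Type": "static",
                            "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-insp",
                                                           "ResourceType": "vpc", "ResourceId": "vpc-inspect"}]}],
                "AdditionalRoutesAvailable": False}


SAMPLE_EC2 = _StubEc2()

if __name__ == "__main__":
    # Swap SAMPLE_EC2 for boto3.client("ec2") and fill in your own IDs to run for real.
    print(centralized_inspection_report(SAMPLE_EC2, ["vpc-spoke1", "vpc-spoke2"], "tgw-0123",
                                        "tgw-rtb-0001", "tgw-attach-insp", "vpc-inspect", ["vpce-fw0001"]))
```

The report makes the answer's point concrete: in a centralized design the spoke VPCs never reference a firewall endpoint themselves, so a per-VPC endpoint check would wrongly flag every spoke, while a spoke whose default route skips the TGW (vpc-spoke2 in the sample) is the real finding.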
