Stateful Domain list

0

I have a network firewall deployed with default settings. I only want to use it to block outbound http(s) requests due to a requirement we have.

I can't or don't understand how to configure it so that ALL http(s) traffic/domains are blocked except for the approved list.

Policy default behaviour is to Forward to stateful rule group

We've tried creating a stateful rule group with the domains but observed that it allowed all http(s) traffic. We've tried creating a stateful rule group with domains and deny, and traffic still flowed through. Tried creating rules using the Suricata rules format based on the https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html AllowList example; this implies it will allow the approved domains and block everything else, yet any domain on 80/443 was able to connect.

We have created stateless rules blocking ICMP or http(s) traffic just to be sure we were routing through the firewall endpoint, and those rules worked. We've created stateless rules for http and forwarded to stateful rules, but again traffic is not blocked.

BTW, the firewall is in its own subnet; outbound is using a NAT GW. The IGW is not routing over the firewall as we are just using it for outbound management and have WAF and other stuff for inbound from the IGW. I have a test machine in its own subnet; that subnet's route for 0.0.0.0/0 points at the firewall VPC endpoint.

I've tried so many combinations any help would be appreciated.

DanielM
asked 2 years ago · 536 views
4 Answers
0

Hi Daniel,

Thanks for sharing the diagram. My only observation would be the return route configured on the route-table your IGW is associated with. I see you have set up a route to 10.0.16.0/20 with target the NFW VPC-Endpoint (vpce-0267...). In this scenario, your return route should actually be towards the NAT-GW subnet, not the FW, so the return route should actually be to 10.0.0.0/20 (the NAT-GW subnet) with target the NFW VPC-Endpoint.

Also, my recommendation would actually be to move the AWS Network Firewall between your Private Subnet and the NAT Gateway, as this will allow you to create rules based on the original IP addresses of your clients or instances. The way you have it set up in your diagram means all traffic would be first NAT'ed and then sent to the NFW, which means all traffic would always show the NAT-GW IP as source from the NFW point of view.

You can use this diagram as reference for the design I'm suggesting (no need to set-up a separate route-table for the IGW, it can rely on default behaviour as traffic will always return to NAT-GW first):

Ref: Taken from https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall-with-vpc-routing-enhancements/ under "2) AWS Network Firewall deployed to protect traffic between a workload private subnet and NAT gateway"

If you can, make the updates on your deployment first and test it to see if there's any difference.

Let me know.

-CarlosGP@

AWS
answered 2 years ago
  • Thanks, will try that now. FYI, I based my design off this document

    https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-igw-ngw.html

  • Hi Daniel, thanks for pointing out the link of the document you were using for your design. Although this was the original recommended approach when a NAT-GW was needed, now that VPC routing enhancements were released, it makes more sense to have the NFW before the NAT-GW, this way the NFW can see the original source IP address of the requester and create rules based on that as well.

    Now if you'd want to keep your original design (which would still work fine as well), please take a look at the IGW route-table from the documentation: the route installed there is pointing to the NAT-GW subnet (10.0.2.0/24) with target the VPC-Endpoint; this is the correct routing approach. In your case, you would just need to update the return route in your IGW route-table as it's pointing to the wrong subnet (change it to 10.0.0.0/20 instead of 10.0.16.0/20). Let me know how it goes! -CarlosGP@

0

Hi Daniel, Can you confirm if you're using Default or Strict ordering for the Stateful rule-group?

Are you using a "Domain-list" or "Suricata-rules" rule-group?

Can you try creating a "Suricata-rules" rule-group and use the following syntax:

pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazon.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazon.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; priority:1; flow:to_server, established; sid:99; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:100; rev:1;)

Replace ".amazon.com" with the domain you want to only allow, and if creating more rules, just make sure to update the "sid" value.

Let me know how it goes.

-CarlosGP@

AWS
answered 2 years ago
  • Hi,

    I've tried both "Domain-list" and "Suricata-rules" rule-groups.

    Here is the rule set I was using

    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".google.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1;)
    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"github.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:2; rev:1;)
    drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; priority:1; flow:to_server, established; sid:3; rev:1;)

    When implemented, I was still able to connect to unauthorized hosts.
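As an added illustration of the allowlist pattern in the answer above (this is not code from the answer or from AWS), the following script builds that exact rule set for a list of domains with unique sids, and simulates strict-order evaluation of a flow against it. It emits both the http and the tls pair, because port 443 traffic is only ever matched by the tls rules; the hypothetical `evaluate` helper models first-match-wins and falls back to the policy default (pass) when no rule matches.

```python
# Added example: generate the Suricata-style allowlist from the answer above
# and simulate how it is evaluated in STRICT rule order (first match wins).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "drop"
    proto: str             # "http" or "tls"
    domain: Optional[str]  # None for the catch-all drop rules
    sid: int

def build_rules(domains):
    """Pass rules first (http + tls per domain), then the two catch-all drops."""
    rules, sid = [], 1
    for d in domains:
        for proto in ("http", "tls"):
            rules.append(Rule("pass", proto, d, sid)); sid += 1
    rules.append(Rule("drop", "tls", None, sid)); sid += 1
    rules.append(Rule("drop", "http", None, sid))
    return rules

def render(r):
    """Render one rule in the same syntax as the answer's rule set."""
    tail = f'priority:1; flow:to_server, established; sid:{r.sid}; rev:1;)'
    if r.action == "pass":
        key = "http.host" if r.proto == "http" else "tls.sni"
        nocase = " nocase;" if r.proto == "tls" else ""
        return (f'pass {r.proto} $HOME_NET any -> $EXTERNAL_NET any ({key}; dotprefix; '
                f'content:".{r.domain}";{nocase} endswith; '
                f'msg:"matching {r.proto.upper()} allowlisted FQDNs"; {tail}')
    if r.proto == "tls":
        return (f'drop tls $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"not matching any TLS allowlisted FQDNs"; {tail}')
    return (f'drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; '
            f'content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; {tail}')

def dotprefix_endswith(name, domain):
    """dotprefix + endswith: matches 'amazon.com' and any label under it, not 'notamazon.com'."""
    name = name.lower().rstrip(".")
    return ("." + name).endswith("." + domain.lower())

def evaluate(rules, proto, hostname):
    """Strict-order evaluation (hypothetical model): first rule matching the
    protocol and host decides; no match falls through to the policy default."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.domain is None or dotprefix_endswith(hostname, r.domain):
            return r.action
    return "pass"  # Policy default when nothing matched (assumed here).
```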

0

Hi Daniel, I understand you're using a test machine in its own subnet, and that subnet's route for 0.0.0.0/0 points at the firewall VPC endpoint. Can you confirm the routing configuration of the Firewall Subnet, and also whether you have the return traffic set up to route through the firewall VPC endpoint as well?

For the stateful rule-groups to work properly, you need to make sure both outgoing and return traffic are going through the same VPC endpoint (e.g. if you've deployed multi-AZ FW endpoints, make sure the traffic flow is going through the same one).

Have you followed either of our Deployment models blogs?

If you can please provide further details, such as a diagram and full routing configuration, I can try and help you further.

-CarlosGP@

AWS
answered 2 years ago
0

Hi Carlos,

When I originally posted I had a different config with IGW pointing to local and not FW endpoint.

I've since built a new topology and getting the same errors/issues except now nothing flows through. Attached is the new topology with routing info.

There is a machine in the private subnet; I need that machine to curl specific endpoints on the internet. As previously mentioned, I've tried Domain List, Stateless 80, Stateful 80. In this config I can't seem to get anything out.


DanielM
answered 2 years ago
