By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Using AWS Fiewall with AWS NLB

0

Hi All,

I've a requirement to protect resources behind an internet exposed NLB[EIP attached] using AWS Firewall. My NLB is in a public subnet, instances in a private subnet, attached to the NLB using a target group.

I need to allow traffic coming from specific third party public IPs to my backend instances behind the NLB[which is public]. In this scenario, my firewall subnet first filter incoming traffic, then forward to my NLB and NLB distributes the load between the EC2 instances which are part of my target group.

My query is - will my approach work as I described above? Yet to touch console to implement this. Any references would be helpful.

Thanks in advance SVen

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS Network FirewallNetworking & Content DeliveryNetwork Load Balancer
Language
English
SVen
asked 8 months ago1418 views
5 Answers
0
Accepted Answer

Yes, this it should work, see below blog. You can use IGW Ingress routing to insert AWS Network Firewall between IGW and NLB.

https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/

profile pictureAWS
EXPERT
Tushar_J
answered 8 months ago
0

Seems the approach is to make sure to consider the following step. Virtual Private Cloud (VPC) set up with the necessary public and private subnets. Go to the AWS Firewall Manager console and create a new firewall. Define your firewall rules to allow traffic only from specific third-party public IPs. Configure the rule group associated with your firewall to allow traffic to your NLB's IP. Links for further help https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

Waseem
answered 8 months ago
  • SVen
    8 months ago

    Thank you, this article really helped me a lot.

0

Thank you, let me try this on console tomorrow, will come back if I face any issues. Then I need to automate this. Have a great weekend.

SVen
answered 8 months ago
0

Consider also that NLB now supports security groups: https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/

profile picture
EXPERT
Antonio_Lagrotteria
answered 8 months ago
0

Thanks for your suggestions.

this approached really worked - except one issue we are struggling to resolve. We placed an FTP solution[a linux VM placed in a private subnet, protected by an NLB in a public subnet attached with EIP, incoming traffic protected using AWS FW, NLB attached with an EIP, for business partners can connect from internet].

Here the issue is, secured FTP worked on port 22, but we need to access the FTP service on port 21 as well. 21 port on this Linux VM, accepting the connection, connection succeeds, but not able to retrieve the directories. There are two target groups created, one listening on 22 and another listening on 21 - both these ports are on the same single linux VM, successfully operating on 22, but 21 still failing.

Any pointers to resolve this would be of great help.

Thanks SVen

SVen
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content