
AWS Network Firewall & non-HTTP/HTTPS traffic to a DNS domain, following AWS Blogpost


Hi all, I'm in the process of configuring AWS Network Firewall in my environment and one of my initial challenges was connectivity to a SQL server database hosted in Azure. Connections to the remote database occur over port 1433, however my primary challenge was resolving a hostname to the underlying IP addresses. AWS Support provided me with the following blog and after some initial issues, I was able to successfully implement this for a singular domain.

https://aws.amazon.com/blogs/security/how-to-control-non-http-and-non-https-traffic-to-a-dns-domain-with-aws-network-firewall-and-aws-lambda/

https://github.com/aws-samples/controlling-access-to-domains-with-aws-network-firewall-and-aws-lambda/blob/main/nfw-dns-lookup-template.yml

Now, my question is, can the provided template be modified to accept multiple hostnames that I need to resolve? As it is, the CloudFormation template only allows me to plug in a single domain during creation. I need something more flexible that would allow me to edit a domain list, then update the IP Set with all of the queried domains.

Lambda Managed Stateful Rule

1 Answer

Yes, the AWS Network Firewall solution you're referring to can be modified to accept and resolve multiple hostnames. The current CloudFormation template is designed for a single domain, but it can be adapted to handle multiple domains with some modifications.

To achieve this, you would need to make several changes to the existing setup:

  1. Modify the Lambda function to accept a list of domains instead of a single domain. This could be done by changing the input parameter to an array or a comma-separated string of domains.

  2. Update the DNS lookup logic in the Lambda function to iterate through the list of domains, perform DNS lookups for each, and collect all the resolved IP addresses.

  3. Adjust the IP Set update process to include all the IP addresses resolved from multiple domains.

  4. Change the CloudFormation template to allow input of multiple domains, perhaps as a comma-separated parameter or as a list type parameter.

  5. Consider adding a DynamoDB table or a similar persistent storage to maintain the list of domains. This would allow you to easily update the domain list without modifying the CloudFormation stack.

  6. Implement a mechanism to trigger the Lambda function periodically or on-demand to refresh the IP Set with the latest resolved IP addresses for all domains in your list.

By making these modifications, you can create a more flexible solution that allows you to manage multiple domains and keep the Network Firewall rules updated with their corresponding IP addresses. This approach would enable you to easily add, remove, or modify domains in your list as needed, providing a more scalable solution for your environment.

Remember to test thoroughly after making these changes to ensure that the Network Firewall rules are correctly updated for all your specified domains.
Sources
Use Network Firewall to capture the DNS domain names from the Server Name Indication (SNI) for outbound traffic - AWS Prescriptive Guidance
Welcome - AWS Network Firewall
What is AWS Network Firewall? - AWS Network Firewall

answered a month ago
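Steps 1 to 3 and 6 of the answer above in Lambda form, added here as an illustrative example; it is not code from the AWS blog post or the aws-samples template. It assumes a comma-separated `DOMAINS` environment variable plus `RULE_GROUP_ARN` and `IPSET_NAME`, and that the rule group already references the named IP set in its rule variables; the resolver is injectable so the pure parts can be tested offline.

```python
"""Resolve a list of domains and write all their addresses into one
Network Firewall IP set variable (added example, assumptions noted inline)."""
import ipaddress
import os
import socket


def parse_domains(raw):
    """Split a comma-separated string into unique, lower-cased hostnames."""
    names = []
    for item in raw.split(","):
        name = item.strip().lower().rstrip(".")
        if name and name not in names:
            names.append(name)
    return names


def resolve_all(domains, lookup=socket.getaddrinfo):
    """Resolve every domain; a failing lookup is recorded, not fatal,
    so one dead hostname does not block the refresh for the others."""
    addresses, failures = set(), []
    for name in domains:
        try:
            for _family, _type, _proto, _canon, sockaddr in lookup(name, None):
                addresses.add(ipaddress.ip_address(sockaddr[0]))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            failures.append((name, str(exc)))
    return addresses, failures


def ipset_definition(addresses):
    """IP set entries are CIDR strings, so host addresses become /32 or /128."""
    return sorted(f"{a}/{a.max_prefixlen}" for a in addresses)


def handler(event, context):
    import boto3  # assumption: the Lambda runtime provides boto3
    addresses, failures = resolve_all(parse_domains(os.environ["DOMAINS"]))
    if not addresses:  # never push an empty set: it would blank the allow list
        raise RuntimeError(f"no domain resolved: {failures}")
    nfw = boto3.client("network-firewall")
    arn = os.environ["RULE_GROUP_ARN"]
    current = nfw.describe_rule_group(RuleGroupArn=arn)
    rule_group = current["RuleGroup"]  # full object must be sent back
    ipsets = rule_group.setdefault("RuleVariables", {}).setdefault("IPSets", {})
    ipsets[os.environ["IPSET_NAME"]] = {"Definition": ipset_definition(addresses)}
    nfw.update_rule_group(UpdateToken=current["UpdateToken"],
                          RuleGroupArn=arn, RuleGroup=rule_group)
    return {"resolved": len(addresses), "failed": failures}
```

Schedule `handler` with an EventBridge rule (step 6) and alert on a non-empty `failed` list, since a domain that silently stops resolving would otherwise drop out of the allow list on the next run.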
