AWS Network FW with NLB and return traffic from EC2 back to NLB private IP via FW?

Hi,

Here's the scenario (talking about 1 AZ only for simplicity sake):

  • VPC CIDR: 192.168.0.0/16
  • Private subnet: 192.168.10.0/24
  • EC2 in Private subnet. IP: 192.168.10.130
  • Default route in private subnet: AWS Network Firewall endpoint in the same AZ
  • FW subnet: 192.168.20.0/28
  • Default route in FW subnet: NATGW in public subnet in the same AZ
  • Public subnet: 192.168.0.0/24
  • Default route in public subnet: IGW
  • Route in public subnet to route traffic for 192.168.10.0/24 back to FW VPC endpoint - to ensure symmetric routing through the FW
  • NLB in public subnet for ingress flows. Client IP preservation is disabled in the Target Group so that the backend EC2 instance will see traffic coming to it from the NLB's internal IP
  • NLB internal IP is 192.168.0.100

A client on the Internet connects to the DNS endpoint of the NLB on port 22 (using the command "telnet <nlb> 22"). The client gets connected successfully. The connection gets established. No issue here. Traffic hits the EC2 and I can see a TCP session established.

What I'm trying to understand:

When the connection from client (on the Internet) to backend EC2 is established, the EC2 of course has a path for the return traffic.

The EC2 sees a connection from the NLB's private IP (192.168.0.100). Using the "local" entry in the private subnet route table, it should be able to forward the return traffic back to the NLB directly, thus bypassing the Network FW. However, that breaks the symmetric routing. Actually, the traffic must go back from the EC2 to the NLB via the FW. However, for traffic to the FW, only the default route is used. But the EC2 will use the "local" entry to reach the NLB interface. If that's the case, is the FW really being bypassed? If yes, how will this work with a stateful rule group in the FW (which looks at the flow in both directions)?

Or does the FW replace the source IP with its own IP before it connects to the EC2, so that the EC2 can push the return traffic back to the FW before it reaches the NLB? Should I enable custom flow logs to check this scenario further?

Please let me know what you think of this scenario and my understanding (is it correct or not?).

Thanks.

2 Answers
Hello,

Yes, you need to ensure traffic symmetry to avoid disruption by the firewall. The firewall must see both the initial request and the reply going through the same path.

Here's how you can achieve that:

  1. Create a Dedicated Subnet for the FW Endpoint:

    • Ensure that this subnet is not allocated with any other services.
  2. Create Three Route Tables:

    Route Table 1 (Attached to NLB Subnet):

    • Set the default route to the firewall endpoint.

    Route Table 2 (Attached to FW Subnet):

    • Set the default route to the Internet Gateway (IGW).

    Route Table 3 (Attached to IGW):

    • Specify the subnet of the NLB with the next hop as the firewall endpoint.

By configuring these route tables in this manner, you ensure that traffic flows through the intended path:

  • For Incoming Traffic:

    • Client >> Internet Gateway (IGW) >> Firewall >> NLB >> EC2
  • For Return Traffic:

    • EC2 >> NLB >> Firewall >> IGW >> Client

This setup maintains the required symmetry for traffic, allowing the firewall to inspect and control both the inbound and outbound traffic flows.

Please implement and test this configuration in a controlled environment before deploying it in production. Let me know if you have any further questions or need additional assistance!

AWS
Shmosa
answered 8 months ago
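The question above and the first answer both turn on one mechanism: a VPC route table picks the most specific matching prefix, the "local" route covers the whole VPC CIDR, and a route more specific than "local" can point at a Network Firewall endpoint. Whether the stateful engine sees both halves of a flow is therefore decided purely by which prefixes are in which table. The Python below is an added example, not code from the thread or from AWS; it models that longest-prefix lookup over the tables the question describes, then over the IGW gateway route table design from the first answer. Target names such as "vpce-fw", "nat-gw" and "igw", the client address 203.0.113.10, and the extra private-subnet route labelled as a fix are all assumptions made for the illustration.

```python
import ipaddress


def next_hop(route_table, dst):
    """Longest-prefix-match lookup, the rule VPC route tables follow.

    route_table is a list of (cidr, target) pairs. The 'local' route covers
    the whole VPC CIDR and is only beaten by a more specific prefix.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def rt_for(ip, subnet_rts):
    """Route table of the subnet an IP lives in (subnet_rts: cidr -> table)."""
    ip = ipaddress.ip_address(ip)
    return next(rt for cidr, rt in subnet_rts.items()
                if ip in ipaddress.ip_network(cidr))


def trace(start_rt, dst, hop_rts, max_hops=8):
    """Follow a packet towards dst and return the targets it traverses.

    hop_rts maps an intermediate target to the route table consulted after
    it (a firewall endpoint forwards with its own subnet's table, a NAT
    gateway with the public subnet's). Any other target ('local' = delivered
    inside the VPC, 'igw' = sent to the Internet) is terminal.
    """
    hops, rt = [], start_rt
    for _ in range(max_hops):
        hop = next_hop(rt, dst)
        hops.append(hop)
        if hop not in hop_rts:
            return hops
        rt = hop_rts[hop]
    raise RuntimeError("routing loop towards %s: %s" % (dst, hops))


def inspected_both_ways(a, b, subnet_rts, hop_rts, fw="vpce-fw"):
    """True only if both the a->b and b->a paths pass the firewall endpoint."""
    fwd = trace(rt_for(a, subnet_rts), b, hop_rts)
    rev = trace(rt_for(b, subnet_rts), a, hop_rts)
    return fw in fwd and fw in rev


# --- Topology from the question (one AZ). Targets are hypothetical labels. ---
VPC = "192.168.0.0/16"
RT_PRIVATE = [(VPC, "local"), ("0.0.0.0/0", "vpce-fw")]
RT_FW = [(VPC, "local"), ("0.0.0.0/0", "nat-gw")]
RT_PUBLIC = [(VPC, "local"), ("0.0.0.0/0", "igw"), ("192.168.10.0/24", "vpce-fw")]
QUESTION = {"192.168.10.0/24": RT_PRIVATE,
            "192.168.20.0/28": RT_FW,
            "192.168.0.0/24": RT_PUBLIC}
HOP_RTS = {"vpce-fw": RT_FW, "nat-gw": RT_PUBLIC}
EC2, NLB = "192.168.10.130", "192.168.0.100"

# Assumed fix (not stated in the thread): a route in the private subnet table
# more specific than 'local' for the public subnet, so replies to the NLB are
# also steered into the firewall endpoint instead of being delivered directly.
RT_PRIVATE_FIXED = RT_PRIVATE + [("192.168.0.0/24", "vpce-fw")]
FIXED = {**QUESTION, "192.168.10.0/24": RT_PRIVATE_FIXED}

# --- Ingress design from the first answer: a route table attached to the IGW
# (a gateway route table) sends traffic for the NLB subnet to the firewall,
# and the firewall subnet's default route goes straight to the IGW. ---
RT_NLB_SUBNET = [(VPC, "local"), ("0.0.0.0/0", "vpce-fw")]
RT_FW_ANSWER = [(VPC, "local"), ("0.0.0.0/0", "igw")]
RT_IGW = [(VPC, "local"), ("192.168.0.0/24", "vpce-fw")]
HOP_RTS_ANSWER = {"vpce-fw": RT_FW_ANSWER}

if __name__ == "__main__":
    print("NLB -> EC2        :", trace(rt_for(NLB, QUESTION), EC2, HOP_RTS))
    print("EC2 -> NLB        :", trace(rt_for(EC2, QUESTION), NLB, HOP_RTS))
    print("symmetric         :", inspected_both_ways(NLB, EC2, QUESTION, HOP_RTS))
    print("EC2 -> NLB (fixed):", trace(rt_for(EC2, FIXED), NLB, HOP_RTS))
    print("symmetric (fixed) :", inspected_both_ways(NLB, EC2, FIXED, HOP_RTS))
    client = "203.0.113.10"  # constructed Internet client address
    print("client -> NLB     :", trace(RT_IGW, NLB, HOP_RTS_ANSWER))
    print("NLB -> client     :", trace(RT_NLB_SUBNET, client, HOP_RTS_ANSWER))
```

Run as-is, the NLB-to-EC2 leg resolves to the /24 route and goes "vpce-fw" then "local", while the EC2-to-NLB reply resolves to the /16 "local" route and never touches the endpoint, which is exactly the asymmetry a stateful rule group would choke on (it sees the SYN but never the SYN-ACK). The same lookup with the extra /24 route in the private table sends both directions through the endpoint, and the gateway-route-table model from the first answer shows client-to-NLB and NLB-to-client both passing "vpce-fw". The simulator ignores security groups and the firewall's own verdict; it only answers where a packet is routed.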
In that case, if the NLB has an EIP in the public subnet, how can I make the incoming traffic pass through the firewall?

Does the incoming traffic from the internet use an internet gateway to reach the EIP of the NLB?

  1. internet --> EIP --> NLB or
  2. internet --> IGW --> EIP --> NLB?

Thank you

Gabriel
answered 4 days ago