AWS Network Firewall - allow access only to specific domains

Question

I want to grant my Lambda access to the internet, but only to specific, allowed domains. To do this, I set up the environment as follows (simplified):

Lambda: Private Subnet A → Network Firewall: Private Subnet B → NAT

To test this infrastructure, I deployed everything without any firewall rules and checked if the Lambda had access to the internet. So far, so good—it worked.

Next, I added a stateful rule group with a default behavior of dropping packets that don’t pass, and I set HTTP/HTTPS allow rules for example.com. However, when I tried to reach example.com, the DNS lookup worked, but I couldn’t actually reach the site.

I experimented with stateful rule groups for a while but always ended up with the same two scenarios: either full internet access or no access at all.

I then switched to using stateful rules defined with Suricata rules. I spent hours testing with examples from the AWS docs, my own rules, and even generated rules, but still ended up with the same two scenarios as before: either full internet access or no access.

So, my question is: Is it possible to use AWS Network Firewall to grant access only to specific domains?

Maybe my idea of using the network firewall doesn’t make sense at all, and I should set everything up differently?

Brettski-AWS · Answer

From a network perspective, think about the Lambda function as behaving like an EC2 instance on the same private subnet. In fact, you might want to test your setup using an EC2 instance on that same subnet.

For a guide on how to inspect egress traffic: https://aws.amazon.com/blogs/security/tls-inspection-configuration-for-encrypted-egress-traffic-and-aws-network-firewall/

bullittbirant · Answer

Other than enabling HTTP/HTTPS allow rules for example.com, your connection(s) may be blocked by the order of rules you are using. Whether you use Suricata or AWS Management console to define your stateful rules, can you go through the guidance below and make sure that you evaluate all these steps: https://repost.aws/knowledge-center/network-firewall-configure-domain-rules

re:Post Agent · Answer

Yes, it is possible to use AWS Network Firewall to grant access only to specific domains. However, the approach you're taking might need some adjustments.

When using AWS Network Firewall to allow access to specific domains, you typically want to use a combination of stateful and stateless rules. Here's a general approach that should work:

1. Create a stateful rule group with a domain list rule specification. This allows you to specify a whitelist of domains.

2. In your firewall policy, set the default stateful action to drop all traffic that doesn't match your rules.

3. Ensure your stateless rules are configured to forward traffic to the stateful engine.

Here's an example of how you might set up a domain list rule group:

1. Create a JSON file (e.g., `domainallow.json`) with the following content:

```json
{
    "RulesSource": {
        "RulesSourceList": {
            "Targets": [
                "example.com"
            ],
            "TargetTypes": [
                "TLS_SNI",
                "HTTP_HOST"
            ],
            "GeneratedRulesType": "ALLOWLIST"
        }
    }
}
```

2. Use the AWS CLI to create the rule group:

```
aws network-firewall create-rule-group --rule-group-name "AllowedDomains" --type STATEFUL --rule-group file://domainallow.json --capacity 100
```

This will create Suricata-compatible rules that allow traffic to the specified domain.

If you're still having issues after setting this up, consider the following:

1. Ensure your Lambda function is using HTTPS for outbound connections. The TLS_SNI rule will only work for HTTPS traffic.

2. Check that your NAT Gateway and route tables are correctly configured to route traffic through the Network Firewall.

3. Verify that your Network Firewall is in the correct VPC and subnet.

4. Review your Lambda function's security group to ensure it allows outbound traffic.

If you're still encountering problems after trying these steps, you might want to consider alternative approaches. For instance, you could use VPC endpoints for specific AWS services, or implement domain filtering at the application level within your Lambda function.

Remember, Network Firewall is a powerful but complex tool. It may take some trial and error to get the configuration exactly right for your use case.  
**Sources**  
[Examples of stateful rules for Network Firewall - AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html)  
[Options for providing stateful rules to AWS Network Firewall - AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-how-to-provide-rules.html)  
[Working with stateful rule groups in AWS Network Firewall - AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html)  
[Getting started with AWS Network Firewall - AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html)

AWS Network Firewall - allow access only to specific domains

Add your answer

Relevant content