Secure Your VPC with Private and Public Workloads Using Network Firewalls

2023.04.27

Introduction

Virtual Private Clouds (VPCs) have become a popular solution for hosting applications and workloads in the cloud computing environment. However, as the use of cloud services has grown, the necessity to secure these VPCs has become more vital. Using network firewalls is one approach to accomplish this.

Protected VPC with Private Workload

The best practice for safeguarding VPCs with private workloads is to use a network firewall to filter traffic based on specified rules. This way you can ensure that only authorised traffic reaches your private workloads.

For example, let's say you have a VPC with several private subnets where you're running a database server. You can create a rule on your network firewall to allow traffic only from specific IP addresses or subnets. This will ensure that only authorized traffic is allowed to reach your database server.

Protected VPC with Public Workload

When it comes to protecting VPCs with public workloads, network firewalls can help in several ways. First, they can be used to filter incoming traffic based on specific rules to ensure only authorized traffic is allowed to reach your public workloads.

Second, network firewalls can be used to monitor outbound traffic from your public workloads to ensure that they're not sending any sensitive information outside of your VPC.

For example, assume you have a VPC with a web server that is publicly accessible from the internet. You can use your network firewall to define a rule that only allows traffic on specified ports, such as port 80 for HTTP traffic. You can also monitor outbound traffic to ensure that your web server is not transferring sensitive data outside of your VPC.

I tried

Step1: Deploy this CloudFormation template, which will create a Virtual Private Cloud (VPC), a firewall subnet, a protected web server subnet and an Internet Gateway (IGW)

Step2: Create a firewall

Log in to the AWS Management Console and navigate to the AWS Network Firewall service.

VPC > Network Firewall > Firewall

Choose the VPC and subnet where you want to create the firewall resource.

Associate an empty firewall policy; we will add the policy settings later:

Click Create Firewall

After creation, wait for the status to change

From this:

To this: (it will take some time; you can do the other settings till then)

Step3: Create route tables. We will create 3 route tables

Navigate to "Route Table" under

1.IGW-Ingress-Route-Table

Select Edit Route

Click Add Route, which will open a new row; add a destination and a target in it

For the target, select the Gateway Load Balancer endpoint

Now associate it with the Internet Gateway: open Edge association

Check the Internet Gateway checkbox

2.Firewall-Route-Table

Create the firewall route table similar to route table 1 above, but do a subnet association instead of an edge association

Add route as follows

Associate it with firewall Subnet

3.Protected-WebServer-Route-Table

Create the protected web server route table similar to route table 1 above and do a subnet association

Route to the internet via the Gateway Load Balancer endpoint which was created by the firewall

As with the firewall route table, associate this route table with the appropriate subnet

Connect to the EC2 instance using Systems Manager and install a web server (nginx or apache). To install nginx you can copy the code below:

sudo amazon-linux-extras install nginx1 -y

sudo systemctl enable nginx

sudo systemctl start nginx

Step4: Setup Firewall logging

Navigate to the "Logging" tab within the Network Firewall console.

Firewall details > Logging > Edit

Enable logging by selecting the "Alert&Flow" option.

Configure the logging settings, such as the log retention period, while creating the log group

Step 5: Configure Firewall policy

Navigate to the "Create stateful Rule group" tab within the Network Firewall console.


Create rules by selecting the "Create rule" option and defining the rule criteria, such as the source and destination IP addresses, protocols, and ports.

Create another rule and define the rule criteria, such as a domain list

Allowing .Amazon.com

Step 6: Test the rules. Connect to your EC2 instance using Systems Manager and curl some domains.

Not passed:

Passed:
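As an added example (not code from the original post), a small Python script that reads the alert logs enabled in Step 4 and checks every allowed hostname against the domain list from Step 5, using the leading-dot matching of Network Firewall domain lists (.amazon.com covers amazon.com and its subdomains, but not amazonaws.com). The log records, IPs and firewall name are constructed samples.

```python
import json
from collections import Counter

# Domain list entry from the stateful rule group in Step 5.
ALLOWLIST = [".amazon.com"]

# Constructed sample of Network Firewall alert log records (one JSON object per
# line, Suricata EVE layout); firewall name, IPs and hostnames are made up.
SAMPLE_ALERT_LOG = """\
{"firewall_name":"demo-fw","event":{"event_type":"alert","src_ip":"10.0.2.15","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","tls":{"sni":"aws.amazon.com"},"alert":{"action":"allowed","signature_id":1}}}
{"firewall_name":"demo-fw","event":{"event_type":"alert","src_ip":"10.0.2.15","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","tls":{"sni":"example.org"},"alert":{"action":"blocked","signature_id":3}}}
{"firewall_name":"demo-fw","event":{"event_type":"alert","src_ip":"10.0.2.15","dest_ip":"198.51.100.30","dest_port":80,"proto":"TCP","http":{"hostname":"example.net","url":"/"},"alert":{"action":"blocked","signature_id":4}}}
{"firewall_name":"demo-fw","event":{"event_type":"alert","src_ip":"10.0.2.15","dest_ip":"198.51.100.40","dest_port":443,"proto":"TCP","tls":{"sni":"ssm.us-east-1.amazonaws.com"},"alert":{"action":"allowed","signature_id":2}}}
{"firewall_name":"demo-fw","event":{"event_type":"alert","src_ip":"10.0.2.15","dest_ip":"198.51.100.50","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":3}}}
"""

def host_matches(host: str, entry: str) -> bool:
    """Domain-list matching: a leading dot matches the domain itself and every
    subdomain; an entry without a leading dot matches that name exactly."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def host_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    return any(host_matches(host, e) for e in allowlist)

def event_hostname(event: dict) -> str:
    # TLS flows carry the SNI, plain HTTP the Host header; either may be absent.
    sni = event.get("tls", {}).get("sni")
    hostname = event.get("http", {}).get("hostname")
    return sni or hostname or "(no hostname)"

def summarize_alerts(log_text: str) -> dict:
    """Count alert actions per hostname and list allowed hostnames the allowlist
    does not cover, i.e. traffic some other rule passed."""
    counts = {"allowed": Counter(), "blocked": Counter()}
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)["event"]
        if event.get("event_type") != "alert":
            continue
        host, action = event_hostname(event), event["alert"]["action"]
        counts.setdefault(action, Counter())[host] += 1
        if action == "allowed" and not host_allowed(host):
            unexpected.append(host)
    return {"counts": counts, "unexpected_allowed": unexpected}
```

Run it against lines exported from the CloudWatch log group created in Step 4; the "unexpected_allowed" list is empty when the only allowed hostnames are those covered by the domain list.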

Conclusion

Network firewalls are critical for safeguarding VPCs with both private and public workloads. You can secure your VPC against unauthorised access and data breaches by defining particular rules and monitoring inbound and outbound traffic. Consider employing a network firewall to help secure your environment if you host workloads on a VPC. Also consider the pricing, which you can check from the link below:

https://aws.amazon.com/network-firewall/pricing/

Reference:

https://aws.amazon.com/vpc/

https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html