Secure Your VPC with Private and Public Workloads Using Network Firewalls

Secure Your VPC with Private and Public Workloads Using Network Firewalls

Clock Icon2023.04.27

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

Introduction

Virtual Private Clouds (VPCs) have become a popular solution for hosting applications and workloads in the cloud computing environment. However, as the use of cloud services has grown, the necessity to secure these VPCs has become more vital. Using network firewalls is one approach to accomplish this.

Protected VPC with Private Workload

The best practice for safeguarding VPCs with private workloads is use a network firewall to filter traffic based on specified rules. You can ensure that only authorised traffic may reach your private workloads this way.

For example, let's say you have a VPC with several private subnets where you're running a database server. You can create a rule on your network firewall to allow traffic only from specific IP addresses or subnets. This will ensure that only authorized traffic is allowed to reach your database server.

Protected VPC with Public Workload

When it comes to protecting VPCs with public workloads, network firewalls can help in several ways. First, they can be used to filter incoming traffic based on specific rules to ensure only authorized traffic is allowed to reach your public workloads.

Second, network firewalls can be used to monitor outbound traffic from your public workloads to ensure that they're not sending any sensitive information outside of your VPC.

For example, Assume you have a VPC with a web server that is publicly accessible via the internet. You can use your network firewall to define a rule that only allows traffic on specified ports, such as port 80 for HTTP traffic. You can also monitor outbound traffic to ensure that your web server is not transferring sensitive data outside of your VPC.

I tried

Step1: Deploy this CloudFormation Template which will create Virtual Private Cloud (VPC) , Firewall Subnet , Protected Web Server Subnet , Internet Gateway (IGW)

Step2: Create a firewall

Log in to the AWS Management Console and navigate to the AWS Network Firewall service.

VPC > Network Firewall > Firewall

Choose the VPC and subnet where you want to create the firewall resource.

Associate a empty Firewall policy we will add Policy settings later:

Click Create Firewall

After creation wait for the status to change

From this:

To this:(It will Take some time you can do other settings till then)

Step3: Create Route Table We will create 3 Route Table

Navigate to "Route Table" under

1.IGW-Ingress-Route-Table

Select Edit Route

Click Add Route which will open a row add a destination and Target in it

To get the Target you need to select the gateway Load balancer Endpoint

Now associate it with Internet Gateway Open Edge association

Check the Internet Gateway checkbox

2.Firewall-Route-Table

Create firewall route table similar to Step1 and do subnet Association instead of edge association

Add route as follows

Associate it with firewall Subnet

3.Protected-WebServer-Route-Table

Create firewall route table similar to Step1 and do subnet Association

Route to internet via gateway load balancer which wass created by firewall

similarly as firewall route table associate this route table with appropriate subnet

connect to ec2 using system manager add install a web server (nginix or apache) to install nginix you can use copy bellow code

sudo amazon-linux-extras install nginx1 -y

sudo systemctl enable nginx

sudo systemctl start nginx

Step4: Setup Firewall logging

Navigate to the "Logging" tab within the Network Firewall console.

Firewall details > Logging > Edit

Enable logging by selecting the "Alert&Flow" option.

Configure the logging settings, such as the log retention period while  Creating Log Group

Step 5: Configure Firewall policy

Navigate to the "Create stateful Rule group" tab within the Network Firewall console.

 

Create rules by selecting the "Create rule" option and defining the rule criteria, such as the source and destination IP addresses, protocols, and ports.

Create another Rule and defining the rule criteria, such as  Domain List

Allowing .Amazon.com

Step 6: Testing rules connect to your Ec2 instance using System manager and curl Domains Not Passed:

Passed:

Conclusion

Network firewalls are critical for safeguarding VPCs with both private and public workloads. You may secure your VPC against unauthorised access and data breaches by defining particular rules and monitoring inbound and outbound traffic. Consider employing a network firewall to assist secure your environment if you host workloads on a VPC. Additionally also consider pricing you can check from bellow link

https://aws.amazon.com/network-firewall/pricing/

Reference:

https://aws.amazon.com/vpc/

https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.