
Simplify management of Network Firewall rule groups with VPC managed prefix lists

In this blog post, we'll show you how to use managed prefix lists to simplify management of your AWS Network Firewall rules and policies across Amazon Virtual Private Clouds (Amazon VPCs) in the same AWS Region.

 <p>AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your Amazon VPC. With Network Firewall, you can filter inbound and outbound traffic to or from internet gateways; <a href="https://aws.amazon.com/directconnect/" target="_blank" rel="noopener">AWS Direct Connect</a> gateways; <a href="https://aws.amazon.com/privatelink/" target="_blank" rel="noopener">AWS PrivateLink</a>, <a href="https://aws.amazon.com/vpn/site-to-site-vpn/" target="_blank" rel="noopener">AWS Site-to-Site VPN</a>, and <a href="https://aws.amazon.com/vpn/client-vpn/" target="_blank" rel="noopener">AWS Client VPN</a> gateways; NAT gateways; and even between other attached VPCs and subnets.</p> <p>You can use Network Firewall to help prevent your VPC from accessing unauthorized domains, to block IP addresses, and to perform deep packet inspection or protocol filtering. However, it can be time consuming to update your firewall’s rule groups to add, remove, or modify the list of IP addresses across multiple Network Firewall instances that can be deployed in <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/" target="_blank" rel="noopener">distributed, centralized, or combined deployment models</a>.</p> <p>With prefix lists, you can group one or more CIDR blocks into a single object. Therefore, you can group IP addresses that you frequently use in a prefix list, and reference this list in Network Firewall rule groups. With this approach, you don’t need to update individual firewall rules when scaling the network to add new IP addresses, and the Network Firewall rule groups that reference the prefix list are automatically updated.</p> <p>In this post, we will show you how to build an example configuration in your test environment that uses customer-managed prefix lists in a Network Firewall rule group. 
</p> <blockquote> <p><strong>Note</strong>: This configuration will incur costs as described at <a href="https://aws.amazon.com/network-firewall/pricing/" target="_blank" rel="noopener">AWS Network Firewall pricing</a>.</p> </blockquote> <h2>Prerequisites</h2> <p>For this walkthrough, make sure that you have the following prerequisites in place:</p> <h2>Solution overview</h2> <p>In this post, we will show you how to build a simple architecture in a VPC, create three VPC prefix lists that describe its public and private subnets, and protect the workload by routing traffic through the firewall subnet, where Network Firewall restricts it. Then you will create a stateful Network Firewall rule group whose IP set references are mapped to those VPC prefix lists. Figure 1 illustrates the architecture of a protected VPC.</p> <div id="attachment_28802" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28802" src="https://infracom.com.sg/wp-content/uploads/2023/03/img1-1.png" alt="Figure 1: Simple architecture of a protected VPC" width="600" height="716" class="size-full wp-image-28802"> <p id="caption-attachment-28802" class="wp-caption-text">Figure 1: Simple architecture of a protected VPC</p> </div> <p>In this example, the following three subnets are in the protected VPC:</p> <ol> <li>Firewall subnet: 10.1.0.0/28<br>This subnet is dedicated to Network Firewall. The firewall endpoint is deployed into it, and no other resources should be placed there.</li> <li>Public subnet (protected subnet): 10.1.2.0/28<br>The resources in this subnet are internet-facing, so the subnet needs to communicate with the internet gateway. The NAT gateway and load balancer are also hosted in this subnet.</li> <li>Private subnet (protected workload subnet): 10.1.3.0/28<br>This is the subnet where you host the private workload that doesn’t accept incoming traffic from the internet (in our example, the webservers). 
The private workload can send requests to the internet through the NAT gateway.</li> </ol> <h2>Deploy the CloudFormation template</h2> <p>The following <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener">AWS CloudFormation</a> template deploys a network firewall and related resources in a distributed architecture across two Availability Zones. In production, AWS recommends that you use multiple Availability Zones to help ensure high availability and improve fault tolerance. To simplify the instructions, we will focus on a single Availability Zone for this blog post.</p> <h4>To deploy the CloudFormation template</h4> <ul> <li>Choose the following <strong>Launch Stack</strong> button. <p><a href="https://aws.amazon.com/blogs/security/simplify-management-of-network-firewall-rule-groups-with-vpc-managed-prefix-lists/URL%20for%20link%20goes%20here" rel="noopener noreferrer" target="_blank"><img loading="lazy" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2019/06/05/launch-stack-button.png" alt="Launch Stack" width="190" height="36" class="aligncenter size-full wp-image-10149"></a></p> <p>Launch the CloudFormation template in the Region of your choice. Make sure that the Region that you choose supports Network Firewall. Select the Availability Zone or Zones to be used for this deployment, and leave the rest of the options as default.</p> </li> </ul> <h2>Create the VPC prefix lists</h2> <p>In this section, we will show you how to define your requirements and implement them within Network Firewall to allow Secure Shell (SSH) traffic to the private subnet only from a trusted IP range (an authorized public subnet in the protected VPC). 
We will also show you how to block Internet Control Message Protocol (ICMP) traffic from another IP range (with CIDR 10.0.1.0/24).</p> <p>You will create the following VPC prefix lists:</p> <ul> <li>Public-ip-list — includes the protected subnet: 10.1.2.0/28</li> <li>Private-deny-list — includes a CIDR block from the other VPC: 10.0.1.0/24</li> <li>Private-allow-list — includes the protected workload subnet: 10.1.3.0/28 </li> </ul> <h4>To create the VPC prefix lists</h4> <ol> <li>Open the <a href="https://console.aws.amazon.com/vpc/" target="_blank" rel="noopener">Amazon VPC console</a> and choose <strong>Managed prefix lists</strong>.</li> <li>Choose <strong>Create prefix list</strong>, and then do the following, as shown in Figure 2: <ul> <li>For <strong>Prefix list name</strong>, enter a name for the prefix list. In our example, the name is <span>Public-ip-list</span>.</li> <li>For <strong>Max entries</strong>, enter the maximum number of entries for the prefix list. In our example, this number is 10.</li> <li>For <strong>Address family</strong>, select the prefix list that supports IPv4 entries.<br><blockquote> <p><strong>Note</strong>: Network Firewall currently supports only references to IPv4 prefix lists.</p> </blockquote> </li> <li>For <strong>Prefix list entries</strong>, choose <strong>Add new entry</strong>, and then enter the CIDR block and a description for the entry. In our example, the CIDR block is <span>10.1.2.0/28</span>.</li> <li>Choose <strong>Create prefix list</strong>. 
<div id="attachment_28803" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28803" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2023/03/img2-2.png" alt="Figure 2: Example of managed prefix lists" width="691" height="778" class="size-full wp-image-28803"> <p id="caption-attachment-28803" class="wp-caption-text">Figure 2: Example of managed prefix lists</p> </div> </li> </ul> </li> <li>Repeat the preceding steps for the two remaining prefix lists: Private-deny-list and Private-allow-list.</li> </ol> <p>When you’ve finished creating the prefix lists, you can view them under <strong>Managed prefix lists</strong>, as shown in Figure 3.</p> <div id="attachment_28804" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28804" src="https://infracom.com.sg/wp-content/uploads/2023/03/img3-1-1024x206-1.png" alt="Figure 3: Example of VPC prefix lists" width="760" class="size-large wp-image-28804"> <p id="caption-attachment-28804" class="wp-caption-text">Figure 3: Example of VPC prefix lists</p> </div> <h2>Create a Network Firewall rule group</h2> <p>The next step is to create a Network Firewall rule group. A Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. 
As part of this configuration, we will reference customer-managed VPC prefix lists as variables in the rules, which keeps the rules stable as the address ranges change.</p> <h4>To create a Network Firewall rule group</h4> <ol> <li>In the <a href="https://console.aws.amazon.com/vpc/" target="_blank" rel="noopener">Amazon VPC console</a>, in the left navigation pane, choose <strong>Network Firewall rule groups</strong>.</li> <li>From the <strong>Rule groups</strong> tab, select <strong>Create Network Firewall rule group</strong>, and then do the following, as shown in Figure 4: <ul> <li>For <strong>Rule group type</strong>, select <strong>Stateful rule group</strong>.</li> <li>For <strong>Name</strong>, enter a name for your rule group.</li> <li>For <strong>Capacity</strong>, enter 25 or another appropriate value.</li> <li>For <strong>Stateful rule group options</strong>, select <strong>5-tuple</strong>.</li> <li>Under <strong>Stateful rule order</strong>, select <strong>Default</strong>. With this (action) order, Network Firewall evaluates every pass rule before any drop rule, regardless of the order in which you add the rules.</li> </ul> <div id="attachment_28805" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28805" src="https://infracom.com.sg/wp-content/uploads/2023/03/img4-1-1024x773-1.png" alt="Figure 4: Network Firewall rule group" width="680" class="size-large wp-image-28805"> <p id="caption-attachment-28805" class="wp-caption-text">Figure 4: Network Firewall rule group</p> </div> </li> <li>In the <strong>IP set references</strong> section, do the following, as shown in Figure 5: <ol> <li>For <strong>IP set reference variable name</strong>, enter a variable name for each of your VPC prefix lists.</li> <li>From the <strong>IP set resource ID</strong> dropdown, select the prefix list that the variable should reference.</li> </ol> <p>In this example, you are creating three IP set references that are mapped to the VPC prefix lists that you configured in the previous section, as shown in the following table.</p> <table width="100%"> <tbody> <tr> <td width="40%"><strong>IP set reference variable name</strong></td> <td
width="40%"><strong>VPC prefix list mapped to the IP set reference</strong></td> <td width="20%"><strong>CIDR block</strong></td> </tr> <tr> <td width="40%">IP_list_Allow_ssh_subnets</td> <td width="40%">Public-ip-list</td> <td width="20%">10.1.2.0/28</td> </tr> <tr> <td width="40%">IP_list_Private_Deny</td> <td width="40%">Private-deny-list</td> <td width="20%">10.0.1.0/24</td> </tr> <tr> <td width="40%">IP_list_private_subnets</td> <td width="40%">Private-allow-list</td> <td width="20%">10.1.3.0/28</td> </tr> </tbody> </table> <div id="attachment_28806" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28806" src="https://infracom.com.sg/wp-content/uploads/2023/03/img5-1.png" alt="Figure 5: Example of IP set references" width="680" class="size-full wp-image-28806"> <p id="caption-attachment-28806" class="wp-caption-text">Figure 5: Example of IP set references</p> </div> </li> <li>In the <strong>Add rule</strong> section, do the following, as shown in Figure 6: <ol> <li>For <strong>Protocol</strong>, select <strong>SSH</strong>.</li> <li>For <strong>Source</strong>, select <strong>Custom</strong> and then enter the IP set reference variable name for the source IP address, prefixed with an at sign (<span>@variable_name</span>). In our example, the name is <span>@IP_list_Allow_ssh_subnets</span>.</li> <li>For <strong>Source port</strong>, select <strong>Any</strong>. SSH clients connect from ephemeral source ports, so a rule that requires source port 22 would never match the sessions you intend to allow.</li> <li>For <strong>Destination</strong>, choose <strong>Custom</strong> and then enter the IP set reference variable name for the destination IP address in the same <span>@variable_name</span> format. 
In our example, the name is <span>@IP_list_private_subnets</span>.</li> <li>For <strong>Destination port</strong>, choose <strong>Custom</strong> and enter <span>22</span>.</li> <li>For <strong>Traffic direction</strong>, select <strong>Forward</strong>.</li> <li>For <strong>Action</strong>, select <strong>Pass</strong>.</li> <li>Choose <strong>Add rule</strong>.</li> </ol> <div id="attachment_28807" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28807" src="https://infracom.com.sg/wp-content/uploads/2023/03/img6-1-1024x496-1.png" alt="Figure 6: Example of a Network Firewall rule group with custom IP set references" width="680" class="size-large wp-image-28807"> <p id="caption-attachment-28807" class="wp-caption-text">Figure 6: Example of a Network Firewall rule group with custom IP set references</p> </div> </li> <li>For the next set of rules, repeat the preceding steps and choose the protocol, source, destination, ports, traffic direction, and action shown in the following table.<br><table width="100%"> <tbody> <tr> <td width="10%"><strong>Protocol</strong></td> <td width="25%"><strong>Source</strong></td> <td width="25%"><strong>Destination</strong></td> <td width="10%"><strong>Source port</strong></td> <td width="10%"><strong>Destination port</strong></td> <td width="10%"><strong>Direction</strong></td> <td width="10%"><strong>Action</strong></td> </tr> <tr> <td width="10%">SSH</td> <td width="25%">@IP_list_Allow_ssh_subnets</td> <td width="25%">@IP_list_private_subnets</td> <td width="10%">Any</td> <td width="10%">22</td> <td width="10%">Forward</td> <td width="10%">Pass</td> </tr> <tr> <td width="10%">SSH</td> <td width="25%">Any</td> <td width="25%">@IP_list_private_subnets</td> <td width="10%">Any</td> <td width="10%">22</td> <td width="10%">Forward</td> <td width="10%">Drop</td> </tr> <tr> <td width="10%">ICMP</td> <td width="25%">@IP_list_Private_Deny</td> <td width="25%">Any</td> <td width="10%">Any</td> <td
width="10%">Any</td> <td width="10%">Forward</td> <td width="10%">Drop</td> </tr> </tbody> </table> <p>After completion, you will have a set of stateful rules, as shown in Figure 7.</p> <div id="attachment_28808" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28808" src="https://infracom.com.sg/wp-content/uploads/2023/03/img7-1-1024x295-1.png" alt="Figure 7: Example list of Network Firewall rules" width="680" class="size-large wp-image-28808"> <p id="caption-attachment-28808" class="wp-caption-text">Figure 7: Example list of Network Firewall rules</p> </div> </li> </ol> <p>Congratulations! You have configured a Network Firewall rule group that uses VPC prefix lists to allow SSH traffic to the private subnet only from authorized subnets and to drop ICMP traffic from an unauthorized range. Because the rules reference the prefix lists rather than literal CIDR blocks, adding an entry to Public-ip-list later extends the SSH allow rule without any change to the rule group.</p> <p>For the next steps, test your configuration by attempting SSH or ICMP connections from unauthorized subnets to your private subnet and reviewing the behavior, then repeat the same tests from authorized subnets and compare the results. 
Furthermore, you can configure <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-monitoring.html" rel="noopener" target="_blank">logging and monitoring</a> in Network Firewall and review the results in CloudWatch Logs: alert logs record traffic that matched a drop or alert rule, and flow logs record the stateful engine's flow records. You can also use <a href="https://aws.amazon.com/blogs/mt/use-contributor-insights-to-analyze-aws-network-firewall/" rel="noopener" target="_blank">Contributor Insights</a> to analyze Network Firewall logs.</p> <h2>Clean up the resources</h2> <p>To clean up the resources that you created for this walkthrough, do the following. Network Firewall won't let you delete a firewall policy that is still associated with a firewall, or a rule group that a policy still references, so keep this order:</p> <ol> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html#DisassociateSubnetRouteTable" target="_blank" rel="noopener">Remove all subnet associations from the route tables</a>.</li> <li><a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-deleting.html" target="_blank" rel="noopener">Delete the network firewall.</a></li> <li><a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-deleting.html" target="_blank" rel="noopener">Delete the Network Firewall policy</a>, and then the <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-group-deleting.html" target="_blank" rel="noopener">rule groups</a>; the IP set references are removed with the rule group that contains them.</li> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/working-with-managed-prefix-lists.html#delete-managed-prefix-list" target="_blank" rel="noopener">Delete the VPC prefix lists.</a></li> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/working-with-subnets.html#subnet-deleting" target="_blank" rel="noopener">Delete your subnets</a>.</li> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html#DeleteRouteTable" target="_blank" rel="noopener">Delete the route tables.</a></li> <li><a 
href="https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#VPC_Deleting" target="_blank" rel="noopener">Delete the VPC.</a></li> <li><a href="https://catalog.workshops.aws/networkfirewall/en-US/cleanup" target="_blank" rel="noopener">Delete the CloudFormation stack</a> (if you created your environment through CloudFormation).</li> </ol> <h2>Conclusion</h2> <p>In this post, you learned how to use Amazon VPC managed prefix lists to simplify management of IP addresses within Network Firewall rule groups. IP set references that are mapped to your VPC prefix lists help keep your firewall rules small and stable and reduce operational overhead as you scale your network.</p> <p>For information about pricing, see <a href="https://aws.amazon.com/network-firewall/pricing/" target="_blank" rel="noopener">AWS Network Firewall pricing</a>. For more information about managed prefix lists, see <a href="https://docs.aws.amazon.com/vpc/latest/userguide/working-with-managed-prefix-lists.html" target="_blank" rel="noopener">Work with customer-managed prefix lists</a>. For more examples and use cases, see <a href="https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-network-firewall/" target="_blank" rel="noopener">previous Network Firewall posts</a> on the AWS Security Blog.</p> <p>If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the <a href="https://repost.aws/topics/TAEEfW2o7QS4SOLeZqACq9jA/security-identity-compliance" rel="noopener" target="_blank">AWS Security, Identity, &amp; Compliance re:Post</a> or <a href="https://console.aws.amazon.com/support/home" rel="noopener" target="_blank">contact AWS Support</a>.</p> <p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>
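The console walkthrough above, modelled offline as an added example (this is not code from the original post or from AWS). It builds the same three prefix lists, IP set references and 5-tuple rules, emits the `RuleGroup` structure that `aws network-firewall create-rule-group --rule-group` accepts (the `ReferenceSets.IPSetReferences` map is where the prefix list ARNs go), and evaluates sample flows under the default (action) rule order, so you can check what a flow will do before deploying, and see that growing a prefix list changes the outcome without editing a rule. The prefix list ARNs and the sample flows are constructed placeholders, and the evaluator is an approximation of Network Firewall's matching, not the service's code.

```python
"""Offline model of the stateful 5-tuple rule group built in this walkthrough.

Added example, not code from the original post. The prefix lists, IP set
reference names and rules mirror the walkthrough; ARNs and sample flows are
constructed placeholders, and the evaluator approximates Network Firewall's
matching under the default (action) rule order.
"""
import ipaddress

# Prefix list name -> CIDR entries, as created in the console walkthrough.
PREFIX_LISTS = {
    "Public-ip-list": ["10.1.2.0/28"],
    "Private-deny-list": ["10.0.1.0/24"],
    "Private-allow-list": ["10.1.3.0/28"],
}
# IP set reference variable name -> prefix list it points at.
IP_SET_REFERENCES = {
    "IP_list_Allow_ssh_subnets": "Public-ip-list",
    "IP_list_Private_Deny": "Private-deny-list",
    "IP_list_private_subnets": "Private-allow-list",
}
# (protocol, source, source port, destination, destination port, direction, action)
RULES = [
    ("SSH", "@IP_list_Allow_ssh_subnets", "ANY", "@IP_list_private_subnets", "22", "FORWARD", "PASS"),
    ("SSH", "ANY", "ANY", "@IP_list_private_subnets", "22", "FORWARD", "DROP"),
    ("ICMP", "@IP_list_Private_Deny", "ANY", "ANY", "ANY", "FORWARD", "DROP"),
]
# Default ("action") rule order: every pass rule is evaluated before any drop rule.
ACTION_ORDER = {"PASS": 0, "DROP": 1, "REJECT": 2, "ALERT": 3}


def build_rule_group(prefix_list_arns):
    """Return the RuleGroup payload for `network-firewall create-rule-group`.

    prefix_list_arns maps prefix list name -> ARN (placeholders in the test).
    """
    stateful_rules = []
    for sid, (proto, src, sport, dst, dport, direction, action) in enumerate(RULES, 1):
        stateful_rules.append({
            "Action": action,
            "Header": {"Protocol": proto, "Source": src, "SourcePort": sport,
                       "Direction": direction, "Destination": dst,
                       "DestinationPort": dport},
            "RuleOptions": [{"Keyword": "sid", "Settings": [str(sid)]}],  # sid is mandatory
        })
    references = {name: {"ReferenceArn": prefix_list_arns[pl]}
                  for name, pl in IP_SET_REFERENCES.items()}
    return {"RulesSource": {"StatefulRules": stateful_rules},
            "ReferenceSets": {"IPSetReferences": references}}


def _networks(field, prefix_lists):
    """Resolve an address field (ANY, CIDR, or @variable) to networks; None means ANY."""
    if field == "ANY":
        return None
    if not field.startswith("@"):
        return [ipaddress.ip_network(field)]
    nets = [ipaddress.ip_network(e) for e in prefix_lists[IP_SET_REFERENCES[field[1:]]]]
    if any(n.version != 4 for n in nets):  # IP set references require IPv4 prefix lists
        raise ValueError(f"{field}: only IPv4 prefix lists can be referenced")
    return nets


def _addr_matches(field, ip, prefix_lists):
    nets = _networks(field, prefix_lists)
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def _port_matches(field, port):
    return field == "ANY" or (port is not None and str(port) == field)


def _header_matches(rule, flow, prefix_lists):
    proto, src, sport, dst, dport, direction, _ = rule
    fproto, fsrc, fsport, fdst, fdport = flow
    if proto != fproto:
        return False
    orientations = [(fsrc, fsport, fdst, fdport)]
    if direction == "ANY":  # ANY also matches the reverse orientation
        orientations.append((fdst, fdport, fsrc, fsport))
    return any(_addr_matches(src, s, prefix_lists) and _port_matches(sport, sp)
               and _addr_matches(dst, d, prefix_lists) and _port_matches(dport, dp)
               for s, sp, d, dp in orientations)


def evaluate(flow, prefix_lists=PREFIX_LISTS, rules=RULES):
    """Return the action taken on flow = (proto, src_ip, src_port, dst_ip, dst_port).

    In action order a flow that matches no rule is passed; it is reported as
    "PASS (no match)" to tell it apart from an explicit pass rule.
    """
    for rule in sorted(rules, key=lambda r: ACTION_ORDER[r[-1]]):
        if _header_matches(rule, flow, prefix_lists):
            return rule[-1]
    return "PASS (no match)"
```

Call `evaluate(("SSH", "10.1.2.5", 51000, "10.1.3.10", 22))` to see the authorized SSH session pass and `evaluate(("SSH", "10.0.1.7", 51000, "10.1.3.10", 22))` to see the unauthorized one drop; then pass a copy of `PREFIX_LISTS` with 10.1.4.0/28 added to Public-ip-list to see a new source subnet pass with `RULES` untouched, which is the operational gain the post describes. Note that the pass rule uses source port ANY: the client side of an SSH session is an ephemeral port, so a 22-to-22 rule would never match and the catch-all drop would win. To create the rule group for real, collect the prefix list ARNs from `aws ec2 describe-managed-prefix-lists` and pass the dictionary that `build_rule_group` returns as the `--rule-group` argument.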