Struggling to Understand AWS Firewall Setup

Asked By CuriousPenguin82 On

Hey everyone! I'm diving into AWS Firewall for the first time, and I could really use some help. So far, I've worked with firewalls like Fortigate and Cisco, and even spent years with Azure Firewall, which was relatively straightforward. Azure has three clear rule categories: DNAT Rules, Network Rules (Layer 4), and Application Rules (Layer 7), processed in that order with priority-based rule handling.

But now with AWS, things feel a bit off. They have stateful rules that are meant to operate like network rules, along with domain lists analogous to application rules, but they're not a perfect match.

Here's where I got stuck:
1. In AWS, it seems like there's no implicit deny rule. I've allowed 443 traffic to two specific IPs, but I noticed that traffic from an IP not mentioned in the rules still went through. I had to create an explicit DenyAll rule. Is this expected?

2. After creating the DenyAll rule, I whitelisted .ubuntu.com, but while trying to install a package, I got an error. The package couldn't connect to eu-central-1.ec2.archive.ubuntu.com:80. Once I deleted the deny rule, the installation worked. Why didn't my .ubuntu.com rule allow this traffic?

Thanks so much for your help!

3 Answers

Answered By SystemAdminDude On

It sounds like you're in a tricky scenario! If you need to restrict internet access for a subnet but still allow Windows Update, you could implement specific FQDNs for those updates and block all other traffic. AWS Network Firewall can definitely help you with this by creating rules that match the specific FQDNs Microsoft provides for updates while preventing everything else. You’ll need to set up rules carefully to get it right.

Answered By CyberWiz33 On

Great points here! Additionally, AWS offers a few different firewall options depending on your requirements: there's AWS WAF (Layer 7), Network Firewall (Layer 4, with some app inspection), NACLs for subnet-level control, and Security Groups for resource-level security. Each has its own use cases. Check them out and see which fits best for what you’re trying to do!

InfoHunter007 -

True, I recognize those options too. Although I’m familiar with them from other providers, I need to stick with AWS Network Firewall for this specific situation.

Answered By TechSavvyGamer On

So about your first question, yes, AWS Network Firewall is actually permissive by default. If a rule doesn’t match traffic and there’s no Deny rule, then that traffic is allowed. That’s just how AWS works, so adding the DenyAll was necessary to manage that.

As for your second question, the domain list you created only handles DNS resolution, not HTTP/S traffic. You need another rule that explicitly allows traffic to the resolved IP addresses. So when your deny all was in place, it blocked that traffic since the resolved IP wasn’t allowed.

CloudNinja99 -

Just to clarify, the domain list can allow traffic by evaluating the TLS SNI header (for HTTPS) and the HTTP Host header during the handshake. But it doesn’t intercept DNS lookups; those go to the VPC Resolver. It’s important to create separate IP-allowing rules.
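The setup this answer and the comment converge on (a domain allowlist matched on the HTTP Host header and TLS SNI, plus an explicit catch-all drop because nothing is denied implicitly), written as an added CloudFormation example that is not from any poster in the thread. Rule-group names, the strict-order evaluation and the priority values are assumptions; the firewall resource and its VPC/subnet attachment are omitted.

```yaml
# Added example (not from the thread); names and priorities are placeholders.
Resources:
  UbuntuAllowList:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: allow-ubuntu-domains
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          RulesSourceList:
            GeneratedRulesType: ALLOWLIST
            # apt fetches over plain HTTP on port 80 from
            # eu-central-1.ec2.archive.ubuntu.com (matched on Host); HTTPS is matched on SNI.
            TargetTypes:
              - HTTP_HOST
              - TLS_SNI
            Targets:
              - .ubuntu.com   # leading dot also matches subdomains
  DenyAll:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: explicit-deny-all
      Type: STATEFUL
      Capacity: 10
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          # flow:established lets the TCP handshake finish so the Host/SNI can be
          # seen by the allowlist; any flow that did not match is then dropped.
          RulesString: |
            drop ip any any -> any any (msg:"explicit deny all"; flow:established; sid:1000001; rev:1;)
  EgressPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: egress-allowlist
      FirewallPolicy:
        StatelessDefaultActions: [aws:forward_to_sfe]
        StatelessFragmentDefaultActions: [aws:forward_to_sfe]
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
        # Lower priority number is evaluated first: allowlist, then catch-all drop.
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref UbuntuAllowList
            Priority: 1
          - ResourceArn: !Ref DenyAll
            Priority: 2
```

With strict order the same catch-all can instead be expressed as the policy's stateful default action aws:drop_established, which also lets the handshake complete before dropping unmatched flows.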
