How can I implement firewall policies in AWS?
Define your security posture in AWS before you start architecting and building out VPCs, because the VPC layout will follow from how you want to isolate business units, their applications, and their compute instances. Your internet ingress and egress strategy will also shape the implementation.
If you have already built out a functional AWS environment, there are still ways to overlay security policies using different methods.
Finalizing your firewall implementation strategy starts with asking what you are protecting your VPC instances and containers against:
- Are you segmenting their traffic from other instances in the same VPC?
- Are you filtering traffic in and out of the VPCs (from your physical locations or other VPCs)?
- Are you protecting your instances against internet based threats?
In most cases it is a combination of these categories. Let's look at how you could implement firewall policies for each of these use cases.
Segmenting traffic from other instances in the same VPC can be accomplished by using AWS’s native security groups. They are host-based rules that need to be managed per group of EC2 instances. There is no other easy way to inject a full firewall in between these instances. Since security groups are stateful, they are good enough for most implementations.
Filtering traffic in and out of VPCs to other environments can also be handled using AWS native security groups, although at this scale host-level rules become extremely cumbersome.
You might want to look into complete firewalls available on the AWS Marketplace, but these firewalls tend to get very pricey due to licensing and the instance sizes required to run them. Aviatrix's centrally managed gateways offer a low-cost alternative for IP-based segmentation.
Finally, if you are trying to protect your instances from internet-based threats, consider the nature of the internet traffic. Is it initiated by the instances in the VPC to a predetermined list of internet locations (such as outbound API calls and patch downloads)? Or is it a mix of inbound and outbound requests to and from the internet?
If some of your VPCs only need outbound filtering, IP-based security groups will not help, and even commercially available virtual firewalls from the AWS Marketplace are overkill for these instances. Aviatrix has built a lightweight fully qualified domain name (FQDN) filtering capability into its NAT gateways, which reduces the number of firewalls you need to manage.
Finally, if you are looking to implement a firewall to protect against inbound requests, or if you require deep packet inspection on internet-bound traffic, you will have to invest in firewall licenses for those use cases. Even here, you can keep your costs low by adopting a centralized firewall strategy where a group of VPCs egress through a central egress VPC hosting the firewall, so you are not implementing a firewall per VPC. The following diagram shows an architecture with this option:
Key points to note in this architecture are:
- Egress policy is managed through a central controller.
- Policy is enforced through distributed gateways.
- Gateways are deployed per VPC with cross AZ High Availability.
- Aviatrix gateways can filter egress traffic by FQDN (e.g. "allow *.ubuntu.com").
- Aviatrix gateways can segment traffic based on Layer 4 rules (stateful firewall feature).
- The Aviatrix solution can service-chain with other common virtualized firewalls for advanced protection.
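As an added example (not Aviatrix's own code, and not a statement of how its gateways match names), here is how an FQDN egress allowlist combined with the Layer 4 protocol/port conditions listed above decides each outbound flow, covering both the FQDN filtering discussed for outbound-only VPCs and the stateful Layer 4 rules in the list. The wildcard semantics, the sample policy and the sample flows are assumptions constructed for illustration.

```python
# Added example (not Aviatrix's code): an FQDN egress allowlist with
# Layer 4 (protocol/port) conditions, default deny. Assumed semantics:
# "*.example.com" needs at least one label before ".example.com" (so it
# matches neither the apex nor "evilexample.com"); other patterns match
# the host exactly; matching is case-insensitive and ignores a trailing dot.
from dataclasses import dataclass

@dataclass(frozen=True)
class EgressRule:
    fqdn: str   # "*.ubuntu.com" or an exact host such as "api.github.com"
    proto: str  # "tcp" or "udp"
    port: int

def normalize_host(host: str) -> str:
    """Lower-case, strip whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")

def fqdn_matches(pattern: str, host: str) -> bool:
    pattern, host = normalize_host(pattern), normalize_host(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.ubuntu.com" -> ".ubuntu.com"
        # The dotted suffix rejects "evilubuntu.com"; the length check
        # rejects the bare apex "ubuntu.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(rules, host: str, proto: str, port: int) -> bool:
    """Default deny: the flow passes only if some rule matches all three fields."""
    return any(r.proto == proto.lower() and r.port == port
               and fqdn_matches(r.fqdn, host) for r in rules)

def evaluate_flows(rules, flows):
    """Map each (host, proto, port) flow to "allow" or "deny"."""
    return {f: ("allow" if is_allowed(rules, *f) else "deny") for f in flows}

# Constructed sample policy and egress flows (not captured traffic).
ALLOWLIST = [
    EgressRule("*.ubuntu.com", "tcp", 80),
    EgressRule("*.ubuntu.com", "tcp", 443),
    EgressRule("api.github.com", "tcp", 443),
]
SAMPLE_FLOWS = [
    ("security.ubuntu.com", "tcp", 80),    # allow: patch mirror
    ("SECURITY.UBUNTU.COM.", "tcp", 443),  # allow: case and root dot ignored
    ("ubuntu.com", "tcp", 443),            # deny: apex not covered by "*."
    ("evilubuntu.com", "tcp", 443),        # deny: suffix must be dotted
    ("api.github.com", "tcp", 22),         # deny: port not in any rule
    ("archive.ubuntu.com", "udp", 53),     # deny: protocol not in any rule
]
```

Running `evaluate_flows(ALLOWLIST, SAMPLE_FLOWS)` returns the per-flow verdicts, which is the kind of default-deny decision an egress log review should be able to reproduce rule by rule.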