In this lab, we will be deploying AWS Network Firewall to a VPC and then configuring the environment to allow an EC2 instance access to a web page on the internet. To complete this lab, you must be familiar with the AWS Management Console and understand what the AWS Network Firewall is and the capabilities it has to offer.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create Firewall Subnet in VPC
In this objective, we will create a new subnet for the Network Firewall and associate it with the firewall route table created as part of this lab.
Subnet Creation
VPCID = FirstVPC Subnet name = FirewallSubnet Availability Zone = us-east-1a IPv4 CIDR block = 10.0.0.0/28Associate with the Route Table
Route table ID = FirewallSubnetRouteTable- Create Network Firewall Rule Group
In this objective, we will create the firewall rule groups.
Network firewall rule groups
Rule group type = Stateful rule group Name = WebsiteWhiteList Capacity = 10 Stateful rule group options = Domain list Rule order = Default Domain name source = .acloudguru.com Source IPs type = Default Protocols = HTTP and HTTPs Action = Allow- Create Firewall Policy
In this objective, we will be creating the firewall policy, which will be linked to the firewall rule groups created in the previous objective.
Firewall Policies
Name = TestFirewall-{6randomnumbers}-Policy Stream exception policy = DropStateless Default Actions
Choose how to tream fragmented packets = Use the same actions for all packets Action = Forward to stateful rule groupsStateful Rule Evaluation Order and Default Actions
Rule order = DefaultStateful Rule Group
Add = WebsiteWhiteList- Create Network Firewall
In this objective, we get to create the network firewall and link to the firewall policy created previously.
Firewalls
Name = TestNWFW-{6randomnumbers} Use the same numbers as you used for the policy for consistency VPC = FirstVPCFirewall Subnets
Availability Zone - us-east-1a Subnet = FirewallSubnet IP address type = IPv4Associated Firewall Policy
Associate an existing firewall policy = Choose policy you created above- Reconfigure Route Tables to Permit Sending Traffic Destined for the Internet to the Network Firewall
In this objective, we will configure the private subnet route table to send all non-VPC traffic to the firewall.
Edit = FirstVPCRTPrivateAdd Default Route Information
Destination = 0.0.0.0/0 Target = Gateway Load balancer - choose the VPC endpoint, this will be your firewall endpoint.Next, we need to associate the InternetRouteTable with the Internet Gateway.
Under
Edge associations:Edit = add IGW called FirstIGWAdd Route to InternetRouteTable
Destination = 10.0.1.0/24 Target = Gateway Load balancer - choose the VPC endpoint, this will be your firewall endpoint.- Test Access from EC2 Instance
In this objective, you will test internet connectivity to an allowed and denied website.
Log into the EC2 instance using the credentials provided in the lab.
Issue the following command:
curl acloudguru.com
