Implementing AWS Network Firewall

In this lab, we will be deploying AWS Network Firewall to a VPC and then configuring the environment to allow an EC2 instance access to a web page on the internet. To complete this lab, you must be familiar with the AWS Management Console and understand what the AWS Network Firewall is and the capabilities it has to offer.

Path Info

Level: Intermediate
Duration: 1h 0m
Published: May 19, 2023

Table of Contents

  1. Challenge

    Create Firewall Subnet in VPC

    In this objective, we will create a new subnet for the Network Firewall and associate it with the firewall route table created as part of this lab.

    Subnet Creation

    VPCID = FirstVPC
    Subnet name = FirewallSubnet
    Availability Zone = us-east-1a
    IPv4 CIDR block = 10.0.0.0/28
    

    Associate with the Route Table

    Route table ID = FirewallSubnetRouteTable

  2. Challenge

    Reconfigure Route Tables to Permit Sending Traffic Destined for the Internet to the Network Firewall

    In this objective, we will configure the private subnet route table to send all non-VPC traffic to the firewall.

    Edit = FirstVPCRTPrivate

    Add Default Route Information

    Destination = 0.0.0.0/0
    Target = Gateway Load Balancer - choose the VPC endpoint; this will be your firewall endpoint.
    

    Next, we need to associate the InternetRouteTable with the Internet Gateway.

    Under Edge associations:

    Edit = add IGW called FirstIGW
    
    

    Add Route to InternetRouteTable

    Destination = 10.0.1.0/24
    Target = Gateway Load Balancer - choose the VPC endpoint; this will be your firewall endpoint.
    
  3. Challenge

    Test Access from EC2 Instance

    In this objective, you will test internet connectivity to an allowed and denied website.

    Log into the EC2 instance using the credentials provided in the lab.

    Issue the following command:

    curl acloudguru.com

  4. Challenge

    Create Network Firewall Rule Group

    In this objective, we will create the firewall rule groups.

    Network firewall rule groups

    Rule group type = Stateful rule group
    Name = WebsiteWhiteList
    Capacity = 10
    Stateful rule group options = Domain list
    Rule order = Default
    Domain name source = .acloudguru.com
    Source IPs type = Default
    Protocols = HTTP and HTTPS
    Action = Allow
    
  5. Challenge

    Create Firewall Policy

    In this objective, we will be creating the firewall policy, which will be linked to the firewall rule groups created in the previous objective.

    Firewall Policies

    Name = TestFirewall-{6randomnumbers}-Policy
    Stream exception policy = Drop
    

    Stateless Default Actions

    Choose how to treat fragmented packets = Use the same actions for all packets
    Action = Forward to stateful rule groups
    

    Stateful Rule Evaluation Order and Default Actions

    Rule order = Default

    Stateful Rule Group

    Add = WebsiteWhiteList

  6. Challenge

    Create Network Firewall

    In this objective, we will create the network firewall and link it to the firewall policy created previously.

    Firewalls

    Name = TestNWFW-{6randomnumbers} (use the same numbers as you used for the policy, for consistency)
    VPC = FirstVPC
    

    Firewall Subnets

    Availability Zone = us-east-1a
    Subnet = FirewallSubnet
    IP address type = IPv4
    
    

    Associated Firewall Policy

    Associate an existing firewall policy = Choose the policy you created above
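
The domain-list rule group from the "Create Network Firewall Rule Group" objective and the curl test from the "Test Access from EC2 Instance" objective, as an added example that is not part of the original lab: it builds the rule group document in the JSON shape the Network Firewall `CreateRuleGroup` API takes for a domain list, and models locally which hostnames the `.acloudguru.com` entry covers. The matcher is a simplified model of the documented leading-dot behaviour, and every hostname other than `acloudguru.com` is a constructed sample.

```python
import json

# Values taken from the lab's rule group settings.
RULE_GROUP_NAME = "WebsiteWhiteList"
CAPACITY = 10
DOMAINS = [".acloudguru.com"]


def build_rule_group(domains):
    """Return the RuleGroup document for a stateful domain-list allow rule."""
    return {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(domains),
                # HTTP is matched on the Host header, HTTPS on the TLS SNI.
                "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                "GeneratedRulesType": "ALLOWLIST",
            }
        }
    }


def domain_matches(hostname, target):
    """Simplified model: a leading dot covers the domain itself and every
    subdomain; a target without the dot matches that exact name only."""
    if target.startswith("."):
        # endswith() on the dotted form enforces a label boundary, so
        # "notacloudguru.com" does not match ".acloudguru.com".
        return hostname == target[1:] or hostname.endswith(target)
    return hostname == target


def verdict(hostname, domains=DOMAINS):
    """With an ALLOWLIST group, HTTP/HTTPS to any unlisted name is dropped."""
    return "allow" if any(domain_matches(hostname, t) for t in domains) else "drop"


if __name__ == "__main__":
    print(f"# {RULE_GROUP_NAME} (STATEFUL, capacity {CAPACITY})")
    print(json.dumps(build_rule_group(DOMAINS), indent=2))
    # Constructed sample hostnames; only the first appears in the lab.
    for host in ["acloudguru.com", "learn.acloudguru.com",
                 "notacloudguru.com", "acloudguru.com.example.net"]:
        print(f"{host:30} {verdict(host)}")
```

Because the lab's stateless default action forwards everything to the stateful engine, this one rule group decides the outcome of the `curl` test: the listed domain passes and other HTTP/HTTPS destinations are dropped.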

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
