DEV Community

Harish Bennalli
Harish Bennalli

Posted on

AWS Firewall Manager now supports AWS Network Firewall Centralized Deployment Model

AWS Firewall Manager now allows you to deploy AWS Network Firewall to inspect traffic using a centralized deployment model.
Previously, Firewall Manager could deploy AWS Network Firewall only in a decentralized deployment model, where we deploy AWS Network Firewall into each VPC which requires protection.

With this release, customers can now use Firewall Manager to deploy AWS Network Firewall in either a distributed deployment model or a centralized deployment model.

When you deploy an AWS Network Firewall policy using a centralized deployment model, Firewall Manager creates Network Firewall endpoints in an Inspection VPC that you select. You can either choose the availability zones in which the firewall endpoints will be created for your in-scope VPCs or allow Firewall Manager to automatically create endpoints in availability zones with public subnets. These options provide granular control over the deployment of your Network Firewall endpoints.

This feature is now available in all AWS regions where Network Firewall is offered.

AWS Firewall Manager is a security management service that acts as a central place for you to configure and deploy firewall rules across accounts and resources in your organization.

With Firewall Manager, you can deploy and monitor rules for AWS WAF, AWS Shield Advanced, VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall across your entire organization.

Firewall Manager ensures that all firewall rules are consistently enforced, even as new accounts and resources are created.

How Firewall Manager creates firewall endpoints

The deployment model in your policy determines how Firewall Manager creates firewall endpoints.

There are two deployment models to choose from, the distributed deployment model, and the centralized deployment model:

Distributed deployment model

With the distributed deployment model, Firewall Manager creates endpoints for each VPC that's within policy scope.

You can either customize the endpoint location by specifying which Availability Zones to create firewall endpoints in, or Firewall Manager can automatically create endpoints in the Availability Zones with public subnets.

  • If you manually choose the Availability Zones, you have the option to restrict the set of allowed CIDRs per Availability Zone.

  • If you decide to let Firewall Manager automatically create the endpoints, you must also specify whether the service will create a single endpoint or multiple firewall endpoints within your VPCs.

For multiple firewall endpoints, Firewall Manager deploys a firewall endpoint in each Availability Zone where you have a subnet with an internet gateway or a Firewall Manager-created firewall endpoint route in the route table. This is the default option for a Network Firewall policy.

For a single firewall endpoint, Firewall Manager deploys a firewall endpoint in a single Availability Zone in any subnet that has an internet gateway route. With this option, traffic in other zones needs to cross zone boundaries in order to be filtered by the firewall.

Note
For both of these options, there must be a subnet associated to a route table that has an IPv4/prefixlist route in it. Firewall Manager does not check for any other resources.

Centralized deployment model

With the centralized deployment model, Firewall Manager creates one or more firewall endpoints within an inspection VPC.

An inspection VPC is a central VPC where Firewall Manager launches your endpoints.

When you use the centralized deployment model, you also specify which Availability Zones to create firewall endpoints in. You can't change the inspection VPC after you create your policy. To use a different inspection VPC, you must create a new policy.

If you change the list of Availability Zones, Firewall Manager will try to clean up any endpoints that were created in the past, but that aren't currently in policy scope. Firewall Manager will remove the endpoint only if there are no route table routes that reference the out of scope endpoint. If Firewall Manager finds that it is unable to delete these endpoints, it will mark the firewall subnet as being non-compliant and will continue attempting to remove the endpoint until such time as it is safe to delete.

Hope you liked this Blog!

More to come on AWS Security!!

Top comments (0)