How to Create a Network Firewall Rule on Amazon Web Services (AWS)

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.

An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. A stateful rule group defines criteria for examining a packet in the context of its traffic flow and of other traffic related to that packet. Network Firewall uses a Suricata rules engine to process all stateful rules.

  • Log in to the AWS console.
  • Click on Services.

Fig 1

  • Under Networking & Content Delivery, select VPC.

Fig 2

  • Click on Network Firewall rule groups.

Fig. 3

  • Click on Create Network Firewall rule group.

Fig. 4

  • Network Firewall rule groups are either stateless or stateful.

Stateful rule group

  • Network Firewall uses a Suricata rules engine to process all stateful rules, so you can write any of your stateful rules in Suricata-compatible format.
  • Provide a stateful rule group name.
  • Provide a capacity; it must be greater than or equal to 1 and less than 10000.

Fig. 5

  • Under Stateful rule group options, choose 5-tuple.
  • Then add a rule.
  • Select the protocol.
  • Provide the source and destination IP addresses: Custom or Any.

Fig. 6

  • Provide the traffic direction. Forward inspects all traffic going one way, from the source to the destination.
  • Select the action.

Fig. 7

  • Click on Add rule.
  • Click on Create stateful rule group.

Fig. 8

  • After some time the stateful rule group is ready.

Fig 9

Stateless rule group

  • Stateless rule groups evaluate each packet in isolation, while stateful rule groups evaluate packets in the context of their traffic flow.
  • Provide a stateless rule group name.
  • Provide a capacity; it must be greater than or equal to 1 and less than 10000.

Fig 10

  • Set the priority.
  • Select the protocol.
  • Provide the source and destination IP addresses: Custom or Any.

Fig 11

  • Select the TCP masks and flags.
  • Select the actions.
  • Click on Add rule.

Fig 13

  • Click on Create stateless rule group.

Fig 15

  • After some time the stateless rule group is ready.

Fig 16

Create a Network Firewall rule group using the shell (AWS CLI)

aws network-firewall create-rule-group --rule-group-name <rule-group-name> [--rule-group <value>] [--rules <value>] --type STATEFUL|STATELESS --capacity <value>
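The console steps for the stateful and stateless rule groups above and the CLI call both end up submitting the same thing: a rule group document plus a name, a type and a capacity. The Python script below is an added example, not code from this tutorial or from AWS; it builds that document for a stateful 5-tuple rule and for a stateless rule with TCP flags and masks, renders the stateful rule as the Suricata signature the engine actually evaluates, enforces the capacity range the tutorial states, and prints the create-rule-group command that would submit each document via `--rule-group file://...` (the `--rules` option instead takes Suricata rule text directly). The field names follow the Network Firewall RuleGroup API as I know it; the rule group names, CIDRs, ports and sid values are constructed sample data, and the script never calls AWS.

```python
import json

# Capacity range given in the tutorial above: at least 1 and less than 10000.
CAPACITY_MIN, CAPACITY_MAX = 1, 10000


def check_capacity(capacity):
    """Reject a capacity outside the tutorial's range before anything is sent to AWS."""
    if not CAPACITY_MIN <= capacity < CAPACITY_MAX:
        raise ValueError(f"capacity must be >= {CAPACITY_MIN} and < {CAPACITY_MAX}")
    return capacity


def stateful_5tuple_rule(action, protocol, source, source_port,
                         destination, destination_port, sid, direction="FORWARD"):
    """One 5-tuple stateful rule, shaped like a StatefulRules entry of the RuleGroup API.

    'sid' is the Suricata signature id; the engine requires one unique sid per rule.
    """
    if action.upper() not in ("PASS", "DROP", "ALERT"):
        raise ValueError("stateful action must be PASS, DROP or ALERT")
    if direction not in ("FORWARD", "ANY"):
        raise ValueError("direction must be FORWARD or ANY")
    return {
        "Action": action.upper(),
        "Header": {
            "Protocol": protocol.upper(),
            "Source": source,
            "SourcePort": str(source_port),
            "Direction": direction,
            "Destination": destination,
            "DestinationPort": str(destination_port),
        },
        "RuleOptions": [{"Keyword": "sid", "Settings": [str(sid)]}],
    }


def to_suricata(rule):
    """Render a 5-tuple rule as the Suricata signature the stateful engine evaluates."""
    h = rule["Header"]
    arrow = "->" if h["Direction"] == "FORWARD" else "<>"  # FORWARD = one way, ANY = both
    opts = "".join(f'{o["Keyword"]}:{",".join(o["Settings"])};' for o in rule["RuleOptions"])
    return (f'{rule["Action"].lower()} {h["Protocol"].lower()} '
            f'{h["Source"].lower()} {h["SourcePort"].lower()} {arrow} '
            f'{h["Destination"].lower()} {h["DestinationPort"].lower()} ({opts})')


def stateless_rule(priority, protocols, sources, destinations, action,
                   tcp_flags=None, tcp_masks=None):
    """One stateless rule: priority, IP protocol numbers, CIDRs, optional TCP flags, action."""
    if action not in ("aws:pass", "aws:drop", "aws:forward_to_sfe"):
        raise ValueError("stateless action must be aws:pass, aws:drop or aws:forward_to_sfe")
    match = {
        "Sources": [{"AddressDefinition": s} for s in sources],
        "Destinations": [{"AddressDefinition": d} for d in destinations],
        "Protocols": list(protocols),
    }
    if tcp_flags:
        # Masks: which flag bits are examined. Flags: which of those bits must be set.
        match["TCPFlags"] = [{"Flags": list(tcp_flags), "Masks": list(tcp_masks or tcp_flags)}]
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": match, "Actions": [action]}}


def rule_group_document(rg_type, rules):
    """Wrap the rules in the RulesSource envelope that --rule-group file://... expects."""
    if rg_type == "STATEFUL":
        return {"RulesSource": {"StatefulRules": rules}}
    if rg_type == "STATELESS":
        return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": rules}}}
    raise ValueError("type must be STATEFUL or STATELESS")


def create_rule_group_command(name, rg_type, capacity, document_path):
    """The create-rule-group call from the tutorial, with its arguments filled in."""
    check_capacity(capacity)
    rule_group_document(rg_type, [])  # fails early on a bad --type value
    return (f"aws network-firewall create-rule-group --rule-group-name {name} "
            f"--type {rg_type} --capacity {capacity} --rule-group file://{document_path}")


def build_examples():
    """Constructed sample data (made-up names and CIDRs): allow HTTPS into a web subnet
    (stateful) and drop packets carrying the invalid SYN+FIN combination (stateless)."""
    stateful = [stateful_5tuple_rule("pass", "TCP", "ANY", "ANY", "10.0.1.0/24", 443, sid=1000001)]
    stateless = [stateless_rule(1, [6], ["0.0.0.0/0"], ["10.0.1.0/24"], "aws:drop",
                                tcp_flags=["SYN", "FIN"])]
    return {
        "stateful.json": rule_group_document("STATEFUL", stateful),
        "stateless.json": rule_group_document("STATELESS", stateless),
        "commands": [
            create_rule_group_command("web-allow-https", "STATEFUL", 100, "stateful.json"),
            create_rule_group_command("drop-syn-fin", "STATELESS", 100, "stateless.json"),
        ],
    }


if __name__ == "__main__":
    out = build_examples()
    print(json.dumps(out["stateful.json"], indent=2))
    print(to_suricata(out["stateful.json"]["RulesSource"]["StatefulRules"][0]))
    print("\n".join(out["commands"]))
```

Running the script prints the stateful document, its Suricata form (`pass tcp any any -> 10.0.1.0/24 443 (sid:1000001;)`) and the two CLI commands; write each document to the named file before running the corresponding command. The stateless rule uses a mask of SYN and FIN with both flags required, which is the masks-and-flags pairing the console step asks for: the mask selects the bits to examine and the flags say which of them must be set.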
