AWS Network Firewall and WAF
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Mastering AWS Network Firewall and AWS WAF
Introduction: The Architecture of Perimeter Defense
In the modern cloud landscape, securing your network traffic is not just a best practice; it is a fundamental requirement for operational continuity. As applications scale and move toward distributed architectures, the traditional "castle-and-moat" security model—where you simply place a firewall at the edge of your data center—is no longer sufficient. AWS provides two primary services to address this challenge: AWS Network Firewall and AWS WAF (Web Application Firewall). While both are designed to protect your infrastructure, they operate at different layers of the OSI model and serve distinct purposes in a comprehensive security strategy.
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). It operates at the network layer (Layer 3 and Layer 4), filtering traffic based on IP addresses, ports, and protocols, while also providing deep packet inspection for Layer 7 traffic. Conversely, AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web applications. It operates at the application layer (Layer 7), focusing on protecting your web-facing resources from common exploits like SQL injection or cross-site scripting (XSS).
Understanding how these two services interact is vital for any engineer responsible for cloud network architecture. Misconfiguring these services can lead to either an overly permissive network that is vulnerable to attacks or an overly restrictive environment that breaks legitimate application functionality. This lesson explores the technical architecture, deployment patterns, and troubleshooting methodologies for both services, ensuring you have the knowledge to build a hardened network perimeter.
Understanding AWS Network Firewall
AWS Network Firewall is essentially a stateful, managed firewall service that sits within your VPC. It acts as a gateway for your traffic, allowing you to inspect, filter, and control traffic flows between your VPCs, the internet, and on-premises networks. Because it is a managed service, AWS handles the scaling, patching, and high availability, allowing you to focus on writing the actual firewall rules rather than managing the underlying hardware or software instances.
Key Components of Network Firewall
To effectively manage this service, you must understand its core architectural components:
- Firewall Policies: These are the primary containers for your rules. A policy defines the behavior of the firewall, including rule groups, stateful engine settings, and default actions for traffic that doesn't match a specific rule.
- Rule Groups: These are sets of rules that you can reuse across multiple firewall policies. They are divided into stateful and stateless rules.
- Stateless Rules: These rules evaluate packets in isolation. They are typically used to drop or allow traffic based on simple criteria like source/destination IP, port, and protocol.
- Stateful Rules: These rules track the state of network connections. They allow for more complex inspection, such as domain filtering (blocking access to specific URLs) or identifying patterns within the packet payload.
Callout: Stateless vs. Stateful Inspection Stateless inspection looks at each packet individually without considering the context of the connection. It is fast and efficient but limited in capability. Stateful inspection tracks the entire connection flow, allowing the firewall to understand if a packet is part of an established, legitimate communication channel, which is necessary for advanced threat detection and protocol validation.
Deployment Patterns
There are several ways to deploy AWS Network Firewall, but the most common is the "Centralized Inspection VPC" model. In this setup, you create a dedicated VPC for your security services. All traffic leaving or entering your application VPCs is routed through this inspection VPC using AWS Transit Gateway.
- Transit Gateway Route Tables: You configure your Transit Gateway to send traffic from your application VPCs to the inspection VPC.
- Gateway Load Balancer (GWLB) Endpoints: Inside your inspection VPC, you place the Network Firewall endpoints. These endpoints act as the "bump in the wire" that inspects the traffic.
- Return Path: Once the firewall inspects the traffic and deems it safe, the traffic continues its journey to its destination.
This model is favored by large organizations because it simplifies the management of firewall rules. Instead of managing firewall policies for twenty different VPCs, you manage one centralized policy in a single location, ensuring consistent security posture across the entire organization.
Deep Dive into AWS WAF
While Network Firewall protects the plumbing of your network, AWS WAF protects the application logic. AWS WAF sits directly in front of your web resources, such as Application Load Balancers (ALB), Amazon API Gateway, or AWS AppSync. It inspects incoming HTTP/HTTPS requests before they ever reach your application code.
How AWS WAF Works
When a request is sent to your application, it passes through the WAF before reaching the destination resource. The WAF evaluates the request against a set of rules defined in a Web Access Control List (Web ACL).
- Conditions: These define what the WAF should look for in a request. Examples include IP addresses, HTTP headers, query strings, or the body of the request.
- Rules: Rules combine conditions with actions. For instance, you could create a rule that says, "If the request body contains a known SQL injection pattern, block the request."
- Web ACL: This is the top-level container that holds your rules. You associate the Web ACL with your web application resources.
Managed Rule Groups
One of the most powerful features of AWS WAF is the use of Managed Rule Groups. Instead of writing custom rules to detect every possible vulnerability, you can subscribe to rule sets maintained by AWS or third-party vendors.
- Core Rule Set (CRS): Protects against common vulnerabilities like those listed in the OWASP Top 10.
- IP Reputation List: Blocks traffic from known malicious IP addresses, such as botnets or TOR exit nodes.
- Known Bad Inputs: Filters out requests that contain common attack patterns or malformed data.
Note: Using Managed Rule Groups significantly reduces the administrative burden of maintaining your WAF. AWS updates these rules automatically as new threats emerge, providing a dynamic defense that is far more effective than static, self-managed rule lists.
Troubleshooting Network Firewall and WAF
Troubleshooting these services requires a methodical approach, as the issue could lie within the network routing, the firewall rule configuration, or even the application layer itself.
Troubleshooting Network Firewall
If traffic is being dropped unexpectedly, follow these steps:
- Check Flow Logs: Enable VPC Flow Logs on your subnets. Look for
REJECTstatus codes. If you see rejects, note the source/destination IPs and ports to see which rule might be triggering the drop. - Verify Routing Tables: The most common cause of "firewall issues" is actually a routing issue. Ensure that the route tables in your application VPC are correctly directing traffic to the Transit Gateway or the Firewall endpoint.
- Inspect Rule Ordering: Network Firewall evaluates rules in a specific order (priority). If you have a broad "allow" rule placed above a specific "block" rule, the traffic will be allowed. Check your rule priorities in the Firewall Policy.
- Validate Stateful Engine Logs: AWS Network Firewall provides detailed logging for stateful rules. You can send these logs to CloudWatch Logs or an S3 bucket. Search these logs for specific packet drops to see exactly which rule identifier is responsible.
Troubleshooting AWS WAF
If your users are complaining about 403 Forbidden errors, it is likely that the WAF is blocking legitimate traffic.
- WAF Sampled Requests: Use the "Sampled Requests" feature in the AWS WAF console. This allows you to see the last few hundred requests that were blocked or allowed by a specific rule. This is the fastest way to identify a "false positive."
- Check CloudWatch Metrics: Look at the
BlockedRequestsmetric in CloudWatch. If you see a spike in blocked requests, correlate the timestamp with the time the issue started. - Use "Count" Mode: Before implementing a new rule, always deploy it in "Count" mode first. This allows the rule to monitor traffic and log matches without actually blocking anything. You can then review the logs to ensure the rule isn't affecting legitimate traffic before switching it to "Block" mode.
Warning: Never deploy a complex WAF rule directly into "Block" mode on a production environment. Always use the "Count" mode for at least 24 hours to observe its behavior under real-world traffic patterns.
Practical Code Examples
While you can manage these services via the console, infrastructure-as-code (IaC) is the industry standard for maintaining consistency. Below are examples using AWS CLI and Terraform concepts.
AWS CLI: Creating a WAF Rule
This command creates a simple IP set that you can then reference in a WAF rule to block specific malicious IPs.
aws wafv2 create-ip-set \
--name "MaliciousIPs" \
--scope REGIONAL \
--ip-address-version IPV4 \
--addresses "192.0.2.0/24" "203.0.113.0/24"
Terraform: Defining a Network Firewall Rule Group
Using Terraform allows you to version-control your security posture. This snippet defines a stateful rule group that blocks outbound traffic to a specific domain.
resource "aws_networkfirewall_rule_group" "domain_block" {
capacity = 100
name = "block-malicious-domains"
type = "STATEFUL"
rule_group {
rules_source {
rules_source_list {
generated_rules_type = "ALLOWLIST"
target_types = ["HTTP_HOST"]
targets = ["example-malicious-site.com"]
}
}
}
}
Explanation: The capacity parameter is critical in Network Firewall. It represents the complexity of the rule set. You must define this upfront, and it cannot be changed easily without recreating the resource. The rules_source_list simplifies domain filtering by handling the underlying TCP/TLS handshake details for you.
Best Practices and Industry Standards
To maintain a secure network, you must go beyond basic configuration. Follow these industry-proven strategies:
- Principle of Least Privilege: Your firewall rules should be as specific as possible. Instead of allowing all traffic on port 443 from
0.0.0.0/0, restrict the source to specific IP ranges or CIDR blocks if the application is internal. - Centralized Logging: All firewall and WAF logs should be aggregated into a centralized logging account. Use Amazon S3 for long-term storage and Amazon Athena to run SQL queries against these logs for forensic analysis.
- Automated Remediation: Use AWS Lambda to automatically update your WAF IP sets. If a service detects a brute-force attack from a specific IP, it can trigger a Lambda function to add that IP to the WAF block list automatically.
- Regular Audits: Conduct quarterly reviews of your WAF rules and Firewall policies. Over time, rules become obsolete or overly permissive; removing unused rules reduces the attack surface and improves performance.
- Monitor Performance: While security is paramount, excessive inspection can introduce latency. Monitor the latency of your ALB or Gateway Load Balancer to ensure that the firewall inspection is not negatively impacting the user experience.
| Feature | AWS Network Firewall | AWS WAF |
|---|---|---|
| OSI Layer | Layer 3 & 4 (Network/Transport) | Layer 7 (Application) |
| Primary Use | Filtering VPC traffic | Filtering Web requests |
| Inspection Type | Packet-level inspection | Request-body inspection |
| Deployment | Inside VPC (GWLB) | Attached to ALB/API Gateway |
| Best For | Perimeter security, compliance | Protecting web applications |
Common Pitfalls to Avoid
Many engineers fall into traps that lead to either security gaps or outages. Here are the most frequent mistakes:
- Ignoring Rule Order: In both WAF and Network Firewall, rules are processed in a specific order. If you place a "block all" rule at the top of your list, you will effectively shut down your entire application. Always review your rule order during deployment.
- Over-relying on Managed Rules: Managed rules are excellent, but they are not a silver bullet. They might not protect against application-specific vulnerabilities, such as a custom API endpoint that is susceptible to a unique injection attack. Always supplement managed rules with custom rules tailored to your application's architecture.
- Forgetting to update "Capacity": In Network Firewall, if your rule group exceeds its assigned capacity, the firewall will fail to update. Always monitor your capacity usage and ensure you have headroom for future rules.
- Testing in Production: Never test new firewall or WAF configurations directly in your production environment without a "Count" or "Log-only" phase. A single misconfigured rule can drop all traffic, leading to an immediate service outage.
- Lack of Documentation: Because firewall configurations can become highly complex, it is essential to document why certain rules exist. Include comments in your IaC code explaining the purpose of each rule group to prevent future engineers from accidentally deleting critical security controls.
Advanced Troubleshooting: The "Packet Trace" Approach
When standard logs don't reveal the issue, you may need to perform a packet trace. This involves capturing the actual packets as they pass through the firewall.
- VPC Traffic Mirroring: You can use VPC Traffic Mirroring to send a copy of the traffic from your network interface to a dedicated inspection instance (like a Linux server running Wireshark or
tcpdump). - Analyze the PCAP: By analyzing the captured packets, you can see exactly where the connection is being severed. Is it a TCP reset? Is it a timeout? Does the packet reach the firewall but never leave it?
- Cross-Reference: Compare the timestamp of the packet drop in your PCAP with the logs from the Network Firewall. This will often reveal a discrepancy between what you think the firewall is doing and what it is actually doing.
This level of troubleshooting is usually reserved for complex, intermittent issues where standard logging is insufficient. It requires a deep understanding of TCP/IP, so ensure your team has the necessary networking expertise before attempting this.
Key Takeaways for Network Security
As we conclude this lesson, remember that security is an ongoing process of refinement and observation. Use these takeaways to guide your strategy:
- Layered Defense: Never rely on a single security service. Use AWS Network Firewall for network-level protection and AWS WAF for application-level protection to create a deep, layered defense.
- Infrastructure as Code: Always define your firewall and WAF configurations in code (Terraform, CloudFormation, or CDK). This ensures that your security posture is reproducible, version-controlled, and auditable.
- The Power of "Count": Always use the "Count" or "Log-only" feature for new rules. It is the single most effective way to prevent self-inflicted outages.
- Centralized Management: For multi-account environments, centralize your firewall and WAF management. This ensures consistent policy application and simplifies the auditing process.
- Continuous Monitoring: Use CloudWatch and Athena to monitor your firewall and WAF logs continuously. Security is not a "set it and forget it" task; you must actively analyze the traffic patterns to identify new threats.
- Prioritize Performance: Keep an eye on the latency added by your inspection services. If latency increases, optimize your rule sets to ensure that security does not come at the expense of user experience.
- Documentation is Mandatory: Every rule should have a clear purpose and owner. If you cannot explain why a rule exists, it shouldn't be in your production configuration.
By mastering both AWS Network Firewall and AWS WAF, you gain the ability to protect your infrastructure from a wide range of threats, from simple network-level probes to sophisticated application-layer attacks. Keep your rules clean, your logs centralized, and your deployment processes automated, and you will be well on your way to maintaining a highly secure and resilient cloud environment.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons