Logo
  1. Home
  2. Blog
  3. Cloud Security
  4. AWS Network Firewall Best Practices You Should Follow

Last updated June 17th, 2024 by Tim Shea

At Tufin, we know how important it is to protect your networks and data from cybersecurity threats, which is why Tufin’s approach to security automation and orchestration is so comprehensive. Yet we know that there are many elements of your network security, including tools from partners like Amazon Web Services (AWS). One key security tool from AWS is AWS Network Firewall, which AWS introduced in 2020.

In this post, we will explore the best practices you should follow when deploying AWS Network Firewall, common pitfalls to avoid, and how Tufin can help enhance AWS network firewall management and security. 

What is AWS Network Firewall?

AWS Network Firewall is a stateful, managed, network firewall and intrusion prevention service that lets you define the rules that deliver granular control over your network traffic. It works in tandem with AWS Firewall Manager to create policies using AWS Network Firewall rules and then centrally applies those policies across your virtual private clouds (VPCs) and accounts.

The service lets you automatically scale your network firewall to protect your managed infrastructure, and also allows you to centrally manage security policies and automatically enforce mandatory policies on new accounts.

The Benefits and Challenges of Implementing AWS Network Firewall Best Practices   

Before configuring and using AWS Network Firewall, it is important to explore its capabilities and learn what and what not to do.  
 
There are three key architecture patterns you should consider when deploying the service: 

  • Distributed deployment model: AWS Network Firewall is deployed into each individual VPC. 

  • Centralized deployment model: AWS Network Firewall is deployed into a centralized VPC attached to an instance of AWS Transit Gateway for east-west (VPC-to-VPC) or north-south (inbound and outbound from internet, on-premises) traffic.  

  • Combined deployment model: In this model, AWS Network Firewall is deployed into a centralized inspection VPC for east-west (VPC-to-VPC) and a subset of north-south (on-premises, egress) traffic. With this model, internet ingress is distributed to VPCs that require dedicated inbound access from the internet, and AWS Network Firewall is deployed accordingly.

There are several pitfalls you should steer clear of when setting up AWS Network Firewall: 

  • Use only symmetric routing: AWS Network Firewall does not support asymmetric routing, meaning symmetric routing must be configured in your VPC. When you deploy AWS Network Firewall into a VPC, you must modify the route tables to ensure traffic is sent through firewall endpoints so that it can be inspected.  

  • Use only managed rules and do not use alert rules: Managed rule groups are collections of predefined, ready-to-use rules that AWS writes and maintains for you. Only managed rules should be used when deploying AWS Network Firewall endpoints to each VPC. Do not use alert rules, which are stateful rules that generates an alert log when traffic matches the rule and the rule’s action is set to “alert.”

AWS Network Firewall Best Practices 

In addition to the points already mentioned, follow these steps to ensure a successful setup and operation of AWS Network Firewall: 

  1. Configure the VPC subnets for your firewall endpoints: In your VPC, in each Availability Zone where you want to deploy a firewall endpoint, create a subnet specifically for use by the service.  

  1. Create the firewall: Create a firewall and give it the specifications for each of your firewall subnets. The service creates a firewall endpoint in each subnet you specify and is available to monitor and protect the resources for the subnets whose traffic you send through it. 

  1. Configure the firewall policy: Define the policy for your firewall by specifying its rule groups and other behavior that you want the firewall to provide. 

Why is Automation and Orchestration Important in Security Architecture?

Tufin solutions complement any third-party firewall tools in your network by providing centralized and comprehensive visibility, policy orchestration, and compliance automation across hybrid and multi-cloud environments.

Integrating with Tufin allows you to gain visibility into your cloud security posture, establish security guardrails and achieve continuous compliance, all without compromising the business benefits of cloud computing. 

While Tufin does not have direct integration with AWS Network Firewall, we do integrate with dozens of technology partners. To learn more about how Tufin can help automate and orchestrate your security, sign up for a live demo.

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

Ready to Learn More

Get a Demo

In this post:

Background Image