For the old school network engineers who are familiar with the on-prem data center structure and firewall solution, AWS network firewall is quite different. Firewall vendors like Cisco, Palo Alto or Fortigate, etc provide ample functions in their fw products, functions are not limited in traffic filtering, inspection and protection, but also include dynamic routing, policy based source routing, nat translation, ipsec tunnel termination etc. The later group of functions are not available in AWS network firewall as illustrated in the table below:
FIREWALL functions supported | AWS network firewall | Traditional Palo Alto, Cisco, Fortigate |
traffic filtering | yes | yes |
traffic inspection and protection | yes | yes |
Zone based policy | no | yes |
NAT translation | no | yes |
Dynamic routings | no | yes |
IPsec | no | yes |
The comparation above does not mean to show AWS network firewall is a limited product, AWS uses other items to realize those missing functions in the network firewall: ipsec is configured using customer GW or TGW, both of them support partially BGP dynamic routings. NAT translation is provided via AWS IGW and NGW. The comparation above is to show the difference that we have to take into consideration when we make architect design in cloud network. And those difference is very much shared by other public cloud networking solution beside AWS.
With such difference the recommended deployment models from AWS for network firewall solution are mostly one-arm design, that is all traffics ingress and egress share the same interface. Firewall two-arm design, which means all traffic coming in from one interface always go out via the other interface in the firewall, are supported as well but AWS suggest to consult them before you make that design. We have deployed 2-arm model in the environment and verified it is a working model but require some careful consideration in TGW and VPN rt tables.
Now let’s have a look at deployment models of network firewall recommended by AWS. AWS has recommended 3 deployment models: Distributed AWS network firewall deployment model; Centralized deployment model; and Combined AWS deployment model. The blog can be found here, which gives detailed description of traffic flow under each model. I will not repeat what is described in AWS’s recommendation but give my analysis about pros and cons of each suggested deployment model.
1, Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC
In the model each VPC is regarded as an independent data center which owns it is own firewall resource and detect ingress/egress traffic of the VPC itself, good point is that it makes design simple and clear to understand if your network only need very limited number of VPCs that need more advanced traffic inspections beside AWS already provided Security group, network acl and flow log. Once the network involves multi vpcs in multi regions, the cost will increase proportionally. According to AWS price a single network firewall endpoint is priced as $0.395/hr, one vpc availability zone need 1 network firewall endpoint attached. 1 years cost for network firewall in a single vpc with 2 availability zone will be 0.395 x 24 x 365 x 2 = 6920,4 USD. And this cost excludes traffic process costs, which is $0.065/GB in region Ireland. And for the Advanced inspection endpoint, the cost of 1 year excluding traffic process fee for the same VPC will reach 8567 USD.
In summary, for a complicated cloud network including multi vpcs in multi regions, distributed AWS network firewall deployment model is a solution with very high cost.
2, Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic
Centralized module allow firewall to be deployed in the inspection vpc. This model will greatly reduce the cost comparing with the above distributed model, and it works perfectly for East-West traffic (VPC-to-VPC) process. However when it comes to North-South traffic process I would say it somewhat problematic and I will explain as below: (AWS categorise AWS direct connect and Site to Site VPN as part of North-South traffic as well, but in my case I focus on North-South traffic only for internet traffic.)
Again, the detailed diagram can be found in the linked chapter: 4) North-South: Centralized Internet Ingress via Transit Gateway and NLB/ALB or reverse proxy
And I made an simplified one to highlight the part I am about to explain:
According to the diagram Internet traffic is coming via IGW in the centralized VPC and then rerouted to inspection VPC via AWS transit Gateway. Traffic flow seems work but where the nat translations happen? Everyone who is familiar with AWS knows NAT translation happens either in IGW or NGW, in this model, it surely happens in IGW of the centralized VPC, but does this IGW know all EIPs attached to every resources in different spoke VPCs ? So far I dont find any information that EIP map information within the vpc can be shared to another totally different VPC. If this can’t be realised the above solution for centralized internet ingress traffic is useless.
3, Combined AWS Network Firewall deployment model: In this model Internet ingress traffic is excluded or is processed in each local VPC. The other traffic is processed in the centralized way as showed in the second deployment module above.
So far this seems the most balanced solution when taking cost and required functions into total consideration. However model is yet a perfect one when it comes to internet egress traffic. The concern is explained as below:
I drawed the digram to explain the senario: 3 different spoke VPCs carrying difference service traffic that need to visit internet, and we want all those egress traffic get inspected before it goes out to internet, and we used centralized inspection vpc for those traffic and after traffic got inspected, it will be rerouted to a centralized egress VPC and get out via NGW there.
As we know that NAT translation is done in NGW, all traffic , no matter they are from spoke A or Spoke B or C will be source natted to the same pub ip in NGW. Is there any way to give Spoke A is source nat ip A, spoke B a source nat ip B, spoke C a source nat ip C? If NGW is deployed in each specifically spoke VPC then it is not a problem. But now we are using centralized egress VPC it becomes a problem.
Centralised solution for internet egress traffic inspections
So far I have analysed 3 different network firewall deployment models recommended by AWS. I hope this would be helpful when there is need for network security solution design for public cloud networking, or hybrid networking including both on-prem site and on cloud site.