Lab 2 - Egress Web Filtering

This lab assumes you have deployed AWS Network Firewall using the Distributed Deployment Model Setup. The same steps apply to the Centralized Deployment Model. Resource names may vary depending on the CloudFormation stack name you provided.

In this lab, we’ll use AWS Network Firewall to filter outbound web traffic using resources previously provisioned as part of 2.1.1 Setup.

Step 1 - List Firewalls & Rule Groups

  • In this step, we will verify the rule group: domain-allow-anfw-distributed-demo.

AWS Network Firewall is listed under VPC in the AWS Console:

lab2_step1_figure1

  • Click on aws-network-firewall-anfw-distributed-demo firewall to see more details.

lab2_step1_figure2

  • Click on domain-allow-anfw-distributed-demo firewall rule group to see more details.

lab2_step1_figure3

  • You can observe that the Stateful rule group domain-allow-anfw-demo allows traffic matching the domains .amazon.com and .amazonaws.com. You can add further domains here for testing purposes or leave it at the default.

Step 2 - List & Verify EC2 Instances

  • The CloudFormation stack for the Distributed Deployment Model Setup creates EC2 instances named test-instance-* in the private subnet of each AZ. In this step, we will verify the EC2 instance details.

  • EC2 instances are listed under EC2 in the AWS Web console. Launch the Amazon EC2 console in the region where you created your Distributed Deployment Model Setup and verify that the EC2 instances are listed and running.

  • Amazon EC2 console in Oregon

lab2_step2_figure1

lab2_step2_figure2

lab2_step2_figure3

  • Connect to EC2 instance:

    • Select one of the instances: test-instance-1-anfw-distributed-demo or test-instance-2-anfw-distributed-demo (instance name may vary depending on the CloudFormation stack name you provided) and click on Connect:

lab2_step2_figure4

  • Select Session Manager and click on Connect:

lab2_step2_figure5

  • Now we are ready to test the firewall policy.

Step 3 - Verify Domain Filtering

  • On the EC2 instance, run the command below:
curl https://aws.amazon.com --max-time 5
  • You will see the output of the curl command. Notice that the curl command completes successfully.

lab2_step3_figure1

  • Let’s test again with another domain which isn’t permitted by default. On the EC2 instance, run the command below:
curl -vvv https://google.com -o /dev/null --max-time 5
  • Notice that the curl command times out eventually without any data returning.

lab2_step3_figure2

Step 4 - Update Domain Rule Group

  • On AWS Network Firewall console, under Network Firewall rule groups, Select domain-allow-anfw-distributed-demo rule group.

lab2_step4_figure1

  • Click on Add domains and add .google.com.

lab2_step4_figure2

lab2_step4_figure3

  • Now we have 2 domains that are allowed in this Rule Group.

lab2_step4_figure4
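The console steps above change the Targets list of a domain-list rule group. The same edit can be made from the API: `aws network-firewall update-rule-group` takes the rule group document (RulesSource.RulesSourceList with Targets, TargetTypes and GeneratedRulesType) plus the UpdateToken returned by `describe-rule-group`. The Python below is an added example, not code from the lab or from AWS: it starts from a constructed copy of the lab's two-domain allowlist, previews which hostnames the allowlist would pass, appends .google.com, and prints the resulting document for use with `--rule-group file://...`. The matching helper encodes the domain-list semantics as described in the service documentation (a leading-dot target such as .google.com matches the domain and all its subdomains; a target without a leading dot matches only that exact name); treat that helper as a model for previewing, not as the firewall's own matcher.

```python
"""Preview and update a Network Firewall domain-list (allowlist) rule group document."""
import json

# Constructed starting point mirroring the lab's rule group (not fetched from AWS).
# This is the RuleGroup document shape accepted by
# `aws network-firewall update-rule-group --rule-group file://rule-group.json`.
LAB_RULE_GROUP = {
    "RulesSource": {
        "RulesSourceList": {
            "Targets": [".amazon.com", ".amazonaws.com"],
            "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
            "GeneratedRulesType": "ALLOWLIST",
        }
    }
}


def domain_matches(target: str, hostname: str) -> bool:
    """Model of the domain-list matching rule (assumption based on the service docs):
    a target with a leading dot matches the domain itself and every subdomain;
    a target without a leading dot matches that exact name only."""
    target = target.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if target.startswith("."):
        bare = target[1:]
        return hostname == bare or hostname.endswith(target)
    return hostname == target


def is_allowed(rule_group: dict, hostname: str) -> bool:
    """True if the allowlist in rule_group would pass a TLS SNI / HTTP Host of `hostname`."""
    src = rule_group["RulesSource"]["RulesSourceList"]
    if src["GeneratedRulesType"] != "ALLOWLIST":
        raise ValueError("this helper only previews ALLOWLIST rule groups")
    return any(domain_matches(t, hostname) for t in src["Targets"])


def add_domain(rule_group: dict, domain: str) -> dict:
    """Return a new rule group document with `domain` appended to Targets.
    The input document is left untouched; adding an existing target is a no-op."""
    if not domain or domain.lstrip(".") == "" or any(c.isspace() for c in domain) or "/" in domain:
        raise ValueError(f"invalid domain-list target: {domain!r}")
    updated = json.loads(json.dumps(rule_group))  # deep copy, keep the original unchanged
    targets = updated["RulesSource"]["RulesSourceList"]["Targets"]
    if domain not in targets:
        targets.append(domain)
    return updated


if __name__ == "__main__":
    probes = ("aws.amazon.com", "google.com", "www.google.com", "notgoogle.com")
    for host in probes:
        print(f"before: {host:16s} allowed={is_allowed(LAB_RULE_GROUP, host)}")
    new_group = add_domain(LAB_RULE_GROUP, ".google.com")
    for host in probes:
        print(f"after:  {host:16s} allowed={is_allowed(new_group, host)}")
    # Document body for `--rule-group file://rule-group.json`
    print(json.dumps(new_group, indent=2))
```

When applying the printed document, pass the current UpdateToken from `describe-rule-group` to `update-rule-group`; the token is how the service rejects an update made against a stale copy of the rule group, which matters when several people edit the same allowlist. The `notgoogle.com` probe is there to show that suffix matching is done on the dot-delimited label boundary, not on a raw string suffix.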

Step 5 - Verify updated domain success

  • Run the below command again on the EC2 instance:
curl -vvv https://google.com -o /dev/null --max-time 5
  • Notice that the curl command completes successfully now that we have permitted the domain in the Rule Group.

lab2_step5_figure1

Step 6 - Verify Alert Logs captured in CloudWatch

  • CloudWatch Log groups are listed under CloudWatch in the AWS Web console:

lab2_step6_figure1

  • Click on Log groups under CloudWatch

lab2_step6_figure1

  • Click on Log group /anfw-distributed-demo/anfw/alert

lab2_step6_figure3

  • Select the latest Log Stream /aws/network-firewall/alert/aws-network-firewall-anfw-distributed-demo_*

lab2_step6_figure4

  • You will observe alerts being captured with all details under the log group. A sample screenshot of an alert is below:

lab2_step6_figure5

Optional - ICMP Alerts

  • As you may have noticed, we have also provisioned another Rule Group: icmp-alert-anfw-*. This rule group allows all ICMP traffic to pass through but writes each matching flow to the alert log.

lab2_optional_figure1

  • To test this Rule Group, execute the following command on your EC2 instance:
ping 1.1.1.1 -c 5

lab2_optional_figure2

  • Follow the instructions provided under Step 6 to view the logs. A sample log screenshot is as follows:

lab2_optional_figure3
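Step 6 and this optional section both end at the same place: a screenshot of the alert log group. Once the lab generates more than a handful of events, reading the alerts one at a time in the console stops being practical, so here is an added example (not part of the lab, and not AWS code) that parses Network Firewall alert records and summarizes them the way a defender reviewing egress policy would want: which private hosts are trying to reach which blocked hostnames, and how many alerts of each protocol/action pair were raised. The sample records are constructed to follow the shape Network Firewall writes to the alert log group (a JSON object per event, with the Suricata EVE-style detail under the `event` key); the signature strings and IP addresses are made up for the example, and the ICMP record stands in for the alerts produced by the icmp-alert-anfw-* rule group.

```python
"""Summarize AWS Network Firewall alert log records (JSON, one object per log event)."""
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the lab's /anfw-distributed-demo/anfw/alert
# log group: three blocked TLS connections (two retries to google.com from one host,
# one to example.org from another), one allowed ICMP alert, and one non-JSON line.
SAMPLE_LINES = [
    '{"firewall_name":"aws-network-firewall-anfw-distributed-demo","availability_zone":"us-west-2a","event_timestamp":"1625000000","event":{"timestamp":"2021-06-29T21:33:20.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.1.1.10","src_port":40001,"dest_ip":"142.250.0.1","dest_port":443,"proto":"TCP","tls":{"sni":"google.com","version":"UNDETERMINED"},"alert":{"action":"blocked","signature_id":4,"rev":1,"signature":"not matching any TLS allowlisted FQDNs","category":"","severity":1},"app_proto":"tls"}}',
    '{"firewall_name":"aws-network-firewall-anfw-distributed-demo","availability_zone":"us-west-2a","event_timestamp":"1625000005","event":{"timestamp":"2021-06-29T21:33:25.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.1.1.10","src_port":40002,"dest_ip":"142.250.0.1","dest_port":443,"proto":"TCP","tls":{"sni":"google.com","version":"UNDETERMINED"},"alert":{"action":"blocked","signature_id":4,"rev":1,"signature":"not matching any TLS allowlisted FQDNs","category":"","severity":1},"app_proto":"tls"}}',
    '{"firewall_name":"aws-network-firewall-anfw-distributed-demo","availability_zone":"us-west-2b","event_timestamp":"1625000010","event":{"timestamp":"2021-06-29T21:33:30.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.1.2.10","src_port":40003,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","tls":{"sni":"example.org","version":"UNDETERMINED"},"alert":{"action":"blocked","signature_id":4,"rev":1,"signature":"not matching any TLS allowlisted FQDNs","category":"","severity":1},"app_proto":"tls"}}',
    '{"firewall_name":"aws-network-firewall-anfw-distributed-demo","availability_zone":"us-west-2a","event_timestamp":"1625000020","event":{"timestamp":"2021-06-29T21:33:40.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.1.1.10","dest_ip":"1.1.1.1","proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","signature_id":5,"rev":1,"signature":"constructed ICMP alert (icmp-alert rule group)","category":"","severity":3}}}',
    'this line is not JSON and is skipped',
]


def parse_alert(line: str):
    """Flatten one alert record into the fields we report on; None if not an alert."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    ev = rec.get("event", {})
    if ev.get("event_type") != "alert":
        return None
    alert = ev.get("alert", {})
    return {
        "firewall": rec.get("firewall_name"),
        "az": rec.get("availability_zone"),
        "ts": ev.get("timestamp"),
        "src_ip": ev.get("src_ip"),
        "dest_ip": ev.get("dest_ip"),
        "dest_port": ev.get("dest_port"),
        "proto": ev.get("proto"),
        "action": alert.get("action"),
        "signature": alert.get("signature"),
        # Hostname the client asked for: TLS SNI for HTTPS, Host header for plain HTTP.
        "host": ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname"),
    }


def summarize(lines):
    """Blocked hostnames per source IP, plus alert counts per protocol/action pair."""
    blocked = defaultdict(Counter)
    actions = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        actions[f"{a['proto']}/{a['action']}"] += 1
        if a["action"] == "blocked" and a["host"]:
            blocked[a["src_ip"]][a["host"]] += 1
    return {
        "blocked_by_source": {ip: dict(c) for ip, c in blocked.items()},
        "actions": dict(actions),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for ip, hosts in report["blocked_by_source"].items():
        for host, n in hosts.items():
            print(f"{ip} -> {host}: blocked {n}x")
    for key, n in report["actions"].items():
        print(f"{key}: {n}")
```

In practice the `lines` would come from the log group (for example `aws logs filter-log-events --log-group-name /anfw-distributed-demo/anfw/alert`, taking the `message` field of each event) or from an S3 or Kinesis Data Firehose destination configured on the firewall's logging. A repeated blocked SNI from the same private host is the usual signal that a legitimate dependency is missing from the allowlist; a blocked SNI you do not recognize is the one to investigate before adding it.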