Lab 2 - Egress Web Filtering

This lab assumes you have deployed AWS Network Firewall using the Distributed Deployment Model Setup. The same steps apply to the Centralized Deployment Model. Resource names may vary depending on the CloudFormation stack name you provided.

In this lab, we’ll use AWS Network Firewall to filter outbound web traffic using resources previously provisioned as part of 2.1.1 Setup.

Step 1 - List Firewalls & Rule Groups

  • In this step, we will verify the rule group: domain-allow-anfw-distributed-demo.

AWS Network Firewall is listed under VPC in the AWS Console:


  • Click on aws-network-firewall-anfw-distributed-demo firewall to see more details.


  • Click on domain-allow-anfw-distributed-demo firewall rule group to see more details.


  • You can observe that the Stateful rule group domain-allow-anfw-distributed-demo will allow traffic matching domain *. A domain list rule group matches the SNI of TLS connections and the Host header of plain HTTP requests; because this one is an allow list, HTTP and TLS traffic to any domain that is not on the list is dropped. You can add further domains here for testing purposes or leave it at the default.

Step 2 - List & Verify EC2 Instances

  • The CloudFormation stack for the Distributed Deployment Model Setup creates an EC2 instance named test-instance-* in the private subnet of each AZ. In this step, we will verify the EC2 instance details.

  • EC2 instances are listed under EC2 in the AWS Web console. Launch the Amazon EC2 console in the region where you created your Distributed Deployment Model Setup and verify that the EC2 instances are listed and running.

  • Amazon EC2 console in Oregon




  • Connect to the EC2 instance:

    • Select one of the instances, test-instance-1-anfw-distributed-demo or test-instance-2-anfw-distributed-demo (instance names may vary depending on the CloudFormation stack name you provided), and click on Connect:


  • Select Session Manager and click on Connect:


  • Now we are ready to test the firewall policy.

Step 3 - Verify Domain Filtering

  • On the EC2 instance, run the command below:
curl --max-time 5
  • You will observe the output of the curl command. Notice that the curl command completes successfully.


  • Let’s test again with another domain which isn’t permitted by default. On the EC2 instance, run the command below:
curl -vvv -o /dev/null --max-time 5
  • Notice that the curl command eventually times out without returning any data. Because the domain list is matched against the TLS SNI or the HTTP Host header, the TCP connection can complete but the request never gets a response, so curl hangs until --max-time expires rather than being refused. A name resolution error would indicate a DNS problem, not a firewall verdict.


Step 4 - Update Domain Rule Group

  • On the AWS Network Firewall console, under Network Firewall rule groups, select the domain-allow-anfw-distributed-demo rule group.


  • Click on Add domains and add



  • Now we have 2 domains that are allowed in this Rule Group.


Step 5 – Verify updated domain success

  • Run the below command again on the EC2 instance:
curl -vvv -o /dev/null --max-time 5
  • Notice that the curl command now completes successfully, because we have permitted the domain in the Rule Group.
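The three curl runs in Steps 3 to 5 can be scripted so that the expected verdict for each URL is checked explicitly. The following is an added example for this lab, not part of the workshop material. It shells out to curl the way the lab does, so it is meant to be run on the test instance behind the firewall. The URLs in EXPECTED are placeholders: substitute the domain you added in Step 4 and one that is not on the allow list. The exit-status meanings come from curl's documented exit codes.

```python
"""Probe URLs from the test instance and check each outcome against the expected firewall verdict."""
import subprocess

# curl exit statuses (see `man curl`, EXIT CODES) that matter behind a domain-allow rule group.
CURL_OK = 0              # got a response: the domain is permitted
CURL_DNS_FAILED = 6      # name did not resolve: a resolver problem, not a firewall verdict
CURL_CONNECT_FAILED = 7  # TCP connect failed: routing, NACL or security group, not domain filtering
CURL_TIMEOUT = 28        # no reply before --max-time: what a stateful drop looks like to the client


def classify(returncode: int) -> str:
    """Map a curl exit status to what it means for the egress filter."""
    return {
        CURL_OK: "allowed",
        CURL_DNS_FAILED: "dns-failure",
        CURL_CONNECT_FAILED: "connect-failure",
        CURL_TIMEOUT: "dropped",
    }.get(returncode, f"curl-error-{returncode}")


def probe(url: str, max_time: int = 5) -> str:
    """Run the same curl the lab uses (body discarded) and classify its exit status."""
    cmd = ["curl", "-sS", "-o", "/dev/null", "--max-time", str(max_time), url]
    rc = subprocess.run(cmd, capture_output=True).returncode
    return classify(rc)


def verify(expected: dict, results: dict) -> list:
    """Return (url, expected, actual) for every URL whose outcome differs from the expectation.

    A dns-failure or connect-failure counts as a mismatch too: it means the test never
    reached the domain rule group, so the environment has to be fixed before the
    verdict can be trusted.
    """
    return [(url, want, results.get(url))
            for url, want in expected.items() if results.get(url) != want]


if __name__ == "__main__":
    # Placeholder URLs (assumption): use the domain allowed in Step 4 and a non-allowed one.
    EXPECTED = {
        "https://allowed.example.com/": "allowed",
        "https://notallowed.example.net/": "dropped",
    }
    results = {url: probe(url) for url in EXPECTED}
    for url, verdict in results.items():
        print(f"{verdict:16} {url}")
    for url, want, got in verify(EXPECTED, results):
        print(f"MISMATCH {url}: expected {want}, got {got}")
```

Run it once before Step 4 (expecting the second URL to be dropped) and again after the rule group update with the first URL changed to "allowed"; any mismatch tells you whether the problem is the rule group or something in front of it.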


Step 6 - Verify Alert Logs captured in CloudWatch

It may take a few minutes before the logs show up in CloudWatch. The timing of Network Firewall log delivery varies by destination type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Kinesis Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs may take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the requests occurred, not the date and time when the logs are delivered.

  • AWS Log groups are listed under CloudWatch in the AWS Web console:


  • Click on Log groups under CloudWatch


  • Click on Log group /anfw-distributed-demo/anfw/alert


  • Select the latest Log Streams /aws/network-firewall/alert/aws-network-firewall-anfw-distributed-demo_*


  • You will observe alerts being captured with all details under the log group. A sample screenshot of alert is below:


Optional - ICMP Alerts

  • As you may have noticed, we have also provisioned another Rule Group: icmp-alert-anfw-*. It lets all ICMP traffic pass through but writes an alert log entry for each matching packet.


  • To test this Rule Group, on your EC2 instance, execute following command:
ping -c 5


  • Follow the instructions provided under Step 6 to view the logs. A sample log screenshot is as follows:
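Reading alerts one at a time in the console works for a lab, but in practice you want to pull the fields that matter (action, protocol, matched domain) out of the alert records and aggregate them. The following is an added example covering both Step 6 and the ICMP alerts above; it is not part of the workshop material. The sample records are constructed to follow the shape of the JSON that Network Firewall writes to the alert log stream (firewall metadata wrapping a Suricata EVE alert event); the addresses, domain names, timestamps and signature text are invented for illustration and are not captured from the lab environment.

```python
"""Summarise AWS Network Firewall alert log records (constructed samples, see lead-in)."""
import json
from collections import Counter

# Constructed records: a blocked HTTPS request (domain seen in tls.sni), a blocked plain
# HTTP request (domain seen in http.hostname) and an ICMP echo request logged by the
# alert-only ICMP rule group. Names and addresses are placeholders.
SAMPLE_ALERT_LINES = [json.dumps(rec) for rec in [
    {"firewall_name": "aws-network-firewall-anfw-distributed-demo", "availability_zone": "us-west-2a",
     "event_timestamp": "1700000000",
     "event": {"timestamp": "2023-11-14T22:13:20.000000+0000", "flow_id": 1111, "event_type": "alert",
               "src_ip": "10.1.1.10", "src_port": 40000, "dest_ip": "203.0.113.10", "dest_port": 443,
               "proto": "TCP",
               "alert": {"action": "blocked", "signature_id": 4, "rev": 1,
                         "signature": "not matching any of the allowed domains", "category": "", "severity": 1},
               "tls": {"sni": "notallowed.example.net", "version": "UNDETERMINED"}, "app_proto": "tls"}},
    {"firewall_name": "aws-network-firewall-anfw-distributed-demo", "availability_zone": "us-west-2a",
     "event_timestamp": "1700000010",
     "event": {"timestamp": "2023-11-14T22:13:30.000000+0000", "flow_id": 2222, "event_type": "alert",
               "src_ip": "10.1.1.10", "src_port": 40001, "dest_ip": "203.0.113.10", "dest_port": 80,
               "proto": "TCP",
               "alert": {"action": "blocked", "signature_id": 3, "rev": 1,
                         "signature": "not matching any of the allowed domains", "category": "", "severity": 1},
               "http": {"hostname": "notallowed.example.net", "url": "/", "http_method": "GET",
                        "protocol": "HTTP/1.1", "length": 0}, "app_proto": "http"}},
    {"firewall_name": "aws-network-firewall-anfw-distributed-demo", "availability_zone": "us-west-2b",
     "event_timestamp": "1700000020",
     "event": {"timestamp": "2023-11-14T22:13:40.000000+0000", "flow_id": 3333, "event_type": "alert",
               "src_ip": "10.1.2.10", "dest_ip": "203.0.113.20", "proto": "ICMP",
               "icmp_type": 8, "icmp_code": 0,
               "alert": {"action": "allowed", "signature_id": 1, "rev": 1,
                         "signature": "icmp alert", "category": "", "severity": 1}}},
]]


def parse_alert(line: str) -> dict:
    """Flatten one alert record into the fields an analyst actually looks at."""
    rec = json.loads(line)
    ev = rec["event"]
    alert = ev.get("alert", {})
    # The matched name lives under tls.sni for HTTPS and http.hostname for HTTP; ICMP has neither.
    domain = ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname")
    return {
        "az": rec.get("availability_zone"),
        "proto": ev.get("proto"),
        "app_proto": ev.get("app_proto"),
        "src": ev.get("src_ip"),
        "dest": ev.get("dest_ip"),
        "dest_port": ev.get("dest_port"),
        "action": alert.get("action"),
        "signature": alert.get("signature"),
        "domain": domain,
    }


def summarize(lines) -> Counter:
    """Count alerts by (action, protocol, domain) so blocked egress stands out."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        counts[(a["action"], a["app_proto"] or a["proto"], a["domain"])] += 1
    return counts


def blocked_domains(lines) -> list:
    """Sorted, de-duplicated domains that the domain-allow rule group dropped."""
    return sorted({a["domain"] for a in map(parse_alert, lines)
                   if a["action"] == "blocked" and a["domain"]})


if __name__ == "__main__":
    for (action, proto, domain), n in summarize(SAMPLE_ALERT_LINES).most_common():
        print(f"{n:4} {action:8} {proto:5} {domain or '-'}")
    print("blocked domains:", blocked_domains(SAMPLE_ALERT_LINES))
```

To run it against the real log group, export the stream (for example with `aws logs get-log-events`) and feed each message line to the same functions. The same grouping is available directly in CloudWatch Logs Insights with a query such as `filter event.alert.action = "blocked" | stats count() by event.tls.sni`, which is the quickest way to list the domains your instances tried to reach that the allow list did not cover.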