Controlling Non-HTTP and Non-HTTPS Traffic to a DNS Domain Using AWS Network Firewall and AWS Lambda


Administrators can use AWS Network Firewall to control outbound traffic from a Virtual Private Cloud (VPC) to specific destinations. Domain-based rules in a stateful rule group work by inspecting the HTTP Host header or the TLS Server Name Indication (SNI), so they apply only to HTTP and HTTPS traffic. This post shows how to control outbound access for non-HTTP and non-HTTPS protocols, using SSH (Secure Shell) as the example; the same approach carries over to any protocol that uses a fixed port.

Consider a network administrator who needs to allow outbound SSH (22/tcp) to a third-party domain, for instance example.org, from a set of Amazon Elastic Compute Cloud (Amazon EC2) instances in a VPC whose Network Firewall otherwise blocks outbound SSH. At present, Network Firewall domain rules cannot control non-HTTP traffic, so the domain cannot simply be allowlisted by name.

The approach described here gives fine-grained control over outbound access to specific domains: an AWS Lambda function resolves the domain name and writes the resulting IPv4 addresses into an IP set variable referenced by a Network Firewall stateful rule. The rule then permits only the specified non-HTTP and non-HTTPS traffic, and only to the addresses the domain currently resolves to.

Two caveats apply. First, if the domain uses round-robin DNS, weighted routing, geolocation routing or any other traffic-steering mechanism, the answer the Lambda function receives may differ from the answer an instance behind the Network Firewall receives, so the rule may not cover the address the instance actually connects to. Second, the allow list is by IP address, not by name: any other domain that resolves to the same addresses is allowed equally, and between runs of the function the list can be stale if the record changes, so keep the refresh interval at or below the record's TTL.

Solution Overview

The following workflow outlines the solution:

  1. An Amazon EventBridge rule invokes the Lambda function every 10 minutes by default. Adjust the frequency to your needs, keeping it at or below the time-to-live (TTL) of the DNS record so the rule does not lag behind the record.
  2. The Lambda function performs the DNS lookup for the specified domain and updates an IP set variable in an existing Network Firewall stateful rule group. Changes to the rule group can take a few seconds to propagate across your Network Firewall deployment.
  3. The updated rule group is associated with the firewall policy, so the new addresses are enforced on traffic.
  4. Outbound traffic from the instances in your VPC flows through the Network Firewall endpoint and, if permitted, is routed through an internet gateway to the target server.
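The following is an added example of the Lambda side of steps 1 and 2: resolve the domain, turn the answer into the /32 CIDR list an IP set variable expects, and push it into the rule group with the UpdateToken from describe_rule_group. It is not the function shipped in the post's CloudFormation template. The rule group name Lambda-Managed-Stateful-Rule and the variable IP_NET come from the post; the environment variable names, the sample rule text and sid, and the sample describe_rule_group payload are assumptions constructed for illustration, and the resolver and SDK client are injectable so the logic runs offline.

```python
"""Refresh a Network Firewall IP set variable from a DNS lookup.

Added example for this post, not the Lambda code in its CloudFormation
template.  The rule group name and the IP_NET variable come from the post; the
environment variable names, the sample rule text and sid, and the sample
describe_rule_group payload below are assumptions constructed for illustration.
"""
import copy
import ipaddress
import os
import socket

# Assumed environment variables; defaults match the names used in the post.
RULE_GROUP_NAME = os.environ.get("RULE_GROUP_NAME", "Lambda-Managed-Stateful-Rule")
VARIABLE_NAME = os.environ.get("IP_SET_VARIABLE", "IP_NET")
DOMAIN = os.environ.get("DOMAIN_NAME", "example.org")

# Constructed sample of describe_rule_group()["RuleGroup"]: one pass rule that
# references $IP_NET (rule text and sid are illustrative, not the template's).
EXAMPLE_RULE_GROUP = {
    "RuleVariables": {
        "IPSets": {"IP_NET": {"Definition": ["192.0.2.10/32"]}},
        "PortSets": {"SSH_PORTS": {"Definition": ["22"]}},
    },
    "RulesSource": {
        "RulesString": 'pass tcp $HOME_NET any -> $IP_NET $SSH_PORTS '
                       '(msg:"Allow SSH to managed domain"; sid:1000001; rev:1;)'
    },
}


def resolve_ipv4(domain, lookup=socket.getaddrinfo):
    """IPv4 addresses `domain` resolves to now. Only AF_INET is requested, as
    the post's solution is IPv4-only; `lookup` is injectable for offline tests."""
    return [entry[4][0] for entry in lookup(domain, None, socket.AF_INET)]


def build_ip_set(addresses):
    """Sorted, de-duplicated /32 CIDR list in the form an IP set expects.
    Invalid or IPv6 entries are dropped: one bad entry makes update_rule_group
    reject the whole call, and the old definition would stay in force."""
    cidrs = set()
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.version == 4:
            cidrs.add(f"{ip}/32")
    return sorted(cidrs, key=ipaddress.ip_network)


def current_ip_set(rule_group, variable_name):
    ip_sets = rule_group.get("RuleVariables", {}).get("IPSets", {})
    return list(ip_sets.get(variable_name, {}).get("Definition", []))


def merge_ip_set(rule_group, variable_name, cidrs):
    """Copy of the RuleGroup with only `variable_name` replaced. update_rule_group
    replaces the whole RuleGroup, so RulesSource and every other variable must
    be sent back unchanged or they are lost."""
    updated = copy.deepcopy(rule_group)
    ip_sets = updated.setdefault("RuleVariables", {}).setdefault("IPSets", {})
    ip_sets[variable_name] = {"Definition": list(cidrs)}
    return updated


def lambda_handler(event, context, client=None, lookup=socket.getaddrinfo):
    """EventBridge entry point. `client`/`lookup` are injectable for testing;
    in Lambda they default to the real SDK client and resolver."""
    if client is None:
        import boto3  # lazy import so the helpers above need no SDK
        client = boto3.client("network-firewall")

    # The UpdateToken is an optimistic lock: update_rule_group is rejected if
    # someone else changed the rule group after this describe call.
    desc = client.describe_rule_group(RuleGroupName=RULE_GROUP_NAME, Type="STATEFUL")
    previous = current_ip_set(desc["RuleGroup"], VARIABLE_NAME)

    try:
        cidrs = build_ip_set(resolve_ipv4(DOMAIN, lookup))
    except OSError:  # socket.gaierror is a subclass of OSError
        cidrs = []
    if not cidrs:
        # Design choice: a transient resolver failure keeps the last good set
        # rather than emptying the allow list; invert this to fail closed.
        print(f"No IPv4 answer for {DOMAIN}; rule group left unchanged")
        return {"updated": False, "definition": previous}
    if set(cidrs) == set(previous):
        print("IP set unchanged; skipping update")
        return {"updated": False, "definition": cidrs}

    client.update_rule_group(
        UpdateToken=desc["UpdateToken"],
        RuleGroupName=RULE_GROUP_NAME,
        Type="STATEFUL",
        RuleGroup=merge_ip_set(desc["RuleGroup"], VARIABLE_NAME, cidrs),
    )
    print("StatefulRuleGroup updated successfully")  # the log line checked later
    return {"updated": True, "definition": cidrs}
```

Two points are worth noting. update_rule_group takes a complete RuleGroup, so the function copies back RulesSource and every other variable untouched rather than sending only IP_NET; dropping them would silently delete the rule. And the function skips the update when the resolved set has not changed, which keeps the 10-minute schedule from generating needless rule group revisions.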

Prerequisites

To implement this solution, you need:

  • An AWS account. If you don’t already have one, create and activate an account.
  • A pre-existing VPC with standard routing to an internet gateway through a network firewall that has an attached firewall policy. The example rule included in the AWS CloudFormation template assumes the firewall policy follows the default action order for stateful rule groups. If you lack a network firewall linked to your VPC, consult the AWS Network Firewall Developer Guide to get started. For a detailed guide on configuring the Network Firewall and rules engine, refer to the blog post “Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 1.”
  • A DNS domain that permits traffic for the protocol and port(s) you wish to allow. This domain must resolve to an IPv4 address or addresses; IPv6 support is currently not available.

Deploying the Solution

We have provided a CloudFormation template to facilitate the deployment of this solution, which can be found in the associated GitHub repository.

To deploy the solution:

  1. Download the CloudFormation template from the GitHub repository.
  2. Log in to your AWS account and select the appropriate AWS Region where your Network Firewall is located.
  3. Navigate to the CloudFormation service.
  4. Choose Stacks > Create Stack > With new resources (standard).
  5. In the Specify template section, select Upload a template file.
  6. Choose the file you saved and upload it, then click Next.
  7. Assign a name to your CloudFormation stack.
  8. In the Parameters section, specify the domain name to which you want to control access. The default is example.org; note that example.org does not accept SSH connections, so it is useful only for confirming that the rule variable gets populated.
  9. The other parameters default to allowing outbound SSH to the specified domain. Set the LambdaJobFrequency parameter to match the TTL of the DNS record being resolved, so the Lambda function keeps the IP addresses current if they change. Once you have adjusted the parameters, click Next.
  10. On the Configure stack options page, set any additional options as needed or keep the defaults, then select Next.
  11. On the Review page, check the stack and parameters, and tick the box to acknowledge that this template will create IAM resources. Click Create Stack.
  12. Monitor the stack creation status. It will display CREATE_COMPLETE upon successful completion.

Testing the Solution

Before testing the newly established rule, confirm that the Lambda function has been executed at least once via the EventBridge rule.

To check the results of the Lambda function:

  1. In the AWS Management Console, go to the Lambda function Network-Firewall-Resolver-Function, and in the Monitor tab, select View logs in CloudWatch.
  2. Access the most recent log stream.
  3. Ensure there’s a log entry stating “StatefulRuleGroup updated successfully.”

Next, associate the stateful rule group created by the stack, Lambda-Managed-Stateful-Rule, with the existing Network Firewall policy tied to your VPC:

  1. Navigate to VPC > Network Firewall > Firewall Policies and select your existing firewall policy.
  2. In the Stateful rule groups section, under Actions, select Add unmanaged stateful rule groups.
  3. Check the box for Lambda-Managed-Stateful-Rule, and then click Add stateful rule group.

When the newly provisioned Lambda function executes successfully, it will resolve the IPv4 address for the specified domain (example.org) and link the address to the stateful rule variable IP_NET. To verify this:

  1. Go to VPC > Network Firewall > Network Firewall rule groups.
  2. Select the Lambda-Managed-Stateful-Rule rule group.
  3. Navigate to the rule variable section and select IP_NET. If the Lambda function resolved the domain name correctly, the variable will display the IPv4 addresses for the specified domain.
