Controlling Non-HTTP and Non-HTTPS Traffic to a DNS Domain with AWS Network Firewall and AWS Lambda

Network administrators often need to restrict outbound access from a virtual private cloud (VPC) to a short list of external destinations. AWS Network Firewall can do this by domain name for HTTP and HTTPS, because its domain list rules match the Host header of an HTTP request or the Server Name Indication (SNI) in the TLS handshake. Other protocols carry no domain name the firewall can inspect, so a domain rule cannot be applied to them. In this article, we show how to extend domain-based control to non-HTTP and non-HTTPS traffic, such as SSH (Secure Shell).

Consider a scenario where a network administrator must enable outbound SSH access on port 22/tcp to a third-party domain, such as example.org, for a group of Amazon Elastic Compute Cloud (EC2) instances within a secured VPC that restricts outbound SSH traffic through Network Firewall. Notably, controlling non-HTTP traffic using a domain rule within Network Firewall is not possible at present.

Our proposed solution empowers administrators to effectively manage outbound access to specified domains. By leveraging an AWS Lambda function to resolve the domain name, you can update a Network Firewall rule variable based on the DNS query results. This approach ensures that only explicitly permitted non-HTTP and non-HTTPS traffic is allowed to those designated domains.

Be mindful of two caveats. First, if the domain you are resolving uses round-robin DNS, weighted routing, geolocation routing, or any similar traffic-steering mechanism, the answers the Lambda function receives may differ from the answers your EC2 instances receive, and traffic that the instances send to an address the function never saw will be dropped. Second, the rule ultimately allows traffic by IP address, not by name: every other service hosted on the resolved addresses becomes reachable on the permitted port, and between a DNS change and the next Lambda run the rule still points at the old addresses.

Solution Overview

The solution can be summarized in the following workflow:

  1. An Amazon EventBridge rule triggers the Lambda function every 10 minutes (customizable based on your needs).
  2. The Lambda function performs a DNS lookup for the specified domain and updates a variable in an existing Network Firewall rule group. Note that rule group changes may take a few seconds to propagate through your Network Firewall deployment.
  3. The updated Network Firewall rule group is linked to the Network Firewall policy to regulate traffic.
  4. Traffic from the EC2 instances in the VPC is routed through the Network Firewall endpoint and, if permitted, directed via an internet gateway to the target server.
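The following is an added example of the resolver logic in step 2, written for this article rather than taken from the blog post's GitHub repository or from AWS. It resolves the domain's A records, compares them with the IP set variable currently stored in the stateful rule group, and calls UpdateRuleGroup only when the definition changed, passing back the UpdateToken returned by DescribeRuleGroup so a concurrent edit is rejected rather than overwritten. The rule group name, the IP_NET variable name, the environment variable names, and the in-memory FakeNetworkFirewall stand-in for the boto3 client are assumptions made for the illustration; the fake lets the logic run offline, and lambda_handler uses the real client.

```python
"""Added example (not the blog post's or AWS's own code): keep a Network
Firewall IP set variable in step with a domain's A records.  Rule group name,
variable name and the FakeNetworkFirewall stand-in are assumptions."""
import ipaddress
import json
import os
import socket

RULE_GROUP = os.environ.get("RULE_GROUP_NAME", "Lambda-Managed-Stateful-Rule")  # assumed name
DOMAIN = os.environ.get("DOMAIN_NAME", "example.org")
VARIABLE = "IP_NET"


def resolve_ipv4(domain, resolver=None):
    """Return the domain's IPv4 addresses as a numerically sorted list of /32 CIDRs.

    resolver(name) returns an iterable of address strings; the default uses the
    system resolver.  IPv6 answers are dropped because this design's rule
    variable holds IPv4 only, and duplicate answers collapse to one entry.
    """
    if resolver is None:
        def resolver(name):
            return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    cidrs = set()
    for addr in resolver(domain):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            cidrs.add(f"{ip}/32")
    return sorted(cidrs, key=ipaddress.ip_network)


def current_definition(rule_group, variable=VARIABLE):
    """Read one IP set variable's CIDR list out of a RuleGroup document."""
    return (rule_group.get("RuleVariables", {})
            .get("IPSets", {})
            .get(variable, {})
            .get("Definition", []))


def with_definition(rule_group, cidrs, variable=VARIABLE):
    """Deep-copy the RuleGroup document and replace one IP set variable."""
    updated = json.loads(json.dumps(rule_group))
    ipsets = updated.setdefault("RuleVariables", {}).setdefault("IPSets", {})
    ipsets[variable] = {"Definition": list(cidrs)}
    return updated


def sync_rule_variable(client, domain, rule_group_name=RULE_GROUP, resolver=None):
    """Resolve domain and publish the result into the stateful rule group.

    Fails closed: an empty DNS answer raises and leaves the last-known-good
    definition in place instead of publishing a match-nothing variable.
    """
    cidrs = resolve_ipv4(domain, resolver)
    if not cidrs:
        raise RuntimeError(f"{domain} returned no IPv4 addresses; rule group left unchanged")
    desc = client.describe_rule_group(RuleGroupName=rule_group_name, Type="STATEFUL")
    stored = sorted(current_definition(desc["RuleGroup"]), key=ipaddress.ip_network)
    if stored == cidrs:
        return {"changed": False, "definition": cidrs}
    # UpdateToken is an optimistic-concurrency token: the API rejects the call
    # if the rule group changed after describe_rule_group returned.
    client.update_rule_group(
        UpdateToken=desc["UpdateToken"],
        RuleGroupName=rule_group_name,
        Type="STATEFUL",
        RuleGroup=with_definition(desc["RuleGroup"], cidrs),
    )
    return {"changed": True, "definition": cidrs}


def lambda_handler(event, context):
    """Entry point for the EventBridge-scheduled invocation."""
    import boto3  # present in the Lambda runtime; imported here so the module loads offline
    return sync_rule_variable(boto3.client("network-firewall"), DOMAIN)


class FakeNetworkFirewall:
    """In-memory stand-in for the boto3 network-firewall client (offline use only).

    Holds a constructed rule group whose single Suricata rule allows TCP/22 to
    $IP_NET, and enforces the UpdateToken check the real service performs.
    """

    def __init__(self, definition):
        self.token = "token-0"
        self.updates = 0
        self.rule_group = {
            "RuleVariables": {"IPSets": {VARIABLE: {"Definition": list(definition)}}},
            "RulesSource": {"RulesString":
                'pass tcp $HOME_NET any -> $IP_NET 22 (msg:"Allow SSH to domain"; sid:1; rev:1;)'},
        }

    def describe_rule_group(self, RuleGroupName, Type):
        return {"UpdateToken": self.token, "RuleGroup": json.loads(json.dumps(self.rule_group))}

    def update_rule_group(self, UpdateToken, RuleGroupName, Type, RuleGroup):
        if UpdateToken != self.token:
            raise RuntimeError("stale UpdateToken")
        self.rule_group = RuleGroup
        self.updates += 1
        self.token = f"token-{self.updates}"
        return {"UpdateToken": self.token}
```

Two design choices are worth calling out. Skipping the update when nothing changed keeps the scheduled run from churning the rule group (and its propagation delay) every few minutes, and refusing to publish an empty definition means a transient DNS failure blocks nothing new but also opens nothing new.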

Prerequisites

Before implementing this solution, ensure you have the following:

  • An AWS account. If you don’t have one, you can create and activate it.
  • An existing VPC configured with default routing to an internet gateway and a Network Firewall that includes a firewall policy. The example rule in the CloudFormation template expects the policy to use the standard action order for stateful rule groups. For guidance on setting up a Network Firewall, refer to the AWS Network Firewall Developer Guide.
  • A DNS domain that you provide, allowing traffic for the intended protocol and port (or ports). The domain must resolve to IPv4 addresses, as IPv6 is not supported at this time.

Deploy the Solution

To deploy this solution, follow these steps:

  1. Download the CloudFormation template from our GitHub repository.
  2. Log into your AWS account and select the appropriate AWS Region for your Network Firewall.
  3. Go to the CloudFormation service.
  4. Select Stacks > Create Stack > With new resources (standard).
  5. In the Specify template section, choose Upload a template file. Then select the file you downloaded and click Next.
  6. Enter a stack name for your CloudFormation stack.
  7. In the Parameters section, input the domain name you wish to control access for; the default is set to example.org, which, it should be noted, does not support SSH traffic.
  8. Adjust the LambdaJobFrequency parameter to correspond with the DNS record’s TTL to ensure the Lambda function keeps the IP address current. After setting the parameters, click Next.

On the Configure stack options page, you can specify additional options or retain the defaults, then proceed to the Review page, where you can double-check the stack and parameters. Ensure to acknowledge that the template will create IAM resources and then select Create Stack. Monitor the stack creation status; it should indicate CREATE_COMPLETE upon success.

Testing the Solution

Before testing the new rule, confirm the Lambda function has been triggered at least once by the EventBridge rule. To verify the Lambda results:

  1. Navigate to the Lambda function named Network-Firewall-Resolver-Function in the AWS Management Console, and select the Monitor tab, then click View logs in CloudWatch.
  2. Choose the most recent log stream.
  3. Look for an entry that confirms the StatefulRuleGroup was updated successfully.

Next, associate the stateful rule group created by the stack, Lambda-Managed-Stateful-Rule, with your existing Network Firewall policy. Navigate to VPC > Network Firewall > Firewall Policies, select your current policy, and in the Stateful rule groups section, choose Add unmanaged stateful rule groups. Select the checkbox for Lambda-Managed-Stateful-Rule, then click Add stateful rule group.

When the Lambda function executes successfully, it will resolve the IPv4 address for the specified domain (example.org) and update the stateful rule variable IP_NET. To validate this, navigate to VPC > Network Firewall > Network Firewall rule groups, select Lambda-Managed-Stateful-Rule, and check the rule variable section for IP_NET. If the Lambda function ran correctly, this variable will contain the IPv4 addresses for the domain.
