
Mastering AWS Security Appliances: Firewalls and Traffic Inspection


This study guide covers the deployment, management, and orchestration of security appliances within AWS, focusing on both native services like AWS Network Firewall and the integration of third-party appliances using Gateway Load Balancers (GWLB).

Learning Objectives

By the end of this module, you should be able to:

  • Differentiate between AWS WAF, AWS Network Firewall, and Gateway Load Balancer (GWLB) use cases.
  • Design architectures for securing inbound, outbound, and east-west (inter-VPC) traffic.
  • Implement centralized security management using AWS Firewall Manager.
  • Distinguish between stateful and stateless filtering mechanisms across various security layers.

Key Terms & Glossary

  • Deep Packet Inspection (DPI): A method of examining the data part of a packet as it passes an inspection point to search for protocol non-compliance, viruses, or spam. Example: Using AWS Network Firewall to block specific domain names in HTTP headers.
  • Stateful Filtering: A firewall capability that keeps track of the state of network connections. If inbound traffic is allowed, return outbound traffic is automatically permitted. Example: Security Groups.
  • Stateless Filtering: A firewall that treats each packet in isolation. Rules must be explicitly defined for both directions. Example: Network ACLs (NACLs).
  • Intrusion Detection/Prevention System (IDS/IPS): Security appliances that monitor network traffic for malicious activity and can take action to prevent it. Example: A third-party firewall deployed behind a GWLB.
  • East-West Traffic: Network traffic that moves laterally within a data center or between VPCs. Example: Traffic between a production VPC and a shared services VPC.

The "Big Idea"

In the AWS cloud, security is not a single "perimeter wall" but a layered defense-in-depth strategy. Security appliances act as the gatekeepers at different layers of the OSI model. While Security Groups and NACLs provide basic port/IP filtering, modern compliance and security requirements often demand higher-level inspection (Layer 7) and centralized orchestration to protect against sophisticated threats like SQL injection or data exfiltration.

Formula / Concept Box

| Feature | OSI Layer | Statefulness | Scope |
| --- | --- | --- | --- |
| Security Groups | Layer 4 (Transport) | Stateful | Instance/ENI |
| Network ACLs | Layer 4 (Transport) | Stateless | Subnet |
| AWS WAF | Layer 7 (Application) | Stateful | ALB, CloudFront, API GW |
| AWS Network Firewall | Layers 3-7 | Stateful & Stateless | VPC / Subnet Route |
| GWLB + Appliance | Layer 3 (Network) | Stateful | VPC / Fleet of Appliances |

Hierarchical Outline

  • I. Inbound Security (North-South)
    • AWS WAF: Protects web applications from common exploits (SQLi, XSS).
    • AWS Shield: Managed DDoS protection (Standard vs. Advanced).
    • AWS Network Firewall: Inspects non-HTTP protocols entering the VPC.
  • II. Outbound Security (Egress)
    • Egress Filtering: Preventing data exfiltration to unauthorized domains.
    • Forward Proxies: Using third-party appliances to filter web requests from internal instances.
  • III. Inter-VPC Security (East-West)
    • Transit Gateway (TGW): Centralizing traffic flow through an inspection VPC.
    • VPC Endpoint Policies: Controlling access to AWS services via PrivateLink.
  • IV. Centralized Management
    • AWS Firewall Manager: Deploying consistent rules across an entire AWS Organization.

Visual Anchors

Inbound Web Traffic Flow (diagram not reproduced here)

Centralized Inspection Architecture (GWLB)

In this architecture, a "Security VPC" houses a fleet of third-party firewalls. Traffic from a "Consumer VPC" is routed through a GWLB Endpoint for inspection before reaching its destination.

\begin{tikzpicture}[node distance=2cm, every node/.style={font=\small}]
  \draw[thick, dashed] (0,0) rectangle (4,3) node[pos=0.1, above] {Consumer VPC};
  \draw[thick, dashed] (6,0) rectangle (10,3) node[pos=0.1, above] {Security VPC};
  \node (App) at (2,1.5) [draw, rectangle] {Application};
  \node (GWLBE) at (3.5, 1.5) [draw, circle, inner sep=2pt] {GPE};
  \node (GWLB) at (7, 1.5) [draw, fill=blue!10] {GWLB};
  \node (Appliance) at (9, 1.5) [draw, fill=red!10] {Firewall};
  \draw[<->, thick] (App) -- (GWLBE);
  \draw[<->, thick, blue] (GWLBE) -- (GWLB) node[midway, above] {PrivateLink};
  \draw[<->, thick] (GWLB) -- (Appliance);
  \node[below] at (3.5, 1) {Endpoint};
  \node[below] at (9, 1) {3rd Party};
\end{tikzpicture}

Definition-Example Pairs

  • Service: AWS Network Firewall
    • Definition: A managed service that scales automatically to protect your VPC. It supports Suricata-compatible rules for DPI.
    • Example: A company needs to block all SSH traffic (Port 22) leaving their VPC unless it is destined for a specific management IP range.
  • Service: Gateway Load Balancer (GWLB)
    • Definition: A service that makes it easy to deploy, scale, and manage your third-party virtual appliances.
    • Example: Using a Palo Alto or Fortinet firewall image from AWS Marketplace to perform deep packet inspection on all traffic moving between two internal VPCs.
  • Service: AWS Firewall Manager
    • Definition: A security management service to centrally configure and manage firewall rules across your accounts and resources in AWS Organizations.
    • Example: Automatically applying a "No Port 22 Open to 0.0.0.0/0" rule to every new Security Group created in any account within the company's AWS Organization.

Worked Examples

Scenario: Securing Egress Traffic to specific Domains

Goal: Ensure that EC2 instances in a private subnet can only access github.com and pypi.org for software updates, blocking all other internet access.

  1. Deployment: Deploy AWS Network Firewall in a dedicated "Inspection Subnet."
  2. Routing: Modify the route table of the Application Subnet. Set the default route (0.0.0.0/0) to point to the VPC Endpoint of the Network Firewall.
  3. Rule Configuration:
    • Create a Stateful Rule Group.
    • Select "Domain List" as the inspection type.
    • Add .github.com and .pypi.org to the allow list.
    • Set the default action to "Deny" for all other domains.
  4. Verification: An instance attempting to curl google.com will time out, while curl github.com will succeed.
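The rule group and firewall policy from the scenario above, expressed as the request parameters for the AWS Network Firewall API, plus a local matcher that mirrors the domain-list semantics (a leading dot covers the apex and all subdomains). This is an added example, not code from the page or from AWS; the resource names are assumptions, and boto3 is only used in main(), so the builders and the matcher run offline.

```python
ALLOWED_DOMAINS = [".github.com", ".pypi.org"]  # leading dot: apex and every subdomain


def domain_list_rule_group(name: str, domains: list[str], capacity: int = 100) -> dict:
    """Parameters for CreateRuleGroup: a stateful domain-list rule group.
    ALLOWLIST generates Suricata rules that pass the listed HTTP Host / TLS SNI
    values and drop every other domain the stateful engine sees."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": domains,
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "ALLOWLIST",
        }}},
    }


def firewall_policy(name: str, rule_group_arn: str) -> dict:
    """Parameters for CreateFirewallPolicy: the stateless layer forwards all
    packets (and fragments) to the stateful engine, which applies the allow list."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn}],
        },
    }


def domain_allowed(hostname: str, allow_list: list[str]) -> bool:
    """Local simulation of the verification step: '.example.com' matches the apex
    and any subdomain, 'example.com' matches only the exact name."""
    host = hostname.lower().rstrip(".")
    for entry in (e.lower() for e in allow_list):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    import boto3  # needed only to create the resources in a real account
    nfw = boto3.client("network-firewall")
    rg = nfw.create_rule_group(**domain_list_rule_group("egress-allowlist", ALLOWED_DOMAINS))
    nfw.create_firewall_policy(**firewall_policy("egress-policy", rg["RuleGroupResponse"]["RuleGroupArn"]))
```

Note that "notgithub.com" is rejected: the dot in ".github.com" must align with a label boundary, which is why a suffix check on the dotted entry is used rather than a plain substring test.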

Checkpoint Questions

  1. Which AWS service is best suited for protecting against SQL Injection and Cross-Site Scripting (XSS)?
  2. True or False: Security Groups are stateless, meaning you must define both inbound and outbound rules for a single connection.
  3. What protocol does the Gateway Load Balancer use to encapsulate packets and maintain traffic context between the endpoint and the appliance?
  4. How does AWS Firewall Manager simplify multi-account security?
Answers:
  1. AWS WAF (Web Application Firewall).
  2. False. Security Groups are stateful. NACLs are stateless.
  3. GENEVE (Generic Network Virtualization Encapsulation) protocol (Port 6081).
  4. It allows a central security team to mandate rules (WAF, Shield, Network Firewall, SG) across all accounts in an AWS Organization, ensuring compliance automatically for new resources.
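To make answer 3 concrete, here is an added example (not from the page or from AWS) that builds and parses a GENEVE datagram as an appliance behind a GWLB would see it on UDP port 6081: the base header from RFC 8926 followed by option TLVs carrying context, with the inner packet after them. The option class and type values in the sample are constructed, not AWS's real ones.

```python
import struct

GENEVE_UDP_PORT = 6081


def parse_geneve(datagram: bytes) -> dict:
    """Parse the GENEVE base header plus option TLVs and return the inner packet.
    An appliance must send the same options back unchanged so the GWLB can map
    the returned packet to the original flow and endpoint."""
    if len(datagram) < 8:
        raise ValueError("truncated GENEVE header")
    first, second, proto, vni_raw = struct.unpack("!BBHI", datagram[:8])
    version, opt_len = first >> 6, (first & 0x3F) * 4  # option length in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    end = 8 + opt_len
    if len(datagram) < end:
        raise ValueError("truncated GENEVE options")
    options, offset = [], 8
    while offset < end:
        opt_class, opt_type, flags_len = struct.unpack("!HBB", datagram[offset:offset + 4])
        data_len = (flags_len & 0x1F) * 4
        options.append({"class": opt_class, "type": opt_type & 0x7F,
                        "critical": bool(opt_type & 0x80),
                        "data": datagram[offset + 4:offset + 4 + data_len]})
        offset += 4 + data_len
    return {
        "protocol": proto,                      # 0x0800 means the inner packet is IPv4
        "vni": vni_raw >> 8,                    # 24-bit virtual network identifier
        "critical_options": bool(second & 0x40),
        "options": options,
        "inner": datagram[end:],
    }


def build_geneve(inner: bytes, options: list[tuple[int, int, bytes]], vni: int = 0) -> bytes:
    """Encapsulate an IPv4 packet with (class, type, data) options; data is 4-byte aligned."""
    for _, _, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
    body = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    header = struct.pack("!BBHI", len(body) // 4, 0, 0x0800, vni << 8)
    return header + body + inner


# Constructed sample: a minimal 20-byte IPv4 header wrapped with one 8-byte option
SAMPLE = build_geneve(b"\x45\x00" + b"\x00" * 18,
                      [(0x1234, 1, b"\x00\x00\x00\x00\xde\xad\xbe\xef")])
```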

Muddy Points & Cross-Refs

  • Network Firewall vs. WAF: Use WAF for Layer 7 HTTP/S specific threats. Use Network Firewall for Layer 3-7 general network traffic (like blocking SSH, or filtering non-web outbound traffic).
  • VPC Peering vs. Transit Gateway for Inspection: While VPC peering is cheaper, Transit Gateway is significantly easier to manage for "hub-and-spoke" inspection architectures where many VPCs need to route through one central security VPC.
  • Cost Considerations: AWS Network Firewall has a high hourly base cost per availability zone. For small environments, Security Groups and NACLs are the most cost-effective starting point.

Comparison Tables

Firewall Options Comparison

| Feature | Security Group | Network Firewall | 3rd Party Appliance (GWLB) |
| --- | --- | --- | --- |
| DPI Capability | No | Yes | Yes (Advanced) |
| Protocol Support | TCP/UDP/ICMP | All IP Protocols | All IP Protocols |
| Rule Limit | ~60 rules/group | Thousands | Vendor Specific |
| Managed by | AWS (Service) | AWS (Service) | Customer (Appliance) |
| Scaling | Automatic | Automatic | Managed by GWLB |
| Signature-based IDS | No | Yes (Suricata) | Yes (Proprietary) |
