A primer on AWS Firewalls
In traditional data centers and in the public cloud alike, firewalls are security controls that segment a network into zones, separating sensitive data and critical infrastructure from less trusted parts of the network. This isolation helps contain a breach and limits the damage an attacker can do after gaining a foothold. Firewalls act as the first line of defense, controlling inbound and outbound traffic based on predefined rules and policies, so that only authorized users and systems can reach specific resources or services.
In this short but thorough article, we will provide an overview of the current AWS Firewall capabilities and how to pick one Firewall solution over the other. Yes, AWS has multiple Firewall solutions each catering to a specific use case and so it’s important to learn when to use one over the other.
We will be covering the 5 types of AWS Firewalls below – Security Groups, Network Access Control Lists, Web Application Firewall, Route 53 Resolver DNS Firewall and Network Firewall. Apart from the 5 firewalls, we will also briefly cover AWS Firewall Manager which is a centralized Firewall management service.
1. Security groups (SGs)
Security Groups are stateful firewalls that operate at the resource level. They attach to elastic network interfaces (ENIs), which is why they apply to EC2 instances, RDS databases, load balancers, Lambda functions in a VPC and most other resources created inside a VPC. They control traffic by permitting access based on rules defined for protocol, port range, ICMP type/code, and a source or destination, where the source/destination can be a CIDR block, a managed prefix list, or another Security Group (so that rules follow the resource rather than its IP). Security Groups only have allow rules; anything not explicitly allowed is dropped. Since SGs filter on port, protocol and IP address, they work at L3/L4 of the OSI model.
2. Network Access Control Lists (NACLs)
Network Access Control Lists, or NACLs, are stateless packet filters that operate at the subnet level. NACLs are similar to SGs in that they also work at L3/L4 of the OSI model and allow or deny traffic by filtering on port/protocol and IP address, but every subnet is associated with exactly one NACL, and that NACL applies to all traffic crossing the subnet boundary.
What does Stateless Firewall even mean?
A very important thing to note here is that NACLs are stateless. A stateless firewall keeps no record of active connections: it evaluates each packet in isolation, based solely on that packet's characteristics (source and destination IP addresses, source and destination ports, and the protocol, e.g. TCP, UDP or ICMP), without knowing whether the packet opens a new connection, belongs to an established session, or is a reply to something the host sent earlier.
Because a NACL cannot recognise reply packets, it cannot dynamically allow the return half of a connection the way a stateful firewall does. You must explicitly write rules for both directions. In practice this means allowing the ephemeral port range (1024-65535, wide enough for the Linux default of 32768-60999 and the Windows default of 49152-65535) in the opposite direction of every service you permit: an inbound rule allowing TCP 22 is useless on its own, because the SSH server's replies leave the subnet with source port 22 and a destination port somewhere in that ephemeral range, and without a matching outbound rule the NACL drops them. This is what makes NACLs tedious to maintain at scale, and why most organisations keep NACLs fairly permissive and use them for coarse controls such as explicitly denying known-bad address ranges, leaving fine-grained filtering to Security Groups.
Difference between NACL and Security Groups
This difference is very important, so let’s pause for a minute to understand this.
Scope of Control:
NACLs: NACLs operate at the subnet level. They are associated with a specific subnet and control traffic entering or leaving that entire subnet.
Security Groups: Security Groups operate at the resource level. They are associated with the network interfaces of individual resources like EC2 instances, RDS databases, load balancers, etc. and control traffic to and from those resources. A resource can have several Security Groups attached, and their rules are combined.
Stateful vs. Stateless:
NACLs: NACLs are stateless, meaning they don’t maintain connection state information. Ingress and egress rules must be defined separately, and return traffic for outgoing connections must be explicitly allowed.
Security Groups: Security Groups are stateful. A connection allowed in one direction has its return traffic allowed automatically, regardless of the rules in the other direction: the replies to a permitted inbound request leave even if no outbound rule allows them, and the replies to a permitted outbound request enter even if no inbound rule allows them. A newly created Security Group comes with a single outbound rule allowing all traffic, which is why in practice you usually only write inbound rules, but that outbound rule can and, for sensitive workloads, should be tightened.
Rule Evaluation Order:
NACLs: Rules in a NACL are evaluated in ascending order of rule number, and the first matching rule is applied; later rules are not consulted. Rules can be either explicit "ALLOW" or explicit "DENY", so a low-numbered DENY can override a broader ALLOW that follows it. Every NACL ends with a catch-all "*" rule that denies whatever nothing else matched. Note that the default NACL created with each VPC contains ALLOW-all rules in both directions, whereas a NACL you create yourself starts out denying everything.
Security Groups: All rules in a Security Group are evaluated, and traffic is allowed if any rule permits it. There is no concept of rule order, and there are no “DENY” rules; if no rule explicitly allows traffic, it is denied by default.
Use Cases:
NACLs: NACLs are suitable for implementing broad network-level controls, such as blocking or allowing traffic between subnets or enforcing specific security policies at the subnet level.
Security Groups: Security Groups are well-suited for controlling access to individual resources and are often used for fine-grained network-level security.
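To make the stateful/stateless and ordering differences above concrete, here is a small model of the two evaluation engines, added for this article and not AWS code. It simulates an SSH session from an admin host (203.0.113.10, a documentation address used as constructed sample input) to an instance at 10.0.1.5 and runs the request packet and the server's reply through a NACL and through a Security Group. The rule dictionaries and the `SecurityGroup.tracked` set are simplified stand-ins for the real constructs; in particular the connection tracker is a plain 5-tuple set, which is an approximation of how AWS tracks flows.

```python
"""Toy model contrasting AWS NACL (stateless, ordered, deny-capable) and
Security Group (stateful, unordered, allow-only) packet evaluation.
Constructed example; the rule format and the connection tracker are
simplifications, not the AWS implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving the instance
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def peer_ip(self):
        # The remote side: source of an inbound packet, destination of an outbound one.
        return self.src_ip if self.direction == "in" else self.dst_ip

    def flow_key(self):
        # Direction-agnostic 5-tuple so that a reply maps onto its request.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto, ends[0], ends[1])


def rule_matches(rule, pkt):
    """Shared match logic: direction, protocol, destination port range and
    the peer's address against the rule's CIDR (source for inbound rules,
    destination for outbound rules, exactly as on the AWS console)."""
    if rule["direction"] != pkt.direction or rule["proto"] != pkt.proto:
        return False
    if not rule["port_from"] <= pkt.dst_port <= rule["port_to"]:
        return False
    return ipaddress.ip_address(pkt.peer_ip()) in ipaddress.ip_network(rule["cidr"])


def nacl_decision(rules, pkt):
    """Stateless: lowest rule number first, first match wins, explicit deny
    possible, implicit '*' deny when nothing matches. No memory of earlier packets."""
    for rule in sorted(rules, key=lambda r: r["rule_no"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


class SecurityGroup:
    def __init__(self, rules):
        self.rules = rules      # allow rules only; a Security Group has no deny
        self.tracked = set()    # simplified stand-in for the SG connection tracker

    def decide(self, pkt):
        if pkt.flow_key() in self.tracked:
            return "allow"      # return traffic of a tracked flow: no rule needed
        if any(rule_matches(r, pkt) for r in self.rules):   # order is irrelevant
            self.tracked.add(pkt.flow_key())
            return "allow"
        return "deny"


# Constructed rule sets (same CIDRs/ports a console user would type).
NACL_NO_EPHEMERAL = [
    {"rule_no": 100, "direction": "in", "proto": "tcp", "cidr": "203.0.113.0/24",
     "port_from": 22, "port_to": 22, "action": "allow"},
]
# The fix: an outbound rule for the ephemeral port range carrying the replies.
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    {"rule_no": 100, "direction": "out", "proto": "tcp", "cidr": "0.0.0.0/0",
     "port_from": 1024, "port_to": 65535, "action": "allow"},
]
# A lower-numbered DENY for one host wins over the broader ALLOW at 100.
NACL_WITH_DENY = [
    {"rule_no": 90, "direction": "in", "proto": "tcp", "cidr": "203.0.113.10/32",
     "port_from": 22, "port_to": 22, "action": "deny"},
] + NACL_WITH_EPHEMERAL
SG_SSH_ONLY = [   # inbound SSH from the admin range; outbound rules deliberately removed
    {"direction": "in", "proto": "tcp", "cidr": "203.0.113.0/24",
     "port_from": 22, "port_to": 22},
]


def ssh_session(nacl_rules, sg_rules):
    """Run the SSH request and the server's reply through both filters and
    return {"nacl": (request, reply), "sg": (request, reply)} decisions."""
    request = Packet("in", "tcp", "203.0.113.10", 50000, "10.0.1.5", 22)
    reply = Packet("out", "tcp", "10.0.1.5", 22, "203.0.113.10", 50000)
    sg = SecurityGroup(sg_rules)
    return {
        "nacl": (nacl_decision(nacl_rules, request), nacl_decision(nacl_rules, reply)),
        "sg": (sg.decide(request), sg.decide(reply)),
    }


if __name__ == "__main__":
    for name, nacl in [("no ephemeral rule", NACL_NO_EPHEMERAL),
                       ("with ephemeral rule", NACL_WITH_EPHEMERAL),
                       ("with deny for one host", NACL_WITH_DENY)]:
        print(f"{name:24s} {ssh_session(nacl, SG_SSH_ONLY)}")
```

Running it shows the three behaviours the comparison table describes: with only an inbound TCP 22 rule the NACL lets the request in but drops the server's reply, while the Security Group allows the reply from its connection state even though it has no outbound rule at all; adding the ephemeral-range outbound rule fixes the NACL; and the rule-90 DENY for the single host beats the rule-100 ALLOW, something a Security Group cannot express.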
3. Web Application Firewall (WAF)
WAF is a managed firewall service designed to protect web applications from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. WAF uses rules and conditions to inspect incoming HTTP/HTTPS requests and block malicious traffic. You can protect a wide range of AWS resources like Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, etc.
Unlike SGs and NACLs, which filter traffic at L3/L4 of the OSI model, WAF works at L7 and can therefore make decisions on the content of the HTTP request itself: the URI path, query string, headers, cookies and body, as well as the client's IP reputation and request rate. Two practical caveats: WAF only sees requests that arrive via the resource it is attached to, so a backend that is also reachable directly (for example an ALB target whose Security Group accepts traffic from the internet) bypasses it; and the WAF rules you write are only as good as your testing, so it is common to deploy new rules in "count" mode first and promote them to "block" once the logs show no legitimate traffic matching.
4. Route 53 Resolver DNS Firewall
Route 53 Resolver DNS Firewall provides protection against DNS-based threats such as malware command-and-control lookups, phishing domains and DNS-based data exfiltration, by filtering the DNS queries that resources in your VPC send. It is built on Route 53 Resolver, the DNS resolver that AWS provides inside every VPC (reachable at the VPC's base address plus two) and that also offers inbound and outbound Resolver endpoints for resolving names between on-premises networks and AWS. You define rule groups containing domain lists with ALLOW, BLOCK or ALERT actions, associate them with VPCs, and the Resolver applies them to every query it answers.
Unlike SGs and NACLs, which filter traffic on port/protocol and IP address, a DNS firewall filters on the name being looked up, e.g. blocking resolution of a known phishing domain or allowing only an approved list of domains. Keep in mind that DNS Firewall only sees queries that go through Route 53 Resolver; a compromised host that talks to an external resolver such as 8.8.8.8 directly, or uses DNS over HTTPS, bypasses it entirely. To close that gap, block outbound TCP/UDP port 53 to anything other than the VPC resolver with Security Groups, NACLs or Network Firewall.
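The rule-evaluation order and the wildcard semantics are where DNS Firewall configurations most often go wrong, so here is a small evaluator added for this article (not AWS code) that models them. It assumes, as I understand the service's documentation, that rules in a rule group are tried in ascending priority with the first matching domain list deciding, that a list entry `*.example.com` matches subdomains but not the apex `example.com` itself, that a bare `*` matches every name, and that a query matching no rule simply resolves normally. The domain names are constructed sample input.

```python
"""Toy model of Route 53 Resolver DNS Firewall rule evaluation.
Constructed example: rule priority, '*.domain' wildcard and catch-all '*'
semantics are assumptions about the service, not its implementation."""


def domain_in_list(qname, domains):
    """True if qname matches any entry: exact name, '*.name' for any subdomain
    (not the apex), or a bare '*' for everything. Case-insensitive, trailing dots ignored."""
    q = qname.rstrip(".").lower()
    for entry in domains:
        e = entry.rstrip(".").lower()
        if e == "*":
            return True
        if e.startswith("*."):
            suffix = e[1:]                      # ".example.com"
            if q.endswith(suffix) and q != e[2:]:   # subdomain, but not the apex
                return True
        elif q == e:
            return True
    return False


def evaluate(rules, qname):
    """Lowest priority number first; the first rule whose domain list matches
    decides. Returns (action, block_response); an unmatched query resolves
    normally, modelled here as ("ALLOW", None)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if domain_in_list(qname, rule["domains"]):
            return rule["action"], rule.get("block_response")
    return "ALLOW", None


# Constructed rule group: an explicit allow for corporate names takes precedence,
# a threat-intel block list returns NXDOMAIN, and a wildcard-only entry
# illustrates the apex gap. Names are sample input, not real indicators.
RULE_GROUP = [
    {"priority": 1, "action": "ALLOW",
     "domains": ["corp.example.net", "*.corp.example.net"]},
    {"priority": 2, "action": "BLOCK", "block_response": "NXDOMAIN",
     "domains": ["phish.example.org", "*.phish.example.org"]},
    {"priority": 3, "action": "BLOCK", "block_response": "NODATA",
     "domains": ["*.tracker.example.com"]},   # apex tracker.example.com NOT covered
]

# Allow-list posture: same explicit allow, then a catch-all block for everything else.
ALLOWLIST_GROUP = [
    RULE_GROUP[0],
    {"priority": 100, "action": "BLOCK", "block_response": "NXDOMAIN", "domains": ["*"]},
]


def audit_apex_gaps(rules):
    """Return wildcard entries whose apex domain is not listed anywhere in the
    same rule, the mistake that lets 'tracker.example.com' through above."""
    gaps = []
    for rule in rules:
        names = {d.lower() for d in rule["domains"]}
        for d in names:
            if d.startswith("*.") and d[2:] not in names:
                gaps.append(d[2:])
    return sorted(gaps)


if __name__ == "__main__":
    for q in ["mail.corp.example.net", "www.phish.example.org",
              "cdn.tracker.example.com", "tracker.example.com", "aws.amazon.com"]:
        print(f"{q:28s} -> {evaluate(RULE_GROUP, q)}")
    print("apex gaps:", audit_apex_gaps(RULE_GROUP))
```

The `audit_apex_gaps` check is the kind of thing worth running over exported domain lists before a rollout: a wildcard-only block for a tracking or C2 domain still lets the bare apex resolve.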
5. AWS Network Firewall
The firewalls we have discussed so far fall into three categories:
- Those that work at the resource level: SGs (instances, databases and other ENI-backed resources) and WAF (web-facing resources such as CloudFront, ALB and API Gateway)
- Those that work at the subnet level: NACLs
- Those that work at the VPC level but only for one protocol: DNS Firewall, which is associated with a VPC but inspects nothing except DNS queries to Route 53 Resolver
None of them inspects all traffic crossing the perimeter of the VPC, and none of them can look inside the payload of arbitrary TCP/UDP flows. If you need to learn more about foundational concepts around Virtual Private Cloud (VPC), take a look at our article on that topic – A Primer on AWS VPC and Connectivity Patterns.
AWS Network Firewall does exactly that: it is a managed network firewall and intrusion detection and prevention service for the perimeter of a VPC, with both a stateless rule engine (5-tuple filtering, like a NACL) and a stateful rule engine that performs deep packet inspection using Suricata-compatible rules, so you can, for example, restrict outbound HTTPS to an allow list of TLS server names or match known-bad payload signatures. It can filter traffic going to and coming from an internet gateway, NAT gateway, VPN or AWS Direct Connect connection, as well as between VPCs via a Transit Gateway. One thing to understand before deploying it: Network Firewall is not inline by default. It is deployed as endpoints in dedicated firewall subnets, and traffic only passes through it if your route tables (including the internet gateway's ingress route table for inbound traffic) send it there. Traffic that has a route around the firewall endpoints is never inspected, so verifying the routing is as important as writing the rules.
AWS Firewall Manager
AWS Firewall Manager is NOT an AWS firewall itself, but a centralized management service that simplifies the administration of the firewalls above (WAF web ACLs, Security Groups, Network Firewall and DNS Firewall policies) across multiple accounts in an AWS Organization. It allows organizations to define a security policy once and have it applied, and re-applied when drift is detected, consistently across their AWS environment, including accounts and resources created after the policy was written.
For a quick demonstration of AWS Firewall Manager, please take a look at the below video lab on how to leverage AWS Firewall Manager for auditing AWS Security Groups.