Tags: amazon-web-services, amazon-ec2, web-application-firewall, network-load-balancer

AWS Network Firewall + Network Load Balancer Architecture Question


We are implementing a custom web application in AWS that we hope will be well designed, reliable and secure, while also staying within a limited budget. Ideally the architecture we implement would provide a solid foundation on which we can build and grow in the future, or at least give us some experience with an architecture that we can evolve into in the future.

Key items to note:

Below is a simplified diagram of what we are thinking. We would appreciate any feedback that could be provided, especially around these questions.

  1. From testing we know that it is not possible to make an outbound API call from an EC2 instance without that instance having a public IP address, either by assigning the EC2 instance a public IP address (bad idea) or having some type of NAT functionality. The question is: does the Network Firewall provide the NAT functionality, or would we need a separate NAT Gateway?
  2. When we implement the Network Firewall it looks like TLS is offloaded in the firewall. If so, how do we maintain encryption in transit all the way to the EC2 instances?
  3. If what we are proposing is just a really bad idea, please point us in the direction of an alternative architecture that would better serve what we are trying to accomplish.

Happy to answer questions. Thanks in advance for your help!

mb87



Solution

  1. Network Firewall doesn't have a NAT option as of now. It will need to rely on the EC2's own mapped public IP or a NAT Gateway to facilitate internet-bound communication.

  2. "TLS Inspection" (not "offloading") on Network Firewall is an optional feature and is expected to be used when you are hosting a TLS service. E.g.: you are hosting a web application and the certificate (and private key) is added to ACM. For egress access you can do a similar check, but you will need to add a private CA to ACM, and then your EC2 also needs to trust this CA. If it is not a strict requirement, I would recommend avoiding this and sticking to domain/SNI-based rules instead.

  3. You could just make it a simple flat setup where the ingress/egress flow is as below:

     Client Access: Client --[Internet]--> IGW > Network FW > NLB > Targets [EC2]

     API Calls from EC2: EC2 > NAT GW > Network FW > IGW --[Internet]--> Servers

     You will need respective rules to cover flows in both directions.

Net Flow

The setup will be as in the AWS document and one of the deployments explained there: Link
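As an added illustration of the "domain/SNI-based rules" and "rules for both directions" points above (this is not code from the answer or from AWS, just a worked CloudFormation fragment), here are two stateful rule groups for the flat setup: an egress allowlist keyed on TLS SNI / HTTP Host, and an ingress group that passes only client HTTPS toward the NLB. The VPC CIDR 10.0.0.0/16 and the domain api.example.com are assumed placeholders; the firewall policy that references these groups is omitted.

```yaml
Resources:
  # Egress from the EC2 targets (via NAT GW): allow only the API domains the
  # instances actually call, matched on the TLS SNI / HTTP Host header, so no
  # TLS inspection (and no private CA on the instances) is needed.
  EgressDomainAllowList:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: egress-domain-allowlist
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RuleVariables:
          IPSets:
            HOME_NET:                 # assumption: the VPC CIDR; traffic
              Definition:             # from HOME_NET to anywhere else is
                - 10.0.0.0/16         # what the domain list evaluates
        RulesSource:
          RulesSourceList:
            GeneratedRulesType: ALLOWLIST   # anything not listed is dropped
            TargetTypes:
              - TLS_SNI
              - HTTP_HOST
            Targets:
              - api.example.com       # placeholder: a specific host
              - .amazonaws.com        # leading dot: domain and all subdomains

  # Ingress from the IGW: pass client HTTPS to the NLB and its targets, drop
  # any other connection initiated from outside. "flow:to_server" restricts
  # both rules to packets heading toward the server side of a flow, so the
  # responses to the egress connections above are not caught by the drop.
  IngressHttpsOnly:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: ingress-https-only
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RuleVariables:
          IPSets:
            HOME_NET:
              Definition:
                - 10.0.0.0/16         # same assumed VPC CIDR
        RulesSource:
          RulesString: |
            pass tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"client HTTPS to NLB"; flow:to_server; sid:1000001; rev:1;)
            drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"drop other inbound"; flow:to_server; sid:1000002; rev:1;)
```

With the default action order, pass rules are evaluated before drop rules, so the port 443 flow is admitted and everything else initiated from the internet is dropped; both groups still have to be attached to the firewall policy used by the firewall endpoints on the IGW and NAT GW paths.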