Important: This solution requires the use of AWS CodeCommit, which is no longer available to new customers. Existing customers of AWS CodeCommit can continue using and deploying this AWS Solution as normal.
Overview
Centralized Network Inspection on AWS configures the AWS resources needed to filter network traffic. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon Virtual Private Clouds (Amazon VPCs).
Benefits
This solution allows you to modify rule groups and firewall policies in the configuration package in the AWS CodeCommit repository. Each change automatically invokes AWS CodePipeline to run validation and deployment.
With this solution, you can inspect hundreds or thousands of Amazon VPCs and accounts in one place. You can also centrally configure and manage your AWS Network Firewall, firewall policies, and rule groups.
This solution helps you collaborate on and manage changes to the AWS Network Firewall configuration by using a GitOps workflow.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Step 1
The AWS CloudFormation template deploys an inspection VPC with a total of four subnets. Two of the subnets are used to create transit gateway VPC attachments, and the other two subnets are used to create AWS Network Firewall endpoints.
Step 2
The CloudFormation template creates a new AWS CodeCommit repository and a network firewall configuration that allows all network traffic by default. This template also includes a set of examples to help you create new rule groups.
Step 3
Modifying the configuration package in the CodeCommit repository invokes AWS CodePipeline to run the validation and deployment stages.
Step 4
The solution creates an Amazon VPC route table for each Availability Zone, each with a default route destination. A shared route table for the firewall subnets is also created, with the transit gateway ID as its default route destination.
Step 5
The solution also creates two AWS Key Management Service (AWS KMS) encryption keys. One key is used to encrypt objects in the Amazon Simple Storage Service (Amazon S3) artifact and source code buckets, and the AWS CodeBuild projects. The second key is used to encrypt the Network Firewall log destinations.
Step 6
AWS Identity and Access Management (IAM) roles are created to grant permissions to CodePipeline and CodeBuild stages to access S3 buckets and manage Network Firewall resources.
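The following is an added example, not code from the solution, of the kind of consistency check a validation stage in the pipeline (Step 3) could run on the configuration package before anything is deployed; the package layout it assumes (rule group and firewall policy entries shaped like the CreateRuleGroup and CreateFirewallPolicy API inputs) is a guess, since the solution's own format is not shown here. It flags policies that reference missing or wrongly typed rule groups, duplicate stateless priorities, malformed default actions, and the allow-all starting policy from Step 2 so that it is not promoted unchanged.

```python
# Added example: consistency checks a validation stage could run on a Network Firewall
# configuration package before CodePipeline deploys it. The package layout below is an
# assumption; entries mirror the CreateRuleGroup / CreateFirewallPolicy API inputs.
STATELESS_TERMINAL = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}

def validate_package(package: dict) -> list[str]:
    """Return findings; an empty list means every policy is consistent and deployable."""
    findings = []
    groups = {g["RuleGroupName"]: g for g in package.get("rule_groups", [])}
    for policy in package.get("firewall_policies", []):
        name, body = policy["FirewallPolicyName"], policy["FirewallPolicy"]
        # Each stateless default action list must carry exactly one terminal action.
        for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
            if len(STATELESS_TERMINAL & set(body.get(key, []))) != 1:
                findings.append(f"{name}: {key} needs exactly one terminal action")
        # Referenced rule groups must exist in the package with the matching type (ARN suffix = name).
        refs = [("STATELESS", r) for r in body.get("StatelessRuleGroupReferences", [])]
        refs += [("STATEFUL", r) for r in body.get("StatefulRuleGroupReferences", [])]
        for expected, ref in refs:
            gname = ref["ResourceArn"].rsplit("/", 1)[-1]
            group = groups.get(gname)
            if group is None:
                findings.append(f"{name}: references unknown rule group {gname}")
            elif group.get("Type") != expected:
                findings.append(f"{name}: {gname} is {group.get('Type')}, expected {expected}")
        # Stateless references are evaluated by priority, so priorities must be unique.
        prios = [r["Priority"] for r in body.get("StatelessRuleGroupReferences", [])]
        if len(prios) != len(set(prios)):
            findings.append(f"{name}: duplicate stateless priorities {prios}")
        # The solution's starting policy allows all traffic; flag any policy that still does.
        if not refs and "aws:drop" not in body.get("StatelessDefaultActions", []):
            findings.append(f"{name}: no rule groups and no drop default (allows all traffic)")
    return findings

# Constructed sample package: the allow-all starting policy next to an inspecting one.
SAMPLE_PACKAGE = {
    "rule_groups": [{"RuleGroupName": "block-telnet", "Type": "STATEFUL", "Capacity": 10,
                     "RuleGroup": {"RulesSource": {"RulesString": "drop tcp any any -> any 23 (sid:1;)"}}}],
    "firewall_policies": [
        {"FirewallPolicyName": "allow-all", "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:pass"], "StatelessFragmentDefaultActions": ["aws:pass"]}},
        {"FirewallPolicyName": "inspect", "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn":
                "arn:aws:network-firewall:us-east-1:111111111111:stateful-rulegroup/block-telnet"}]}},
    ],
}
```

Running `validate_package(SAMPLE_PACKAGE)` reports only the allow-all policy; wiring it into the validation stage would block a commit that still carries that default.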