Define firewall rules between elastic and dynamic AWS resources easily and efficiently, without needing to know in advance which IP addresses the cloud will dynamically allocate.
No longer create firewall rules that cover entire AWS accounts, VPCs, subnets, or Classless Inter-Domain Routing (CIDR) blocks: firewall rules instead reference simple objects that you define and manage.
Firewall rules no longer require constant manual maintenance, because AWS Network Firewall is automatically and continually configured to allow only the relevant flows, based on the current configuration of the referenced AWS resources. Rules are pruned when elastic resources no longer exist and synchronized when cloud resources are redeployed.
Create dynamic objects and rules via APIs and validate such requests against organizational policy-as-code and/or security approval processes.
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.
Amazon API Gateway provides the primary interface for users to interact with this solution, including endpoints to manage the domain entities and to list audit information. Domain entities include rule, object, and rule bundle.
Step 3 (Optional)
When enableOpa = true, a Lambda function invokes the ECS-hosted OPA cluster to validate the request based on its context. For example, the Lambda function can validate whether the requester is allowed to perform the CreateObject action.
An Amazon EventBridge rule is scheduled to invoke the Auto Config Lambda function. The frequency is based on the ruleResolutionInterval configuration; the default value is 10 minutes.
The auto config Lambda function requests domain entity data such as rule bundle, rule, and object from Amazon DynamoDB.
The auto config Lambda function queries the AWS Config aggregator to resolve the defined objects referenced by rules in the solution.
The auto config Lambda function sends an update request to AWS Network Firewall.
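The resolution loop the auto config steps above describe, as an added illustrative example in Python (not the solution's own code): hypothetical tag-based objects and rules are resolved against a constructed inventory snapshot standing in for the AWS Config aggregator result, rendered as Suricata-compatible pass rules for AWS Network Firewall, and pruned when an object no longer matches any resource. The object and rule shapes, the inventory records and the sid numbering are all assumptions made for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample inventory, standing in for what a query of the AWS Config
# aggregator would return (resource ids, private IPs and tags).
INVENTORY = [
    {"id": "i-0aaa", "ips": ["10.0.1.15"], "tags": {"app": "web"}},
    {"id": "i-0bbb", "ips": ["10.0.1.16"], "tags": {"app": "web"}},
    {"id": "i-0ccc", "ips": ["10.0.2.40"], "tags": {"app": "db"}},
]

# Hypothetical object definitions: each object selects resources by one tag.
OBJECTS = {
    "web-tier": ("app", "web"),
    "db-tier": ("app", "db"),
    "batch-tier": ("app", "batch"),  # its resources no longer exist
}

# Hypothetical rules that reference objects instead of IPs or CIDR blocks.
RULES = [
    {"id": "web-to-db", "src": "web-tier", "dst": "db-tier", "port": 5432},
    {"id": "batch-to-db", "src": "batch-tier", "dst": "db-tier", "port": 5432},
]


def resolve_object(selector: Tuple[str, str], inventory: List[dict]) -> List[str]:
    """Return the IPs (numerically sorted) of every resource carrying the tag."""
    key, value = selector
    ips = (ip for r in inventory if r["tags"].get(key) == value for ip in r["ips"])
    return sorted(ips, key=ipaddress.ip_address)


def render_rules(rules, objects, inventory) -> Tuple[List[str], List[str]]:
    """Render Suricata-style pass rules; prune rules whose objects match nothing.

    Returns (rendered rule lines, ids of pruned rules). Re-running with a fresh
    inventory re-synchronizes the address lists after a redeployment.
    """
    rendered, pruned = [], []
    for i, rule in enumerate(rules, start=1):
        src = resolve_object(objects[rule["src"]], inventory)
        dst = resolve_object(objects[rule["dst"]], inventory)
        if not src or not dst:
            pruned.append(rule["id"])  # never emit an empty address list
            continue
        rendered.append(
            f'pass tcp [{",".join(src)}] any -> [{",".join(dst)}] {rule["port"]} '
            f'(msg:"{rule["id"]}"; sid:{1000000 + i}; rev:1;)'
        )
    return rendered, pruned


if __name__ == "__main__":
    lines, dropped = render_rules(RULES, OBJECTS, INVENTORY)
    print("\n".join(lines), "\npruned:", dropped)
```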
Note: Before you launch the solution in the AWS Management Console, ensure that you meet the prerequisites in the implementation guide.