Using aws networkfirewall with directconnect
When you want to set up AWS Network Firewall with Direct Connect, you are essentially creating a private pathway between your on-premises network and your AWS VPC, while ensuring that the traffic that passes through it is inspected and filtered by the firewall.
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Direct Connect, on the other hand, bypasses the public internet and establishes a dedicated network connection from your premises to AWS.
Here's an overview of how you might deploy this architecture:
- AWS Direct Connect Connection: the dedicated connection from your on-premises network to AWS.
- AWS Direct Connect Gateway: lets the connection reach multiple VPCs across different AWS regions.
- VPC and Subnet: a Virtual Private Cloud (VPC) within AWS as a private network space to host your AWS resources.
- Network Firewall: deployed into the VPC to filter traffic.
The following TypeScript program demonstrates how to set up a Network Firewall and a Direct Connect connection using Pulumi:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a new VPC for your resources.
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
});

// Create subnets for the VPC. They serve as the firewall's endpoint subnets,
// so keep workloads out of them and place them in different Availability Zones.
const subnetOne = new aws.ec2.Subnet("subnetOne", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
});
const subnetTwo = new aws.ec2.Subnet("subnetTwo", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
});

// Create an AWS Direct Connect Gateway.
const dxGateway = new aws.directconnect.Gateway("myDxGateway", {
    amazonSideAsn: "64512",
});

// Create an AWS Direct Connect Connection.
const dxConnection = new aws.directconnect.Connection("myDxConnection", {
    location: "EqDC2", // Replace with your actual location
    bandwidth: "1Gbps",
});

// A Direct Connect gateway is associated with a virtual private gateway (or a
// transit gateway), not with a VPC ID, so attach a VGW to the VPC first.
const vpnGateway = new aws.ec2.VpnGateway("myVgw", {
    vpcId: vpc.id,
});

// Associate the DX Gateway with the VPC's virtual private gateway.
const dxGatewayAssociation = new aws.directconnect.GatewayAssociation("myDxGatewayAssoc", {
    dxGatewayId: dxGateway.id,
    associatedGatewayId: vpnGateway.id,
});

// Create a Network Firewall Policy.
// (Note this is a minimum example: no rule groups are attached and the default
// actions pass all traffic, so the rules will need to be adjusted for your use case.)
const myFirewallPolicy = new aws.networkfirewall.FirewallPolicy("myFirewallPolicy", {
    firewallPolicy: {
        statelessDefaultActions: ["aws:pass"],
        statelessFragmentDefaultActions: ["aws:pass"],
    },
});

// Create the firewall in the VPC with one endpoint per subnet.
const myFirewall = new aws.networkfirewall.Firewall("myFirewall", {
    vpcId: vpc.id,
    firewallPolicyArn: myFirewallPolicy.arn,
    subnetMappings: [subnetOne, subnetTwo].map(subnet => ({ subnetId: subnet.id })),
});

// Export the IDs of the resources.
export const vpcId = vpc.id;
export const subnetOneId = subnetOne.id;
export const subnetTwoId = subnetTwo.id;
export const dxGatewayId = dxGateway.id;
export const dxConnectionId = dxConnection.id;
export const vpnGatewayId = vpnGateway.id;
export const myFirewallId = myFirewall.id;
export const myFirewallPolicyId = myFirewallPolicy.id;
```
In this program:
- We start by creating a VPC with a couple of subnets to host the network resources.
- The AWS Direct Connect gateway (dxGateway) and connection (dxConnection) are set up to establish a physical connection to AWS.
- After setting up the VPC and Direct Connect, we create an AWS Network Firewall policy, which is a container for the stateless and stateful rule groups and settings that define the firewall's behavior.
- Next, the AWS Network Firewall (myFirewall) itself is created and associated with the VPC and the firewall policy we defined earlier.
- We export the IDs of the created resources so they can be referenced easily, for example when you want to query their attributes or need to connect them with other infrastructure pieces.
Please note the following:
- The location in the Direct Connect connection should be replaced with the actual AWS Direct Connect location you plan to use. This information can be found in the AWS Direct Connect details for your region.
- The firewall rules in this example are minimal, allowing all traffic (aws:pass). In practice, you'll likely have much more complex rules defining exactly what traffic should be allowed or blocked.
- Be aware that creating a Direct Connect connection typically involves coordination with your data center provider and AWS, and it may result in physical hardware being shipped and set up at your data center.
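To show what "more complex rules" looks like in practice, here is an added example that is not part of the original program: plain TypeScript helpers that build the argument objects for aws.networkfirewall.RuleGroup and aws.networkfirewall.FirewallPolicy (a domain allow list plus a policy that forwards everything to the stateful engine) and a small check that flags a policy whose defaults pass all traffic. It imports nothing from Pulumi so it runs offline; the field names are assumed to mirror the Pulumi AWS provider and should be verified against the provider docs for your version. The ARN in the usage comment and test is a constructed placeholder.

```typescript
// Added example, not the original program's code. Field names mirror the Pulumi
// AWS provider's networkfirewall resources (assumption: check your provider version).

export interface RuleGroupReference {
    resourceArn: string;
    priority?: number;
}

export interface FirewallPolicyArgs {
    statelessDefaultActions: string[];
    statelessFragmentDefaultActions: string[];
    statelessRuleGroupReferences?: RuleGroupReference[];
    statefulRuleGroupReferences?: RuleGroupReference[];
}

export interface DomainListRuleGroupArgs {
    capacity: number;
    type: "STATEFUL";
    ruleGroup: {
        rulesSource: {
            rulesSourceList: {
                generatedRulesType: "ALLOWLIST" | "DENYLIST";
                targetTypes: ("HTTP_HOST" | "TLS_SNI")[];
                targets: string[];
            };
        };
    };
}

// Domain entries are bare hostnames ("example.com") or a leading-dot wildcard
// (".example.com") that covers every subdomain.
const DOMAIN_PATTERN = /^\.?(?:[a-z0-9-]+\.)+[a-z0-9-]+$/i;

// Stateful rule group that allows HTTP Host / TLS SNI traffic only to the listed
// domains; other HTTP/TLS traffic is dropped by the generated rules.
export function domainAllowList(domains: string[], capacity = 100): DomainListRuleGroupArgs {
    if (domains.length === 0) {
        throw new Error("allow list must contain at least one domain");
    }
    for (const d of domains) {
        if (!DOMAIN_PATTERN.test(d)) {
            throw new Error(`invalid domain entry: ${d}`);
        }
    }
    const targets = Array.from(new Set(domains.map(d => d.toLowerCase())));
    return {
        capacity,
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                rulesSourceList: { generatedRulesType: "ALLOWLIST", targetTypes: ["HTTP_HOST", "TLS_SNI"], targets },
            },
        },
    };
}

// Policy that sends all packets, fragments included, to the stateful engine and
// attaches the given stateful rule groups.
export function inspectingPolicy(statefulRuleGroupArns: string[]): FirewallPolicyArgs {
    return {
        statelessDefaultActions: ["aws:forward_to_sfe"],
        statelessFragmentDefaultActions: ["aws:forward_to_sfe"],
        statefulRuleGroupReferences: statefulRuleGroupArns.map(resourceArn => ({ resourceArn })),
    };
}

// Report settings that make the firewall a no-op, such as the "aws:pass"
// defaults of the minimal policy above.
export function policyFindings(policy: FirewallPolicyArgs): string[] {
    const findings: string[] = [];
    if (policy.statelessDefaultActions.includes("aws:pass")) {
        findings.push("statelessDefaultActions passes traffic without stateful inspection");
    }
    if (policy.statelessFragmentDefaultActions.includes("aws:pass")) {
        findings.push("statelessFragmentDefaultActions passes fragments without inspection");
    }
    const groups = (policy.statelessRuleGroupReferences?.length ?? 0)
        + (policy.statefulRuleGroupReferences?.length ?? 0);
    if (groups === 0) {
        findings.push("no rule groups referenced; nothing is filtered");
    }
    return findings;
}

// Usage inside the Pulumi program (not executed here):
//   const allowed = new aws.networkfirewall.RuleGroup("allowedDomains",
//       domainAllowList(["api.example.com", ".internal.example"]));
//   new aws.networkfirewall.FirewallPolicy("policy", {
//       firewallPolicy: allowed.arn.apply(arn => inspectingPolicy([arn])),
//   });
```

The allow list generates Suricata rules under the hood, so the capacity must cover the number of domains; the stateless default of aws:forward_to_sfe is what makes the stateful rule group see the traffic at all, which the aws:pass default in the minimal program prevents.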
This code is meant to provide a starting point, and you should customize the resources and properties to fit your specific use case. Always refer to the AWS Pulumi documentation for detailed information about the resources and properties available.