AWS Network Firewall for Multi-Account Setups

Explore AWS Network Firewall's deployment models, security features, and compliance strategies for effective multi-account management in the UK.

AWS Network Firewall is a managed service that protects your AWS infrastructure, offering centralised and distributed deployment options for multi-account environments. It’s scalable, supports compliance like UK GDPR, and simplifies security management with tools like AWS Firewall Manager.

Key Highlights:

  • Deployment Models: Choose from distributed, centralised, or combined setups based on traffic patterns, network size, and budget.
  • Security Features: Stateful inspection, URL/IP filtering, intrusion prevention, and more.
  • UK SMB Benefits: Meets GDPR requirements, isolates workloads, and offers detailed cost tracking.
  • Cost Management: Use centralised designs, free VPC endpoints, and efficient logging to reduce expenses.

Quick Comparison of Deployment Models:

| Feature             | Distributed      | Centralised                 | Combined  |
|---------------------|------------------|-----------------------------|-----------|
| East-West Traffic   | Not supported    | Supported                   | Supported |
| North-South Traffic | Supported        | Supported                   | Supported |
| Cost Structure      | Low per endpoint | High (Transit Gateway fees) | Mixed     |
| Complexity          | Low              | High                        | Medium    |

AWS Network Firewall ensures scalable security for UK businesses, helping manage costs while meeting compliance standards. Whether you’re a small business or scaling rapidly, it’s a flexible solution for protecting your AWS environment.

AWS re:Inforce 2022 - Deploying AWS Network Firewall at scale: athenahealth's journey (NIS308)

Requirements Before Setting Up AWS Network Firewall

Before rolling out AWS Network Firewall across multiple accounts, it's essential to establish a strong foundation. This involves setting up an organised structure, implementing robust security measures, and adhering to UK-specific compliance requirements.

Setting Up AWS Organisations and Security Baselines

AWS Organisations

AWS Organisations is the cornerstone of any multi-account setup. Begin by creating a single AWS Organisation and structuring accounts based on workloads. For instance, production workloads should be isolated under top-level organisational units (OUs) dedicated to specific tasks, while test and development accounts are kept separate. This separation not only simplifies policy enforcement but also helps maintain GDPR compliance by creating clear boundaries.

To secure the root account, ensure credentials are protected, use a shared email address for notifications, and enable multi-factor authentication (MFA). A group email ensures critical AWS notifications reach the appropriate team members. Implement MFA across all administrative accounts to guard against unauthorised access. Additionally, develop a consistent tagging strategy for all resources. This supports cost tracking, compliance reporting, and efficient resource management. For streamlined governance and pre-configured security baselines, AWS Control Tower is a helpful tool for setting up and managing multi-account environments.

IAM and Permission Requirements

Once the organisational structure is in place, focus on securing account access with strong Identity and Access Management (IAM) settings. Instead of relying on the root account, create dedicated administrative IAM users with the necessary permissions. Securing the root user and enabling MFA are critical steps to enhance account security.

Use AWS IAM Identity Center (formerly AWS Single Sign-On) to manage user access centrally across multiple accounts. For AWS Network Firewall, a service-linked role (AWSServiceRoleForNetworkFirewall) is automatically created, simplifying the permissions setup process.

Adopt the principle of least privilege by customising AWS managed policies to fit specific use cases. Further refine access control by adding conditions to IAM policies and validating them with IAM Access Analyzer before deployment. For UK SMBs handling personal data under GDPR, implementing MFA for all administrative accounts is especially important. AWS Network Firewall also supports attribute-based access control (ABAC), allowing permissions to be tailored using resource tags for more precise control.

UK Compliance and Cost Requirements

With your organisational and IAM configurations ready, the next step is to address compliance and cost concerns unique to the UK. Since the UK has incorporated GDPR into its domestic law (referred to as UK GDPR), ensure your firewall setup supports robust data protection. AWS provides a UK GDPR-compliant addendum to its Data Processing Addendum (DPA); confirm this addendum is in place for accounts handling personal data.

Firewall rules should align with data localisation requirements, ensuring sensitive information remains within approved geographic boundaries. For UK SMBs, setting cost allocation tags by unit is crucial to monitor Network Firewall expenses in GBP.

Leverage AWS Security Hub to centralise and prioritise security and compliance findings, giving you a comprehensive view of your security posture. Configure billing alerts in GBP to track expenses, as charges depend on the number of firewall endpoints and data processing volumes.

AWS Firewall Manager is a valuable tool for centrally managing firewall policies across multiple accounts. It simplifies compliance reporting and ensures consistent security policies. Additionally, verify that your VPC configuration supports symmetric routing to enable accurate traffic classification and filtering. Carefully plan your logging strategy - for example, place an alert rule before the corresponding pass rule so that allowed traffic is logged as well as blocked traffic - to create detailed audit trails that meet UK regulatory standards.

AWS Network Firewall Deployment Options for Multi-Account Environments

When planning your AWS Network Firewall deployment, selecting the right model for your multi-account setup is critical. This decision influences your security measures, operational complexity, and overall costs. Below, we break down the key deployment models and their unique features to help you make an informed choice.

Distributed vs Centralised Deployment Models

AWS Network Firewall provides three main deployment options: distributed, centralised, and a combined (hybrid) model. Each is tailored to different traffic patterns and organisational needs.

Distributed deployment places a separate AWS Network Firewall instance within each VPC. This setup ensures strong isolation, as each VPC maintains its own firewall with dedicated rules and policies. It's particularly effective for inspecting North-South traffic (traffic between your VPCs and the internet). However, it doesn't support East-West traffic (VPC-to-VPC communication).

Centralised deployment relies on a dedicated inspection VPC combined with AWS Transit Gateway to manage traffic across accounts. This model enables inspection of both East-West and North-South traffic, making it suitable for environments with complex inter-VPC communication. It centralises firewall management and requires an AWS Transit Gateway, offering a single control point for firewall policies.

The combined model incorporates elements of both approaches. It uses a central inspection VPC for East-West traffic while deploying distributed firewalls for handling internet ingress. This hybrid approach is ideal for organisations with diverse traffic patterns and varying security needs across their VPCs.

| Deployment Model                  | Distributed                 | Centralised                                                                  | Combined                                                         |
|-----------------------------------|-----------------------------|------------------------------------------------------------------------------|------------------------------------------------------------------|
| East-West Traffic (VPC to VPC)    | Not supported               | Supported                                                                    | Supported                                                        |
| North-South Traffic (Internet)    | Supported                   | Supported                                                                    | Supported                                                        |
| North-South Traffic (On-premises) | Not supported               | Supported                                                                    | Supported                                                        |
| Prerequisites                     | AWS Network Firewall subnet | Inspection VPC and AWS Transit Gateway                                       | AWS Network Firewall subnets; Inspection VPC and Transit Gateway |
| Management Approach               | AWS Firewall Manager        | Single AWS Network Firewall instance                                         | AWS Firewall Manager                                             |
| Source IP Visibility              | Configuration dependent     | Yes                                                                          | Configuration dependent                                          |
| Misconfiguration Risk             | Lowest                      | Medium                                                                       | Low                                                              |
| Cost Structure                    | Costs per firewall endpoint | Costs for Transit Gateway attachments, firewall endpoints, and data processing | Combined costs of both approaches                              |

Security isolation varies across these models. The distributed model offers the smallest blast radius, containing issues within individual VPCs. In contrast, the centralised model brings a moderate risk due to its shared inspection point. The combined approach balances these risks with selective deployments.

How to Choose the Right Model for Your Business

To decide which deployment model fits your needs, consider these factors:

  • Traffic patterns: If your focus is internet-bound traffic, distributed deployment is a good match. For environments with significant inter-VPC communication, centralised or combined models are better options.
  • Network size and complexity: Smaller organisations with fewer VPCs may find distributed deployment easier to manage. Larger, more complex networks benefit from centralised management.
  • Compliance requirements: For example, meeting UK GDPR requirements might favour centralised deployment due to its ability to provide detailed logging and streamlined audit trails.
  • Budget: Distributed deployment incurs costs for each firewall endpoint, whereas centralised deployment adds expenses for Transit Gateway and data processing.
  • Technical expertise: Distributed deployments are simpler to manage, while centralised setups demand a deeper understanding of Transit Gateway and VPC architectures.
  • Future growth: Organisations expecting rapid expansion or acquisitions may prefer centralised deployment for its scalability and standardised policy management.

If you're unsure about your long-term needs, consider a phased approach. Start with a distributed setup for immediate security and gradually transition to a centralised model as your organisation grows. This strategy allows you to build operational expertise while maintaining effective security coverage.

Once you've chosen the right model, you can move on to configuring AWS Network Firewall, as described in the next section.

How to Configure AWS Network Firewall Step-by-Step

Now that you've chosen your deployment model, it's time to set up AWS Network Firewall for your multi-account environment. This process involves creating rule groups and firewall policies, deploying firewall endpoints, and managing everything centrally across your organisation.

Creating and Linking Firewall Policies and Rule Groups

To start, you'll need rule groups as the foundation for your firewall policy. AWS Network Firewall uses two types of rule groups: stateless (for basic packet filtering) and stateful (for connection tracking and deep packet inspection).

Head to the AWS Management Console to create your firewall policy. In the Amazon VPC console, navigate to Network Firewall and select Firewall policies. Click Create firewall policy, and give it a clear, descriptive name that reflects its purpose in your multi-account setup.

While setting up, configure your stream exception policy and decide on stateless default actions, such as whether fragmented packets should be treated like full packets. For stateful rules, you’ll need to choose between strict processing or action order processing, as this affects both performance and rule effectiveness.

When adding rule groups, start with stateless groups for basic filtering, then layer in stateful groups for deeper inspection. If you’re using multiple stateless rule groups, arrange their processing order carefully, as the sequence determines precedence.

To share firewall resources across accounts, use AWS Resource Access Manager. You can share these resources with specific AWS accounts, organisational units, or your entire organisation through AWS Organisations. Keep in mind that firewall policies configured with TLS inspection cannot be shared. For consistent placement, always use Availability Zone IDs, not names, when sharing resources.
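As an added illustration (not code from the original post or from AWS), the request bodies a strict-order stateful rule group and its firewall policy take, built as plain Python dicts in the shapes boto3's create_rule_group and create_firewall_policy accept, with $HOME_NET covering the multi-account CIDRs and a check that every pass rule is preceded by an alert rule on the same tuple so allowed traffic is still logged. The rule group name, ARN, CIDRs and Suricata rules are constructed for the example; nothing here calls AWS.

```python
import re

# Constructed: one CIDR per member-account VPC plus the on-premises range,
# all of which must be in $HOME_NET for internal traffic to be classified.
HOME_NET_CIDRS = ["10.10.0.0/16", "10.20.0.0/16", "192.168.0.0/16"]

# Constructed Suricata-compatible rules. In STRICT_ORDER the engine evaluates
# them top to bottom, so the alert on outbound DNS fires before the pass rule
# allows the flow and the allowed traffic still lands in the alert log.
STATEFUL_RULES = "\n".join([
    'alert udp $HOME_NET any -> any 53 (msg:"log outbound DNS"; sid:1000001; rev:1;)',
    'pass udp $HOME_NET any -> any 53 (msg:"allow outbound DNS"; sid:1000002; rev:1;)',
    'drop tcp $HOME_NET any -> any 23 (msg:"block telnet"; sid:1000003; rev:1;)',
])

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|drop|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+).*?sid:(?P<sid>\d+)"
)


def rule_group_spec(name, rules, cidrs, capacity=100):
    """Request body for create_rule_group: stateful, strict order, $HOME_NET set."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(cidrs)}}},
            "RulesSource": {"RulesString": rules},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def firewall_policy_spec(name, rule_group_arn):
    """Request body for create_firewall_policy referencing the rule group.

    Stateless defaults send full and fragmented packets alike to the stateful
    engine; mid-stream flows it cannot track are dropped; anything no rule
    matches is dropped and logged.
    """
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": 1}],
            "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER", "StreamExceptionPolicy": "DROP"},
            "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        },
    }


def unlogged_pass_rules(rules):
    """Return sids of pass rules with no earlier alert rule on the same tuple.

    A pass rule stops strict-order evaluation, so an alert placed after it
    never fires and the allowed traffic leaves no audit trail.
    """
    alerted = set()
    unlogged = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        if m["action"] == "alert":
            alerted.add(key)
        elif m["action"] == "pass" and key not in alerted:
            unlogged.append(int(m["sid"]))
    return unlogged
```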

Once your policies are ready, the next step is to deploy firewall endpoints and configure routing to provide comprehensive protection.

Setting Up Firewall Endpoints and Configuring Routing

Firewall endpoints act as the connection points between your VPCs and AWS Network Firewall. Deploy these endpoints in every Availability Zone to ensure high availability.

AWS Network Firewall supports multiple VPC endpoints per firewall, allowing you to scale deployments across different Amazon Virtual Private Clouds. You can associate up to 50 VPC endpoints per Availability Zone with each firewall, making it suitable for complex architectures.

For centralised deployments using AWS Transit Gateway, you can create VPC endpoint associations to extend firewall protection to VPCs beyond your primary protected VPC. This setup enables traffic from multiple accounts to pass through a centralised inspection VPC.

Update your VPC route tables to direct traffic through the firewall endpoints. Enable appliance mode on AWS Transit Gateway attachments to ensure symmetric routing and prevent traffic from bypassing security controls.

Additionally, expand the $HOME_NET variable to include all CIDR ranges from your VPCs and on-premises networks. This ensures stateful rules can correctly identify internal traffic patterns across your multi-account setup.

If you're using AWS Control Tower, automation can simplify endpoint deployment. For instance, a Lambda function in your management account can listen for CreateManagedAccount lifecycle events and automatically configure the necessary routing associations.

Managing Rules Across Accounts with AWS Firewall Manager

After setting up firewall policies and endpoints, streamline rule management with AWS Firewall Manager. This service simplifies policy management across your organisation, removing the need to configure each account individually.

Appoint a Firewall Manager administrator to deploy organisation-wide policies and automatically apply them to new accounts. This administrator can create policies that enforce baseline security rules, such as blocking malicious IP addresses, restricting high-risk ports, or implementing your organisation’s security standards. Attach these rules to a Firewall Manager policy that covers all relevant accounts and resources.

AWS Firewall Manager now allows multiple administrators, offering more flexibility. For example, default administrators can define baseline security policies, while application teams manage their specific rules under separate administrator accounts. This approach balances centralised governance with operational flexibility.

Member accounts can also add their own rules to web ACLs created by the administrator. This allows unique application requirements to be met while maintaining compliance with organisational standards.

Firewall Manager integrates seamlessly with AWS Control Tower lifecycle events, automatically configuring routing associations for new accounts. This ensures that both security policies and network connectivity are in place as soon as an account becomes active.

For UK small and medium-sized businesses (SMBs) navigating compliance requirements, Firewall Manager’s centralised monitoring provides a clear view of security events across all accounts. This simplifies audits and helps with regulatory reporting, offering peace of mind in managing security across your organisation.

Best Practices and Cost Control for UK SMBs

Using AWS Network Firewall across multiple accounts can help UK small and medium-sized businesses (SMBs) achieve strong security while keeping costs in check. For SMBs balancing tight budgets with the need for robust protection, careful planning and optimisation are key to long-term success.

Security Best Practices for AWS Network Firewall

Start by implementing least privilege access for IAM permissions and reviewing them regularly. As your organisation grows and changes, permissions that were once necessary may no longer be appropriate, so periodic audits are essential.

Set up a routine schedule to review and update your firewall policies. Security threats evolve rapidly, and rules that worked six months ago might not be sufficient today. Monthly reviews of your stateful and stateless rule groups can help you remove outdated rules and add new ones to address emerging risks.

Enable detailed flow and alert logging to maintain visibility across your multi-account setup. Flow logs provide insights into traffic patterns, while alert logs offer stateful inspection data, which is critical for responding to incidents.

"Set the alert rule to be evaluated before the pass rule to log allowed traffic".
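To show what the alert logs give you once an alert rule sits before the pass rule, here is an added example (not from the original post or from AWS) that parses newline-delimited Network Firewall alert records, tolerates truncated lines, counts hits per signature and action, and lists internal sources that were blocked repeatedly. The firewall name, addresses, signature ids and timestamps in the sample records are constructed; the record layout follows the alert log's firewall_name / availability_zone / event_timestamp envelope around a Suricata-style event.

```python
import json
from collections import Counter


def _rec(src, dst, dport, proto, action, sid, sig, ts):
    """One constructed record in the alert log layout (all values made up)."""
    return {
        "firewall_name": "nfw-inspection", "availability_zone": "eu-west-2a",
        "event_timestamp": ts,
        "event": {
            "timestamp": f"2023-11-14T22:13:{ts % 60:02d}.000000+0000",
            "flow_id": ts, "event_type": "alert",
            "src_ip": src, "src_port": 51000, "dest_ip": dst, "dest_port": dport,
            "proto": proto,
            "alert": {"action": action, "signature_id": sid, "rev": 1,
                      "signature": sig, "category": "", "severity": 3},
        },
    }


# Constructed sample: one allowed DNS flow logged by an alert-before-pass rule,
# then repeated telnet attempts blocked by a drop rule.
SAMPLE_ALERT_LOG = "\n".join(json.dumps(r) for r in [
    _rec("10.10.1.25", "198.51.100.7", 53, "UDP", "allowed", 1000001, "log outbound DNS", 1700000000),
    _rec("10.20.3.9", "203.0.113.4", 23, "TCP", "blocked", 1000003, "block telnet", 1700000001),
    _rec("10.20.3.9", "203.0.113.5", 23, "TCP", "blocked", 1000003, "block telnet", 1700000002),
    _rec("10.10.1.25", "203.0.113.9", 23, "TCP", "blocked", 1000003, "block telnet", 1700000003),
])


def parse_alert_log(text):
    """Flatten newline-delimited alert records; skip truncated or non-alert lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a cut-off line should not abort the whole batch
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        records.append({
            "firewall": rec.get("firewall_name"),
            "az": rec.get("availability_zone"),
            "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
            "dest_port": ev.get("dest_port"), "proto": ev.get("proto"),
            "action": alert.get("action"), "sid": alert.get("signature_id"),
            "signature": alert.get("signature"),
        })
    return records


def summarise(records, repeat_threshold=2):
    """Count hits per (sid, action) and list sources blocked at least N times."""
    by_signature = Counter((r["sid"], r["action"]) for r in records)
    blocked_by_src = Counter(r["src_ip"] for r in records if r["action"] == "blocked")
    repeat = sorted(ip for ip, n in blocked_by_src.items() if n >= repeat_threshold)
    return {
        "by_signature": dict(by_signature),
        "blocked_by_src": dict(blocked_by_src),
        "repeat_blocked_sources": repeat,
    }
```

The same functions work unchanged on records read back from the S3 or CloudWatch destinations discussed later, since both deliver one JSON object per line.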

Use DNS Firewall to block malicious domains at the DNS layer. This step acts as a first line of defence, stopping harmful traffic before it even reaches your Network Firewall endpoints. Not only does this reduce security risks, but it also cuts down on processing costs.

To minimise data transfer charges, configure your route tables so traffic is directed to the local Network Firewall endpoint instead of endpoints in other Availability Zones. This ensures consistent security policies while keeping costs under control.

Cost Management and Reduction Tips

For UK SMBs, managing expenses is as important as maintaining security. AWS Network Firewall costs can add up quickly, especially when deployed across multiple accounts. Key charges include endpoint fees at £0.30 per hour and traffic processing costs of £0.05 per GB.

One way to reduce costs is by adopting a centralised inspection design using Transit Gateway. Instead of deploying separate firewalls in each account, route all traffic through a central inspection VPC. This approach lowers the number of endpoints needed across your organisation.

"Reduce the number of Network Firewall endpoints by leveraging a centralised inspection design and Transit Gateway (TGW)".

Segment your network with Transit Gateway route tables to avoid unnecessary traffic going through the Network Firewall. For instance, internal communications between trusted services often don't require deep packet inspection, allowing you to bypass the firewall without compromising security.

Where possible, use free VPC endpoints for AWS services like S3 and DynamoDB. Routing this traffic outside the Network Firewall eliminates processing costs and avoids potential bottlenecks.

When it comes to log storage, choose appropriate log types to cut costs. If detailed flow logs aren’t essential, consider enabling only alert logs to reduce CloudWatch storage expenses. For long-term storage, move logs to Amazon S3, which is more cost-effective.

"Move logs that need to be preserved long-term or for compliance from CloudWatch to Amazon S3".

Use Cost Explorer to monitor your AWS spending in GBP. Set up billing alerts to avoid overspending, and apply cost allocation tags to organise firewall costs by department or project. This approach provides clear visibility into expenses and supports multi-account strategies by enabling better cost tracking and optimisation.

Carefully plan your logging architecture, as costs can vary depending on the tools you use:

| Logging Pattern                   | Cost Multiple | Best For                       | Considerations              |
|-----------------------------------|---------------|--------------------------------|-----------------------------|
| Amazon S3, Athena, QuickSight     | 1x            | Long-term storage and analysis | Requires analytics skills   |
| Amazon CloudWatch                 | 1.8x          | Real-time monitoring           | Higher storage costs        |
| Kinesis Data Firehose, OpenSearch | 2.7x+         | Rapid incident response        | Requires cluster management |

Additional Resources for UK SMBs

For more detailed advice, UK SMBs can explore resources designed to address local compliance needs and cost-saving strategies. The AWS Optimisation Tips, Costs & Best Practices for Small and Medium Sized Businesses blog is a great starting point. It offers expert guidance on AWS cost management, security implementation, and automation tailored for SMBs.

Regularly engaging with AWS cost optimisation resources can help you stay informed about new pricing models and discounts. For predictable usage, consider Savings Plans or Reserved Instances to lower costs. Additionally, automated resource management ensures you’re not paying for unused firewall endpoints during off-peak times.

Finally, track the lifecycle of your firewall resources by tagging them with project timelines. This helps identify configurations that are no longer useful, especially in multi-account setups where resources can easily be overlooked.

Conclusion

AWS Network Firewall brings together a range of effective security measures, making it an appealing option for UK SMBs seeking advanced protection without the burden of extra operational complexity. It provides a scalable and cost-conscious solution, perfectly suited for businesses that are growing and need dependable security.

With automatic scaling to handle varying traffic levels and a 99.99% uptime, it ensures your security remains consistent and reliable across multiple accounts.

The use of AWS Transit Gateway for centralised management not only simplifies operations but also helps reduce costs by routing all traffic through a single inspection point. This approach ensures thorough security coverage while keeping expenses manageable.

Customisable security rules allow businesses to meet specific compliance requirements, whether it’s safeguarding sensitive customer information, securing AWS Direct Connect traffic, or controlling outbound communications. The firewall evolves to meet changing needs.

Additionally, integrating with AWS Firewall Manager makes it easier to deploy and manage security policies across all accounts, allowing businesses to maintain robust protection as they scale.

FAQs

What are the differences between distributed, centralised, and hybrid deployment models for AWS Network Firewall in multi-account environments?

In a distributed deployment, AWS Network Firewall is set up within each individual VPC. This gives you fine-grained control over security policies tailored to specific needs. The downside? Managing multiple firewalls across various accounts can quickly become complex and time-consuming.

A centralised deployment, on the other hand, brings all firewall management into a single inspection VPC. This setup simplifies policy enforcement and makes oversight easier. However, it does come with a trade-off: all traffic is funnelled through a central point, which could create potential bottlenecks.

The hybrid model blends the best of both worlds. Firewalls are deployed across multiple VPCs while still maintaining a central inspection point. This approach strikes a balance between security, performance, and ease of management, making it a versatile choice for many organisations.

How does AWS Network Firewall help businesses in the UK meet GDPR compliance, and what key features make this possible?

AWS Network Firewall supports businesses in the UK in meeting GDPR compliance by offering centralised policy management, detailed logging, and real-time monitoring. These capabilities help strengthen data protection, manage access controls effectively, and ensure thorough audit trails - key elements for adhering to UK GDPR standards.

The service works effortlessly with AWS Firewall Manager, allowing businesses to enforce security policies consistently across multiple accounts. This uniform application of security measures helps minimise the risk of compliance oversights. Additional features, such as traffic filtering and automated rule updates, further enhance secure and GDPR-compliant data management.

How can small and medium-sized businesses in the UK manage costs when using AWS Network Firewall across multiple accounts?

UK small and medium-sized businesses (SMBs) can keep AWS Network Firewall costs under control by leveraging AWS Organisations for consolidated billing. This feature offers a straightforward way to track all account expenses in one place. Adding resource tagging to your setup allows for precise tracking and accountability of costs tied specifically to your firewall usage.

Another smart move is setting up budgets and alerts. These tools let you monitor spending in real time, helping to avoid any surprise charges.

For easier account management, AWS Control Tower can simplify the process of setting up and governing multiple accounts. Additionally, make it a habit to check your cost and usage reports. These reports can highlight areas where you might optimise, such as tweaking firewall rules or scaling configurations to better align with your requirements. Not only do these steps help manage costs, but they also enhance the security and compliance of your AWS setup.