Ensure All Network Firewall Firewalls Are Deployed Across Multiple Availability Zones (AZs)
Profile Applicability:
- Level 1
Description:
AWS Network Firewall is a managed network security service that protects your Amazon Virtual Private Cloud (VPC) from unwanted or malicious traffic. To ensure high availability and fault tolerance, it is recommended to deploy AWS Network Firewall across multiple Availability Zones (AZs). This SOP ensures that all deployed Network Firewalls are distributed across multiple AZs, providing redundancy and minimizing the risk of service disruption due to a single AZ failure.
Rationale:
High Availability: Deploying Network Firewalls across multiple AZs ensures that traffic is continuously inspected and protected even if one AZ experiences a failure.
Fault Tolerance: In case of a failure or issue in one AZ, traffic will still be routed through a different AZ where the firewall is operational, ensuring continuous protection for the VPC.
Disaster Recovery: Multi-AZ deployment increases the overall reliability and availability of security resources, minimizing the risk of service downtime.
Compliance: Some compliance frameworks require high availability and fault tolerance for security services. Ensuring that Network Firewalls are deployed across multiple AZs helps meet these regulatory requirements.
Impact:
Pros:
Enhanced Availability: Network Firewalls deployed across multiple AZs provide uninterrupted security services in case one AZ fails.
Resilience: The service can automatically recover from a failure in one AZ without affecting overall network security.
Reduced Risk: Multi-AZ deployment ensures that a single AZ failure does not expose the VPC to unprotected traffic, reducing the risk of attacks or data breaches.
Cons:
Cost: Deploying AWS Network Firewall across multiple AZs may incur higher costs, as resources are used in more than one AZ.
Configuration Complexity: Multi-AZ deployments may require additional configuration and management, increasing complexity.
Default Value:
By default, AWS Network Firewall is not deployed across multiple AZs. You need to manually configure the firewall to ensure multi-AZ deployment.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeVpcs
ec2:DescribeSubnets
network-firewall:DescribeFirewall
network-firewall:CreateFirewall
network-firewall:AssociateSubnets
network-firewall:DisassociateSubnets
AWS CLI installed and configured.
Basic understanding of VPC, Availability Zones, and AWS Network Firewall configuration.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Network Firewall under Services.
In the Network Firewall Console, go to the Firewalls section.
Select the Firewall you want to check.
In the Firewall Details, check the Availability Zone of each subnet associated with the firewall.
The firewall should have an associated subnet in more than one AZ for a multi-AZ deployment; two subnets in the same AZ do not count.
If the firewall is only deployed in one AZ, proceed with enabling multi-AZ deployment as outlined in the Implementation Steps below.
Using AWS CLI:
To describe the Firewall and check its AZ deployment, run the following command:
aws network-firewall describe-firewall --firewall-arn <firewall-arn>
In the output, check the subnets listed under SubnetMappings and the Availability Zones keyed under FirewallStatus.SyncStates. Ensure that the firewall has subnet mappings in more than one AZ and that the endpoint in each AZ reports READY.
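The CLI check above, as an added example that is not part of the original SOP: it evaluates a describe-firewall response together with describe-subnets output, resolving each mapped subnet to its AZ so that two subnets in the same AZ are not mistaken for a multi-AZ deployment. The sample responses are constructed and trimmed to the fields the check needs; the subnet IDs, VPC ID and firewall name are placeholders.

```python
import copy

# Constructed sample of `aws network-firewall describe-firewall` output (not from a real account).
DESCRIBE_FIREWALL = {
    "Firewall": {
        "FirewallName": "example-fw",
        "VpcId": "vpc-0example",
        "SubnetMappings": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}],
    },
    "FirewallStatus": {
        "Status": "READY",
        # SyncStates is keyed by AZ; each AZ's endpoint reports its own attachment status.
        "SyncStates": {
            "us-east-1a": {"Attachment": {"SubnetId": "subnet-0aaa", "Status": "READY"}},
            "us-east-1b": {"Attachment": {"SubnetId": "subnet-0bbb", "Status": "READY"}},
        },
    },
}

# Constructed sample of `aws ec2 describe-subnets` output for the same VPC.
DESCRIBE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1a"},  # same AZ as subnet-0aaa
]}


def firewall_azs(describe_firewall, describe_subnets):
    """Distinct AZs the firewall has a subnet mapping in, resolved via describe-subnets."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in describe_subnets["Subnets"]}
    azs = set()
    for m in describe_firewall["Firewall"].get("SubnetMappings", []):
        sid = m["SubnetId"]
        if sid not in subnet_az:  # stale mapping, or subnet list from the wrong region/account
            raise KeyError(f"subnet {sid} not present in describe-subnets output")
        azs.add(subnet_az[sid])
    return sorted(azs)


def ready_azs(describe_firewall):
    """AZs whose firewall endpoint reports READY in FirewallStatus.SyncStates."""
    states = describe_firewall.get("FirewallStatus", {}).get("SyncStates", {})
    return sorted(az for az, s in states.items() if s.get("Attachment", {}).get("Status") == "READY")


def is_multi_az(describe_firewall, describe_subnets):
    """Compliant only if at least two distinct AZs are mapped and every mapped AZ is READY."""
    mapped = firewall_azs(describe_firewall, describe_subnets)
    return len(mapped) >= 2 and mapped == ready_azs(describe_firewall)


def with_subnets(describe_firewall, *subnet_ids):
    """Copy of a describe-firewall response with different subnet mappings (for what-if checks)."""
    fw = copy.deepcopy(describe_firewall)
    fw["Firewall"]["SubnetMappings"] = [{"SubnetId": s} for s in subnet_ids]
    return fw
```

Run it against real output by saving the two CLI responses to JSON and loading them in place of the constructed samples.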
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Network Firewall.
In the Network Firewall Console, select Firewalls.
Select the Firewall you want to configure.
In the Firewall Details, click Edit and navigate to the Firewall Subnet section.
Ensure that the firewall has an associated subnet in more than one Availability Zone.
If the firewall is only deployed in one AZ, add a subnet from a different AZ to the firewall's subnet associations.
Click Save to apply the changes and deploy the firewall across multiple AZs.
Using AWS CLI:
To create a Network Firewall in multiple AZs, pass one subnet from each AZ in --subnet-mappings:
aws network-firewall create-firewall \
  --firewall-name <firewall-name> \
  --firewall-policy-arn <firewall-policy-arn> \
  --vpc-id <vpc-id> \
  --subnet-mappings SubnetId=<subnet-in-az1> SubnetId=<subnet-in-az2>
If the firewall already exists, associate a subnet in an additional AZ with it:
aws network-firewall associate-subnets \
  --firewall-arn <firewall-arn> \
  --subnet-mappings SubnetId=<subnet-in-az2>
Verify the update by describing the firewall configuration:
aws network-firewall describe-firewall --firewall-arn <firewall-arn>
Ensure that the firewall is now deployed across multiple Availability Zones.
Backout Plan:
Using AWS Console:
If deploying Network Firewall in multiple AZs causes issues, sign in to the AWS Management Console.
Navigate to AWS Network Firewall, select the Firewall, and go to the Subnet Mappings section.
Remove the subnets in the additional AZs to revert to a single AZ deployment.
Save the changes and verify that the firewall is no longer deployed across multiple AZs.
Using AWS CLI:
To revert the firewall deployment to a single AZ, disassociate the subnets in the extra AZs:
aws network-firewall disassociate-subnets \
  --firewall-arn <firewall-arn> \
  --subnet-ids <subnet-in-extra-az>
Verify that the firewall is no longer deployed across multiple AZs:
aws network-firewall describe-firewall --firewall-arn <firewall-arn>