AWS Landing Zone Accelerator - Part 4: Networking
Welcome back to my deep dive into the AWS Landing Zone Accelerator (LZA)!
We’ve made some good progress. In Part 1, we introduced the LZA and its benefits for building a well-managed AWS environment. Part 2 walked through setting up your AWS Organisation and creating new accounts. Then, in Part 3, we explored the LZA’s global settings, which allow for standardised configurations across your entire AWS organisation, ensuring consistency and simplified management.
Now, I’m going to shift our focus to a critical aspect of any AWS environment: networking. This part of the series will delve into the network configurations provided by the LZA, exploring how it helps you establish a secure, scalable, and well-structured network foundation for your AWS workloads.
IP Address Management (IPAM)
IP Address Management (IPAM) is the administration of IP address space. It encompasses the planning, tracking, and management of the IP addresses used in a network. In essence, it’s about knowing which IP addresses are available, which are assigned to which devices, and ensuring that IP addresses are used efficiently and without conflicts. IPAM is crucial because it prevents IP address overlaps, simplifies network troubleshooting, improves security by identifying unauthorised devices, and enables better capacity planning for future network growth. Without IPAM, managing IP addresses becomes a complex and error-prone manual process, especially in large and dynamic environments like cloud deployments.
Update the LZA configuration:
- Open the
network-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the
ipamssection and make sure it looks something like this:
centralNetworkServices:
delegatedAdminAccount: Network
ipams:
- name: Organization-IPAM
region: eu-west-1
description: Enterprise IPAM for managing IP address space
operatingRegions:
- eu-west-1
scopes: []
pools:
- name: Top-Level-Pool
description: Top level pool for the organization
provisionedCidrs:
- '{{top-level-cidr}}'
- name: eu-west-1-pool
description: Regional pool for eu-west-1
sourceIpamPool: Top-Level-Pool
locale: eu-west-1
provisionedCidrs:
- "{{eu-west-1-pool}}"
- name: Development-eu-west-1
description: Pool for Development Environments in eu-west-1
sourceIpamPool: eu-west-1-pool
locale: eu-west-1
autoImport: true
shareTargets:
organizationalUnits:
- Infrastructure
- Non-Production
provisionedCidrs:
- "{{dev-eu-west-1-pool}}"
allocationResourceTags:
- key: SDLC
value: Dev
- name: Test-eu-west-1
description: Pool for Test Environments in eu-west-1
sourceIpamPool: eu-west-1-pool
locale: eu-west-1
autoImport: true
shareTargets:
organizationalUnits:
- Infrastructure
- Non-Production
provisionedCidrs:
- "{{test-eu-west-1-pool}}"
allocationResourceTags:
- key: SDLC
value: Test
- name: Pre-Production-eu-west-1
description: Pool for Pre-Production Environments in eu-west-1
sourceIpamPool: eu-west-1-pool
locale: eu-west-1
autoImport: true
shareTargets:
organizationalUnits:
- Infrastructure
- Non-Production
provisionedCidrs:
- "{{pre-prod-eu-west-1-pool}}"
allocationResourceTags:
- key: SDLC
value: Pre-Prod
- name: Production-eu-west-1
description: Pool for Production Environments in eu-west-1
sourceIpamPool: eu-west-1-pool
locale: eu-west-1
autoImport: true
shareTargets:
organizationalUnits:
- Infrastructure
- Production
provisionedCidrs:
- "{{prod-eu-west-1-pool}}"
allocationResourceTags:
- key: SDLC
value: Prod
- Open the
replacements-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the following section and make sure it looks something like this:
# Home Network CIDR
- key: top-level-cidr
type: String
value: 10.0.0.0/8
# IPAM Pools - eu-west-1
- key: eu-west-1-pool
type: String
value: 10.0.0.0/12
# Sub Pools
- key: dev-eu-west-1-pool
type: String
value: 10.0.0.0/14
- key: test-eu-west-1-pool
type: String
value: 10.4.0.0/14
- key: pre-prod-eu-west-1-pool
type: String
value: 10.8.0.0/14
- key: prod-eu-west-1-pool
type: String
value: 10.12.0.0/14
This configuration sets up AWS IPAM to manage IP addresses in your LZA. It creates a hierarchy of IP pools: a top-level pool for the whole organization, a regional pool for eu-west-1, and separate pools for development, test, pre-production, and production environments within that region. This allows IPAM to automatically assign addresses from the correct pool based on the environment, preventing conflicts and ensuring efficient IP usage.
The IPAM configuration leverages the replacements-config.yaml file to define variables for the CIDR blocks of each pool (e.g., top-level-cidr, eu-west-1-pool, dev-eu-west-1-pool). This keeps your configuration organized and allows you to easily manage these values in a central location.
Save your changes:
- Use these commands to save your changes and update the LZA configuration:
git add .
git commit -m "Updating the IPAM Configuration"
git push
Transit Gateway
A Transit Gateway is a network hub that connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks. It simplifies network management, improves scalability, and centralises control over your cloud network traffic.
Benefits of Transit Gateway:
- Simplified Network Architecture: Connect everything to the Transit Gateway, eliminating complex peering relationships.
- Scalability: Easily add or remove connections without disrupting the network.
- Centralised Management: Provides a single point of control for managing network traffic.
- Improved Security: Enhances security by consolidating connections and enabling consistent security measures.
- Cost Optimisation: Optimises network traffic flow and reduces the need for complex configurations.
Update the LZA configuration:
- Open the
network-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the
transitGatewayssection and make sure it looks something like this:
transitGateways:
- name: Network-eu-west-1-TGW
description: Transit Gateway in eu-west-1
account: Network
region: eu-west-1
shareTargets:
organizationalUnits:
- Root
asn: 64512
dnsSupport: enable
vpnEcmpSupport: enable
defaultRouteTableAssociation: disable
defaultRouteTablePropagation: disable
autoAcceptSharingAttachments: enable
routeTables:
- name: Network-External-eu-west-1
routes: []
- name: Network-Shared-Services-eu-west-1
routes: []
- name: Network-Shared-Services-eu-west-1-Inspection
routes: []
- name: Network-Dev-eu-west-1
routes: []
- name: Network-Dev-eu-west-1-Inspection
routes:
- destinationCidrBlock: 0.0.0.0/0
attachment:
account: Network
vpcName: Network-Dev-eu-west-1-Inspection-VPC
- name: Network-Test-eu-west-1
routes: []
- name: Network-Test-eu-west-1-Inspection
routes:
- destinationCidrBlock: 0.0.0.0/0
attachment:
account: Network
vpcName: Network-Test-eu-west-1-Inspection-VPC
- name: Network-Pre-Prod-eu-west-1
routes: []
- name: Network-Pre-Prod-eu-west-1-Inspection
routes:
- destinationCidrBlock: 0.0.0.0/0
attachment:
account: Network
vpcName: Network-Pre-Prod-eu-west-1-Inspection-VPC
- name: Network-Prod-eu-west-1
routes: []
- name: Network-Prod-eu-west-1-Inspection
routes:
- destinationCidrBlock: 0.0.0.0/0
attachment:
account: Network
vpcName: Network-Prod-eu-west-1-Inspection-VPC
This configuration defines a Transit Gateway in the eu-west-1 region, deployed within an AWS Landing Zone Accelerator (LZA) framework. Residing in the Network account and shared across the organisation, the Transit Gateway supports DNS and VPN ECMP. It uses separate route tables for Dev, Test, and Prod environments, plus dedicated inspection route tables that enforce security by routing all traffic through inspection VPCs. Environment-specific route tables are currently empty, relying on route propagation from connected VPCs.
Save your changes:
- Use these commands to save your changes and update the LZA configuration:
git add .
git commit -m "Updating the Transit Gateway Configuration"
git push
Network Orchestrator for Transit Gateway
Network Orchestrator for Transit Gateway simplifies the management and automation of complex network configurations involving Transit Gateways. It acts as a central control plane, allowing you to define, deploy, and manage network connectivity across multiple AWS accounts, regions, and on-premises environments.
Benefits of Network Orchestrator:
- Automation: Automates network configuration tasks, reducing errors and speeding up deployments.
- Centralised Management: Provides a single pane of glass for managing your entire Transit Gateway network.
- Consistency: Ensures consistency across your network by defining configurations as code.
- Scalability: Enables easy network scaling by automating provisioning and configuration of new connections.
- Improved Agility: Respond to changing needs quickly with automation and centralised management.
Update the LZA configuration:
- Open the
customizations-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the
transitGatewayssection and make sure it looks something like this:
customizations:
cloudFormationStacks:
- name: STNOOrganizationRole
description: Deploy Network Orchestrator (STNO) Organization IAM Role
deploymentTargets:
accounts:
- Management
regions:
- eu-west-1
template: custom-config-templates/network-orchestration-organization-role.yaml
runOrder: 2
terminationProtection: true
parameters:
- name: HubAccount
value: "{{account Network}}"
- name: STNOHubEUWest1
description: Deploy Network Orchestrator (STNO) Hub Config for eu-west-1
deploymentTargets:
accounts:
- Network
regions:
- eu-west-1
template: custom-config-templates/network-orchestration-hub.yaml
runOrder: 4
terminationProtection: true
parameters:
- name: DeployWebUi
value: "No"
- name: AllowExternalPrincipals
value: "No"
- name: ExistingTransitGatewayId
value: "{{resolve:ssm:/accelerator/network/transitGateways/Network-Prod-eu-west-1-TGW/id}}"
- name: OrganizationManagementAccountRoleArn
value: arn:aws:iam::{{account Management}}:role/STNO-Organization-Information-Role-eu-west-1
- name: Principals
value: arn:aws:organizations::{{account Management}}:organization/{{sra-organization-id}}
- name: RegisterTransitGateway
value: "Yes"
- name: STNOSpokeAccounts
description: Deploy Network Orchestrator (STNO) Spoke Config
deploymentTargets:
organizationalUnits:
- Root
excludedAccounts:
- Management
- Network
- LogArchive
- Audit
regions:
- eu-west-1
template: custom-config-templates/network-orchestration-spoke.yaml
runOrder: 6
terminationProtection: true
parameters:
- name: HubAccount
value: '{{account Network}}'
- name: HomeRegion
value: eu-west-1
This customization implements a Network Orchestrator (STNO) within the AWS Landing Zone Accelerator (LZA) using three CloudFormation stacks. These stacks automate network connectivity setup and management across the AWS Organization.
- STNOOrganizationRole: Deployed to the Management account, this stack creates an IAM role (STNO-Organization-Information-Role-eu-west-1). This role provides the STNO with the necessary permissions to manage network resources across the entire organization. It’s a foundational component for centralized network control.
- STNOHubEUWest1: Deployed to the Network Production account (Network) in the eu-west-1 region, this stack configures the central STNO hub. It performs several key actions:
- Connects the STNO hub to an existing Transit Gateway (Network-Prod-eu-west-1-TGW), retrieved from SSM Parameter Store. This Transit Gateway serves as the core of the network connectivity.
- Configures STNO settings, including options like deploying a web UI and allowing external principals.
- Registers the Transit Gateway with the STNO, enabling the STNO to manage routing and connectivity through the gateway.
- Links the STNO to the organization using the organization ID.
- References the organization-wide IAM role created by the STNOOrganizationRole stack.
- STNOSpokeAccounts: Deployed to all accounts within the Root OU except Management, Network, Log Archive, and Audit, this stack configures the STNO spoke components. This enables the STNO to manage network connectivity for all workload accounts. These spoke configurations connect back to the central STNO hub in the Network Production account (Network) within the eu-west-1 region.
Save your changes:
- Use these commands to save your changes and update the LZA configuration:
git add .
git commit -m "Adding Network Orchestrator for Transit Gateway"
git push
VPC Provisioning via Service Catalog
AWS Service Catalog allows you to create and manage catalogs of approved services for use on AWS. This helps ensure that your VPCs are deployed in a consistent and compliant manner.
Benefits of Service Catalog for VPC Provisioning:
- Standardised deployments: Create a portfolio of approved VPC configurations that meet your organisation’s requirements.
- Consistent management: Deploy and manage the lifecycle of your VPCs (updates, deletion) through Service Catalog.
Update the LZA configuration:
- Open the
customizations-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the
serviceCatalogPortfoliossection and make sure it looks something like this:
customizations:
serviceCatalogPortfolios:
- name: "{{org-portfolio-name}}"
provider: LZA
account: Management
regions:
- eu-west-1
shareTargets:
organizationalUnits:
- Root
shareTagOptions: true
portfolioAssociations:
- type: Role
name: AWSControlTowerExecution
propagateAssociation: true
- type: PermissionSet
name: AdministratorAccess
propagateAssociation: true
products:
- name: VPC
description: VPC Deployment for Centralised Connectivity
owner: LZA
distributor: LZA
versions:
- name: v1
description: VPC deployment - Product
template: service-catalog-templates/vpc-with-tgw-ce-and-centralized-vpces-with-ipam.yaml
tagOptions:
- key: SDLC
values: [Production,Development,Test,Pre-Production]
This configuration uses the LZA to create a Service Catalog portfolio containing a VPC product. This product, based on a CloudFormation template, provisions a complex VPC infrastructure. The portfolio is shared across the entire AWS organization and access is granted to the AWSControlTowerExecution role and AdministratorAccess permission set. The SDLC tag option allows for environment classification.
- name: PortfolioAssociations
description: Service Catalog Portfolio Associations config
deploymentTargets:
accounts:
- Management
regions:
- eu-west-1
- eu-central-1
- ap-southeast-2
template: custom-config-templates/custom-service-catalog-portfolio-associations.yaml
runOrder: 3
terminationProtection: true
parameters:
- name: pRoleNameForPortfolioShareAccess
value: "{{org-portfolio-share-access-role}}"
- name: pPortfolioNameForShareAccess
value: "{{org-portfolio-name}}"
- Open the
replacements-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the following section and make sure it looks something like this:
- key: org-portfolio-name
type: String
value: "Org-Portfolio"
- key: org-portfolio-share-access-role
type: String
value: "DevOpsAdmins"
Because the LZA doesn’t directly support associating IAM Identity Center Permission Sets with Service Catalog portfolios (specifically, it lacks wildcard support), we’ve implemented a workaround. A Lambda function, triggered by a CloudFormation custom resource within the customizations-config.yaml template, programmatically adds the necessary Permission Set associations.
Save your changes:
- Use these commands to save your changes and update the LZA configuration:
git add .
git commit -m "Adding Service Catalog Product for Amazon VPC"
git push
VPC Endpoints
VPC endpoints provide a secure and private connection between your VPC and supported AWS services without traversing the public internet.
Benefits of VPC Endpoints:
- Enhanced Security: Isolates traffic within the AWS network.
- Improved Performance: Reduces latency and potential network congestion.
- Simplified Network Management: Eliminates the need for complex internet-facing configurations.
Centralising VPC endpoints offers further benefits:
- Cost Optimisation: Minimises the number of endpoints.
- Simplified Management: Easier to manage and maintain access to AWS services.
- Consistent Security: Enforces consistent security policies.
- Improved Efficiency: Reduces inter-VPC traffic.
Update the LZA configuration:
- Open the
network-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Add the
vpcssection and make sure it looks something like this:
vpcs:
- name: Network-Prod-eu-west-1-Endpoints-Vpc
account: Network
region: eu-west-1
ipamAllocations:
- ipamPoolName: Production-eu-west-1
netmaskLength: 22
internetGateway: false
enableDnsHostnames: true
enableDnsSupport: true
instanceTenancy: default
defaultSecurityGroupRulesDeletion: true
routeTables:
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-A
routes: []
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-B
routes: []
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-C
routes: []
- name: Network-Prod-eu-west-1-Endpoints-Private-Rtb-A
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Prod-eu-west-1-TGW
- name: Network-Prod-eu-west-1-Endpoints-Private-Rtb-B
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Prod-eu-west-1-TGW
- name: Network-Prod-eu-west-1-Endpoints-Private-Rtb-C
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Prod-eu-west-1-TGW
subnets:
- name: Network-Prod-eu-west-1-Endpoints-Private-Subnet-A
mapPublicIpOnLaunch: false
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Endpoints-Private-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Endpoints-Private-Subnet-B
mapPublicIpOnLaunch: false
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Endpoints-Private-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Endpoints-Private-Subnet-C
mapPublicIpOnLaunch: false
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Endpoints-Private-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-A
mapPublicIpOnLaunch: false
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-B
mapPublicIpOnLaunch: false
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-C
mapPublicIpOnLaunch: false
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Endpoints-Tgw-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
transitGatewayAttachments:
- name: Network-Prod-eu-west-1-Endpoints-Vpc-Tgw-Attachment
transitGateway:
name: Network-Prod-eu-west-1-TGW
account: Network
routeTableAssociations:
- Network-Shared-Services-eu-west-1
routeTablePropagations:
- Network-Shared-Services-eu-west-1
- Network-Prod-eu-west-1
- Network-Pre-Prod-eu-west-1
- Network-Dev-eu-west-1
- Network-Test-eu-west-1
subnets:
- Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-A
- Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-B
- Network-Prod-eu-west-1-Endpoints-Tgw-Subnet-C
interfaceEndpoints:
central: true
defaultPolicy: Default
subnets:
- Network-Prod-eu-west-1-Endpoints-Private-Subnet-A
- Network-Prod-eu-west-1-Endpoints-Private-Subnet-B
- Network-Prod-eu-west-1-Endpoints-Private-Subnet-C
endpoints:
- service: ec2
securityGroup: Network-Prod-eu-west-1-Endpoints-Private-Sg
- service: ec2messages
securityGroup: Network-Prod-eu-west-1-Endpoints-Private-Sg
- service: ssm
securityGroup: Network-Prod-eu-west-1-Endpoints-Private-Sg
- service: ssmmessages
securityGroup: Network-Prod-eu-west-1-Endpoints-Private-Sg
# Additional Endpoints can be added as required
This LZA configuration sets up a VPC in the eu-west-1 region specifically for hosting private interface endpoints. It’s isolated from the internet, uses IPAM for address management, and connects to a Transit Gateway for communication with other environments. The VPC is configured as the central location for interface endpoints to services like EC2 and SSM, ensuring secure and private access within the AWS network.
Save your changes:
- Use these commands to save your changes and update the LZA configuration:
git add .
git commit -m "Adding Centralised VPC Endpoints"
git push
Traffic Inspection with AWS Network Firewall
AWS Network Firewall allows you to filter traffic at the perimeter of your VPC or at the subnet level, providing fine-grained control over network traffic flow.
Benefits of Traffic Inspection:
- Identify and Block Malicious Activity: Analyse traffic for threats like malware and intrusion attempts.
- Enforce Security Policies: Control which traffic is allowed or denied.
- Gain Visibility into Network Traffic: Understand traffic patterns and identify potential vulnerabilities.
- Prevent Data Loss: Monitor traffic for sensitive data to prevent unauthorised access and exfiltration.
Update the LZA configuration:
- Open the
network-config.yamlfile in your local copy of theaws-accelerator-configrepository. - Update the
vpcssection to add something like this:
- name: Network-Prod-eu-west-1-Inspection-Vpc
account: Network
region: eu-west-1
ipamAllocations:
- ipamPoolName: Production-eu-west-1
netmaskLength: 22
internetGateway: true
enableDnsHostnames: true
enableDnsSupport: true
instanceTenancy: default
defaultSecurityGroupRulesDeletion: true
routeTables:
- name: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-A
routes:
- name: NfwRoute
destination: 0.0.0.0/0
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: a
- name: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-B
routes:
- name: NfwRoute
destination: 0.0.0.0/0
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: b
- name: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-C
routes:
- name: NfwRoute
destination: 0.0.0.0/0
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: c
- name: Network-Prod-eu-west-1-Inspection-Private-Rtb-A
routes:
- name: TgwRoute
destination: "{{top-level-cidr}}"
type: transitGateway
target: Network-Prod-eu-west-1-TGW
- name: default-route
destination: 0.0.0.0/0
type: natGateway
target: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-A
- name: Network-Prod-eu-west-1-Inspection-Private-Rtb-B
routes:
- name: TgwRoute
destination: "{{top-level-cidr}}"
type: transitGateway
target: Network-Prod-eu-west-1-TGW
- name: default-route
destination: 0.0.0.0/0
type: natGateway
target: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-B
- name: Network-Prod-eu-west-1-Inspection-Private-Rtb-C
routes:
- name: TgwRoute
destination: "{{top-level-cidr}}"
type: transitGateway
target: Network-Prod-eu-west-1-TGW
- name: default-route
destination: 0.0.0.0/0
type: natGateway
target: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-C
- name: Network-Prod-eu-west-1-Inspection-Public-Rtb-A
routes:
- name: default-route
destination: 0.0.0.0/0
type: internetGateway
target: IGW
- name: NfwRoute
destination: '{{top-level-cidr}}'
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: a
- name: Network-Prod-eu-west-1-Inspection-Public-Rtb-B
routes:
- name: default-route
destination: 0.0.0.0/0
type: internetGateway
target: IGW
- name: NfwRoute
destination: '{{top-level-cidr}}'
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: b
- name: Network-Prod-eu-west-1-Inspection-Public-Rtb-C
routes:
- name: default-route
destination: 0.0.0.0/0
type: internetGateway
target: IGW
- name: NfwRoute
destination: '{{top-level-cidr}}'
type: networkFirewall
target: Network-Prod-eu-west-1-nfw
targetAvailabilityZone: c
subnets:
- name: Network-Prod-eu-west-1-Inspection-Private-Subnet-A
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Inspection-Private-Subnet-B
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Inspection-Private-Subnet-C
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 24
- name: Network-Prod-eu-west-1-Inspection-Tgw-Subnet-A
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Tgw-Subnet-B
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Tgw-Subnet-C
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Inspection-Tgw-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Firewall-Subnet-A
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Firewall-Subnet-B
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Firewall-Subnet-C
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Inspection-Private-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Public-Subnet-A
availabilityZone: a
routeTable: Network-Prod-eu-west-1-Inspection-Public-Rtb-A
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Public-Subnet-B
availabilityZone: b
routeTable: Network-Prod-eu-west-1-Inspection-Public-Rtb-B
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
- name: Network-Prod-eu-west-1-Inspection-Public-Subnet-C
availabilityZone: c
routeTable: Network-Prod-eu-west-1-Inspection-Public-Rtb-C
ipamAllocation:
ipamPoolName: Production-eu-west-1
netmaskLength: 28
natGateways:
- name: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-A
subnet: Network-Prod-eu-west-1-Inspection-Public-Subnet-A
- name: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-B
subnet: Network-Prod-eu-west-1-Inspection-Public-Subnet-B
- name: Network-Prod-eu-west-1-Inspection-Vpc-Ngw-C
subnet: Network-Prod-eu-west-1-Inspection-Public-Subnet-C
transitGatewayAttachments:
- name: Network-Prod-eu-west-1-Inspection-Vpc-Tgw-Attachment
transitGateway:
name: Network-Prod-eu-west-1-TGW
account: Network
options:
applianceModeSupport: enable
routeTableAssociations:
- Network-Prod-eu-west-1
subnets:
- Network-Prod-eu-west-1-Inspection-Tgw-Subnet-A
- Network-Prod-eu-west-1-Inspection-Tgw-Subnet-B
- Network-Prod-eu-west-1-Inspection-Tgw-Subnet-C
useCentralEndpoints: true
This configuration creates a specialided VPC within the LZA, acting as a central point for inspecting network traffic. It allows for comprehensive monitoring and filtering of traffic entering/exiting the VPC and traffic between other connected VPCs.
- Add the
networkFirewallsection and make sure it looks something like this:
networkFirewall:
firewalls:
- name: Network-Prod-eu-west-1-nfw
description: Inspection VPC Network Firewall
firewallPolicy: prod-nfw-policy
subnets:
- Network-Prod-eu-west-1-Inspection-Firewall-Subnet-A
- Network-Prod-eu-west-1-Inspection-Firewall-Subnet-B
- Network-Prod-eu-west-1-Inspection-Firewall-Subnet-C
vpc: Network-Prod-eu-west-1-Inspection-Vpc
loggingConfiguration:
- destination: s3
type: ALERT
- destination: cloud-watch-logs
type: FLOW
policies:
- name: prod-nfw-policy
firewallPolicy:
statelessDefaultActions: ['aws:forward_to_sfe']
statelessFragmentDefaultActions: ['aws:forward_to_sfe']
statefulEngineOptions: STRICT_ORDER
statefulRuleGroups:
- name: prod-domain-list-group
priority: 100
- name: prod-stateful-group
priority: 101
regions:
- eu-west-1
shareTargets:
organizationalUnits:
- Root
rules:
- name: prod-domain-list-group
regions:
- eu-west-1
capacity: 1000
type: STATEFUL
ruleGroup:
statefulRuleOptions: STRICT_ORDER
rulesSource:
rulesSourceList:
generatedRulesType: ALLOWLIST
targets:
- '.amazon.com'
- '.amazonaws.com'
# Additional Domains can be added
targetTypes: ['TLS_SNI', 'HTTP_HOST']
ruleVariables:
ipSets:
name: HOME_NET
definition:
- '{{top-level-cidr}}'
portSets:
name: INTERNAL_PORTS
definition:
- '80'
- '443'
shareTargets:
organizationalUnits:
- Root
- name: prod-stateful-group
regions:
- eu-west-1
capacity: 1000
type: STATEFUL
ruleGroup:
statefulRuleOptions: STRICT_ORDER
ruleVariables:
ipSets:
name: HOME_NET
definition:
- "{{prod-eu-west-1-pool}}"
portSets:
name: INTERNAL_PORTS
definition:
- '80'
- '443'
rulesSource:
rulesFile: firewall-config-rules/prod-rules.txt
shareTargets:
organizationalUnits:
- Root
This configuration establishes a robust Network Firewall setup in the LZA, enabling granular control over network traffic and enhancing security by filtering traffic based on domain names, IP addresses, ports, and other criteria defined in the rule groups and the external rule file. The use of stateful inspection and an allowlist approach further strengthens security by blocking all traffic except that which is explicitly allowed.
- Create a plain text file (e.g., firewall-config-rules/prod-rules.txt) containing your Suricata rules. This file will be used by AWS Network Firewall to filter network traffic according to your defined rules.
pass ip $HOME_NET any -> $HOME_NET $INTERNAL_PORTS (sid:100;)
drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Drop HTTP traffic"; sid:101;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Drop HTTPs traffic"; sid:102;)
drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"Default Egress UDP block";sid:202308172;)
drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Default Egress ICMP block";sid:202308177;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Default Ingress block to server"; flow:to_server; sid:20230813;)
drop udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Default Ingress UDP block"; sid:202308174;)
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Default Ingress ICMP block"; sid:202308179;)
drop ip any any -> any any (noalert; ip_proto:!TCP; ip_proto:!UDP; ip_proto:!ICMP; sid:21801620;)
#alert tcp any any -> 1.1.1.1/32 80 (sid:102;msg:"example message";)
Wrapping Up
In this part, we’ve explored the networking capabilities of the LZA, covering IPAM, Transit Gateway, Network Orchestrator, Service Catalog for VPC provisioning, centralised VPC endpoints, and Network Firewall for traffic inspection. By implementing these configurations, you establish a robust, secure, and scalable network foundation for your AWS workloads.
In the next part of this series, I’ll dive deeper into security configurations within the LZA, including how to implement security best practices and protect your valuable resources. Stay tuned for more insights and practical guidance on maximising the benefits of the AWS Landing Zone Accelerator!