Tags: aws, network, security
TABLE OF CONTENTS
This article describes steps for configuring an AWS Network Firewall for use with Kublr provisioned Kubernetes clusters.
We assume that you have a Kublr-provisioned AWS Kubernetes cluster.
You will need the following information about the cluster:
1. The cluster VPC name; usually it has the format <cluster-name>-aws1-vpc
2. The cluster VPC IPv4 CIDR; usually it is 172.16.0.0/16
3. The cluster Internet Gateway (IGW) name and ID; usually its name has format <cluster-name>-aws1-igw
4. The cluster public routing table name: usually its name has the format <cluster-name>-aws1-rt
Follow the steps below to create an AWS Network Firewall and configure Kublr cluster to use it.
Step 1. Create a new subnet in the cluster's VPC for the AWS Network Firewall endpoint
Subnet name: <cluster-name>-aws1-subnet-net-fw
Subnet CIDR: 172.16.0.0/28
The subnet CIDR must use the range not used by subnets created by Kublr.
If the cluster uses the standard VPC CIDR 172.16.0.0/16, then it is safe to use the suggested CIDR 172.16.0.0/28.
Please refer to Kublr documentation, "VPC and Subnet CIDRs" section, to select a CIDR to avoid conflicts for non-standard/custom CIDR configurations.
Step 2. Create a routing table for <cluster-name>-aws1-subnet-net-fw subnet
Routing table name: <cluster-name>-aws1-rt-net-fw
Add a route 0.0.0.0/0 to <internetet-gateway-ID>
Associate the route table with subnet <cluster-name>-aws1-subnet-net-fw
Step 3. Create a firewall
Firewall name: <cluster-name>-aws1-subnet-net-fw
Select the cluster VPC and the subnet <cluster-name>-aws1-subnet-net-fw created on the step 1 when creating.
When the firewall is fully provisioned, make a note of the firewall endpoint ID, which normally has a format vpce-...
Step 4. Change Kublr public routing table <cluster-name>-aws1-rt
Change the route 0.0.0.0/0 to <internetet-gateway-ID> to 0.0.0.0/0 to <firewall-endpoint-ID>
Step 5. Create a routing table for the cluster IGW
Routing table name: <cluster-name>-aws1-rt-igw
Add a route 172.16.0.0/16 (cluster VPC) to <firewall-endpoint-ID>
Associate the routing table with the IGW; this option is available in the section "Edge Associations"
Now you can associate firewall policies, rule groups and rules with the firewall.
- Deployment models for AWS Network Firewall
- AWS Network Firewall example architectures with routing
- Simple single zone architecture with an internet gateway
- Multi zone architecture with an internet gateway
- Architecture with an internet gateway and a NAT gateway
- Kublr AWS Deployment Architecture