Tags: aws, network, security
Overview
This article describes the steps for configuring an AWS Network Firewall for use with Kublr-provisioned Kubernetes clusters.
Manual Configuration
We assume that you have a Kublr-provisioned AWS Kubernetes cluster.
You will need the following information about the cluster:
1. The cluster VPC name; usually it has the format <cluster-name>-aws1-vpc
2. The cluster VPC IPv4 CIDR; usually it is 172.16.0.0/16
3. The cluster Internet Gateway (IGW) name and ID; usually its name has the format <cluster-name>-aws1-igw
4. The cluster public routing table name; usually it has the format <cluster-name>-aws1-rt
Follow the steps below to create an AWS Network Firewall and configure Kublr cluster to use it.
Step 1. Create a new subnet in the cluster's VPC for the AWS Network Firewall endpoint
Subnet name: <cluster-name>-aws1-subnet-net-fw
Subnet CIDR: 172.16.0.0/28
The subnet CIDR must be a range not used by any of the subnets created by Kublr.
If the cluster uses the standard VPC CIDR 172.16.0.0/16, then it is safe to use the suggested CIDR 172.16.0.0/28.
Please refer to Kublr documentation, "VPC and Subnet CIDRs" section, to select a CIDR to avoid conflicts for non-standard/custom CIDR configurations.
Step 2. Create a routing table for <cluster-name>-aws1-subnet-net-fw subnet
Routing table name: <cluster-name>-aws1-rt-net-fw
Add a route 0.0.0.0/0 to <internet-gateway-ID>
Associate the route table with subnet <cluster-name>-aws1-subnet-net-fw
Step 3. Create a firewall
Firewall name: <cluster-name>-aws1-subnet-net-fw
When creating the firewall, select the cluster VPC and the subnet <cluster-name>-aws1-subnet-net-fw created in step 1.
When the firewall is fully provisioned, make a note of the firewall endpoint ID, which normally has the format vpce-...
Step 4. Change Kublr public routing table <cluster-name>-aws1-rt
Change the route 0.0.0.0/0 to <internet-gateway-ID> to 0.0.0.0/0 to <firewall-endpoint-ID>
Step 5. Create a routing table for the cluster IGW
Routing table name: <cluster-name>-aws1-rt-igw
Add a route 172.16.0.0/16 (cluster VPC) to <firewall-endpoint-ID>
Associate the routing table with the IGW; this option is available in the section "Edge Associations"
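The five console steps above, expressed as Terraform for the AWS provider. This is an added example, not Kublr's own code or tooling; it assumes a single-AZ cluster (so the firewall reports exactly one endpoint), that the existing VPC, IGW and Kublr public route table are passed in as variables (`vpc_id`, `igw_id`, `public_route_table_id`), and it creates a minimal placeholder firewall policy (`aws:forward_to_sfe` defaults) because a firewall cannot exist without one; the rule groups are attached afterwards as the article says. The /28 is derived from the VPC CIDR with `cidrsubnet` rather than hard-coded, which reproduces 172.16.0.0/28 for the standard 172.16.0.0/16 VPC.

```hcl
variable "cluster_name"          { type = string }
variable "vpc_id"                { type = string }
variable "igw_id"                { type = string }   # <cluster-name>-aws1-igw
variable "public_route_table_id" { type = string }   # <cluster-name>-aws1-rt (managed by Kublr)
variable "vpc_cidr" {
  type    = string
  default = "172.16.0.0/16"
}

locals {
  # Step 1 CIDR: /16 + 12 bits = /28, network number 0 -> 172.16.0.0/28 for the default VPC CIDR.
  # For a custom VPC CIDR, verify this range does not overlap the Kublr-created subnets.
  fw_subnet_cidr = cidrsubnet(var.vpc_cidr, 12, 0)
}

# Step 1: dedicated subnet for the firewall endpoint
resource "aws_subnet" "net_fw" {
  vpc_id     = var.vpc_id
  cidr_block = local.fw_subnet_cidr
  tags       = { Name = "${var.cluster_name}-aws1-subnet-net-fw" }
}

# Step 2: route table for the firewall subnet with a default route to the IGW
resource "aws_route_table" "net_fw" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
  tags = { Name = "${var.cluster_name}-aws1-rt-net-fw" }
}

resource "aws_route_table_association" "net_fw" {
  subnet_id      = aws_subnet.net_fw.id
  route_table_id = aws_route_table.net_fw.id
}

# Step 3: the firewall. The policy below is an assumed minimal placeholder (stateless traffic is
# forwarded to the stateful engine); attach real rule groups to it after provisioning.
resource "aws_networkfirewall_firewall_policy" "net_fw" {
  name = "${var.cluster_name}-aws1-net-fw-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }
}

resource "aws_networkfirewall_firewall" "net_fw" {
  name                = "${var.cluster_name}-aws1-subnet-net-fw"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.net_fw.arn
  vpc_id              = var.vpc_id
  subnet_mapping {
    subnet_id = aws_subnet.net_fw.id
  }
}

locals {
  # Single AZ: one sync state, whose attachment carries the vpce-... endpoint ID noted in step 3
  fw_endpoint_id = tolist(aws_networkfirewall_firewall.net_fw.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}

# Step 4: default route of the Kublr public route table now points at the firewall endpoint.
# The pre-existing 0.0.0.0/0 -> IGW route in that table must be removed (or imported into this
# resource) first, otherwise the apply fails on the duplicate destination.
resource "aws_route" "public_default_via_fw" {
  route_table_id         = var.public_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.fw_endpoint_id
}

# Step 5: ingress route table attached to the IGW (edge association), so traffic returning
# to the VPC is also steered through the firewall
resource "aws_route_table" "igw" {
  vpc_id = var.vpc_id
  route {
    cidr_block      = var.vpc_cidr
    vpc_endpoint_id = local.fw_endpoint_id
  }
  tags = { Name = "${var.cluster_name}-aws1-rt-igw" }
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw.id
}
```

After `terraform apply`, both directions of traffic between the Kublr public subnets and the internet pass through the firewall endpoint: outbound via the rewritten default route in `<cluster-name>-aws1-rt`, inbound via the edge-associated `<cluster-name>-aws1-rt-igw`. For a multi-AZ cluster the firewall would need one `subnet_mapping` per AZ and a per-AZ endpoint lookup instead of the single `fw_endpoint_id` local.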
Now you can associate firewall policies, rule groups and rules with the firewall.
Reference
- Deployment models for AWS Network Firewall
- AWS Network Firewall example architectures with routing
- Simple single zone architecture with an internet gateway
- Multi zone architecture with an internet gateway
- Architecture with an internet gateway and a NAT gateway
- Kublr AWS Deployment Architecture