Tags: aws, network, security



This article describes the steps for configuring an AWS Network Firewall for use with Kublr-provisioned Kubernetes clusters.

Manual Configuration

We assume that you have a Kublr-provisioned AWS Kubernetes cluster.

You will need the following information about the cluster:

1. The cluster VPC name; usually it has the format <cluster-name>-aws1-vpc

2. The cluster VPC IPv4 CIDR; usually it is

3. The cluster Internet Gateway (IGW) name and ID; usually its name has the format <cluster-name>-aws1-igw

4. The cluster public routing table name; usually it has the format <cluster-name>-aws1-rt

Follow the steps below to create an AWS Network Firewall and configure the Kublr cluster to use it.

Step 1. Create a new subnet in the cluster's VPC for the AWS Network Firewall endpoint

Subnet name: <cluster-name>-aws1-subnet-net-fw

Subnet CIDR:

The subnet CIDR must use a range that is not used by any of the subnets created by Kublr.

If the cluster uses the standard VPC CIDR, then it is safe to use the suggested CIDR

For non-standard or custom CIDR configurations, refer to the "VPC and Subnet CIDRs" section of the Kublr documentation to select a CIDR that does not conflict with the cluster subnets.

Step 2. Create a routing table for the <cluster-name>-aws1-subnet-net-fw subnet

Routing table name: <cluster-name>-aws1-rt-net-fw
Add a route to <internet-gateway-ID>

Associate the route table with subnet <cluster-name>-aws1-subnet-net-fw

Step 3. Create a firewall

Firewall name: <cluster-name>-aws1-subnet-net-fw

When creating the firewall, select the cluster VPC and the subnet <cluster-name>-aws1-subnet-net-fw created in step 1.

When the firewall is fully provisioned, make a note of the firewall endpoint ID, which normally has the format vpce-...

Step 4. Change the Kublr public routing table <cluster-name>-aws1-rt

Change the route that currently targets <internet-gateway-ID> so that it targets <firewall-endpoint-ID> instead

Step 5. Create a routing table for the cluster IGW

Routing table name: <cluster-name>-aws1-rt-igw

Add a route (cluster VPC) to <firewall-endpoint-ID>
Associate the routing table with the IGW; this option is available in the "Edge Associations" section

Now you can associate firewall policies, rule groups and rules with the firewall.
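The five steps above as a single AWS CLI script, added here as an example and not Kublr's own tooling. It assumes the AWS CLI with credentials for the cluster account, the cluster values listed at the top of the article (the script's defaults are constructed placeholders), and that the internet route in the public routing table is the default 0.0.0.0/0 route; the firewall policy ARN is required by the API at creation time, so a policy must exist before step 3.

```shell
# Added example, not Kublr's own tooling: the five manual steps above as AWS CLI calls (bash).
# Every input below is an assumption to fill in from your cluster; the defaults are constructed placeholders.
set -eu
CLUSTER_NAME="${CLUSTER_NAME:-mycluster}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                          # cluster VPC IPv4 CIDR
IGW_ID="${IGW_ID:-igw-PLACEHOLDER}"
KUBLR_PUBLIC_RT_ID="${KUBLR_PUBLIC_RT_ID:-rtb-PLACEHOLDER}"  # the <cluster-name>-aws1-rt table
FW_SUBNET_CIDR="${FW_SUBNET_CIDR:-10.0.255.0/28}"            # must not overlap any Kublr subnet (Step 1)
FW_POLICY_ARN="${FW_POLICY_ARN:-arn:aws:network-firewall:REGION:ACCOUNT:firewall-policy/PLACEHOLDER}"
FW_NAME="$CLUSTER_NAME-aws1-net-fw"
aws_cmd() {  # DRY_RUN=1 logs the call to stderr and returns a dummy id instead of calling AWS
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "aws $*" >&2; echo DRYRUN; else aws "$@"; fi
}
new_rt() {   # $1 = Name tag; prints the new route table id
  aws_cmd ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text \
    --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=$1}]"
}
step1_fw_subnet() {   # prints the firewall subnet id
  aws_cmd ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$FW_SUBNET_CIDR" --query Subnet.SubnetId \
    --output text --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$CLUSTER_NAME-aws1-subnet-net-fw}]"
}
step2_fw_subnet_rt() {   # $1 = firewall subnet id; the firewall subnet's default route goes straight to the IGW
  rt=$(new_rt "$CLUSTER_NAME-aws1-rt-net-fw")
  aws_cmd ec2 create-route --route-table-id "$rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
  aws_cmd ec2 associate-route-table --route-table-id "$rt" --subnet-id "$1"
}
step3_firewall() {   # $1 = firewall subnet id; prints the firewall endpoint id (vpce-...) once the firewall is READY
  # The API requires a policy ARN at creation time; rule groups can be attached to that policy afterwards.
  aws_cmd network-firewall create-firewall --firewall-name "$FW_NAME" --vpc-id "$VPC_ID" \
    --firewall-policy-arn "$FW_POLICY_ARN" --subnet-mappings "SubnetId=$1" >/dev/null
  if [ "${DRY_RUN:-0}" = 1 ]; then echo vpce-DRYRUN; return; fi
  until [ "$(aws network-firewall describe-firewall --firewall-name "$FW_NAME" \
             --query FirewallStatus.Status --output text)" = READY ]; do sleep 15; done
  aws network-firewall describe-firewall --firewall-name "$FW_NAME" --query 'FirewallStatus.SyncStates.*.Attachment.EndpointId' --output text
}
step4_redirect_public_rt() {   # $1 = endpoint id; assumes the public table's internet route is 0.0.0.0/0
  aws_cmd ec2 replace-route --route-table-id "$KUBLR_PUBLIC_RT_ID" --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id "$1"
}
step5_igw_edge_rt() {   # $1 = endpoint id; inbound traffic from the IGW to the VPC passes the firewall too
  rt=$(new_rt "$CLUSTER_NAME-aws1-rt-igw")
  aws_cmd ec2 create-route --route-table-id "$rt" --destination-cidr-block "$VPC_CIDR" --vpc-endpoint-id "$1"
  aws_cmd ec2 associate-route-table --route-table-id "$rt" --gateway-id "$IGW_ID"   # edge association
}
main() {  # steps 1-5 in order
  subnet=$(step1_fw_subnet); step2_fw_subnet_rt "$subnet"; endpoint=$(step3_firewall "$subnet")
  step4_redirect_public_rt "$endpoint"; step5_igw_edge_rt "$endpoint"; echo "firewall endpoint: $endpoint"
}
if [ "${1:-}" = apply ]; then main; fi   # ./fw.sh apply   (DRY_RUN=1 ./fw.sh apply previews the calls)
```

Run with DRY_RUN=1 first to review the exact calls against your cluster's IDs; step 4 replaces a route in a Kublr-managed table, so keep the original IGW route ID handy to revert.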