
AWS Network Firewall

We make use of AWS Network Firewalls in two ways. First, we use a centralised inspection VPC to control traffic entering and exiting the Modernisation Platform to and from internal Ministry of Justice services. Second, we use inline-inspection in our egress VPCs to control traffic exiting the Modernisation Platform to the internet.

What is an AWS network firewall

To learn more about AWS Network Firewall, please follow the links below.

Amending Rules

Rules can be amended by raising a pull request against the modernisation-platform repository and editing one of the following four files in the terraform/environments/core-network-services directory.

The rules files are split by environment rather than by account, which makes changes easier to track. See below for our CIDR ranges to help with forming new rules.

Each rule consists of a rule description and an action, which is one of DROP, PASS or ALERT (block, allow or monitor the traffic respectively). The traffic is matched on a source IP address or CIDR range, a destination IP address or CIDR range, the required destination port number and, finally, the protocol used.

These rules are written in JSON; an example is shown below.

"example_rule": {
  "action": "PASS",
  "source_ip": "10.200.0.0/19",
  "destination_ip": "10.26.0.0/19",
  "destination_port": "1621",
  "protocol": "TCP"
}

To add a rule to the AWS Network Firewall, clone the repository, create a new branch, then copy the snippet above into the appropriate JSON file for the environment you are dealing with.

Change the rule description and the other fields in the snippet to their appropriate values.

Once this is complete, commit your change and create a pull request for the Modernisation Platform team to review.

FQDN Firewall Rules

We make use of FQDN-based inspection on the HTTP_HOST or TLS_SNI header values of packets. This allows us to permit traffic based on domain names, rather than combinations of IP address and destination port. This is primarily of interest to customers attempting to reach HTTP endpoints on the internet from resources in their Modernisation Platform accounts.

Below is an example of the file contents. You can raise a pull request to add domains to this list. An entry can be either a full DNS name (e.g. example.com) or, to cover the root domain and any of its subdomains, a name prefixed with a full stop (e.g. .example.com).

{
  "fw_allowed_domains": [
    "microsoft.com",
    ".windowsupdate.microsoft.com",
    ".update.microsoft.com",
    ".windowsupdate.com",
    ".download.windowsupdate.com",
    "wustat.windows.com",
    "ntservicepack.microsoft.com",
    "stats.microsoft.com"
  ],
  "fw_home_net_ips": ["10.26.0.0/16", "10.27.0.0/16"]
}
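As an added example (not code from the Modernisation Platform repository), the Python below sanity-checks rule entries in the JSON format shown earlier and applies the domain-list matching described for the FQDN rules: a bare name matches exactly, a leading full stop matches the root domain and any subdomain. The sample rules, the short domain list and the accepted protocol set are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample rules in the format shown on this page (not the platform's real files).
RULES_JSON = """{
  "example_rule": {"action": "PASS", "source_ip": "10.200.0.0/19",
                   "destination_ip": "10.26.0.0/19", "destination_port": "1621", "protocol": "TCP"},
  "broken_rule": {"action": "ALLOW", "source_ip": "10.200.0.0/19",
                  "destination_ip": "10.26.0.0/33", "destination_port": "99999", "protocol": "TCP"}
}"""
# Constructed subset of the fw_allowed_domains list shown above.
ALLOWED_DOMAINS = ["microsoft.com", ".windowsupdate.microsoft.com", ".windowsupdate.com"]

VALID_ACTIONS = {"DROP", "PASS", "ALERT"}
VALID_PROTOCOLS = {"TCP", "UDP", "ICMP"}  # assumption: protocols the reviewers accept


def validate_rule(name, rule):
    """Return the problems found in one rule; an empty list means it is well-formed."""
    problems = []
    if rule.get("action") not in VALID_ACTIONS:
        problems.append(f"{name}: action must be DROP, PASS or ALERT")
    for key in ("source_ip", "destination_ip"):
        try:  # accepts a single IP or a CIDR; strict=True rejects CIDRs with host bits set
            ipaddress.ip_network(rule.get(key, ""), strict=True)
        except ValueError:
            problems.append(f"{name}: {key} is not a valid IP address or CIDR range")
    port = str(rule.get("destination_port", ""))
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"{name}: destination_port must be 1-65535")
    if rule.get("protocol") not in VALID_PROTOCOLS:
        problems.append(f"{name}: protocol must be one of {sorted(VALID_PROTOCOLS)}")
    return problems


def validate_rules(text):
    """Validate every rule in a rules file; returns all problems across the file."""
    return [p for name, rule in json.loads(text).items() for p in validate_rule(name, rule)]


def domain_allowed(host, allowed):
    """Bare entry: exact match. Leading-dot entry: the root domain or any subdomain."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False
```

Note that evilwindowsupdate.com is not matched by .windowsupdate.com, because the leading full stop requires a label boundary before the listed name.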

Example

Below is a link to the HashiCorp Terraform documentation for the Terraform resource, which describes the options that can be used with the resource.

There is also a link to an example PR showing how to add rules; in this example one additional rule is added to the network firewall.

This page was last reviewed on 11 January 2024. It needs to be reviewed again on 11 July 2024 by the page owner #modernisation-platform .