A firewall is an optional layer of security for your subnets. After you associate one or more subnets with a firewall, you can control traffic in and out of the subnets.
Figure 1 shows how a firewall works.
Similar to security groups, firewalls control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but firewalls have both "allow" and "deny" rules. You can use firewalls together with security groups to implement comprehensive and fine-grained access control.
Differences Between Security Groups and Firewalls summarizes the basic differences between security groups and firewalls.
Firewall Basics
- Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time.
- Each newly created firewall is in the Inactive state until you associate subnets with it.
Default Firewall Rules
By default, each firewall has preset rules that allow the following packets:
- Packets whose source and destination are in the same subnet
- Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.
- Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.
- Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.
- Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16)
- A firewall denies all traffic in and out of a subnet excepting the preceding ones. Table 1 shows the default firewall rules. You cannot modify or delete the default rules.
Rule Priorities
- Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.
- If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.
Application Scenarios
- If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.
Solution: You can add firewall rules to deny access from suspect IP addresses.
- How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?
Solution: You can add firewall rules to deny access traffic from a specific port and protocol, for example, TCP port 445.
- No defense is required for the east-west traffic between subnets, but access control is required for north-south traffic.
Solution: You can add firewall rules to protect north-south traffic.
- For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.
Solution: A firewall allows you to adjust the rule sequence so that frequently used rules are applied before other rules.
Configuration Procedure
Figure 2 shows the procedure for configuring a firewall.
- Create a firewall by following the steps described in Creating a Firewall.
- Add firewall rules by following the steps described in Adding a Firewall Rule.
- Associate subnets with the firewall by following the steps described in Associating Subnets with a Firewall. After subnets are associated with the firewall, the subnets will be protected by the configured firewall rules.