AWS Network Firewall
AWS Network Firewall replication with Arpio
Overview:
Network Firewall is an AWS-managed intrusion-prevention service that sits in a VPC and inspects traffic flowing to and from the workloads it protects.
A firewall is meaningless without the policy and rule groups it references, so Arpio treats these resources as a connected graph and pulls the dependencies into recovery points automatically.
Note: Arpio also deploys the AWS Network Firewall service itself to power our Advanced Network Sandbox. See the Network Sandbox documentation for details on how Arpio deploys Network Firewalls in the sandbox use case and how those interact with recovery of customer-managed Network Firewall resources.
Supported Resources
Arpio replicates the following resource types from the AWS Network Firewall service:
Firewall
Arpio replicates selected Firewall resources, deploying them in the corresponding VPC in the recovery environment with the same firewall policy, subnet mapping topology, and protection settings. Firewalls attached to a Transit Gateway instead of a VPC are also supported.
| Attribute | Translation |
|---|---|
| VPC | Translated to the corresponding VPC that Arpio manages in the recovery environment. |
| Subnet Mappings | Translated to the corresponding firewall subnets that Arpio manages in the recovery environment. Subnets are mapped across availability zones to mirror the AZ diversity of the primary environment. |
| Transit Gateway | Translated to the corresponding Transit Gateway that Arpio manages in the recovery environment, for firewalls deployed in Transit Gateway mode. |
| Availability Zone Mappings | Translated to availability zones in the recovery region, for firewalls deployed in Transit Gateway mode. |
| Firewall Policy ARN | Translated to the corresponding firewall policy that Arpio manages in the recovery environment. |
| Delete Protection, Subnet Change Protection, Firewall Policy Change Protection, Availability Zone Change Protection | Replicated without translation. |
| Enabled Analysis Types | Replicated without translation. Analysis types enabled on the source firewall (e.g., TLS_SNI, HTTP_HOST) are enabled on the replicated firewall. |
| Encryption Configuration | Replicated without translation. Customer-managed KMS keys must be multi-region keys for the source key reference to remain valid in the recovery region. Firewalls that use AWS-owned encryption are unaffected. |
| Tags | Replicated without translation. |
The following resources are automatically selected into recovery points when a Firewall is selected:
- The Amazon VPC the firewall is attached to, when applicable
- The Transit Gateway the firewall is attached to, when applicable
- The firewall subnets in each protected AZ, when applicable
- The Firewall Policy referenced by the firewall
- Any VPC Endpoint Associations attached to the firewall
Note: Currently, logging configuration is not replicated. After a recovery, you must reconfigure the firewall's logging destinations (CloudWatch log groups, S3 buckets, or Kinesis Data Firehose streams) in the recovery environment.
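The reapplication step, as an added example (not Arpio's code and not from this page): it reads the source firewall's logging configuration through the boto3 `network-firewall` API shape, renames each destination through a caller-supplied map, and pushes the result to the recovered firewall one destination at a time, because UpdateLoggingConfiguration rejects a call that adds, changes or removes more than one LogDestinationConfig. The firewall ARNs, destination names and the `FakeNetworkFirewall` stand-in are constructed so the script runs offline; with real boto3 clients for the two regions the calling code is identical.

```python
"""Re-establish logging on a recovered Network Firewall (added example, not Arpio's code)."""
import copy

# Name field inside LogDestination for each LogDestinationType.
_DESTINATION_KEY = {
    "S3": "bucketName",
    "CloudWatchLogs": "logGroup",
    "KinesisDataFirehose": "deliveryStream",
}


def translate_log_destination(config, destination_map):
    """Return a copy of one LogDestinationConfig with its destination renamed.

    destination_map maps source destination names to the names to use in the
    recovery region. An unmapped destination raises on purpose: quietly keeping
    a source-region log group or bucket after failover is the blind spot the
    note above warns about.
    """
    key = _DESTINATION_KEY[config["LogDestinationType"]]
    source_name = config["LogDestination"][key]
    if source_name not in destination_map:
        raise KeyError(f"no recovery destination mapped for {key}={source_name}")
    out = copy.deepcopy(config)
    out["LogDestination"][key] = destination_map[source_name]
    return out


def _current_configs(client, firewall_arn):
    resp = client.describe_logging_configuration(FirewallArn=firewall_arn)
    return copy.deepcopy(resp.get("LoggingConfiguration", {}).get("LogDestinationConfigs", []))


def reapply_logging(source_client, recovery_client, source_firewall_arn,
                    recovery_firewall_arn, destination_map):
    """Copy the source firewall's log destinations onto the recovered firewall.

    UpdateLoggingConfiguration accepts exactly one change per call (add one
    LogDestinationConfig, modify one, or remove one), so each translated config
    is appended to the recovered firewall's current list and applied separately.
    Both clients are boto3 'network-firewall' clients in their own region.
    """
    desired = _current_configs(recovery_client, recovery_firewall_arn)
    for cfg in _current_configs(source_client, source_firewall_arn):
        translated = translate_log_destination(cfg, destination_map)
        if translated in desired:
            continue  # already present, e.g. a re-run after a partial failure
        desired.append(translated)
        recovery_client.update_logging_configuration(
            FirewallArn=recovery_firewall_arn,
            LoggingConfiguration={"LogDestinationConfigs": copy.deepcopy(desired)},
        )
    return desired


class FakeNetworkFirewall:
    """Constructed offline stand-in for the two boto3 calls used above.

    It enforces the real API's one-change-per-call rule so the example fails the
    same way the service would if all configs were pushed at once.
    """

    def __init__(self, configs_by_firewall):
        self.store = configs_by_firewall
        self.update_calls = 0

    def describe_logging_configuration(self, FirewallArn):
        return {"FirewallArn": FirewallArn,
                "LoggingConfiguration": {"LogDestinationConfigs": self.store.get(FirewallArn, [])}}

    def update_logging_configuration(self, FirewallArn, LoggingConfiguration):
        self.update_calls += 1
        new = LoggingConfiguration["LogDestinationConfigs"]
        old = self.store.get(FirewallArn, [])
        if abs(len(new) - len(old)) > 1:
            raise ValueError("InvalidRequestException: only one log destination change per call")
        self.store[FirewallArn] = new
        return {"FirewallArn": FirewallArn, "LoggingConfiguration": LoggingConfiguration}


def demo():
    """Run the procedure against constructed source and recovery firewalls."""
    src_arn = "arn:aws:network-firewall:us-east-1:111122223333:firewall/prod-egress"
    dst_arn = "arn:aws:network-firewall:us-west-2:111122223333:firewall/prod-egress"
    source = FakeNetworkFirewall({src_arn: [
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "nfw-logs-east", "prefix": "flow"}},
        {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": "/nfw/prod-egress/alerts"}},
    ]})
    recovery = FakeNetworkFirewall({})
    destination_map = {"nfw-logs-east": "nfw-logs-west",
                       "/nfw/prod-egress/alerts": "/nfw/prod-egress/alerts"}
    applied = reapply_logging(source, recovery, src_arn, dst_arn, destination_map)
    return applied, recovery
```

Run this after a recovery and before declaring the firewall in service; until the ALERT destination exists, dropped and alerted traffic in the recovery region leaves no record.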
Firewall Policy
Arpio replicates Firewall Policies along with the rule groups and TLS inspection configurations they reference. Default actions and policy variables are preserved as-is.
| Attribute | Translation |
|---|---|
| Stateless Rule Group References | Translated to the corresponding stateless rule groups that Arpio manages in the recovery environment. Priority values are replicated without translation. |
| Stateful Rule Group References | Translated to the corresponding stateful rule groups that Arpio manages in the recovery environment. Priority and override values are replicated without translation. |
| Stateless Default Actions, Stateless Fragment Default Actions | Replicated without translation. |
| Stateful Default Actions | Replicated without translation. |
| Stateful Engine Options (rule order, stream exception policy) | Replicated without translation. |
| Policy Variables (IP set references) | Replicated without translation. |
| TLS Inspection Configuration ARN | Translated to the corresponding TLS inspection configuration that Arpio manages in the recovery environment. |
| Encryption Configuration | Replicated without translation. Customer-managed KMS keys must be multi-region keys for the source key reference to remain valid in the recovery region. |
| Tags | Replicated without translation. |
The following resources are automatically selected into recovery points when a Firewall Policy is selected:
- All stateless and stateful Rule Groups referenced by the policy
- Any TLS Inspection Configuration referenced by the policy
AWS-managed rule groups referenced by a policy are supported; their ARNs are rewritten to point at the equivalent AWS-managed rule group in the recovery region.
Note: Firewall Policies that reference Marketplace-managed rule groups are not currently supported. Please contact Arpio support if you depend on Marketplace-managed rule groups.
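A pre-flight check for the two notes above, as an added example (not Arpio's code and not from this page): given a DescribeFirewallPolicy response, it rewrites AWS-managed rule group ARNs for the recovery region, leaves customer-managed references for Arpio to map onto the rule groups it manages, and flags anything else, and it checks the policy's encryption configuration for a multi-region key using the fact that multi-region KMS key IDs begin with `mrk-`. Treating every rule group that is neither AWS-managed nor owned by the source account as unsupported is an assumption (Marketplace-managed rule groups are one such case, cross-account shares another); the sample response, account IDs and rule group names are constructed.

```python
"""Pre-flight check for a Firewall Policy before replication (added example, not Arpio's code)."""
import copy
import re

_RULE_GROUP_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):network-firewall:(?P<region>[^:]*):(?P<account>[^:]*):"
    r"(?P<kind>stateless-rulegroup|stateful-rulegroup)/(?P<name>[^/]+)$"
)


def classify_rule_group_arn(arn, source_account):
    """Customer-managed, AWS-managed, or something this page says is unsupported.

    AWS-managed rule groups carry the literal 'aws-managed' in the account field.
    Anything that is neither that nor the source account (a Marketplace-managed
    rule group, or a cross-account share) is reported as unsupported; treating
    every such ARN as unsupported is a conservative assumption.
    """
    m = _RULE_GROUP_ARN_RE.match(arn)
    if not m:
        return "malformed"
    account = m.group("account")
    if account == "aws-managed":
        return "aws-managed"
    if account == source_account:
        return "customer-managed"
    return "unsupported"


def rewrite_region(arn, recovery_region):
    """Point an AWS-managed rule group ARN at the same-named group in the recovery region."""
    m = _RULE_GROUP_ARN_RE.match(arn)
    return (f"arn:{m['partition']}:network-firewall:{recovery_region}:"
            f"{m['account']}:{m['kind']}/{m['name']}")


def check_encryption(encryption_configuration):
    """Customer-managed keys must be multi-region; multi-region key IDs start with 'mrk-'."""
    if not encryption_configuration or encryption_configuration.get("Type") != "CUSTOMER_KMS":
        return None  # AWS-owned key, nothing to check
    key_id = encryption_configuration.get("KeyId", "")
    if key_id.startswith("alias/") or ":alias/" in key_id:
        return f"KMS alias {key_id}: resolve it and confirm the target is a multi-region key"
    if "mrk-" not in key_id.rsplit("/", 1)[-1]:
        return f"KMS key {key_id} is a single-region key; the replicated reference will not resolve"
    return None


def preflight_policy(describe_response, source_account, recovery_region):
    """Inspect a DescribeFirewallPolicy response; returns (translated_policy, findings)."""
    policy = copy.deepcopy(describe_response["FirewallPolicy"])
    findings = []
    for key in ("StatelessRuleGroupReferences", "StatefulRuleGroupReferences"):
        for ref in policy.get(key, []):
            arn = ref["ResourceArn"]
            kind = classify_rule_group_arn(arn, source_account)
            if kind == "aws-managed":
                ref["ResourceArn"] = rewrite_region(arn, recovery_region)
            elif kind != "customer-managed":
                findings.append(f"{key}: {arn} is {kind} and will not be replicated")
    enc = describe_response.get("FirewallPolicyResponse", {}).get("EncryptionConfiguration")
    enc_finding = check_encryption(enc)
    if enc_finding:
        findings.append(enc_finding)
    return policy, findings


# Constructed sample, shaped like a network-firewall DescribeFirewallPolicy response.
SAMPLE_RESPONSE = {
    "FirewallPolicyResponse": {
        "FirewallPolicyName": "prod-egress",
        "EncryptionConfiguration": {
            "Type": "CUSTOMER_KMS",
            "KeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    },
    "FirewallPolicy": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/egress-allowlist",
             "Priority": 10},
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/ThreatSignaturesMalwareStrictOrder",
             "Priority": 20},
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:999999999999:stateful-rulegroup/vendor-feed",
             "Priority": 30},
        ],
    },
}
```

Feed it the output of `aws network-firewall describe-firewall-policy` for each policy you intend to protect; an empty findings list means every reference is something the table above says will be translated.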
Rule Group (Stateless)
Stateless rule groups are replicated with their full rule definitions. Source and destination IP addresses inside match attributes are translated when they fall within a replicated VPC's CIDR, so traffic in the recovery environment is matched against the equivalent recovery-region addresses.
| Attribute | Translation |
|---|---|
| Capacity | Replicated without translation. |
| Rule Definitions (match attributes, actions) | Source and destination addresses in match attributes are translated via VPC address translation when they fall within a replicated VPC's CIDR. Other match attributes (ports, protocols, TCP flags) and rule actions are replicated without translation. |
| Custom Actions | Replicated without translation. |
| Encryption Configuration | Replicated without translation. |
| Tags | Replicated without translation. |
Rule Group (Stateful)
Stateful rule groups are replicated with their full Suricata-compatible rule sets, domain lists, or 5-tuple rule definitions intact. IP addresses embedded in rule headers are translated, and references to Resource Groups or prefix lists are remapped to their recovery-environment equivalents.
| Attribute | Translation |
|---|---|
| Capacity | Replicated without translation. |
| Rules String (Suricata) | Source and destination addresses in Suricata rule headers are translated via VPC address translation when they fall within a replicated VPC's CIDR. Rule actions, options, protocols, and the rest of each rule are replicated without translation. |
| Rules Source List (domain allow/deny) | Replicated without translation. |
| Stateful Rules (5-tuple) | Source and destination addresses in rule headers are translated via VPC address translation when they fall within a replicated VPC's CIDR. Other header fields and rule options are replicated without translation. |
| Rule Variables (IP sets, port sets) | Replicated without translation. |
| Reference Sets (IP set references) | Resource Group ARNs are translated to the corresponding Resource Group that Arpio manages in the recovery environment. Customer-managed prefix list ARNs are translated when the prefix list is replicated by Arpio. AWS-managed prefix list ARNs are translated to the equivalent prefix list in the recovery region. |
| Stateful Rule Options (rule order) | Replicated without translation. |
| Encryption Configuration | Replicated without translation. |
| Tags | Replicated without translation. |
The following resources are automatically selected into recovery points when a Rule Group is selected:
- Any Resource Group referenced from an IP set reference in the rule group
- Any VPC whose CIDR contains an IP address embedded in a rule, so the address can be translated
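Address translation of the kind described for Suricata rules strings, as an added example (not Arpio's code and not from this page) that lets you compute what a rule group should look like in the recovery region and diff it against what was actually created: it parses each rule header, rewrites literal IPv4 addresses and CIDRs in the source and destination fields that fall inside a mapped VPC CIDR, and leaves rule options, variables such as `$HOME_NET`, and addresses outside any replicated VPC untouched. It goes beyond a single address to negated and bracketed address lists. The CIDR map and sample rules are constructed, and assuming that a source VPC CIDR and its recovery CIDR share a prefix length is a simplification.

```python
"""Translate IPv4 addresses in Suricata rule headers between VPC CIDRs (added example, not Arpio's code)."""
import ipaddress
import re

# action proto src src_port direction dst dst_port (options)
_HEADER_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)
_IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")


def translate_address(addr_text, cidr_map):
    """Move one address or CIDR into the recovery VPC range it maps to.

    cidr_map is {source_vpc_cidr: recovery_vpc_cidr}. Only addresses inside a
    replicated VPC's CIDR are translated; anything else is returned unchanged.
    Source and recovery CIDRs are assumed to share a prefix length.
    """
    try:
        net = ipaddress.ip_network(addr_text, strict=False)
    except ValueError:
        return addr_text  # not a valid address, leave the text alone
    for src_cidr, dst_cidr in cidr_map.items():
        src, dst = ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)
        if src.version != net.version or src.prefixlen != dst.prefixlen:
            continue
        if net.subnet_of(src):
            offset = int(net.network_address) - int(src.network_address)
            moved = ipaddress.ip_network((int(dst.network_address) + offset, net.prefixlen),
                                         strict=False)
            return str(moved) if "/" in addr_text else str(moved.network_address)
    return addr_text


def translate_field(field, cidr_map):
    """Rewrite every literal address in a header address field.

    Handles plain addresses, CIDRs, negation (!) and bracketed lists; rule
    variables such as $HOME_NET contain no literal and pass through untouched.
    """
    return _IPV4_RE.sub(lambda m: translate_address(m.group(0), cidr_map), field)


def translate_rule(rule, cidr_map):
    """Translate the header of one rule; options (msg, content, sid ...) are left alone."""
    m = _HEADER_RE.match(rule.strip())
    if not m:
        return rule  # blank line, comment, or a line this parser does not handle
    g = m.groupdict()
    header = " ".join((g["action"], g["proto"], translate_field(g["src"], cidr_map), g["sport"],
                       g["dir"], translate_field(g["dst"], cidr_map), g["dport"]))
    return header + (" " + g["opts"] if g["opts"] else "")


def translate_rules_string(rules_string, cidr_map):
    """Translate a whole RulesString line by line."""
    return "\n".join(translate_rule(line, cidr_map) for line in rules_string.splitlines())


# Constructed sample: the app tier VPC 10.0.0.0/16 is replicated as 10.1.0.0/16.
SAMPLE_CIDR_MAP = {"10.0.0.0/16": "10.1.0.0/16"}
SAMPLE_RULES = "\n".join([
    "# egress policy for the app tier",
    'pass tcp 10.0.1.0/24 any -> 10.0.2.5 5432 (msg:"app to db 10.0.2.5"; sid:100; rev:1;)',
    'drop ip ![10.0.0.0/16,192.168.0.0/16] any -> $HOME_NET any (msg:"unknown source"; sid:101; rev:1;)',
    'alert tcp 172.16.0.0/12 any -> any 443 (msg:"partner range"; sid:102; rev:1;)',
])

if __name__ == "__main__":
    print(translate_rules_string(SAMPLE_RULES, SAMPLE_CIDR_MAP))
```

Note that the `msg` text in the first rule still says `10.0.2.5` after translation: only header addresses are rewritten, which is the behaviour the table above describes, so alert text in the recovery region will keep source-region addresses.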
TLS Inspection Configuration
TLS inspection configurations are replicated along with the ACM certificates they depend on.
| Attribute | Translation |
|---|---|
| Server Certificate Configurations | ACM certificate ARNs in ServerCertificates are translated to the corresponding certificates that Arpio manages in the recovery environment. |
| Certificate Authority ARN | Replicated without translation. This is the ARN of the CA certificate imported into ACM that Network Firewall uses for outbound TLS inspection. ACM is regional, so a source-region ARN does not resolve in the recovery region; plan to import the CA certificate there and update the configuration after recovery. |
| Scopes (source and destination CIDRs, ports, protocols) | Replicated without translation. |
| Encryption Configuration | Replicated without translation. |
| Tags | Replicated without translation. |
The following resources are automatically selected into recovery points when a TLS Inspection Configuration is selected:
- All ACM certificates referenced from ServerCertificates entries
VPC Endpoint Association
VPC Endpoint Associations attach an additional VPC to an existing Network Firewall so that workloads in that VPC can route traffic through the firewall. They are not selected directly in Arpio; they are pulled into a recovery point automatically when the firewall they reference is selected.
| Attribute | Translation |
|---|---|
| Firewall ARN | Translated to the corresponding firewall that Arpio manages in the recovery environment. |
| VPC | Translated to the corresponding VPC that Arpio manages in the recovery environment. |
| Subnet Mapping | Translated to the corresponding subnet that Arpio manages in the recovery environment. |
| Description | Replicated without translation. |
| Tags | Replicated without translation. |