Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
📘 AWS Certified Advanced Networking – Specialty
📌 1. What Are Security Appliances?
Security appliances are devices or software used to protect networks by controlling, filtering, and inspecting traffic.
The most important example for this exam is:
👉 Firewalls
A firewall is a system that:
- Monitors network traffic
- Applies security rules
- Allows or blocks traffic based on those rules
📌 2. Why Firewalls Are Important in Hybrid AWS Environments
When connecting:
- On-premises network ↔ AWS Cloud
You must protect:
- Data moving between networks
- Applications running in AWS
- Internal systems from external threats
Firewalls help enforce:
- Access control
- Segmentation
- Traffic inspection
- Threat prevention
📌 3. Types of Firewalls in AWS Architecture
🔹 3.1 Traditional (On-Premises) Firewalls
Located in:
- Data centers
- Edge networks
Used to:
- Control traffic going to/from AWS
- Work with:
- VPN connections
- AWS Direct Connect
🔹 3.2 AWS Native Firewalls
✅ Security Groups (Instance-level firewall)
- Attached to EC2 instances
- Stateful
- Allow rules only (no deny rules)
✔ Key Features:
- Automatically allows return traffic
- Works at instance level
- Controls:
- Inbound traffic
- Outbound traffic
✅ Network ACLs (Subnet-level firewall)
- Applied to subnets
- Stateless
✔ Key Features:
- Requires rules for both directions
- Supports:
- Allow rules
- Deny rules
- Evaluated in order (rule numbers)
✅ AWS Network Firewall
A managed, advanced firewall service
✔ Features:
- Deep packet inspection
- Stateful & stateless filtering
- Intrusion detection & prevention
- Centralized security policies
✔ Used in:
- VPC-level protection
- Inspection VPC architectures
🔹 3.3 Third-Party Firewalls (Security Appliances)
Deployed from AWS Marketplace (e.g., Fortinet, Palo Alto, Check Point)
✔ Features:
- Advanced threat protection
- URL filtering
- SSL inspection
- IDS/IPS (Intrusion Detection/Prevention)
✔ Deployed as:
- EC2 instances
- In high-availability setups
📌 4. Firewall Placement in AWS Hybrid Architecture
🔸 4.1 Edge Firewall (On-Premises Side)
- Controls traffic entering/exiting data center
- Works with:
- VPN
- Direct Connect
🔸 4.2 VPC-Level Firewall (AWS Side)
- AWS Network Firewall or third-party firewall
- Inspects traffic entering VPC
🔸 4.3 Subnet-Level Protection
- Network ACLs
🔸 4.4 Instance-Level Protection
- Security Groups
📌 5. Firewall Behavior: Stateful vs Stateless
🔹 Stateful Firewall
- Tracks connection state
- Automatically allows return traffic
✔ Examples:
- Security Groups
- AWS Network Firewall (stateful mode)
🔹 Stateless Firewall
- Does NOT track connections
- Requires rules for both directions
✔ Example:
- Network ACLs
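As an added illustration (not part of the original study notes) of the stateful/stateless contrast in sections 3.2 and 5, this Python model evaluates a constructed HTTPS request and its reply against NACL rules (ordered by rule number, both directions checked, implicit deny) and against a Security Group (allow-only, return traffic tracked). The client address, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    peer: str       # remote IP: the client for an inbound request and for its reply
    port: int       # destination port of this packet
    direction: str  # "in" (toward the instance/subnet) or "out"

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number; not used for Security Group rules
    direction: str  # "in" or "out"
    cidr: str       # peer address range the rule applies to
    ports: tuple    # (low, high), inclusive
    action: str     # "allow" or "deny"; Security Groups only have "allow"

def matches(rule: Rule, pkt: Packet) -> bool:
    low, high = rule.ports
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr)
            and low <= pkt.port <= high)

def nacl_allows(rules, pkt):
    """Stateless NACL: evaluate by ascending rule number, first match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action == "allow"
    return False

def nacl_flow(rules, request, reply):
    """Both directions are evaluated independently; a missing return rule drops the reply."""
    return nacl_allows(rules, request) and nacl_allows(rules, reply)

def sg_flow(rules, request):
    """Stateful Security Group: if the request matches an allow rule, the reply is
    tracked and permitted automatically, so outbound rules are never consulted for it."""
    return any(r.action == "allow" and matches(r, request) for r in rules)

# Constructed sample flow: HTTPS from a client in a documentation range, reply to its ephemeral port
REQUEST = Packet("203.0.113.10", 443, "in")
REPLY = Packet("203.0.113.10", 51234, "out")

NACL_INBOUND_ONLY = [Rule(100, "in", "0.0.0.0/0", (443, 443), "allow")]
NACL_COMPLETE = NACL_INBOUND_ONLY + [Rule(100, "out", "0.0.0.0/0", (1024, 65535), "allow")]
# Deny a specific range at subnet level: it only takes effect if numbered before the allow
NACL_BLOCK_FIRST = [Rule(50, "in", "203.0.113.0/24", (0, 65535), "deny")] + NACL_COMPLETE
NACL_BLOCK_LAST = NACL_COMPLETE + [Rule(200, "in", "203.0.113.0/24", (0, 65535), "deny")]
SG_HTTPS = [Rule(0, "in", "0.0.0.0/0", (443, 443), "allow")]
```

With only the inbound 443 rule, the NACL drops the reply; the Security Group with the same single inbound rule lets the whole flow through, and a deny numbered after the matching allow never fires.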
📌 6. Common Firewall Use Cases in AWS
🔸 6.1 Securing VPN Connections
- Filter traffic coming from on-premises
- Allow only required ports (e.g., HTTPS, SSH)
🔸 6.2 Securing Direct Connect
- Control traffic between:
- Corporate network
- AWS VPC
🔸 6.3 Inspection VPC (Centralized Security)
A dedicated VPC that:
- Contains firewall appliances
- Inspects all traffic before reaching application VPCs
✔ Often used with:
- AWS Transit Gateway
🔸 6.4 East-West Traffic Inspection
- Traffic between EC2 instances
- Controlled using:
- Security Groups
- Internal firewalls
🔸 6.5 North-South Traffic Inspection
- Traffic entering/leaving AWS
- Controlled using:
- Edge firewalls
- AWS Network Firewall
📌 7. Integration with AWS Networking Services
🔹 AWS Transit Gateway
- Central hub for VPCs and on-prem networks
- Can route traffic through firewalls for inspection
🔹 VPC Routing Tables
- Used to send traffic to firewall appliances
Example:
- Route traffic → firewall → destination
🔹 Gateway Load Balancer (GWLB)
- Used to deploy and scale firewall appliances
✔ Benefits:
- High availability
- Load balancing
- Transparent traffic redirection
📌 8. High Availability for Firewalls
For the exam, remember:
Firewalls must be:
- Highly available
- Fault tolerant
✔ Achieved by:
- Deploying across multiple AZs
- Using:
- Auto Scaling
- Load balancing (GWLB)
📌 9. Security Best Practices
✅ Use Layered Security (Defense in Depth)
Combine:
- Security Groups
- Network ACLs
- AWS Network Firewall
- Third-party appliances
✅ Least Privilege Access
- Allow only required traffic
- Deny everything else
✅ Centralized Inspection
- Use Inspection VPC
- Route all traffic through firewalls
✅ Logging and Monitoring
Enable:
- VPC Flow Logs
- Firewall logs
✅ Use Managed Services Where Possible
- AWS Network Firewall reduces management effort
📌 10. Exam Tips (VERY IMPORTANT)
🔥 Key Concepts to Remember:
✔ Difference:
- Security Groups → Stateful
- NACLs → Stateless
✔ Firewall Layers:
- Instance → Security Group
- Subnet → NACL
- VPC → Network Firewall
✔ Inspection:
- Use Transit Gateway + Inspection VPC
✔ Scaling:
- Use Gateway Load Balancer
✔ Hybrid Security:
- Combine on-prem firewall + AWS firewall
📌 11. Common Exam Scenarios
Be ready for questions like:
- “How to inspect traffic between multiple VPCs?”
→ Use Transit Gateway + firewall in inspection VPC
- “How to scale firewall appliances?”
→ Use Gateway Load Balancer
- “How to block specific IP ranges at subnet level?”
→ Use Network ACL
- “How to allow only specific ports to EC2?”
→ Use Security Groups
🧠 Final Summary
Security appliances (firewalls) in AWS are used to:
- Control traffic between on-premises and AWS
- Protect applications and data
- Enforce security policies
They exist at multiple levels:
| Level | Tool Used |
|---|---|
| Instance | Security Groups |
| Subnet | Network ACLs |
| VPC | AWS Network Firewall |
| Advanced | Third-party firewalls |
If you understand:
- Firewall types
- Placement strategies
- Integration with AWS services
- Stateful vs stateless behavior
👉 You are well-prepared for this exam section.
