Need to Block Outgoing Traffic in AWS VPC with Specific FQDN Exceptions

I work for an incident response firm, we respond to ransomware attacks, and as such, network isolation is quite important. This environment is entirely in AWS: 1 single VPC with about 200 instances.
My situation is that I need to block outgoing traffic, for every instance, but allow for some specific FQDNs/services to get through. This problem is worsened by the fact that these services that need to be allowed through cannot be allowed via CIDR block/IP, as they are load balanced; every time you nslookup the FQDN, different IPs are returned, so… security groups are not ideal. Normally, when working with a firewall appliance, it would be as simple as making a single ACL rule to block all and another to allow the specific FQDN.
I did make a security group to block all outbound traffic; however, the way this environment is set up, each individual instance has its own security group configured. So to employ my blocker security group, I would have to remove each instance's currently configured security groups, which would probably break things, and I wouldn't remember what groups each one originally had. If only I could deploy this blocking security group at the entire VPC level.
My next thought was Route53 DNS Firewall. I went ahead and configured the rules to block all domains except my specific FQDN. Applied it to the VPC. Alas, not working. I presume (after checking the instances' current DNS settings) this is because these instances are configured to use Active Directory DNS, which is running on another Windows Server instance running as a DC.
Any ideas here??? It seems way too convoluted and difficult for such a simple task. I'm starting to look into the 3rd party virtual firewall appliances in the AWS Marketplace; however, I really don't want to have to mess with adding additional subnets and messing with the routing table etc. to get this solved.
Any input is greatly appreciated.

Intuitively, Route53 DNS Resolver is an applicable tool.
It would work, if you could route DNS traffic from your VPC to the resolver.
The complication is the AD DNS server. You may need to either configure your resolver rules there, or add your Route53 resolver into the chain…
Assuming your instances are all configured for the AD DNS, and that’s inside the VPC, you may be able to point it to the R53 Resolver rather than an external address.

This PDF (https://pages.awscloud.com/rs/112-TZM-766/images/Day4%20Protect%20your%20Network%20from%20DNS%20Exfiltration%20Attacks.pdf) has some ideas and diagrams that may be useful.

AWS Network Firewall might be an option?

Might involve a certain amount of routing changes to get it working, but that might be inevitable.

Yeah, network firewall is what you want. It will need routing changes but not massive ones.

Thanks guys for your replies. Since I posted this I was able to set up Network Firewall, and Route53 DNS to forward internal queries to the EC2 instances running as domain controllers/DNS.
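Worked example of the Network Firewall approach the thread settles on, added here and not taken from any reply: a STRICT_ORDER stateful rule group that passes outbound TLS/HTTP only to an FQDN allowlist (matched on SNI / Host header, so the load-balanced IPs never matter) and drops every other flow leaving the VPC, plus the firewall policy settings those rules depend on. The domain names, CIDR and ARN are constructed placeholders, and it assumes only internet-bound routes are sent through the firewall endpoint, so internal traffic such as DNS to the domain controllers never reaches these rules.

```python
"""Build an AWS Network Firewall egress allowlist (hypothetical example).
All names, CIDRs and ARNs below are constructed placeholders."""

ALLOWED_FQDNS = ["updates.vendor.example", "api.vendor.example"]  # constructed
VPC_CIDR = "10.0.0.0/16"  # placeholder for the protected VPC


def build_rules(allowed_fqdns):
    """Suricata-compatible rules for a STRICT_ORDER stateful rule group."""
    rules, sid = [], 1
    for fqdn in allowed_fqdns:
        # dotprefix + endswith: match the FQDN itself and any subdomain of it.
        for proto, buf in (("tls", "tls.sni"), ("http", "http.host")):
            rules.append(
                f'pass {proto} $HOME_NET any -> any any ({buf}; dotprefix; '
                f'content:".{fqdn}"; endswith; nocase; flow:to_server; '
                f'msg:"allow {proto} {fqdn}"; sid:{sid}; rev:1;)')
            sid += 1
    # TCP: drop only once the flow is established, so the 3-way handshake
    # completes and the ClientHello/SNI can actually be inspected above.
    rules.append('drop tcp $HOME_NET any -> any any (flow:established,to_server; '
                 f'msg:"deny tcp egress"; sid:{sid}; rev:1;)')
    # UDP and ICMP carry no SNI to wait for: drop from the first packet.
    for proto in ("udp", "icmp"):
        sid += 1
        rules.append(f'drop {proto} $HOME_NET any -> any any '
                     f'(msg:"deny {proto} egress"; sid:{sid}; rev:1;)')
    return "\n".join(rules)


def rule_group_request(name, allowed_fqdns, vpc_cidr):
    """kwargs for boto3 client('network-firewall').create_rule_group()."""
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": 100,
        "RuleGroup": {
            # Explicit HOME_NET so the drop rules only catch traffic that
            # originates inside the VPC, never the replies coming back in.
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [vpc_cidr]}}},
            "RulesSource": {"RulesString": build_rules(allowed_fqdns)},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def firewall_policy(rule_group_arn):
    """FirewallPolicy for create_firewall_policy(): strict order plus the
    drop_established default that lets handshakes finish before SNI is seen."""
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_established"],
        "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": 1}],
    }
```

Check the generated rules against the firewall's flow logs after deployment: a flow to an allowlisted FQDN should show a pass on the first ClientHello, and anything else a drop right after the handshake.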