Introducing Prefix Lists in AWS Network Firewall Stateful Rule Groups

Previously, when you scaled your network and added new IP address ranges, you had to update individual AWS Network Firewall rules. With this feature you update the relevant prefix list instead, and every Network Firewall rule group that references that prefix list is updated automatically. Stateful firewall rules can reference both customer-managed and AWS-managed prefix lists, and both the 5-tuple and Suricata-compatible IPS rule types support the reference.

How prefix list referencing works

Prefix lists let you group multiple CIDR blocks into a single object. You can group common traffic sources or destinations, such as remote branch offices connected to AWS via SD-WAN, or customer CIDR blocks, and then reference the prefix list from a stateful rule group. Whenever CIDR entries are added to or removed from the referenced prefix list, the change propagates automatically to the rule group, and therefore to every network firewall that uses that rule group.

Configuration steps

Get started by creating a prefix list using the AWS Command Line Interface (AWS CLI) or the console, or use an AWS-managed prefix list. If you already have the prefix list you need, skip this step. Then follow along with the examples below.

Example 1: Using a prefix list in a 5-tuple rule

  1. Navigate to the AWS Network Firewall section in the VPC management console. Choose Network Firewall rule groups and choose Create Network Firewall rule group.
  2. Select Stateful rule group and complete the required fields. Refer to Creating a stateful rule group for more information. Next, select 5-tuple as shown in the following figure.

    Figure 1: Network Firewall rule group creation wizard

  3. Expand the IP set reference section as shown in the following figure, and choose Add another IP set reference. Give a friendly name to the IP set reference variable and select the IP set reference ID for the prefix list that you want to reference in the rule. You can define one or more IP set reference variables in this step.

    Figure 2: IP set reference section

  4. Complete the Add rule section. See Creating a stateful rule group for more information. Then, in either the source or the destination field, you can use the friendly name that you created in the previous step prefixed with the ‘@’ symbol. In our example, it’s @branchoffices, as shown in the following figure. Configure the traffic direction and the rule action as pass, drop, or alert, depending on your preferences.

    Figure 3: Add rule section

  5. Next, choose Add rule. The rule appears in the rule list for the group, as shown in the following figure.

    Figure 4: Rules inside the rule group

  6. Next, choose Create stateful rule group. Once the rule group is created, the IP set reference and the prefix list it points to are visible in the rule group configuration, as shown in the following figure.

    Figure 5: Rule group configuration showing the IP set reference

Example 2: Using a prefix list in a Suricata compatible IPS rule

  1. Navigate to the AWS Network Firewall section in the VPC management console. Choose Network Firewall rule groups and choose Create Network Firewall rule group.
  2. Select Stateful rule group and complete the required fields. See Creating a stateful rule group for help. Next, select Suricata compatible IPS rules as shown in the following figure.

    Figure 6: Network Firewall rule group creation wizard

  3. Expand the IP set reference section as shown in the following figure, and choose Add another IP set reference. Give a friendly name to the IP set reference variable and select the IP set reference ID for the prefix list that you want to reference in the rule. You can define one or more IP set reference variables in this step.

    Figure 7: IP set reference section

  4. In the Suricata compatible IPS rules section, enter your rule or rules, referencing the friendly name of the IP set reference that you defined earlier with the @ symbol in the source or destination address position. In our example, it's @Customer1Subnet, as shown in the following figure.

    Figure 8: Network Firewall rule group creation wizard showing the example rule

  5. Choose Create stateful rule group, as shown in the following figure. The rule group is created.

    Figure 9: Create stateful rule group button

  6. Select the rule group that you just created and verify the IP set reference in the Rules section, as well as the IP set reference section as shown in the following figure.

    Figure 10: Rule group configuration showing the IP set reference

Considerations

Note the following considerations:

  • Prefix lists work with stateful rules only. You can reference them as the source or destination address set in both Suricata compatible rules and 5-tuple rules, alongside the rule's port and protocol matching. They work with both action-based ordering (pass, drop, alert) and strict (numeric) rule ordering. You can't use prefix lists in stateless rules or in domain list (FQDN) rules.
  • For referencing in a stateful rule, you can choose to create your own custom prefix lists or use a prefix list managed by AWS.
  • When referencing an IP set reference variable in a rule, use the syntax @prefix-list-name rather than $prefix-list-name. The @ form resolves to the IP set reference you defined; the $ form denotes a rule variable (an IP set or port set defined directly in the rule group), so $prefix-list-name would not resolve to the prefix list.
  • As of this writing, Network Firewall inspects IPv4 traffic only. A prefix list can be IPv4 or IPv6, but Network Firewall accepts references to IPv4 prefix lists only. If you attempt to reference an IPv6 prefix list, the console displays an error.
  • By default, a prefix list can hold up to 1,000 CIDR entries. This limit is an adjustable quota of the prefix list service.
  • The ability to reference prefix lists in stateful rule groups is available now in all commercial AWS regions. AWS GovCloud support is coming soon.
  • There's no additional cost for using prefix lists with Network Firewall. Refer to the service documentation to get started.
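The two console procedures above (Example 1 and Example 2) and the @ versus $ and IPv4-only considerations, expressed as one AWS CLI script. This is an added example, not code from the original post. The prefix list name, rule group name, region, the 192.0.2.0/24, 198.51.100.0/24 and 10.0.0.0/16 ranges, and the sid value are assumptions chosen for illustration; the variable name branchoffices is reused from Example 1. The JSON shape (ReferenceSets.IPSetReferences with a ReferenceArn, and RulesSource with either StatefulRules or RulesString) is the structure that aws network-firewall create-rule-group accepts for --rule-group.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Creates a customer-managed
# prefix list and a stateful rule group that references it through an
# IP set reference variable. Names, CIDRs and region are assumptions.
set -eu

REGION="${AWS_REGION:-us-east-1}"           # assumed region
PL_NAME="branch-offices"                     # assumed prefix list name
RULE_GROUP_NAME="branch-office-inspection"   # assumed rule group name
VAR_NAME="branchoffices"                     # IP set reference variable, as in Example 1

# Emit the JSON for --rule-group. The variable is declared once under
# ReferenceSets.IPSetReferences (ReferenceArn = the prefix list ARN) and used in
# the rule as @branchoffices. A rule group has one RulesSource type: 5tuple or suricata.
build_rule_group_json() {
  pl_arn="$1"; form="$2"
  case "$form" in
    5tuple)
      cat <<EOF
{
  "ReferenceSets": {
    "IPSetReferences": {
      "${VAR_NAME}": { "ReferenceArn": "${pl_arn}" }
    }
  },
  "RulesSource": {
    "StatefulRules": [
      {
        "Action": "PASS",
        "Header": {
          "Protocol": "TCP", "Source": "@${VAR_NAME}", "SourcePort": "ANY",
          "Direction": "FORWARD", "Destination": "10.0.0.0/16", "DestinationPort": "443"
        },
        "RuleOptions": [ { "Keyword": "sid", "Settings": [ "100001" ] } ]
      }
    ]
  }
}
EOF
      ;;
    suricata)
      cat <<EOF
{
  "ReferenceSets": {
    "IPSetReferences": {
      "${VAR_NAME}": { "ReferenceArn": "${pl_arn}" }
    }
  },
  "RulesSource": {
    "RulesString": "pass tcp @${VAR_NAME} any -> 10.0.0.0/16 443 (msg:\"branch offices to web tier\"; sid:100001; rev:1;)"
  }
}
EOF
      ;;
    *) echo "unknown rule form: $form (use 5tuple or suricata)" >&2; return 1 ;;
  esac
}

# Guard against the $ / @ mix-up: @name resolves to the IP set reference, while
# $name would mean a rule variable (RuleVariables.IPSets) that is not defined here.
check_ipset_reference_syntax() {
  case "$1" in
    *"\$${VAR_NAME}"*) echo "use @${VAR_NAME}, not \$${VAR_NAME}" >&2; return 1 ;;
    *"@${VAR_NAME}"*)  return 0 ;;
    *) echo "rule does not reference @${VAR_NAME}" >&2; return 1 ;;
  esac
}

# Network Firewall accepts IPv4 prefix lists only.
check_address_family() {
  [ "$1" = "IPv4" ] || { echo "prefix list address family is $1; IPv4 required" >&2; return 1; }
}

# Run as "sh script.sh apply [5tuple|suricata]" to create the resources;
# without arguments the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  form="${2:-suricata}"
  pl_id=$(aws ec2 create-managed-prefix-list --region "$REGION" \
    --prefix-list-name "$PL_NAME" --address-family IPv4 --max-entries 10 \
    --entries Cidr=192.0.2.0/24,Description=branch-a Cidr=198.51.100.0/24,Description=branch-b \
    --query 'PrefixList.PrefixListId' --output text)
  pl_arn=$(aws ec2 describe-managed-prefix-lists --region "$REGION" --prefix-list-ids "$pl_id" \
    --query 'PrefixLists[0].PrefixListArn' --output text)
  family=$(aws ec2 describe-managed-prefix-lists --region "$REGION" --prefix-list-ids "$pl_id" \
    --query 'PrefixLists[0].AddressFamily' --output text)
  check_address_family "$family"
  build_rule_group_json "$pl_arn" "$form" > rule-group.json
  check_ipset_reference_syntax "$(cat rule-group.json)"
  aws network-firewall create-rule-group --region "$REGION" \
    --rule-group-name "$RULE_GROUP_NAME" --type STATEFUL --capacity 100 \
    --rule-group file://rule-group.json
fi
```

After the rule group exists, adding a new branch is a prefix list change only (aws ec2 modify-managed-prefix-list with --add-entries and the list's --current-version); the rule group is not touched, which is the point of the feature. The check functions are there to catch the two mistakes the considerations list calls out before the create call is made.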

Conclusion

The ability to reference prefix lists in Network Firewall rule groups makes the management of groups of networks easier for various use cases. This feature will benefit organizations that wish to more tightly control their Network Firewall rules. Prefix lists can also be referenced across accounts, which makes central management of prefix lists possible. For further information about this feature, refer to the AWS Network Firewall User Guide.

Akshay Karanth

Akshay is a senior solutions architect at AWS. He helps digital native businesses learn, build, and grow in the AWS Cloud. Before AWS, he worked at companies such as Juniper Networks and Microsoft in various customer facing roles across networking and security domains. When not at work, Akshay enjoys hiking up a hard trail or cooking a fulfilling meal with his family.

Tyler Applebaum

Tyler is a Sr. Solutions Architect in the Charlotte, NC area helping customers migrate to AWS and modernize their applications. He has previous experience as a network engineer working in healthcare and finance.