NTC Network Firewall
NTC Network Firewall v2 introduces major improvements including AWS Provider v6 support and AWS European Sovereign Cloud compatibility.
📖 Read the Migration Guide for step-by-step instructions.
Description
NTC Network Firewall provides comprehensive network security through AWS Network Firewall - a managed stateful firewall and intrusion detection/prevention system (IDS/IPS). This building block enables deep packet inspection, domain-based filtering, and Suricata-compatible threat detection to protect your AWS workloads from network-based attacks.
Unlike traditional security controls (Security Groups, NACLs), AWS Network Firewall offers:
- Deep Packet Inspection: Analyze packet contents beyond headers for application-aware filtering
- Domain Filtering: Block or allow traffic by domain name (e.g., *.malicious-site.com)
- IDS/IPS Capabilities: Detect and prevent threats using Suricata-compatible rules
- Centralized Control: Deploy in hub-and-spoke architecture for organization-wide protection
- AWS Managed: Automatic scaling and high availability without infrastructure management
NTC Network Firewall simplifies deployment with support for stateless rules (wire-speed filtering), stateful rules (connection-aware inspection), domain lists, 5-tuple rules, Suricata IPS rules, and AWS-managed threat intelligence. Comprehensive logging to CloudWatch, S3, and Kinesis ensures full visibility into network traffic and security events.
Usage
| Latest Release | 2.0.0 |
|---|---|
Requirements
The following requirements are needed by this module:
- terraform (>= 1.6.0)
- aws (>= 6.15)
Providers
The following providers are used by this module:
- aws (>= 6.15)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_cloudwatch_log_group.ntc_logging (resource)
- aws_kms_alias.ntc_firewall (resource)
- aws_kms_key.ntc_firewall (resource)
- aws_kms_key_policy.ntc_firewall (resource)
- aws_networkfirewall_firewall.ntc_firewall (resource)
- aws_networkfirewall_firewall_policy.ntc_policy (resource)
- aws_networkfirewall_logging_configuration.ntc_logging (resource)
- aws_networkfirewall_rule_group.ntc_stateful (resource)
- aws_networkfirewall_rule_group.ntc_stateless (resource)
- aws_caller_identity.current (data source)
- aws_iam_policy_document.ntc_firewall_kms (data source)
- aws_partition.current (data source)
- aws_region.current (data source)
Required Inputs
The following input variables are required:
firewall_name
Description: Name of the Network Firewall.
Type: string
subnet_ids
Description: List of subnet IDs where Network Firewall endpoints will be created. Subnets must be in different Availability Zones for high availability.
Type: list(string)
vpc_id
Description: ID of the VPC where the Network Firewall will be deployed. VPC must already exist.
Type: string
Optional Inputs
The following input variables are optional (have default values):
aws_managed_rule_groups
Description: List of AWS managed rule groups to attach to the firewall policy. These provide pre-configured protection against common threats.
Type:
```hcl
list(object({
  name     = string
  priority = number
  # Override default actions for specific managed rules
  override_actions = optional(map(string), {})
}))
```
Default: []
delete_protection
Description: Enable deletion protection for the Network Firewall to prevent accidental deletion.
Type: bool
Default: true
description
Description: Description of the Network Firewall and its purpose.
Type: string
Default: null
enabled_traffic_analysis_types
Description: List of traffic analysis types to be enabled for the Network Firewall. Supported types are 'TLS_SNI' and 'HTTP_HOST'. Set to an empty list to disable traffic analysis.
Type: list(string)
Default:
```hcl
[
  "TLS_SNI",
  "HTTP_HOST"
]
```
firewall_policy
Description: Configuration for the Network Firewall policy including stateless and stateful rule groups.
Type:
```hcl
object({
  # Stateless rule groups (processed first, fast packet filtering)
  # 'aws:drop' - drop the packet
  # 'aws:forward_to_sfe' - forward to stateful engine for further inspection
  # 'aws:pass' - allow the packet to proceed without further inspection
  stateless_default_actions          = optional(list(string), ["aws:forward_to_sfe"])
  stateless_fragment_default_actions = optional(list(string), ["aws:forward_to_sfe"])
  # Stateful rule groups (connection tracking, deep packet inspection)
  stateful_default_actions                        = optional(list(string), ["aws:drop_established"])
  stateful_engine_options_rule_order              = optional(string, "STRICT_ORDER")
  stateful_engine_options_stream_exception_policy = optional(string, null)
  # TLS inspection configuration
  tls_inspection_configuration_arn = optional(string, null)
})
```
Default: {}
logging_configuration
Description: Network Firewall logging configuration with separate settings for ALERT, FLOW, and TLS log types. Each log type can be sent to CloudWatch Logs (with optional automatic log group creation), S3, or Kinesis Data Firehose.
Type:
```hcl
object({
  enable_monitoring_dashboard = optional(bool, false)
  alert = optional(object({
    log_destination_type = string # CloudWatchLogs, S3, or KinesisDataFirehose
    # CloudWatch Logs options (only for CloudWatchLogs destination)
    create_log_group = optional(bool, true)
    log_group_name   = optional(string)
    retention_days   = optional(number, 7)
    # S3 options (only for S3 destination)
    s3_bucket_name = optional(string)
    s3_prefix      = optional(string)
    # Kinesis Firehose options (only for KinesisDataFirehose destination)
    kinesis_delivery_stream_name = optional(string)
  }))
  flow = optional(object({
    log_destination_type = string # CloudWatchLogs, S3, or KinesisDataFirehose
    # CloudWatch Logs options (only for CloudWatchLogs destination)
    create_log_group = optional(bool, true)
    log_group_name   = optional(string)
    retention_days   = optional(number, 7)
    # S3 options (only for S3 destination)
    s3_bucket_name = optional(string)
    s3_prefix      = optional(string)
    # Kinesis Firehose options (only for KinesisDataFirehose destination)
    kinesis_delivery_stream_name = optional(string)
  }))
  tls = optional(object({
    log_destination_type = string # CloudWatchLogs, S3, or KinesisDataFirehose
    # CloudWatch Logs options (only for CloudWatchLogs destination)
    create_log_group = optional(bool, true)
    log_group_name   = optional(string)
    retention_days   = optional(number, 7)
    # S3 options (only for S3 destination)
    s3_bucket_name = optional(string)
    s3_prefix      = optional(string)
    # Kinesis Firehose options (only for KinesisDataFirehose destination)
    kinesis_delivery_stream_name = optional(string)
  }))
})
```
Default: {}
policy_change_protection
Description: Enable firewall policy change protection to prevent accidental policy modifications.
Type: bool
Default: false
region
Description: AWS region where the resources will be created. Omit to use the provider default region.
Type: string
Default: null
stateful_rule_groups
Description: List of stateful rule groups with support for domain lists, Suricata IPS rules, and 5-tuple rules. Use rule_group_type to specify the type and configure type-specific settings accordingly.
Type:
```hcl
list(object({
  name            = string
  description     = optional(string, null)
  capacity        = number
  priority        = number
  rule_group_type = string # "domain_list", "suricata", or "5tuple"
  # Domain list configuration (only used when rule_group_type = "domain_list")
  domain_list_config = optional(object({
    type           = string       # ALLOWLIST or DENYLIST
    targets        = list(string) # Domain names
    protocol_types = optional(list(string), ["HTTP_HOST", "TLS_SNI"])
  }), null)
  # Suricata configuration (only used when rule_group_type = "suricata")
  suricata_config = optional(object({
    rules_string   = string
    rule_variables = optional(map(list(string)), {})
  }), null)
  # 5-tuple configuration (only used when rule_group_type = "5tuple")
  five_tuple_config = optional(object({
    rules = list(object({
      action           = string # PASS, DROP, ALERT, or REJECT
      protocol         = string # IP protocol (TCP, UDP, ICMP, etc.)
      source_cidr      = string
      source_port      = string # Can be "ANY" or specific port/range like "80" or "1024:65535"
      direction        = string # FORWARD or ANY
      destination_cidr = string
      destination_port = string # Can be "ANY" or specific port/range
      sid              = number # Unique rule identifier
      description      = optional(string, null)
    }))
  }), null)
}))
```
Default: []
stateless_rule_groups
Description: List of stateless rule groups for fast packet filtering based on header information. Rules are evaluated in priority order.
Type:
```hcl
list(object({
  name        = string
  description = optional(string, null)
  capacity    = number
  priority    = number
  rules = list(object({
    priority = number
    actions  = list(string)
    # Match criteria (all are optional, but at least one should be specified)
    protocols    = optional(list(string), null)
    source_cidrs = optional(list(string), null)
    source_port = optional(object({
      from_port = number
      to_port   = number
    }), null)
    destination_cidrs = optional(list(string), null)
    destination_port = optional(object({
      from_port = number
      to_port   = number
    }), null)
    tcp_flags = optional(list(object({
      flags = list(string)
      masks = list(string)
    })), null)
  }))
}))
```
Default: []
subnet_change_protection
Description: Enable subnet change protection to prevent accidental modification of firewall subnet associations.
Type: bool
Default: true
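As an added example that is not part of the module's own documentation, the following call wires the inputs above together: the stateless stage hands unmatched packets to the stateful engine and drops Telnet at wire speed, a domain allowlist and a Suricata alert rule run in STRICT_ORDER with drop_established as the default, and ALERT logs go to CloudWatch Logs while FLOW logs go to S3. The module source path, VPC and subnet IDs, domain names and bucket name are placeholders, and the S3 bucket is assumed to exist already.

```hcl
module "network_firewall" {
  source        = "../modules/ntc-network-firewall" # path is an assumption
  firewall_name = "egress-inspection"
  vpc_id        = "vpc-0123456789abcdef0"                                # placeholder
  subnet_ids    = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders, two AZs
  firewall_policy = {
    stateless_default_actions = ["aws:forward_to_sfe"]
    # STRICT_ORDER + drop_established: a flow no rule explicitly passes is dropped
    # once established, i.e. after the TLS SNI / HTTP Host has been inspected
    stateful_default_actions           = ["aws:drop_established"]
    stateful_engine_options_rule_order = "STRICT_ORDER"
  }
  stateless_rule_groups = [{
    name     = "drop-telnet"
    capacity = 10
    priority = 10
    rules = [{
      priority          = 1
      actions           = ["aws:drop"]
      protocols         = ["6"] # IP protocol number, 6 = TCP
      source_cidrs      = ["0.0.0.0/0"]
      destination_cidrs = ["0.0.0.0/0"]
      destination_port  = { from_port = 23, to_port = 23 }
    }]
  }]
  stateful_rule_groups = [
    {
      name            = "egress-allowlist"
      capacity        = 100
      priority        = 10
      rule_group_type = "domain_list"
      domain_list_config = {
        type    = "ALLOWLIST"
        targets = [".amazonaws.com", "updates.example.com"] # constructed domains
      }
    },
    {
      name            = "ids-alerts"
      capacity        = 100
      priority        = 20
      rule_group_type = "suricata"
      suricata_config = {
        rules_string = "alert tcp any any -> any 3389 (msg:\"RDP egress seen\"; sid:1000001; rev:1;)"
      }
    }
  ]
  logging_configuration = {
    alert = { log_destination_type = "CloudWatchLogs", retention_days = 90 }
    flow  = { log_destination_type = "S3", s3_bucket_name = "fw-logs-example", s3_prefix = "flow/" }
  }
}
```

With this policy, a connection to a domain outside the allowlist is dropped after the handshake rather than at the SYN, so the dropped SNI/Host shows up in the ALERT log and can be reviewed before the list is widened.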
Outputs
The following outputs are exported:
firewall_arn
Description: The ARN of the Network Firewall.
firewall_endpoint_ids
Description: Map of availability zone to firewall endpoint ID.
firewall_endpoint_routing_config
Description: Routing configuration for each firewall endpoint. Use this to configure route tables for inspection traffic.
firewall_id
Description: The unique identifier of the Network Firewall.
firewall_name
Description: The name of the Network Firewall.
firewall_policy_arn
Description: The ARN of the Network Firewall policy.
firewall_policy_id
Description: The unique identifier of the Network Firewall policy.
firewall_status
Description: The current status of the Network Firewall.
firewall_subnet_mappings
Description: Map of availability zone to subnet ID where firewall endpoints are deployed.
stateful_rule_group_arns
Description: Map of stateful rule group names to their ARNs.
stateful_rule_group_ids
Description: Map of stateful rule group names to their IDs.
stateful_rule_groups_by_type
Description: Map of stateful rule groups organized by type (domain_list, suricata, 5tuple).
stateless_rule_group_arns
Description: Map of stateless rule group names to their ARNs.
stateless_rule_group_ids
Description: Map of stateless rule group names to their IDs.
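An added example, not part of the module, of consuming the firewall_endpoint_ids output (a map of availability zone to endpoint ID): one default route per AZ sends the workload subnet's traffic to the firewall endpoint in the same AZ, which keeps forward and return paths symmetric so the stateful engine sees both directions of every flow. The module instance name network_firewall and the workload_route_table_ids variable are assumptions.

```hcl
# AZ name -> route table ID of the workload subnet in that AZ (constructed input,
# e.g. { "eu-central-1a" = "rtb-0aaaa...", "eu-central-1b" = "rtb-0bbbb..." })
variable "workload_route_table_ids" {
  type = map(string)
}

# each.key is the AZ, each.value the firewall endpoint ID in that AZ.
# Routing through an endpoint in another AZ would create asymmetric paths,
# and the stateful engine would then see only one direction of a flow.
resource "aws_route" "workload_default_via_firewall" {
  for_each = module.network_firewall.firewall_endpoint_ids

  route_table_id         = var.workload_route_table_ids[each.key]
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = each.value

  lifecycle {
    precondition {
      # fail at plan time with a clear message if an AZ has no route table mapped
      condition     = contains(keys(var.workload_route_table_ids), each.key)
      error_message = "No workload route table supplied for availability zone ${each.key}."
    }
  }
}
```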