(aws-networkfirewall): L2 construct(s) #19209
Labels: @aws-cdk/aws-networkfirewall (Related to AWS Network Firewall), closed-for-staleness (This issue was automatically closed because it hadn't received any attention in a while), effort/large (Large work item – several weeks of effort), feature/new-construct (A request for a new L2 construct), feature-request (A feature should be added or improved), p2
Description
Currently, there are only generated L1 constructs for the relatively new AWS Network Firewall service. Deploying a network firewall with the corresponding routing through several subnets is a bit cumbersome with those constructs and could benefit heavily from sophisticated L2 constructs.
Use Case
The approaches for how one can/should deploy a network firewall are clearly structured, as can be seen in this AWS workshop.
However, with the L1 constructs one has to go "all the way" and implement all the bits and pieces of the architecture. This requires writing boilerplate code in several places, the most annoying being the retrieval of the network firewall's VPC endpoint IDs.
I solved this problem with an `AwsCustomResource` looking somewhat like this:

This seems like a recurring use case that shouldn't require the user to write boilerplate.
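As an added illustration (not code from the issue or from the CDK project) of the lookup such a custom resource has to do: the response shape assumed below is that of the Network Firewall `DescribeFirewall` API, where `FirewallStatus.SyncStates` is keyed by Availability Zone, and `endpointIdField` builds the per-AZ response-field path a caller reads from it. The sample response is constructed.

```typescript
// Added example, not from the issue or the CDK project. Assumes the
// DescribeFirewall response shape: FirewallStatus.SyncStates is a map keyed
// by AZ whose values carry an Attachment with SubnetId, EndpointId, Status.
interface Attachment { SubnetId?: string; EndpointId?: string; Status?: string; }
interface SyncState { Attachment?: Attachment; }
interface DescribeFirewallResponse {
  FirewallStatus?: { Status?: string; SyncStates?: Record<string, SyncState> };
}

// Response-field path for one AZ, the kind of string an AwsCustomResource
// caller reads per AZ (assumed path, derived from the response shape above).
export function endpointIdField(az: string): string {
  return `FirewallStatus.SyncStates.${az}.Attachment.EndpointId`;
}

// Map each expected AZ to its firewall endpoint ID. Fails loudly instead of
// producing an empty route target when an attachment is missing or not yet
// READY, which is what a lookup that runs too early would otherwise yield.
export function endpointIdsByAz(
  resp: DescribeFirewallResponse,
  expectedAzs: string[],
): Record<string, string> {
  const states = resp.FirewallStatus?.SyncStates ?? {};
  const out: Record<string, string> = {};
  for (const az of expectedAzs) {
    const att = states[az]?.Attachment;
    if (!att?.EndpointId) throw new Error(`no firewall endpoint in ${az}`);
    if (att.Status !== 'READY') {
      throw new Error(`endpoint in ${az} is ${att.Status ?? 'unknown'}`);
    }
    out[az] = att.EndpointId;
  }
  return out;
}

// Constructed sample response (no real infrastructure): two AZs ready, one
// still scaling and therefore not usable as a route target yet.
export const sampleResponse: DescribeFirewallResponse = {
  FirewallStatus: {
    Status: 'READY',
    SyncStates: {
      'eu-central-1a': { Attachment: { SubnetId: 'subnet-0a', EndpointId: 'vpce-0aaa', Status: 'READY' } },
      'eu-central-1b': { Attachment: { SubnetId: 'subnet-0b', EndpointId: 'vpce-0bbb', Status: 'READY' } },
      'eu-central-1c': { Attachment: { SubnetId: 'subnet-0c', EndpointId: 'vpce-0ccc', Status: 'SCALING' } },
    },
  },
};
```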
Another use case for L2 constructs would be the decoupling of the firewall policy and rule groups. Currently (to my knowledge) all rule groups must be specified inline in the properties of `CfnFirewallPolicy`. It would be nice to be able to add more rule groups to an existing firewall policy from other stacks.
Proposed Solution
Implement L2 constructs for the network firewall entities, that...
- a `NetworkFirewall` L2 construct that allows the user to automatically deploy a firewall subnet for each AZ and to automatically create the firewall policy
- `FirewallPolicy.fromFirewallPolicyArn(...)`, so that one can add more rule groups to an existing firewall policy from another stack
- `DomainAllowList` and `DomainDenyList` classes that wrap all the recurring code.

This is just a loose collection of ideas. I'm sure there's more that can be done, so feel free to add more ideas.
Other information
No response