I'm using AWS Network Firewall along with a Windows EC2 instance to test. The goal is to allow access to only allowed URLs, which are:
example.com
.amazon.com
.amazonaws.com
This generally works. Sites like Yahoo, Reddit, Netflix, etc. are blocked and show up in the alert logs. However, google.com doesn't get blocked from the browser. It only gets blocked from the command line when using curl.
Sequence of events:
1. Open browser
2. Go to google.com -> The site loads without an issue
3. There isn't any entry in the alerts log
4. Open the network tab in the browser and copy the cURL related to google.com
5. Open command prompt
6. Run the cURL command. This is blocked.
7. Check the alerts log. An entry alerting for google.com is present.
My Firewall Policy has the following rules:
Stateless Rule Groups
a. allow-rdp: allows RDP connections from any source to any destination. Action is "pass". I use this because otherwise I have issues logging in using AWS Fleet Manager.
Stateful Rule Groups
a. allowlist: allows specific URLs via HTTPS. List includes example.com, .amazon.com, and .amazonaws.com
My network architecture is similar to the last image here with both the firewall subnet and the customer subnet being public subnets (the route tables are as shown in the link).
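A small checker for the two things this question turns on: whether a hostname should be allowed under Network Firewall's domain-list matching (a plain entry such as example.com matches only that exact name; a leading-dot entry such as .amazon.com matches the domain and every subdomain), and whether a host the client actually reached ever produced an alert-log entry. This is an added example, not code from the original post or from AWS; the alert-log lines are constructed, with field names following the layout of Network Firewall alert logs (event.tls.sni, event.http.hostname, event.proto, event.dest_port, event.alert.action) rather than anything captured from the poster's setup.

```python
"""Evaluate hostnames against an AWS Network Firewall domain-list allowlist and
summarise alert-log lines.  Added example, not from the original post.

Domain-list semantics as documented for Network Firewall:
  - "example.com"  matches only the exact name example.com
  - ".amazon.com"  matches amazon.com and any subdomain of it
"""
import json
from typing import Iterable, List, Tuple

# The allowlist exactly as given in the question.
ALLOWLIST = ["example.com", ".amazon.com", ".amazonaws.com"]


def host_allowed(host: str, allowlist: Iterable[str] = ALLOWLIST) -> bool:
    """True if `host` matches an allowlist entry under domain-list rules."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            base = entry[1:]
            # Leading dot: the domain itself or a real subdomain (not a
            # lookalike such as notamazon.com, which lacks the "." boundary).
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


# Constructed alert-log lines (one JSON object per line, as the firewall
# writes them).  Addresses, timestamps and names are made up.
SAMPLE_ALERT_LOG = [
    '{"firewall_name":"test-fw","availability_zone":"us-east-1a",'
    '"event_timestamp":"1700000000","event":{"event_type":"alert",'
    '"src_ip":"10.0.1.10","src_port":51000,"dest_ip":"198.51.100.5",'
    '"dest_port":443,"proto":"TCP","app_proto":"tls",'
    '"tls":{"sni":"www.yahoo.com"},'
    '"alert":{"action":"blocked","signature":"not matching any TLS allowlisted FQDNs"}}}',
    '{"firewall_name":"test-fw","availability_zone":"us-east-1a",'
    '"event_timestamp":"1700000010","event":{"event_type":"alert",'
    '"src_ip":"10.0.1.10","src_port":51001,"dest_ip":"198.51.100.6",'
    '"dest_port":80,"proto":"TCP","app_proto":"http",'
    '"http":{"hostname":"www.reddit.com","url":"/"},'
    '"alert":{"action":"blocked","signature":"not matching any HTTP allowlisted FQDNs"}}}',
]


def summarize_alerts(lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (hostname, proto, dest_port, action) per alert line.

    The hostname comes from tls.sni for TLS flows or http.hostname for HTTP
    flows, which are the two fields a domain-list rule group matches on.
    """
    out = []
    for line in lines:
        ev = json.loads(line)["event"]
        host = ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname")
        out.append((host, ev["proto"], ev["dest_port"], ev["alert"]["action"]))
    return out


def missing_from_alerts(observed_hosts: Iterable[str], alert_lines: Iterable[str],
                        allowlist: Iterable[str] = ALLOWLIST) -> List[str]:
    """Hosts the client reached that are NOT on the allowlist yet have no
    alert entry: the symptom in the question (google.com loads in the
    browser but never appears in the alert log)."""
    alerted = {h for h, _, _, _ in summarize_alerts(alert_lines) if h}
    return sorted(h for h in observed_hosts
                  if not host_allowed(h, allowlist) and h.lower() not in alerted)


if __name__ == "__main__":
    # Hosts the browser was seen to reach (constructed for the example).
    reached = ["google.com", "www.yahoo.com", "www.reddit.com", "s3.amazonaws.com"]
    for host, proto, port, action in summarize_alerts(SAMPLE_ALERT_LOG):
        print(f"alert: {host:20} {proto}/{port} -> {action}")
    print("reachable, not allowlisted, no alert:",
          missing_from_alerts(reached, SAMPLE_ALERT_LOG))
```

The last line of output is the check worth running after each test: any host listed there was reached by the client without the stateful domain-list rule ever matching it. Since that rule only matches on the TLS SNI or HTTP Host it can see on a flow, comparing the proto and dest_port of the browser's connection to that host against the curl connection (which did produce an alert) narrows down why the two behave differently.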