Two tfvars in substrate/environments/ai-sandbox/terraform.tfvars:
# Before
nfw_enforcement_mode = "alert"
dns_firewall_action = "ALERT"
# After
nfw_enforcement_mode = "drop"
dns_firewall_action = "BLOCK"
Substrate modules (network) react to these toggles:
nfw_enforcement_mode = "drop": NFW stateful default action flips from aws:alert_strict to aws:drop_strict. Off-allowlist outbound packets are dropped at the firewall; allowed packets pass.dns_firewall_action = "BLOCK": Route 53 DNS Firewall block rule changes from ALERT to BLOCK. Off-allowlist DNS queries return NXDOMAIN instead of resolving.| Validation | What it proves |
|---|---|
| 30+ days of NFW alert logs | The allowlist of SoR FQDNs (Salesforce, Monday, GitHub, GitBook) matches actual obs-app outbound traffic. No unexpected destinations. |
| 30+ days of DNS Firewall alert logs | No unexpected DNS lookups from agent-tier workloads. The DNS allowlist matches reality. |
| No application-level failures attributable to NFW/DNS | Apps that work in alert will work in drop because the allowlist is the same; only the response to non-matching traffic changes. |
| Rollback is a single PR | If drop mode breaks something, flip the tfvar back to alert in <5 minutes via the same CI workflow. |
aws logs filter-log-events --log-group-name /aws/network-firewall/ai-sandbox. Confirm zero unexpected destinations (only known SoRs).aws route53resolver list-resolver-query-log-config-associations + LogsInsights queries. Confirm zero unexpected DNS names.Standard CI flow:
step-5-nfw-enforcement-flipsubstrate/environments/ai-sandbox/terraform.tfvars — flip the two tfvarsaws_networkfirewall_firewall_policy + aws_route53_resolver_firewall_rule. Should be small, ~2-3 resources.confirm = APPLYIf anything breaks unexpectedly after the flip:
alert / ALERTThe substrate's "modeled completely" principle means every irreversible-sounding change is built to be reversible at the toggle level. NFW enforcement is one tfvar; reverting is one PR; the rollback path is the same as the apply path, just inverted. This is what makes Step 5 a safe move rather than a leap of faith.
vibecode/sdk/v1/sor/* helpers' allowlist becomes the NFW allowlist (defense-in-depth: SDK refuses off-allowlist calls + NFW drops if SDK is somehow bypassed)Step 5 is independent of:
Best timing: after the SES domain verification work lands (so any DNS hiccups during that work don't get blamed on Step 5).