What is AWS Network Firewall? - AWS Network Firewall

What is AWS Network Firewall?

AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you create in Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.

Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection, and supports Suricata compatible rules. AWS Network Firewall supports Suricata version 7.0. For more information, see Working with stateful rule groups in AWS Network Firewall and the Suricata website.

You can use Network Firewall to monitor and protect your Amazon VPC traffic in a number of ways, including the following:

  • Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3.

  • Use custom lists of known bad domains to limit the types of domain names that your applications can access.

  • Perform deep packet inspection on traffic entering or leaving your VPC.

  • Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.

To enable Network Firewall for your VPC, you perform steps in both Amazon VPC and in Network Firewall. For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide. For more information about how Network Firewall works, see How AWS Network Firewall works.

Network Firewall is supported by AWS Firewall Manager. You can use Firewall Manager to centrally configure and manage your firewalls across your accounts and applications in AWS Organizations. You can manage firewalls for multiple accounts using a single account in Firewall Manager. For more information, see AWS Firewall Manager in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.

AWS Network Firewall​ AWS resources

Network Firewall manages the following AWS resource types:

  • Firewall – Provides traffic filtering logic for the subnets in a VPC.

  • FirewallPolicy – Defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.

  • RuleGroup – Defines a set of rules to match against VPC traffic, and the actions to take when Network Firewall finds a match. Network Firewall uses stateless and stateful rule group types, each with its own Amazon Resource Name (ARN).

AWS Network Firewall concepts

AWS Network Firewall is a firewall service for Amazon Virtual Private Cloud (Amazon VPC). For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide.

The following are the key concepts for Network Firewall:

  • Virtual private cloud (VPC) – A virtual network dedicated to your AWS account.

  • Internet gateway – A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.

  • Subnet – A range of IP addresses in your VPC. Network Firewall creates firewall endpoints in subnets inside your VPC, to filter network traffic. In a VPC architecture that uses Network Firewall, the firewall endpoints sit between your protected subnets and locations outside your VPC.

  • Firewall subnet – A subnet that you've designated for exclusive use by Network Firewall for a firewall endpoint. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't use your firewall subnets for anything other than Network Firewall.

  • Route table – A set of rules, called routes, that are used to determine where network traffic is directed. You modify your VPC route tables in Amazon VPC to direct traffic through your firewalls for filtering.

  • Network Firewall firewall – An AWS resource that provides traffic filtering logic for the subnets in a VPC.

  • Network Firewall firewall policy – An AWS resource that defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.

  • Network Firewall rule group – An AWS resource that defines a set of rules to match against VPC traffic, and the actions to take when Network Firewall finds a match.

  • Stateless rules – Criteria for inspecting a single network traffic packet, without the context of the other packets in the traffic flow, the direction of flow, or any other information that's not provided by the packet itself.

  • Stateful rules – Criteria for inspecting network traffic packets in the context of their traffic flow.

Accessing AWS Network Firewall

You can create, access, and manage your firewall, firewall policy, and rule group resources in Network Firewall using any of the following methods:

  • AWS Management Console – Provides a web interface for managing the service. The procedures throughout this guide explain how to use the AWS Management Console to perform tasks for Network Firewall. You can access the AWS Management Console at https://aws.amazon.com/console. To access Network Firewall using the console:

    https://<region>.console.aws.amazon.com/network-firewall/home
  • AWS Command Line Interface (AWS CLI) – Provides commands for a broad set of AWS services, including Network Firewall. The CLI is supported on Windows, macOS, and Linux. For more information, see the AWS Command Line Interface User Guide. To access Network Firewall using the CLI endpoint:

    aws network-firewall
  • AWS Network Firewall API – Provides a RESTful API. The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS APIs and the AWS Network Firewall API Reference. To access Network Firewall, use the following REST API endpoint:

    https://network-firewall.<region>.amazonaws.com
  • AWS SDKs – Provide language-specific APIs. If you're using a programming language that AWS provides an SDK for, you can use the SDK to access AWS Network Firewall. The SDKs handle many of the connection details, such as calculating signatures, handling request retries, and handling errors. They integrate easily with your development environment, and provide easy access to Network Firewall commands. For more information, see Tools for Amazon Web Services.

  • AWS CloudFormation – Helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want and AWS CloudFormation takes care of provisioning and configuring those resources for you. For more information, see Network Firewall resource type reference in the AWS CloudFormation User Guide.

  • AWS Tools for Windows PowerShell – Let developers and administrators manage their AWS services and resources in the PowerShell scripting environment. For more information, see the AWS Tools for Windows PowerShell User Guide.

Regions and endpoints for AWS Network Firewall

To view the complete list of AWS Regions where Network Firewall is available, see Service endpoints and quotas in the AWS General Reference.

IPv4 endpoints

https://network-firewall.<region>.amazonaws.com

Dual-stack (IPv4 and IPv6) endpoints

Dual-stack endpoints support both IPv4 and IPv6 traffic. When you make a request to a dual-stack endpoint, the endpoint URL resolves to an IPv6 or IPv4 address, depending on the protocol used by your network and client.

https://network-firewall.<region>.api.aws

Pricing for AWS Network Firewall

For detailed information about pricing for Network Firewall, see AWS Network Firewall pricing.

Some configurations can incur additional costs, on top of the basic costs for using Network Firewall. For example, if you use a firewall endpoint in one Availability Zone to filter traffic from another zone, you can incur cross-zone traffic charges. If you enable logging, you incur additional charges according to factors such as the logging destination that you use and the amount of traffic that you choose to log.

AWS Network Firewall quotas

AWS Network Firewall defines maximum settings and other quotas on the number of Network Firewall resources that you can use. You can request an increase for some of these quotas. For more information, see AWS Network Firewall quotas.

AWS Network Firewall additional resources

To get a hands-on introduction to AWS Network Firewall, complete Getting started with AWS Network Firewall.

Use the following resources to get additional information and guidance for using AWS Network Firewall.